NBlog Oct 23 - transparency and oversight

NoticeBored - Tue, 10/22/2019 - 8:54pm
Along with increasing legal and regulatory compliance pressures on organizations to implement appropriate privacy controls, popular awareness of the issues appears to be on the up with commercial implications for organizations.
Global IT megacorps such as Facebook, Microsoft, Apple and Google are particularly exposed to public criticism simply because they are household names ... but that's not to say they are powerless, far from it.  Contrast Apple's handling of the FBI iPhone security incident against Facebook's handling of the Cambridge Analytica scandal, plus other privacy incidents.
All the megacorps have to take their own cybersecurity seriously simply because they are such massive targets facing business-critical information risks: it's literally an existential issue. They are also forced to comply with various laws and regulations, for the same reasons as any other organization - to avoid potentially huge punitive fines and other substantial costs arising from noncompliance incidents. In addition, they make strategic and commercial choices on privacy and related matters. Their internal policies and corporate cultures influence the extent to which they satisfy broader ethical obligations towards customers, employees and others.
I see an interesting distinction opening up between reality and perception. Apple has been quite vocal and forthright in public about its concerns for customer privacy, whereas at the other end of the scale Facebook comes across negatively and consequently faces a hammering from the media (both traditional journalism and social media). Google and Microsoft appear (to me) somewhat ambiguous, dithering around the middle of the scale: at times they claim to be highly concerned about security and privacy, yet their actions sometimes indicate otherwise. Given their marketing prowess with huge budgets and global reach, I have the distinct feeling we're all being manipulated on a grand scale, so who knows what's really going on in terms of governance and ethical direction from their boardrooms?
The same concern applies to our governments, with the added complication of their being able to duck behind 'official secrets'. Whistleblowers such as Assange, Snowden and Manning are just the few with the guts and good fortune to beat the machinery of government to the draw. In regimes such as China, Russia, North Korea and Turkmenistan (plus many others), governmental oppression is plenty strong enough to prove liberty- and life-threatening for anyone with the effrontery to challenge authority.
So what, if anything, can/should be done about this? Personally, being a reformed/former auditor, I'm a big fan of transparency and accountability, although at the same time I accept that there are genuine reasons for all types and sizes of organizations to retain some measure of privacy about certain aspects of their internal affairs. The audit approach revolves around internal assessment by competent, independent investigators, a strong form of oversight. It is trust-based, in that auditors are granted privileged access to private internal matters, in much the same way that we trust our doctors with intensely private medically-related information ... because it's in our interests to do so. That self-interest is the key, for me, turning public unease through disquiet into pressure to open up, hopefully without the situation degenerating towards anarchy.
In the case of commercial organizations, their profit motive represents a vulnerability: if sufficient customers revolt, lightening their wallets elsewhere, companies appearing deficient in privacy and security may be forced to take more care, or at least open up and prove that they are doing things right.
Investigative journalism is another approach, although independence and bias is a concern given pressures from media moguls, not least to sell more papers, plus various constraints imposed by the authorities and of course the organizations being challenged. As to social media (such as NBlog!), fake news is not just a game played by the big players, raising questions about the competence and integrity of social media pundits (like me!). Is this blog piece fair and reasonable, unbiased and insightful, or am I pushing an agenda and skewing the topic to suit some ulterior purpose? You decide, dear reader. I hope you'll come back for more but if not, it's goodbye from me.
Categories: NoticeBored

NBlog Oct 22 - a business case for privacy

NoticeBored - Tue, 10/22/2019 - 12:49am

This week I'm slugging away at the coal face to complete the management materials for November's privacy awareness module - an update on our previous coverage to reflect current issues, recent incidents and so forth.

As always, we'll be providing a set of goodies specifically aimed at management from which customers can pick and choose to suit their purposes:
  1. Diagrams for privacy - the topic in pictures
  2. Management seminar on privacy - see below
  3. Board agenda on privacy compliance - I blogged about this on Friday
  4. Elevator pitch on privacy - sums up the key points in about 150 carefully-chosen words
  5. Model policy on privacy compliance - a template to customize
  6. Model policy on privacy inquiries, complaints & incidents - another policy template
  7. Executive briefing on privacy - a high-level one-pager
  8. Management briefing on privacy - a more in-depth briefing/discussion piece
  9. Model job description for Privacy Officer - outlines the typical role and responsibilities
  10. Privacy metric - suggesting how to measure what matters most in this area
I've made solid progress on the management seminar slide deck today, laying out the key messages and telling the story through engaging graphics with enough supporting content to make managers sit up and take notice.
The other day I blogged about substantial penalties for GDPR noncompliance. Today, in writing the speaker notes to accompany a slide about privacy risks from the organization's perspective, I wrote this about the impacts:

"The organizational consequences of privacy incidents can include penalties (potentially huge fines under GDPR plus class action) and other consequential business impacts (bad publicity and reputational damage, customer defection, loss of trust and respect, more rigorous scrutiny by the authorities) on top of the direct costs (incident investigation and resolution, hurriedly improved information security, credit reporting and compensation for those affected etc.)."

... and, with hindsight, it occurred to me how negatively that comes across, emphasizing the costly nature of being held to account for privacy fails.
So, how about something more positive to balance that out, emphasizing the gains arising from privacy wins? "Nice idea, Gary, but what are you on about?"
I'd like to elaborate on the business benefits other than the obvious intent to avoid or reduce those costs. Are there any? Well, yes there are, but to be honest they are not exactly overwhelming - things such as establishing a trustworthy, ethical reputation among customers and others (including employees, by the way. Cogitate on that for a moment. Does it matter to the business if employees don't trust their employer to protect personal information, not least their own? I believe it does, but it would be hard to prove or substantiate).
It might not be possible to build a business case for privacy purely on the positives, which perhaps explains why this is such a heavily compliance-driven area in practice. Still, I'll see what I can come up with. I enjoy that sort of challenge.

NBlog Oct 18 - a universal awareness device

NoticeBored - Thu, 10/17/2019 - 6:54pm
Since the very beginning of NoticeBored back in 2003, one of our regular monthly deliverables has been a "board agenda" - a security awareness item aimed at informing and engaging the most senior managers in an organization.
At that stratospheric level, awareness materials need to be both succinct and relevant to stand any hope of being used. Senior managers are extremely busy people. 
The board agendas are each just one side of paper if printed, as is usually the case for board papers in their briefing packs. We deliberately avoid jargon and lengthy explanation on the basis that the audience is both busy and competent, generally highly experienced and quick-witted people keen to get straight down to business. The audience isn't expected to know everything, but hopefully they can rely on the support of their trusted networks of peers and direct reports, plus of course the remaining security awareness content provided. Oh and Google, naturally. We'd love them to read and consider these papers ahead of the meeting, but if not they are simple enough to figure out on the fly.
The NoticeBored papers all fall within the broad area of information risk and security covering the same topic area as the remaining awareness content in the module, reflecting the design goal of encouraging social interaction and discourse throughout the organization. Security awareness is not just something to be aimed at 'users', treating them condescendingly as mere serfs! We're consciously socializing information risk and security, making it an integral part of the corporate culture, top to bottom, side to side.
Given the specific target audience for the papers, relevance is achieved by emphasizing high-level matters that most concern senior management, namely business aspects such as strategy, governance and compliance ... talking of which, we'll be incorporating this colorful diagram into November's board agenda for the privacy awareness module:
The idea is deceptively simple: following an introductory paragraph briefly outlining the topic, senior managers will be invited to consider their positions on privacy compliance, 'make their mark' somewhere appropriate within the triangle, then discuss the topic with their peers at the next meeting.
The red-amber-green triangle is an elaboration on the linear RAG spectrum figures we use routinely. Either way, this highly visual approach is an excellent means to set people thinking about the topic, expressing their opinions in a manner that encourages open discussion of their respective viewpoints and concerns. For instance, marks close to any apex indicate strongly held opinions, while marks towards the middle suggest indecision or ambiguity. The wording of the amber corner in this case is intentionally provocative: we'd like those with more specific views to challenge those who put themselves on the fence, as it were, or fail to engage. Managers with something specific to say on this topic have their opportunity to speak up and make their case, while everyone listens and learns - an awareness win, plus a chance for the whole team to review and perhaps refine corporate positions, strategies and policies in this area through discussion and (hopefully!) consensus.
In case it's not immediately obvious, the stimulating approach I've developed and described here is broadly applicable, almost universal. Pick virtually any topic (within or without information risk and security) and context (awareness session, training course, workshop, meeting, online collaboration ...) and it shouldn't be hard to come up with options that fall across a range in one or more dimensions. Assemble a group of interested people to consider and discuss the matters at hand, using visual devices along these lines, and Bob's yer uncle.

NBlog Oct 17 - managing privacy compliance risks

NoticeBored - Thu, 10/17/2019 - 12:41am
This week I'm exploring the compliance aspects of privacy for November's security awareness and training module, hunting down information about the meaty fines meted out for privacy incidents breaching GDPR for starters.  
According to what I've read so far, the regulators determine GDPR fines by considering ten specific factors, most of which a proactive management has the capability to control. Management can therefore (to some extent) influence the GDPR penalty part of the business impact of privacy breaches. The speed of response when notified of a breach, for example, is largely determined by the incident management activities. Incident response can be designed and operated to be more efficient and effective, for instance through sensible policies and procedures, coupled with awareness, training and exercises, plus other aspects such as clear roles and responsibilities plus slick incident reporting, escalation and official notification mechanisms. If the organization is primed and ready, it is more likely to react well than if it merely muddles through, unprepared and shambolic.
Furthermore, some of those ten factors concern preventive controls that should reduce the probability of privacy incidents occurring at all - for example, choosing not to process personal information unless necessary (risk avoidance), especially not the highly sensitive types such as medical data (e.g. by outsourcing medical services for employees to specialists who handle the privacy compliance obligations as part of the contract - a form of risk sharing).
In other words, management has some control over both the probability and impact of a potentially significant information risk relating to privacy and compliance. Nice!

NBlog Oct 8 - 2020 vision

NoticeBored - Tue, 10/08/2019 - 3:03am
Over the weekend, I wrote about CISOs and ISMs preparing cunning strategies and requesting budgets/proposing investments.
During the remainder of 2019, we will be treated/subjected to a number of predictions about what's in store for information security in the year ahead, thanks to a preponderance of Mystic Megs with unsupervised access to the Interweb, gazing wistfully into their crystal balls and pontificating. 
As with horoscopes in the tabloid rags, some of their predix will be right on the button by sheer chance in the sense that, given an ample sufficiency of poo to throw at the wall, some of it will stick. A few more informed pundits, however, will be chucking stickier poo thanks to their experience and insight. 
Trouble is, how are we to distinguish the insightful few with sticky poo from the manifold plain or polished poo propellants?
Years ago, the solution involved tracking or looking back at prior predictions to assess how accurate the pundits were ... although, as with investments, past performance is not necessarily an accurate guide to the future. It's an indicator at best.
These days, the situation is trickier still thanks to the Intarweb, social media and the global information melting-pot that turns pretty much everything into a brown sticky malodorous mess. Independent, honest, experienced, reasonably accurate soothsayers find themselves swimming in an ocean inhabited by marketing whales, a few great whites and vast shoals of me-toos who grasp desperately at any passing thought like a drowning man clutches at a log, only to wring all the life out of it.
So, for what it's worth (almost every penny!), my advice is to consider the credentials of anyone claiming to know what's ahead. Do they know what they speak of? Do they have a clue? Are they usually about right? Do they follow the latest fads, spouting clouds of meaningless drivel from their blow-holes, or are they brave enough to buck the obvious trends, say-it-like-it-is and explain themselves straightforwardly?
And then temper everything with a large dose of good ol' common sense. If your organization is taking its first baby steps into the cloud, guess what: it lacks cloud experience, hence the more extreme cloudiness is likely to be riskier for you than, say, a company that is and has been cloud-first or cloud-everything for years already and knows what it's getting itself into. In other words, choose your battles. Build on your strengths, consider and address your weaknesses. By all means get creative and explore the cutting edge stuff ... but be wary of exposing your jugular to that glinting slicey-slicey sharpness.
Don't neglect your inner-circle of trustworthy advisors, the colleagues and contacts who have proven insightful or at least good listeners in the past ... which hints at a possible strategy for 2020: work hard on bolstering and extending your personal network, ready for your 2021 strategies, proposals and budget requests. The flip side of that ocean of pundits is that it's easier than ever to find potential partners and build relationships. Perhaps even the odd blogger making sense of this turbulent world.

NBlog Oct 6 - a dozen infosec strategies

NoticeBored - Sat, 10/05/2019 - 5:19pm
This Sunday morning, further to my tips on planning for 2020, prompted by "5 disruptive trends transforming cybersecurity" and fueled by some fine Colombian (coffee not coke!), I've been contemplating information risk and security strategies. Here are a dozen strategic approaches to consider:
  1. Use risk to drive security. Instead of vainly hoping to address every risk, hammer the biggest ones, tap at the middling ones and let the little'uns fend for themselves (relying on general purpose controls such as incident and business continuity management, resilience etc.). 'Hammer the biggest' means going the extra mile for 'key' or 'critical' controls addressing 'key' or 'major' or 'bet the farm' risks, and implies substantial effort to identify and evaluate the risks.
  2. Make security processes as slick as possible, using automation, simplicity, repeatability etc. DevSecOps is an example of automating security to keep up/catch up with speeding cyclists. SecDevOps could be security attempting to lead the pack (good luck with that!).
  3. Develop security architectures - comprehensive, coherent, all-encompassing approaches, with solid foundations and building blocks that slot into place as the blueprint comes to life. Requires long term planning and coordination with other architectures and strategies for business, information, IT, risk, compliance, governance etc.
  4. Be business-driven. Let management govern, direct and control things, including cybersecurity, information security, risk and security, or whatever, to enable and deliver business objectives. Encourage and enable management to manage change both reactively and proactively. This strategy requires that management has a decent understanding of the risks and opportunities relating to information security, or at least is well-advised in that area (i.e. manage your managers!).
  5. Make do but improve systematically, in other words take a cold hard look at where you are now, identify the most urgent or serious issues and improvement opportunities, address them. Lather rinse repeat. This may be the only viable approach if management is not interested in being proactive in this area (which might be one of those issues worth tackling!).
  6. Use metrics - specifically, business- and risk-driven metrics - to identify and respond to pain points, trends, imbalances etc., ideally before they become issues. Requires a decent suite of relevant, trustworthy metrics, which implies clarity around the measurement objectives and methods. Also requires enough time to accumulate the data for trends analysis, and sound analysis (e.g. appropriate use of statistics). And beware surrogation.
  7. Employ 'good practices', such as ISO27k, NIST SP800, COBIT, CSA, OWASP and so on ... hinting at the practical issue of deciding which one/s to follow, and to what extent. Standards are reactive in nature, out of date by the time they are published but they generally provide a sound basis, and if used sensibly can be a useful shortcut to get basic frameworks (at least) in place. Not so useful, though, if compliance drives the organization rather than the business - another type of surrogation.
  8. Collaborate. Find and work with internal and external resources to get stuff done (implies shared goals). Maybe cloud-first or cloud-only makes perfect sense after all, for your organization - a current-day version of the old 'best of breed', 'best in class' or 'buy blue' mantras - so be sure information risk and security considerations are an integral part of the cloud adoption process. Exploit cloud security services: push security into the cloud.
  9. Focus and simplify. Stop expanding willy-nilly into the cloud without proper planning and preparation, including risk management. Develop an actual strategy, a clear map of the destination/s and routes. Prioritize resources. Find and employ the best people, methods, systems, standards, tools etc. for the most important jobs. Assemble high-performance teams, give them clear goals, motivate them and give them the space to do their thing (possibly within defined boundaries, possibly not).
  10. Fail small and often. Don't just anticipate failure, expect it. Recover. Learn. Improve. Try harder. Be experimental. Take (appropriate) risks. Invest unwisely. Default to "yes" rather than "no", ask "why not?" instead of "why?". Practice hard to become excellent at identifying and reacting to risks and opportunities of all kinds. Set things up to spot, flag and react to failures effectively and efficiently. Better still, learn from others' failures: gain without pain.
  11. Figure out and do whatever's best for your organization - perhaps some version or combination of the above or other things unique to your organization, its situation, resources, constraints and objectives. Innovate. Think much further into the future. Imagine! Master the topic. Come up with more creative/unconventional strategies, and evaluate them. Write better lists than this one.
  12. Accept defeat. Follow lamely rather than lead, or get by without a strategy. Pass the buck, exploit scapegoats. Let other suckers path-find. Scrabble desperately to implement the current so-called strategy. Hold the fort. Duck the issues. Keep your head down until your watch is over. Preserve the status quo. Do the least amount possible. Summon and wait for reinforcements. Retire or find another career. Use what little remains of your motivation and self-esteem to apply for jobs at more enlightened organizations. Up-skill. Retrain. Read more than just blogs. Think on. Good luck.

NBlog Oct 4 - tips on planning for 2020

NoticeBored - Thu, 10/03/2019 - 8:37pm
The Security Executive Council is a consultancy specializing in physical security for commercial organizations. Their latest newsletter led me to a nice little piece about business cases, including this:

"Brad Brekke, SEC emeritus faculty and former Vice President of Assets Protection and Corporate Security for Target Corporation, emphasizes that the business case must be built upon a deep understanding of the business and security's role and strategy within it. 'I'd recommend you conduct this exercise: Study your business. Know how it operates, how it makes money, how it's set up, what its strategy is – for instance, is it a growth strategy, an expense-driven strategy, a service-driven strategy. Know the culture and risk tolerance of your organization and know the voice of its customer,' says Brekke."

That approach makes sense for any substantial strategy, change or investment proposal. All organizations exist to achieve [business] objectives, so being clear about how a proposal supports or enables those [business] objectives is a no-brainer, right?
How to do that in practice, however, may not be entirely obvious, especially to specialists/professionals deeply immersed in particular fields such as information risk and security. Our worldview naturally revolves around our own little world. We perceive things in our own terms. We are inevitably biased towards certain aspects that interest and concern us, hence we inevitably emphasize them while downplaying, ignoring or failing even to notice others. 
That's true regardless of the specialism. For instance, HR pros naturally focus on people, sociology, human behaviour and so on. Finance pros focus on dollars and financial risks. IT pros focus on computing and tech. And, guess what, CISOs and ISMs have their focal points and blind-spots too.
The same is also true of other people with whom we interact at work, including those execs who will ultimately make the big decisions about our big proposals, plus assorted managers and [other] specialists beneath who advise and influence them. We all have our interests and prejudices, our personal agendas, hot-buttons and fear-factors. Despite the title, even "general managers" didn't mysteriously parachute-in to the role out of a clear blue sky but worked their way through the educational system, the ranks and the University of Life, picking up skills and experiences along the way, shaping their personalities today.
So, when proposing something, awareness of our own biases plus those of our audiences (for there are several) presents the opportunity to counteract them on both sides. 
The SEC piece, for instance, offers this advice:

"Brekke also cautions security leaders not to undervalue the importance of storytelling. Each organization has a language that resonates with management. Consider the language of the brand and the language of the organization's business as you develop the story you will tell and as you make your business case. You may find it helpful to reframe some security language to better reflect business value. For instance, because one of Target's foundational goals was to focus on the experience of the customer, conversations about shoplifting became conversations about enabling the guest experience."

That's the no-brainer business-focused approach I mentioned earlier, and fair enough: it's not unreasonable to expect everyone in an organization to share a common interest in furthering the organization's business aims. At an overall level, being business-focused makes perfect sense. However, there's more to it in that 'the organization' is, in reality, an assortment of individuals with distinct personalities.
So, I recommend a more granular, more mature approach. Rather than simply preparing and submitting a business-like proposal then expecting 'the organization' or 'management' to approve it, consider the individual people who will make the decisions, plus those who advise and influence them. Ideally, spend quality time with them during the drafting process, explaining what you are hoping to achieve and finding out what they want or expect or fear from it. Explain things in their terms, if you can. As Brad suggests, use pertinent examples that resonate with them. Tease out their concerns, and emphasize the benefits for them and their areas of interest, plus others (it's perfectly OK to bring up the wider perspective, including opinions and concerns raised by various colleagues). Try not to leave things hanging in mid-air: where relevant, revise your proposals to take account of the feedback and let them know you have done so. Reassure them that you have genuinely responded to their suggestions - even if that means compromising or, on occasions, rejecting them due to competing pressures. This is a negotiation process, so negotiate towards agreement. If it helps, you can even quote those feedback comments, partly because of what they say and partly to demonstrate that you have both listened and reacted.
For bonus marks, collaborate with your colleagues from the outset. Develop joint proposals with other departments. Drive out extra value by optimising your approaches, addressing multiple objectives simultaneously. Work as a team.
Now is an excellent time of year to put this approach into practice as most organizations head rapidly towards the new financial year, hence strategies, initiatives, priorities and budgets are all up for discussion. If your normal approach is head-down, focused on building what you believe to be the best possible business cases and proposals in isolation, then lift your head from the page for once. Consider who your proposals will affect, and go see them for a chat - now, well before the ink is dry. I promise you, it's time well spent. You'll markedly improve your chances of success.
It works both ways too. If, say, Marketing is lining-up for a substantial investment, initiative or change of approach, get actively engaged with the formulation of their proposal concerning the information risk and security aspects. Find out what they are on about. Consider the implications. Where appropriate, push for changes and make concessions to them in return for their support for your objectives and proposals, and vice versa, all the while circling around those common business objectives. 'What's best for the business' is a particularly compelling perspective, hard to argue against. Plotting the best route is easier if everyone is heading for the same destination.

NBlog October - digital (cyber) forensics module released

NoticeBored - Sun, 09/29/2019 - 4:26pm

IT systems, devices and networks can be the targets of crime as in hacking, ransomware and computer fraud. They are also tools that criminals use to research, plan and coordinate their crimes. Furthermore, criminals use technology routinely to manage and conduct their business, financial and personal affairs, just like the rest of us. Hence digital devices can contain a wealth of evidence concerning crimes committed and the criminals behind them.

Since most IT systems and devices store security-related information digitally, digital forensics techniques are also used to investigate other kinds of incidents, figuring out exactly what happened, in what sequence, and what went wrong ... giving clues about what ought to be fixed in order to prevent them occurring again.

It's not as simple as you might think for investigators to gain access to digital data, then analyze it for information relevant to an incident. For a start, there can be a lot of it, distributed among various devices scattered across various locations (some mobile and others abroad), owned and controlled by various people or organizations. Some of it is volatile and doesn't exist for long (network traffic, for instance, or the contents of RAM). Some is unreliable and might even be fake, a smoke-screen deliberately concealing the juicy bits.

A far bigger issue arises, though, if there is any prospect of using digital data for a formal investigation that might culminate in a disciplinary hearing or court case. There are explicit requirements for all kinds of forensic evidence, including digital evidence, that must be satisfied simply to use it within an investigation or present it in court. Ensuring, and being able to prove, the integrity of forensic evidence implies numerous complications and controls within and around the associated processes. They are the focus of October's NoticeBored security awareness materials which:
  • Describe the structured, systematic process of gathering digital forensic evidence and investigating cyber-crime and other incidents involving IT;
  • Address information risks associated with the digital forensics process;
  • Prompt management to prepare or review policies and procedures in this area, training workers or contracting with forensics specialists as appropriate;
  • Encourage professionals with an interest in this area to seek and share information;
  • Discourage workers in general from interfering with and perhaps destroying forensic evidence.
Read more about the module here.  Purchase it here.
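To make the evidence-integrity point above concrete, here is an added example (my own illustration, not part of the NoticeBored module or its materials) of the two controls an investigator relies on to prove that digital evidence has not changed: a cryptographic hash taken at acquisition, and a chain-of-custody log in which each entry is linked to the previous one by hash, so that editing or deleting any earlier entry breaks every later link. The evidence bytes, item identifier, names and timestamps are all constructed for the example; SHA-256 is used because it is the hash most evidence-handling procedures specify.

```python
"""Evidence integrity: acquisition hash plus hash-chained chain-of-custody log.
Added example with constructed sample data, not code from the original post."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash a custody entry deterministically (sorted keys, no entry_hash field)."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode("utf-8"))


def acquire(evidence: bytes, item_id: str, examiner: str, ts: str) -> dict:
    """Start an evidence record: the acquisition hash is the reference value
    that every later verification compares against."""
    return {
        "item_id": item_id,
        "sha256": sha256_hex(evidence),
        "acquired_by": examiner,
        "acquired_at": ts,
        "custody": [],
    }


def record_custody(record: dict, action: str, person: str, ts: str) -> dict:
    """Append a custody entry. prev_hash links it to the previous entry (or to
    the acquisition hash for the first entry), forming a hash chain."""
    custody = record["custody"]
    prev = custody[-1]["entry_hash"] if custody else record["sha256"]
    entry = {"action": action, "person": person, "ts": ts, "prev_hash": prev}
    entry["entry_hash"] = _entry_hash(entry)
    custody.append(entry)
    return record


def verify(record: dict, evidence: bytes) -> dict:
    """Re-check the evidence bytes against the acquisition hash and walk the
    custody chain. Returns which control failed and, for the chain, where."""
    findings = {
        "evidence_intact": sha256_hex(evidence) == record["sha256"],
        "chain_intact": True,
        "broken_at": None,  # index of the first custody entry that fails
    }
    prev = record["sha256"]
    for i, entry in enumerate(record["custody"]):
        if entry["prev_hash"] != prev or _entry_hash(entry) != entry["entry_hash"]:
            findings["chain_intact"] = False
            findings["broken_at"] = i
            break
        prev = entry["entry_hash"]
    return findings


if __name__ == "__main__":
    # Constructed stand-in for a disk image; a real acquisition hashes the image file.
    image = b"constructed-disk-image-bytes"
    rec = acquire(image, "ITEM-0001", "Examiner A", "2019-10-01T10:00:00Z")
    record_custody(rec, "sealed in evidence bag", "Examiner A", "2019-10-01T10:05:00Z")
    record_custody(rec, "handed to lab", "Examiner B", "2019-10-02T09:00:00Z")
    print("untouched:", verify(rec, image))

    # Evidence altered after acquisition: the acquisition hash no longer matches.
    print("altered image:", verify(rec, image + b"!"))

    # Custody log edited after the fact: the chain breaks at the edited entry.
    rec["custody"][0]["person"] = "Someone Else"
    print("edited log:", verify(rec, image))
```

The `broken_at` index tells the reviewer which handoff to question; a log that fails verification is not proof of tampering on its own, but it is exactly the kind of gap that stops evidence being admitted, which is why the procedures the module describes exist.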

NBlog Sept 29 - awareness and training program design

NoticeBored - Sat, 09/28/2019 - 10:36pm
The first task when preparing any awareness content is to determine the objectives. What are you hoping to achieve here? What is the point and purpose? What's the scope? What would success or failure even look like?
There are several possible approaches. 
You might for instance set out to raise security awareness 'in general', with no particular focus. That's a naive objective given the variety of things that fall within or touch on the realm of 'security'. Surely some aspects are more pertinent than others, more likely to benefit the workforce and hence the organization? Trying to raise awareness of everything all at once spreads your awareness, training and learning resources very thin, not least the attention spans of your audiences. It risks bamboozling people with far too much information to take in, perhaps confusing them and turning them off the whole subject. 
It's not an effective educational strategy. We know it doesn't work and yet, strangely, there are still people talking in terms of an "annual security awareness training session" as if that solves the problem. 
[Shakes head in despair, muttering incoherently]
Instead, you might identify a few topic areas that are more deserving of effort, 'just the basics' you might say. OK, that's better but now there's the issue of deciding what constitutes 'the basics'. One of the complicating, challenging and fascinating aspects of information risk and security is the mesh of overlapping and interlocking concerns. Security isn't achieved by doing just a few things well. We need to do a lot of things adequately and simultaneously.
Take 'passwords' for example, one of the security controls that most organizations would consider basic. You could simply instruct workers on choosing passwords that meet your organization's password-related policies or standards ... but wouldn't it be better to explain why those policies and standards exist, as well as what they require? Why do we have passwords anyway? What are they for? Addressing those supplementary issues is more likely to lead to understanding and acceptance of the password rules. As you scratch beneath the surface, you'll encounter several important things relating to passwords such as:
  • access control;
  • accountability and responsibility;
  • biometrics and multi-factor authentication;
  • identification and authentication;
  • malware and hacking attacks;
  • password length and complexity;
  • password memorability and recall;
  • password sharing and disclosure;
  • password vaults;
  • phishing and other social engineering attacks;
  • the password change process ...
... and more. Similar considerations apply to any other form of 'basic' security: I challenge you to name any 'basic' security topic so narrowly-scoped that it doesn't touch or depend on related matters. 
A third approach, then, is to acknowledge those touch points and the mesh of interrelated topics, planning a sensible sequence of awareness topics that meander through the entire field. Maybe cover accountability first, then passwords, then access control ... and so on. Now you're starting to get somewhere! 
Oh but hang on, at this level of analysis there is such a variety of potential topics that the sequence takes some thought, especially as there are only so many awareness and training opportunities in the year. Planning is like plate-spinning: in order to raise awareness, you need to re-cover each topic periodically, reminding people before they forget, each awareness and training episode building on previous ones (especially the most recent and/or the most memorable). That's all very well, provided you don't let the plates fall. If your security awareness people move on, listen for the clatter of broken crockery.
A fourth approach is the NoticeBored way. Every month since 2003, we've picked a topic and gone into some depth on it. We've brought up other relevant topics but only briefly, since they are all explored in depth when their time comes. We've picked up on new topics as they emerged (making the content fresh and topical - literally), sometimes combining topics or deliberately taking different perspectives in successive passes. As we plummet towards the 200th NoticeBored module in December, we've steadily accumulated a security awareness and training portfolio covering ~70 topics, all of them designed and prepared to a consistently high standard by a small team of experts. On average, every module has passed three times through the mill, meaning they are all quite stable and mature.
Aside from the topic-based monthly deliveries, there's another innovation in that the NoticeBored materials address three parallel audiences: general employees, managers and professionals. Complementing the breadth and depth of the awareness content, the three streams lead to cultural changes across the entire organization. We think of this as socializing security within the corporation, informing the three audience groups about matters that concern them in terms they can understand, while encouraging them to interact and communicate both among and between themselves.
With the NoticeBored monthly subscription service drawing to a close in just a few months, we're thinking about how best to continue maintaining and updating the portfolio of materials, tracking the ever-evolving field of information risk and security. We'll probably make fewer, irregular updates just a few times a year.
Meanwhile, we're gradually loading-up the SecAware eStore with additional awareness modules and ramping-up the marketing. If you need top-notch content for an effective security awareness and training program, please browse SecAware's virtual shelves and grab yourself a bargain. There's something strangely motivating about sales!
Categories: NoticeBored

NBlog Sept 26 - audit strategies

NoticeBored - Wed, 09/25/2019 - 5:04pm

I recommend treating any audit as a negotiation process with risks and opportunities* for both parties i.e. auditees and auditors. Here's why.
In respect of ISO/IEC 27001 compliance, the certification auditors are supposed to be formally checking that an ISMS complies with the standard’s formal requirements, plus information security requirements that the organization determines for its own purposes**. They are not supposed to conjure up additional requirements out of thin air, then complain about noncompliance. However, auditors are human and make mistakes. So auditees are fully entitled to ask auditors to identify any requirements in the standard or in their corporate requirements that they say are not being fulfilled, if necessary down to the individual clause numbers and specific words from ‘27001, their policies etc. By all means discuss the wording and intent/meaning of those requirements, as well as reviewing the evidence and details of the alleged noncompliance.

So far, that's conventional, an expected, routine part of the normal interaction between auditor and auditee. From that point, however, the process can proceed along various paths. 
The auditee could take a very hard line, focusing myopically and deliberately on strict compliance with the explicit requirements of the standard, being really tough on the auditors about that … but beware as the auditors can take just as hard a line in response, perhaps even pointing out additional minor noncompliance issues that they might otherwise have ignored. Bringing out the big compliance sticks is a viable but risky strategy. It can be tricky to back down once either party starts down this path. It tends to make the relationship between auditors and auditees highly adversarial and tough-nosed, each party treating the other as the enemy to be beaten. It’s stressful for all concerned, adding to the usual stresses of audits and certification. [Speaking as a former/reformed auditor, this may be a sign of either a naïve/scared or, paradoxically, a highly experienced/assertive auditee. Identifying and responding proactively to the situation as it develops is part of the auditor’s social skill set, which varies with the auditor’s experience level plus their own personality. If things escalate, it draws-in management on both sides, so each party really needs their management behind them. It’s also something that experienced auditors will have dealt-with many times (stress and challenge is very much part of the job), hence they tend to be well-practiced at it and on the front-foot, whereas auditees tend to be less well prepared and on the back-foot.]
Alternatively, the auditee could make more of an effort to understand and deal with the issues the auditor claims to have found, setting aside the pure compliance aspects (at least for now). Discuss and negotiate with the auditors, aiming towards finding mutually-acceptable solutions. Be “reasonable” about things (whatever that means!). Consider the business implications of what the auditors are saying, in particular consider whether they might just have put their finger on genuine information risks that the organization probably ought to address in some way. Focus on addressing those risks and reaching agreement on suitable responses, rather than compliance. Make and seek little concessions, respond positively and home in on a resolution that both moves the business forward and leads to certification. Work with the auditors, each party treating the other as collaborators or colleagues with shared objectives. At the end of the day, either party can still reach for the big compliance stick if the negotiation stalls and the other party becomes stubborn, but that’s best left as a last resort option since it can lead to the same souring of the relationship. [This is generally a less stressful, less risky approach provided both parties are willing to play the game and move things forward. It helps if both parties have negotiation skills, or can get support from their managers/colleagues who do. It may take longer, though, which can be an issue if there are deadlines such as other audits or business demands. And there is inevitably some formality around this that needs to be respected. The auditors must meet their own obligations or risk losing their accreditation.]
But wait, there’s more.
The audit report, in particular the precise phrasing and wording of any adverse findings/noncompliance statements, is potentially another opportunity to clash or collaborate. Although the auditors own their report and have the final say (part of their formal independence), the auditee should have opportunities to review and discuss/respond to drafts, if appropriate challenging and ‘insisting’ that the details are factually correct. In general, the issue comes down to the facts and hence the audit evidence, which should be non-negotiable if the auditor has done a good job. The way those facts are documented, explained and interpreted is where the discussion tends to revolve. Again, both parties have their objectives/requirements, and it’s best if they negotiate a mutually satisfactory outcome and move ahead. Both parties being clear about priorities and overall objectives helps immensely.
And one last thing.
The relationship between auditor and auditee generally extends beyond an individual audit since audits are periodic. As well as the stage 1 and 2 certification audits, there are surveillance and re-certification audits to look forward to. So, the way the audit itself goes, the manner in which issues are raised, discussed and addressed, and the way audit findings and reports are resolved, is all part of the background for, and hence to some extent affects, future audits. Auditors who personally experienced or have been briefed about an intensely adversarial auditee in a previous audit are likely to anticipate a similar strategy and more aggravation on the next audit. Audit management might even consciously pre-select tough auditors who are strong in that situation for future audits, and likewise auditees might choose hard-nosed compliance specialists and negotiators to front-up their team, escalating matters. This can be the sting in the tail for auditors and auditees who have taken an unreasonably hard line in the past: it takes effort on both sides to turn things around and re-focus on more productive matters (namely the organization’s management of its information risks and security in support of business objectives), rather than the audit/certification process itself. 
* Experienced negotiators appreciate the game-playing aspect to the typical negotiation process. Clued-up players enter the arena well-prepared, with goals and bottom-lines clarified and various game-playing strategies not just in mind but ideally refined through previous events. Each game plays out within the rules (mostly!), the players attacking and defending, trying various approaches, each pushing towards their own goals and exploiting weaknesses in the other, while gradually establishing and reaching agreement on neutral ground (hopefully!). At the end, the players depart with yet more experience under their belts, ready for another encounter. Every negotiation is a rehearsal for the next. Same thing with audits.

** ISO/IEC 27006:2015 says:

  • "Certification procedures shall focus on establishing that a client’s ISMS meets the requirements specified in ISO/IEC 27001 and the policies and objectives of the client." (clause;
  • "The audit objectives shall include the determination of the effectiveness of the management system to ensure that the client, based on the risk assessment, has implemented applicable controls and achieved the established information security objectives." (clause;
  • "In addition to evaluating the effective implementation of the ISMS, the objectives of stage 2 are to confirm that the client adheres to its own policies, objectives and procedures." (clause ...
... and more. Auditees who are unclear about this, want to develop a sound, proactive strategy in preparation for their audits, or find themselves heading into a battle royale with the auditors, can study '27006 and ISO/IEC 17021-1:2015 (Conformity assessment — Requirements for bodies providing audit and certification of management systems — Part 1: Requirements) for additional insight into the certification audit objectives, process and constraints. 
Categories: NoticeBored