Document Management System, How’d I Miss That!?

In all my years performing security assessments, and even providing my own policy and procedure service, somehow I have completely missed out on HOW to actually manage the policies, standards and procedures. Yet I have harped on about them incessantly.

Yes, I have mentioned a Document Management System (DMS) as a way of controlling and distributing documents, but I had never really given thought to how you would go about maintaining the library of documents that almost all organisations collect over time.

It may not sound like an important subject, until you realise that no policy, standard, or procedure means anything unless it’s the RIGHT one. Is the procedure you’re working from the latest version? Are you in violation of a policy that can lead to you getting fired because you’re looking at a printed copy from 2014? Are you holding your vendors accountable to SLAs in the latest contract?

The first thing I have noticed is that it’s incredibly easy to over-complicate the whole thing to the point it’s unsustainable. It must be intuitive for anyone to follow, and it must be easy to manage, or like everything else in security, it will be bypassed.

I would love to hear from a true expert on how this is done, but for now, here is what I think is best:

  1. Document Numbering: Have enough information that you know at a glance what the document is, but not so much that it’s 100 characters long. For example:

    * First 2 characters are the company name, or a designation of external (e.g. CN, or EX)
    * Second 2 characters are the document type (e.g. PO = Policy, PR = Procedure etc.)
    * Third 2 characters are the applicable region (e.g. GL = Global, GB = United Kingdom, etc.)
    * Fourth 2 characters are the applicable department (e.g. XX = All departments, LG = Legal, SE = Security etc.)
    * Last 4 characters are the unique number (e.g. 0000 – 9999)

  2. Revision Number: rX.0 for a major release, and rX.1 for a minor release. So the first draft would be r1.0, a slight change would be r1.1, and a complete rewrite would be r2.0 and so on.
  3. Friendly Name: What’s the document title? e.g. “Access Control Policy”
  4. Document Status: One of only 3 things: DRAFT, RELEASED, or OBSOLETE, all self-explanatory

So, for Acme Rockets Ltd., a first draft of a global legal policy on access control would be ‘AR-PO-GL-LE-0001-r0.1 – Access Control Policy-DRAFT’, and a rewrite of a vendor contract related to a firewall managed service procedure specific to the UK would be ‘EX-PR-GB-SE-0003-r2.0 – Firewall Managed Service Procedure-RELEASED’.

Assuming I haven’t completely lost you, the next step is to work out how to get them into a centralised, access-controlled library to which EVERYONE who needs access has it. Every RELEASED version of the entire policy and procedure set needs to be online, and its location familiar to the entire company. No printed version can ever be trusted unless the number, name, and status match (these should be printed in the document header).

Finally, and here’s the real kicker; EVERY document in use in the organisation needs to be entered into a Master Documents Record (MDR) of some sort, and maintained to an extremely high degree of integrity. In theory you could use your Intranet or SharePoint for the central location and an Excel spreadsheet for your MDR, but best of luck keeping that up to date in a large org.
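As an added illustration of the numbering scheme above and of the printed-copy check against the Master Documents Record, here is a small parser and validator. This is example code written for this page, not a tool from the blog or any DMS product; the MDR contents, the field names and the assumption that the header separator is a spaced dash are all constructed here.

```python
import re
from dataclasses import dataclass

# Header layout assumed from the examples on this page:
#   CC-TT-RR-DD-NNNN-rX.Y – Friendly Name-STATUS
DOC_RE = re.compile(
    r"^(?P<org>[A-Z]{2})-(?P<kind>[A-Z]{2})-(?P<region>[A-Z]{2})-(?P<dept>[A-Z]{2})"
    r"-(?P<num>\d{4})-r(?P<major>\d+)\.(?P<minor>\d+)"
    r"\s[-\u2013]\s(?P<title>.+?)-(?P<status>DRAFT|RELEASED|OBSOLETE)$"
)

@dataclass(frozen=True)
class DocRef:
    number: str               # e.g. "AR-PO-GL-LE-0001": the stable identity of the document
    revision: tuple[int, int]  # (major, minor), e.g. (2, 0)
    title: str
    status: str

def parse_document_id(text: str) -> DocRef:
    """Parse one header string in the naming scheme; raise on anything malformed."""
    m = DOC_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a valid document identifier: {text!r}")
    g = m.groupdict()
    number = "-".join((g["org"], g["kind"], g["region"], g["dept"], g["num"]))
    return DocRef(number, (int(g["major"]), int(g["minor"])), g["title"].strip(), g["status"])

# Constructed sample MDR: one record per document number, holding the current RELEASED revision.
MDR = {
    "EX-PR-GB-SE-0003": DocRef("EX-PR-GB-SE-0003", (2, 0), "Firewall Managed Service Procedure", "RELEASED"),
    "AR-PO-GL-LE-0001": DocRef("AR-PO-GL-LE-0001", (1, 0), "Access Control Policy", "RELEASED"),
}

def printed_copy_is_current(header: str, mdr: dict) -> tuple[bool, str]:
    """Check a printed copy's header against the MDR: number, name and status must all
    match the current RELEASED record, otherwise the copy is not to be trusted."""
    try:
        ref = parse_document_id(header)
    except ValueError as exc:
        return False, str(exc)
    current = mdr.get(ref.number)
    if current is None:
        return False, f"{ref.number} is not in the MDR"
    if ref.status != "RELEASED":
        return False, f"copy is marked {ref.status}, not RELEASED"
    if ref.revision != current.revision:
        return False, (f"copy is r{ref.revision[0]}.{ref.revision[1]}, "
                       f"current is r{current.revision[0]}.{current.revision[1]}")
    if ref.title != current.title:
        return False, "title does not match the MDR entry"
    return True, "matches the current RELEASED record"
```

A copy that fails any one of the four checks (unknown number, non-RELEASED status, stale revision, mismatched title) is reported as untrusted with the reason, which is the same decision a reader holding a 2014 printout should be able to make from the header alone.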

So, am I, David Froud, actually suggesting that larger organisations buy technology to solve a business problem despite my constant warnings not to do so?

Yes, yes I am.

I’m in Information Security, I Don’t OWN Anything!

In 16 years of information security consulting, I never worked at an organisation where ownership of any aspect of the IT function was in the right place, let alone IT Security.

Anyone who has ever worked in IT, regardless of the discipline, knows that the business side of the organisation cares nothing for HOW things are done, they only care that they GET done. Ever try talking to a salesperson about total cost of ownership for their bright ideas on driving revenue?

To be fair, the salespeople don’t have to care, but someone from that side of the business sure as Hell does. Even a £1,000,000 deal is pointless if it costs £2,000,000 to deliver it. Both the business side and the IT side have failed if they cannot easily determine the suitability of the deal. However, it’s the business side that is responsible for justifying a project, not IT, not IT Security, the business side.

THEY own it.

Luckily, the steps for getting this information together in the right format are, quite literally, centuries old:

  1. Perform a Risk Assessment (RA) – As boring as this sounds, ANY change to an organisation, even one that seems like a no-brainer, presents risk. Keep it simple, and brief, but without an understanding of the risk, there’s no context for the reward. Selling your only bottle of water for £1,000.00 is a great deal …unless you’re in the middle of a desert.
  2. Perform a Business Impact Analysis (BIA) – This is often seen as a negative thing, where you are spelling out the cost if something bad happens. There’s no reason that positives cannot be built in, and often this is entirely appropriate. If the risk determined above, and the cost of bad things happening, is far outweighed by the benefits, then the decision to proceed, or not, becomes much easier to make.
  3. Develop a Project Plan – This one rarely gets done properly, but without it, the true cost of a proposed project cannot be determined. The plan needs to spell out everything that is required, including resource and capital costs, and time-frame. Done properly, this will develop into little more than a list of every action item, assigned to individuals, with due dates.

IT and IT Security will be very much involved in this process, as could many other departments depending on the project in question. Legal may be involved from a contractual or regulatory perspective, HR may jump in if they are organised enough to have employee skill-set mappings, marketing will certainly want the heads-up if they are to be called on later, and so on.

This is why the best companies have three things: 1) a robust Project Management function, 2) a standardised process for requesting project resources, and 3) a centralised Governance function that brings all of an organisation’s decision makers together in one room.

From the RA and BIA you know the cost of doing and NOT doing something in terms of both bad things happening, and potential lost revenue. From the project plan you know what it will take to proceed. The project management function will be able to tell you everything missing from the end goal, and how to get there, and the Governance function will then have everything they need to make EDUCATED recommendations to the executive leadership regarding investment.

This is why IT and IT Security can never OWN anything, they are there to enable, not run the business.

There’s No Regulatory Compliance Without Governance

I don’t think anyone can doubt that the regulatory landscape relative to data privacy has tightened significantly over the last few years. I also think few will doubt that this tightening will continue, given the enormous growth in things like big data analytics, artificial intelligence, alternative payment methods, mobile, and of course, the Internet of Things.

Most businesses have given considerable thought on how to take advantage of these things, and may even have existing projects in place to exploit them, but without a program of IT Security Governance in place to provide the right input, at the right time, these projects could rapidly become a regulatory and financial albatross.

But what do I mean by Governance? According to Wikipedia, Governance “…relates to the processes of interaction and decision-making among the actors involved in a collective problem that lead to the creation, reinforcement, or reproduction of social norms and institutions.”

According to ICSA – The Governance Institute, it is “…the way that an organisation is directed and controlled. It is the toolkit for the processes and the oversight which drives the highest standards of leadership, accountability and behaviour. Strong governance helps boards and organisations to achieve their goals by acting appropriately and fairly.”

I could find 100 different descriptions, and none of them would be wrong, or even inappropriate to my message, but it’s a lack of understanding of what true Governance is that causes so many organisations to ignore it altogether. Without Governance, you don’t have any form of compliance, internal or external, let alone real security. End of story. It is one of The 4 Foundations of Security, and arguably the most important.

I like to simplify, so to me Governance is: “The business side and the IT side having appropriate conversations.” That’s it. The business side will ALWAYS own and control an organisation’s goals, and rightfully so; the ONLY role of IT is to support and enable the achievement of those goals. Nothing more.

That said, exclude IT and IT Security from ANY aspect of the strategy and planning processes and you’re in for a world of hurt. Security is never more expensive or ineffectual than when it’s retrofitted on a broken process. IT is NOT there to say no, they are there to say, OK, but do it this way from the beginning. IT Security are no different, and there is not one regulation on the planet that cannot be met if the proper planning is performed at the beginning.

As an extension to this, without Governance, the Legal, IT and IT Security departments can and do get in the way. It’s their JOB to protect the organisation! Too often Sales goes crying up to the CEO that someone is in the way of them doing business, and an edict comes from on high that completely circumvents the checks and balances that are there for a very good reason.

Governance controls this process and ensures that the needs of all sides, and therefore the entire business, are met with the minimum of delay or inefficiency. It is represented by Legal, IT, IT Security, HR, Sales, Marketing, you name it, everyone must have their say. There is simply nothing more important to a business’s health and future than a well run cross-functional unit that has executive management support.

As an example, think about how important big data analytics has become to some organisations whose very existence is driven by transforming data into information. Harmless content can become PII, and AI can create profiles that would attract significant penalties without the collection of appropriate consent. With input from Legal, IT Security, and Data Analytics, a comprehensive strategy can be put in place to develop a product that meets regulatory needs. Then Marketing and Sales can do their thing and everyone wins.

Governance is both the way and the means to get these teams in the same room and talking about the same goal; no other function in the organisation has this much influence.

And it’s all so simple.

Stop Wasting Your Security Budget on Technology

Don’t get me wrong, I love toys. I’ve had every version of the iPhone since its inception and have, quite literally, a drawer full of the old ones. I also cannot even tell you how many electronic gadgets I have sitting in boxes that I had wanted badly, used once or twice, and eventually packed away after watching them gather dust for months / years on end.

I could start my own eBay with this stuff. Or a museum.

In this context, technology is harmless. Every toy I have is offline, provides no access to sensitive data of any sort, and simply demonstrates that I have more money than sense. Though in truth, I have very little of both.

This becomes a far riskier proposition when organisations throw technology at broken processes, especially when those processes are directly related to some compliance / regulation requirement of some sort. PCI for example, has driven technology purchases (both infrastructure and outsourced managed services) like no other regulation before it.

This is because the DSS called for technologies by name; firewalls, anti-virus, intrusion detection/protection systems, file integrity monitoring and so on, and instead of performing a risk assessment FIRST, most organisations went straight out and spent money on things that likely provide no security benefits whatsoever. It takes significant expertise to extract value from technology.

And no technology related to information security can ever provide benefit unless:

  1. It was purchased to fulfil a properly defined business need (via risk assessment, business impact analysis, and Governance)
  2. It is appropriate for the current needs, but can scale for future growth, or reduce in the case of managed services (speaks to controls selection and vendor due diligence processes)
  3. It was purchased with full understanding of who is responsible for the following, and how they are to be accomplished:
    i.   Installation and integration with established processes
    ii.  Ongoing maintenance and updates
    iii. Monitoring and incident response
  4. It has properly defined metrics to measure its production capability against the originally defined requirements, and those resulting from a changing threat landscape (via vulnerability management and ISMS)
  5. It is constantly baselined against an established ‘known-good’ state. If it’s not simple, it’s not secure. Period / Full Stop.

Think about this another way; every appliance you buy is just a server, with an operating system, running an application, and regardless of how much effort went into hardening this system against an attack, the bad guys get smarter every day. Secure today is no indication of security tomorrow (just ask Juniper about their backdoor challenges).

The purchase of any new technology is always the last of these three options:

  1. Examine your business processes to determine whether or not you really need to process / keep the sensitive data in the way you currently do. i.e. can you tokenise, truncate, delete entirely, or outsource etc?
  2. Examine your current infrastructure and procedures to see if adjustments here can fill the gaps exposed by the risk assessment and gap analysis
  3. Buy an appropriate technology in line with the 5 pre-requisites above.

Equal effort needs to go into maintaining current capability using existing technology and decommissioning obsolete technology as buying new capability, and not one of these decisions falls outside of a properly run security program in-line with business goals.

You really must ask the right questions, or you’ll get what you asked for, not what you need. Security vendors will not help you here, it will be up to you.

From Corporate, to Start-Up, and Back Again

In 2013 I was made redundant from a company where I had worked for the previous 12.5 years. I had grown with the company from the 14th person to join (as a firewall admin) to a position leading 28 people across 14 time zones in a company of over 1,000.

I subsequently discovered that I was basically unhirable, so I started my own consulting practice, which I thoroughly enjoyed. I then joined a very small start-up for a year, which I thoroughly enjoyed, and went back to my own practice.

I swore up and down that I would never go corporate, ever again. I convinced myself that there was never enough freedom, or room for innovation, or ability to make a difference in a large organisation to EVER go back. Not that ‘corporate’ would ever have me back.

Now here I am, at the end of my 3rd week at an organisation that is bigger by far than any I have ever worked for previously.

…and I’m thoroughly enjoying it.

Many times in the course of my blogs I have expounded on the need for self-reflection, on being honest with yourself enough to know when something was entirely your fault, and to adjust your career choices accordingly. Well clearly I had mistaken ‘corporate’ for my own inability to effectively create the change needed to stop me from being made “redundant”.

While I’m not saying I now have that ability, as I will always have a big mouth, when you’re in an organisation where ALL seem to want the change you’ve craved your whole career, it’s a feeling unlike any I’ve ever experienced at work. I’ve never needed, or even particularly wanted, to be part of a team growing up; I now find myself in one.

…and I like it.

Frankly I’m not even sure why I’m writing this blog, except perhaps as a tip for those who find themselves in a position where they cannot decide on what’s the right place for them to work. Corporate, start-up, self-employed, or somewhere in between. Every one of my jobs had its benefits, and had its downsides, and I’m under no illusion that this one will be the same. The only difference this time, is that I have now seen both sides of the fence.

It’s not the fence that matters, your skills and talents have no fences.

The only reason I think that corporate fails to attract the truly entrepreneurial is that they are still very attached to job titles and descriptions, effectively pigeon-holing a person into a role that will always limit them. It’s the organisations that go looking for talents to fill known functional gaps, but then get out of the person’s way, that will attract the game changers.

Not saying I’m a game changer, but my title was only assigned to complete a field in the HR system, and my job description was a run-down of the challenges my new organisation was facing. And in just 3 weeks I have not only learned more than I did in the last 6 months, I have a learning curve ahead of me for which I can see no end.

I loved running my own business, and have no regrets about the start-up, but this little adventure is a revelation that has me very excited for the future. And the lesson I learned from all this?

Don’t limit where you look for your next job, just ask the right questions.