Human Resources

Human Resources, the Missing Piece From Every Security Program

Just as a ‘service on the Internet’, which we’ve had for decades, is now called The Cloud, Human Resources is now known by more touchy-feely names. Talent, People, Employee Success: they all sound great, but they don’t represent a fundamental shift in the functions the department performs. Or even in HOW it performs those functions, from what I’ve seen.

Regardless of what the department is called, I’ve never seen one take an active part in their organisation’s security program. Not one, in the better part of 20 years, and as I hope to demonstrate, this is a significant loss to everyone concerned.

HR are usually the very first people in an organisation that you talk to, often even before the interview process begins. They are the first ones who can instill the security culture in new candidates from the get-go. Anyone who has tried to implement a security awareness program knows that the loss of this ‘first impression’ makes the task exceedingly difficult. Unnecessarily so. If the joiners had just been told how important security is, AND received appropriate training, they would just accept it as a fact of life. Try and force it on them after they have already learned the bad behaviours and your impact is enormously reduced.

But there are 5 fundamental areas in security that, with HR’s help, would be significantly more effective:

  1. Onboarding – As I have already stated above, HR are the first people with whom new employees have interaction. The onboarding process is the perfect time to get everything out on the table. From Acceptable Use Policy / Code of Conduct, to security awareness training, security can be instilled from the very beginning. Now imagine if the CEO had a welcome letter prepared that emphasised the importance of data protection / privacy. Imagine further that this letter detailed what is expected of them, and asked them to take this aspect of their jobs seriously. There is ZERO cost associated with any of this, yet the positive impact on the security culture is immeasurable.
  2. Role Based Access Control – The hint is in the title; ROLE based. If HR broke the org chart into specific roles, granting appropriate access to all joiners, movers, and leavers would be that much simpler. In theory, everyone gets what I call ‘base access’, usually consisting of an email address and domain access. A role could then receive everything it needs to perform its basic job functions automatically. Then, an individual could apply for any additional access they require. Everything is now recorded appropriately, allowing for not only a demonstrable access control process, but the raw material for all access reviews. Especially those with elevated privileges.
  3. Policies, Standards, and Procedures – If you accept that policies represent the distillation of the corporate culture, standards are the baselines of ‘known good’ configurations, and procedures are the sum of all corporate knowledge, why aren’t these distributed at the beginning? First, most organisations don’t even HAVE these documents in place, at least not in a condition to meet the above criteria anyway. Second, even if they did exist, HR take no part in their distribution. Why not? If they assisted with RBAC per 2. above, surely it’s a simple step to have the relevant department heads decide which documents should be attributed to a specific role? Can you imagine it, every new employee knows 1) what they should and should not do, 2) how to do it, and 3) what to do it with!
  4. Security Awareness Training – OK, so HR are not security experts and will take very little part in developing the SAT content, but they should be involved in HOW it’s delivered. HR are the people experts; IT and IS professionals are usually quite the opposite. Training written by me would suit technical people, so who’s going to write it for everyone else? After all, it’s usually the ‘everyone else’ who are the cause of most of the issues. HR should also be tracking the annual SAT program and flagging any issues to the employee’s supervisor etc.
  5. Role Specific Procedures – This one is a bit of a stretch, but I can’t just have 4 bullet points. The concept is that part of everyone’s job description is to document every one of their repeatable tasks. If the procedure already exists, they could be challenged to improve it. In almost every job I’ve had there was a 3 month probation period. This review, and every performance review from that point forward, could include a procedure section where failure to develop appropriate content has negative repercussions. Or, for the glass-half-full folks, great documentation has rewards attached to it. Imagine how nice it would be if every new starter just moved forward and didn’t have to waste time re-inventing the wheel.
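As an added illustration of the joiners / movers / leavers model sketched in point 2 above (example code written for this page, not the author’s; the roles, entitlements, people and ticket numbers in it are invented), the following keeps ‘base access’, role-derived access and individually requested access as separately sourced grants, logs every event, and produces the raw material for a review of elevated privileges:

```python
"""Joiners / movers / leavers on top of a role catalogue.

Added example, not the author's code. Roles, entitlements, people and
ticket numbers below are invented for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# 'Base access' that every joiner gets regardless of role.
BASE_ACCESS = {"email", "domain-login"}

# Hypothetical role catalogue, as HR would derive it from the org chart:
# each role maps to the entitlements needed for the basic job function.
ROLE_ENTITLEMENTS = {
    "finance-analyst": {"erp-read", "expenses"},
    "payroll-admin": {"erp-read", "payroll-write"},
    "sysadmin": {"erp-read", "domain-admin"},
}

# Entitlements an access review must look at individually (invented set).
ELEVATED = {"domain-admin", "payroll-write"}


@dataclass
class Grant:
    entitlement: str
    source: str                     # "base", "role:<role>" or "request:<ticket>"
    approver: str
    expires: Optional[date] = None  # only individual requests expire


@dataclass
class Employee:
    name: str
    role: str
    grants: List[Grant] = field(default_factory=list)


class AccessRegistry:
    """Records every grant and every JML event so access reviews have raw material."""

    def __init__(self) -> None:
        self.people: Dict[str, Employee] = {}
        self.log: List[Tuple[date, str, str, str]] = []  # (when, who, action, detail)

    def _record(self, when: date, who: str, action: str, detail: str) -> None:
        self.log.append((when, who, action, detail))

    def join(self, name: str, role: str, when: date, approver: str = "hr") -> Employee:
        """Joiner: base access plus the role's entitlements, nothing else."""
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {role!r}")
        emp = Employee(name, role)
        for ent in sorted(BASE_ACCESS):
            emp.grants.append(Grant(ent, "base", approver))
        for ent in sorted(ROLE_ENTITLEMENTS[role]):
            emp.grants.append(Grant(ent, f"role:{role}", approver))
        self.people[name] = emp
        self._record(when, name, "join", role)
        return emp

    def move(self, name: str, new_role: str, when: date, approver: str = "hr") -> None:
        """Mover: swap the old role's grants for the new role's. Base access and
        individual requests survive the move, which is what a review must catch."""
        if new_role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {new_role!r}")
        emp = self.people[name]
        old_role = emp.role
        emp.grants = [g for g in emp.grants if g.source != f"role:{old_role}"]
        for ent in sorted(ROLE_ENTITLEMENTS[new_role]):
            emp.grants.append(Grant(ent, f"role:{new_role}", approver))
        emp.role = new_role
        self._record(when, name, "move", f"{old_role}->{new_role}")

    def leave(self, name: str, when: date) -> None:
        """Leaver: everything goes, base access included."""
        emp = self.people.pop(name)
        emp.grants.clear()
        self._record(when, name, "leave", "all access revoked")

    def request(self, name: str, entitlement: str, ticket: str,
                approver: str, when: date, days: int = 90) -> None:
        """Individual access beyond the role: carries a ticket, an approver and an expiry."""
        emp = self.people[name]
        emp.grants.append(Grant(entitlement, f"request:{ticket}", approver,
                                when + timedelta(days=days)))
        self._record(when, name, "request", f"{entitlement} via {ticket}")

    def effective(self, name: str) -> List[str]:
        return sorted({g.entitlement for g in self.people[name].grants})

    def review_elevated(self, today: date) -> List[Tuple[str, str, str, str, bool]]:
        """Rows of (who, entitlement, source, approver, expired) for every elevated grant."""
        rows = []
        for emp in self.people.values():
            for g in emp.grants:
                if g.entitlement in ELEVATED:
                    expired = g.expires is not None and g.expires < today
                    rows.append((emp.name, g.entitlement, g.source, g.approver, expired))
        return sorted(rows)


if __name__ == "__main__":
    reg = AccessRegistry()
    reg.join("alice", "finance-analyst", date(2017, 5, 1))
    reg.request("alice", "payroll-write", "CHG-1", "cfo", date(2017, 5, 1), days=30)
    reg.move("alice", "sysadmin", date(2017, 6, 1))
    for row in reg.review_elevated(date(2017, 7, 1)):
        print(row)
```

The point of tagging each grant with its source is that a move only swaps the role-derived grants; a request made in the old role (here the expired payroll-write ticket) is still there afterwards, and the review output shows who approved it and that it has lapsed, rather than leaving it for an auditor to discover.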

The fact is most HR departments are not geared to perform any of the above functions. They are simply not trained to do so. I can’t help thinking this is a terrible waste.

I’d actually love to hear from some HR folks, even if you’re gonna tell me I’m way out of line! 🙂

[If you liked this article, please share! Want more like it, subscribe!]

Ransomware

Ransomware, Stop Focusing on the Symptoms!

Once again, a ransomware outbreak (WannaCry) has dominated the media headlines, and cybersecurity vendors are scrambling to capitalise. At the time of this writing, the top 3 spots on Google for the search phrase ‘ransomware’ are 2 vendor ads, and one ad for cyber insurance. All but one of the page 1 results thereafter are doom and gloom / blamestorming ‘news’ stories. The one exception? Good old Wikipedia.

This is the exact same thing that happened the last time there was a ransomware attack, and the time before, and is the exact same thing that will happen the next time. Because there will be a next time.

From the Press’s perspective, this is just what they do, and you’re never going to see headlines like; “NHS Goes 6 Months Without a Breach!”, or “NHS Blocks Their 1,000,000th Attempted Hack!”. Only bad stuff sells, and frankly no-one gives a damn about cybersecurity unless they’re a victim, or they can make money off it.

I have dedicated many blogs to the criticism of cybersecurity vendors for being little better than ambulance chasers. This blog is no different. So let’s be very clear;

Ransomware is NOT a TECHNOLOGY problem!!

If your organisation is the victim of an attack, 99 times out of 100 it’s entirely your fault. Either your people, your process, or a combination of both were inadequate. And I’m not talking about your security program not being cutting-edge/best of breed, I’m talking about it being wholly inappropriate for YOUR business. It does not matter what business you’re in, you have a duty of care to know enough about security to address the issues.

Yes, the bad guys are a$$holes, but we’ve had bad guys for millennia and they will always be part of the equation. Security is, and has always been, a cost of doing business, so sack-up and take responsibility. And if you aren’t even doing the security basics, not only will technology be unable to help, but you deserve what you get.

Harsh? Yes, absolutely, because the basics don’t bloody well cost anything! Not in capital terms anyway. It takes what I, and every other like-minded consultant out there, have been preaching for decades;

Common sense!

  1. Don’t keep your important files on your computer – Keep your data on external encrypted hard drives and/or cloud drives. If it’s not ON your system, you can’t lose it. One caveat: an external drive that stays plugged in, or a cloud drive that syncs continuously, gets encrypted right along with the rest, so disconnect the drive when you’re not using it. In a perfect world you can Forget the Systems, Only the Data Matters.
  2. Patching – Your systems would have been immune from WannaCry if you had installed a patch made available by Microsoft in MARCH! I could rant for hours about this one, but there’s no point. You know you should be patching your systems, and if you don’t know that, you are clearly not from this planet. Your laptop or your PC is just a means to manipulate the data. Ideally you should completely reinstall your PC/laptop every 6 months to ensure that you have only 1) the latest and greatest versions of everything, 2) no extraneous crap you no longer use/need, and 3) no hidden malware.
  3. Back-Ups – I don’t care how little you know about computers, if you have one and are online, you damned well know you should be backing up your data. And not just to one location, several locations. Everyone from your operating system, to your bank, to your grandkids have told you about back-ups, so there’s no excuse. External hard drives are cheap, and the online Cloud drives are numerous. Use them all, and keep at least one copy offline so it can’t be encrypted with the original. Yes, I know this is different for a business, but not much.
  4. Don’t open every attachment you get – I feel stupid even writing this one, and it’s not just me talking from a position as a security professional. This is me talking from the position of someone who can read.

So from an organisation’s security program perspective, if you’d had these 4 basics in place, WannaCry would not have been an issue:

  1. Policies, Standards and Procedures – The dos, don’ts, how-tos, and what-withs of an organisation;
  2. Vulnerability Management – where patching sits;
  3. Incident response – where back-ups sit; and
  4. Security Awareness Training – self-explanatory


SOME technologies can make this stuff easier / more efficient, but fix the underlying processes and people issues first. That or get yourself a huge chunk of cyber insurance.


Policies & Procedures

Information Security Policy Set: It All Starts Here

Information Security Policies, or more accurately; Policies, Standards, & Procedures (a Policy Set) are the cornerstone of every security program. It is therefore rather odd, that not one client I have ever helped started with any of them in place. While not everyone is a security expert, everyone can be security savvy enough if, and ONLY if, what they are supposed to do is written down!

That’s what a good Policy Set is; an instruction manual on what to do, what not to do, why, and how.

I have written too many times on why a good Policy Set is important, and have used the term ‘baseline’ more times than I’ve had hot dinners. I have described what a Policy Set consists of, and even how to manage one, but what I have not done until now is describe how to find a Policy Set that’s right for your business.

First, you may be wondering what’s so hard about finding policies. And I agree; type “information security policy example” into Google and you’ll get tens of millions of hits. Universities readily publish theirs for the world to see (e.g. University of Bristol), and a whole host of organisations even make editable versions freely available. On top of that, online services with ridiculous promises like “THE ONLY WAY TO GET AN INFORMATION SECURITY POLICY CUSTOMIZED FOR YOU IN AN HOUR, GUARANTEED.” are depressingly common.

The challenge is that if you’re looking for information security policies in this fashion you clearly have no experience implementing them, let alone actually writing one yourself. An overly-dramatic analogy: I found thousands of instructions on emergency appendectomies; would you now trust me to perform one on you? A good Policy Set is one that is appropriate to your business. Not your industry sector, not the prevailing regulatory requirement: your business!

Therefore, if you don’t have security expertise in-house, it is very unlikely that you know the right questions to ask providers of Policy Sets. The vast majority of vendors will sell you what you ask for (can’t really blame them for this), so ensuring you get what you actually need is entirely based on the homework you performed beforehand.

To that end I have written something vaguely resembling a white paper to help you. In the imaginatively named ‘Choosing the Right Policy Set’ I have broken the choosing of a policy set vendor into 15 Questions. These could easily form the core of an RFI or RFP if you were taking this seriously enough.

Simple questions like; “Can you provide a Document Management Standard and Procedure?” or “Does your service include a mapping of policy statements to the PCI DSS?” are sometimes not even considered. But when you consider that the choosing of a policy set can be the difference between compliance and non-compliance, it makes sense to ask them. Up front!

90% of organisations will end up either throwing something together themselves, or buying the cheapest option available. That’s fine; when regulatory fines start getting handed out they will realise just how expensive their choice was.


ISO 27001 Certification

How to Begin Your ISO 27001 Certification Project

There are many consultants with significantly more ISO 27001 experience than I have. And type “how to begin ISO 27001” into Google and you’ll get ~8.2 million hits. So what makes me think I can do any better?

Actually, I’m not saying I can, but I am saying that my style of consulting seems to be conducive to getting such difficult projects off the ground quickly. Or at all, for that matter. No security project is more difficult than implementing an ISMS.

In last week’s blog, ISO 27001 Certification, Is It Really Worth It?, I stated that the top 5 reasons that ISO certification projects fail are:

  1. Grossly underestimating the level of effort;
  2. Doing it just to land a big contract (or for marketing purposes);
  3. Tying the certification to an overly aggressive deadline;
  4. Ignoring the expert help; and
  5. Having no business goals in mind.

It follows therefore that to make certification a success, you must overcome these challenges at a minimum. Sadly, nothing I say from this point forward will be in any way new. Some of what I have to say has been said dozens of times by me, and thousands of times by my peers and betters.

The Challenges

  1. Grossly underestimating the level of effort – Symptomatic of one thing; asking the wrong questions. If you had asked the right people the right questions you would KNOW just how difficult an ISO certification project is. No certification should be undertaken lightly, but there are more than enough ISO experts out there to make the level of effort abundantly clear.
  2. Doing it just to land a big contract (or for marketing purposes) – While I can empathise with this one, allowing what amounts to greed to provide the entire impetus for something that requires a fundamental shift in culture is naive at best. The promise of a big contract can, and often does, provide the initial business case for ISO certification. But to then focus entirely on doing just enough to land that project is a total waste of time and effort. Many good consultants will rightly walk away from such projects. It’s our reputation too.
  3. Tying the certification to an overly aggressive deadline – Usually an extension of 2 above, and will invariably derail the project before it begins. If all you’re focused on is a looming deadline, nothing will be done properly, nor will it be sustainable. Remember, ISO certification requires 6 month health checks, and an unsustained ISMS will result in the removal of your certification. Quite right too.
  4. Ignoring the expert help – You don’t go to the doctor and tell them you have a brain tumour. You tell them you have a headache and let them do the rest. So why would you hire an ISO expert and then argue with them every step of the way just because you don’t like what you hear? A good consultant will not ask you for anything they already have, or do not need, so either do the work or stop the project if it’s too much.
  5. Having no business goals in mind – Contracts, even very large ones, are not business goals, they are a means to achieving a business goal. Done correctly, an ISMS can enable almost every goal you’d care to mention. Done correctly. Before you begin your project, find out what your CEO’s goals are and map the ISMS efforts to them. Miss this step and you will fail every time.

I use the word ‘recommend’ very carefully, but I HIGHLY recommend that you put all the relevant stakeholders through a 1 day ISMS training session to set the scene. Without this context, you will have no support.

If the CEO can’t even make an appearance at this session, that will tell you all you need to know about how your project is going to go.


ISO 27001 Certification

ISO 27001 Certification, Is It Really Worth It?

For the last decade, ISO 27001 certification has been the de facto standard for security programs across the globe. The only problem is, few organisations can be bothered with it. In the years of its existence, I have been asked about implementing it a total of twice.

Why?

The reasons are numerous, and vary from organisation to organisation. However, they most often fall within these categories. The client has:

  1. never actually heard of it;
  2. doesn’t care about cybersecurity;
  3. thinks it’s too difficult;
  4. thinks it’s too expensive; and
  5. cannot see a return on investment (ROI).

But the biggest reason I have not been involved in ISO that much?… The Payment Card Industry Data Security Standard (PCI DSS). Which coincidentally, began at almost the same time.

All by itself, PCI has sucked the security budgets out of enough organisations that there was little left for anything else. And if I’m honest, because of PCI, I haven’t had to go looking for any other work.

Think about that for just a minute…

A very basic, controls-only standard, related to a single form of data, that’s not even a law, has driven enough business my way that I have not had to worry about diversifying.

And frankly, I still don’t, but with what’s going on here in the EU, we are all going to need something better. From the General Data Protection Regulation (GDPR) to the Payment Services Directive (PSD2), the regulatory landscape is finally making real security a necessity.

It follows therefore that organisations will begin looking to ISO for options.

And that’s really the point, can the ISO standards actually help, or is the 2700X series just a bunch of meaningless paperwork? At first glance, it certainly looks that way, and few organisations choose to go any further. And the ones that do, get so lost in the paperwork that they forget why they are doing it. It’s only when the framework is fully customised and implemented, that you see its true and significant benefits.

However, before you look to ISO, you absolutely MUST do your homework! You have to know exactly what an Information Security Management System (ISMS) is, why you’re doing it, and how you’re going to keep it going. If you can’t answer those questions, don’t start, because you will never cross the finish line.

The biggest killers of ISO certification projects, are, in this order:

  1. Grossly underestimating the level of effort;
  2. Doing it just to land a big contract (or for marketing purposes);
  3. Tying the certification to an overly aggressive deadline;
  4. Ignoring the expert help; and
  5. Having no business goals in mind.

These are usually exacerbated by not getting senior leadership support, and then failing to tailor ISO to your needs. So what organisations end up with 99 times out of 100 is a stalled project and an external consultant taking all the blame.

ISO 27001 certification is bloody difficult…

…just accept that from the beginning. It requires commitment from every aspect of your organisation, and will only be effective if you enable the culture shift necessary to embrace it properly.

Strangely enough though, it actually looks fairly simple, as the ISO 27001 standard itself is only 30-odd pages long and has only 114 controls. However, for every 1 of those controls, there are an average of 4 additional aspects to consider from the NINETY-odd page ISO 27002. Then, if that’s not enough, you must show some kind of evidence that you are actually doing what you say you are!

For example, the very first ISO 27001 control is “A.5.1.1 – Policies for information security – A set of policies for information security shall be defined and approved”. Sounds simple enough until you realise that there are a minimum of 19 suggested ‘Implementation Guidance’ factors behind it.

From requiring that Information Security Policies address “business strategy” and “regulation, legislation and contract”, to the suggested ‘examples’ of “policy topics”, A.5.1.1 becomes a project all by itself. Then, assuming you get all this paperwork together, you have to ensure that the policies are “communicated to employees and relevant external parties in a form that is relevant, accessible and understandable to the intended reader, e.g. in the context of an ‘information security awareness, education and training programme’ (see 7.2.2).” Finally, you then need to provide some ‘record’ that this is all implemented, or that you have a risk treatment plan in place that shows you’re going to get it implemented …how …and when.

There are 114 of these, and even if you decide a few of them are not relevant to you, you must fully justify their EXclusion.

Not trying to put you off, the implementation of an appropriate ISMS is one of the best things you can do for your business as a whole. Just make sure you start out the project for the right reasons, with the right support, and the right goals in mind. And for GOD’S sake, get an expert in for a day FIRST to show all major stakeholders what to expect BEFORE you commit to the full project!

I see ISO 27001 certification becoming a must-have for almost any business, but only if it’s done properly.
