GDPR Step-by-Step - Documentation

GDPR Compliance Step-by-Step: Part 5 – Documentation

As a consultant there’s nothing I like more sitting around a table with a bunch of really smart people simplifying complex issues and guiding them towards an appropriate and effective security program.

Then someone has to go spoil the ride by saying; “That sounds great David, when can we expect the report?” [sob] 

‘Documentation’ really should be a 4-letter word.

Continue reading
GDPR Step-by-Step Part 1 - Prerequisites

GDPR Compliance Step-by-Step: Part 1 – The Prerequisites

Roughly half the blogs I’ve written in the last 6 months have been about the GDPR or privacy in general. I could take this as a good sign in that it beats hands-down writing about PCI, but the reasons I write about both of these ‘regulations’ in the first place are two-fold:

  1. Organisations do so little homework on applicable regulatory compliance that they leave themselves wide open to unscrupulous vendors and consultants; and
    o
  2. I want to do everything in my power to protect organisations from those unscrupulous vendors and consultants.
Continue reading
Human Resources

Human Resources, the Missing Piece From Every Security Program

Like a ‘service on the Internet’ – which we’ve had for decades – is now called The Cloud, Human Resources is now known by more touchy-feely names. Talent, People, Employee Success, all sound great, but they don’t represent a fundamental shift in the functions they perform. Or even HOW they perform those function from what I’ve seen.

Regardless of what the department is called, I’ve never seen one take an active part in their organisation’s security program. Not one, in the better part of 20 years, and as I hope to demonstrate, this a significant loss to everyone concerned.

HR are usually the very first people in an organisation that you talk to, often even before the interview process begins. They are first ones who can instill the security culture in new candidates from the get-go. Anyone who has tried to implement a security awareness program knows that the loss of this ‘first impression’ makes the task exceedingly difficult. Unnecessarily so. If the joiners had just been told how important security is, AND received appropriate training, they would just accept it as a fact of life. Try and force it on them after they have already learned the bad behaviours and your impact is enormously reduced.

But there are 5 fundamental areas in security, that with HR’s help, would be significantly more effective:

  1. On-Boarding – As I have already stated above, HR are the first people with whom new employees have interaction. The on-boarding process is the perfect time to get everything out on the table. From Acceptable Use Policy / Code of Conduct, to security awareness training, security can be instilled from the very beginning. Now imagine if the CEO had a welcome letter prepared that emphasised the importance of data protection / privacy. Imagine further that this letter detailed what is expected them, and to take this aspect of their jobs seriously. There is ZERO cost associated with any of this, yet the positive impact of the security culture is immeasurable.
    o
  2. Role Based Access Control – The hint is in the title; ROLE based. If HR broke the org chart into specific roles, granting appropriate access to all joiners, movers , and leavers would be that much simpler. In theory, everyone gets what I call ‘base access’, usually consisting of email address and domain access. A role could then receive everything they need to perform their basic job functions automatically. Then, an individual could apply for any additional access they require. Everything is now recorded appropriately, allowing for not only a demonstrable access control process, but the raw material for all access reviews. Especially those with elevated privileges.
    o
  3. Policies, Standards, and Procedures – If you accept that policies represent the distillation of the corporate culture, standards are the baselines of ‘known good’ configurations, and procedures are the sum of all corporate knowledge, why aren’t these distributed at the beginning? First, most organisations don’t even HAVE these documents in place, at least not in a condition to meet the above criteria anyway. Second, even if they did exist, HR take no part in their distribution. Why not? If they assisted with RBAC per 2. above, surely it’s a simple step to have the relevant department heads which documents should be attributed to a specific role? Can you imagine it, every new employee knows 1) what they should and should not do, 2) how to do it, and 3) what to do it with!
    o
  4. Security Awareness Training – OK, so HR are not security experts and will take very little part in developing the SAT content, but they should be involved in HOW it’s delivered. HR are the people experts, IT and IS professions are usually quite the opposite. Training written by me would suit technical people, who’s going to write it for everyone else? After all, it’s usually the ‘everyone else’ who are the cause of most of the issues. HR should also be tracking the annual SAT program and flagging any issues to the employee’s supervisor etc.
    o
  5. Role Specific Procedures – This one is a bit of a stretch, but I can’t just have 4 bullet points. The concept is that part of everyone’s job description is to document every one of their repeatable tasks. If the procedure already exists, they could be challenged to improve it. In almost every job I’ve had there was a 3 month probation period. This review, and every performance review from that point forward could include a procedure section where failure to develop appropriate content has negative repercussions. Or, for the glass-half-full folks, great documentation has rewards attached to it. Imagine how nice it would be is every new starter just moved forward and didn’t have to waste time re-inventing the wheel.

The fact is most HR departments are not geared to perform any of the above functions. They are simply not trained to do so. I can’t help thinking this is a terrible waste.

I’d actually love to hear from some HR folks, even if you’re gonna tell me I’m way out of line! 🙂

[If you liked this article, please share! Want more like it, subscribe!]

Ransomware

Ransomware, Stop Focusing on the Symptoms!

Once again, a ransomware outbreak (WannaCry) has dominated the media headlines, and cybersecurity vendors are scrambling to capitalise. At the time of this writing, the top 3 (non-paid advertising) spots on Google to the search phrase ‘ransomware’ are 2 vendor ads, and one ad for cyber insurance. All but one thereafter on page 1 results are doom and gloom / blamestorming ‘news’ stories. The one exception? Good old Wikipedia.

This is the exact same thing that happened the last time there was a ransomware attack, and the time before, and is the exact same thing that will happen the next time. Because there will be a next time.

From the Press’s perspective, this is just what they do, and you’re never going to see headlines like; “NHS Goes 6 Months Without a Breach!”, or “Acme Co. Blocks Their 1,000,000th Attempted Hack!”. Only bad stuff sells, and frankly no-one gives a damn about cybersecurity unless they’re a victim, or they can make money off it.

I have dedicated many blogs to the criticism of cybersecurity vendors for being little better than ambulance chasers. This blog is no different. So let’s be very clear;

Ransomware is NOT a TECHNOLOGY problem!!

If your organisation is the victim of an attack, 99 times out of 100 it’s entirely your fault. Either your people, your process, or a combination of both were inadequate. And I’m not talking about your security program not being cutting-edge/best of breed, I’m talking about it being wholly inappropriate for YOUR business. It does not matter what business you’re in, you have a duty of care to know enough about security to address the issues.

Yes, the bad guys are a$$holes, but we’ve had bad guys for millennia and they will always be part of the equation. Security is, and has always been, a cost of doing business, so suck-up and take responsibility. And if you aren’t even doing the security basics, not only will technology be unable to help, but you deserve what you get.

Harsh? Yes, absolutely, because the basics don’t bloody well cost anything! Not in capital terms anyway. It takes what I, and every other like-minded consultant out there have been preaching for decades;

Common sense!

  1. Don’t keep your important files on your computer –  Keep your data on external encrypted hard drives and/or cloud drives. If it’s not ON your system, you can’t lose it. In a perfect world you can Forget the Systems, Only the Data Matters;
    o
  2. Patching – Your systems would have been immune from WannaCry if you had installed a patch made available by Microsoft in MARCH! I could rant for hours about this one, but there’s no point. You know you should be patching your systems, and if you don’t know that, you are clearly not from this planet. Your laptop or your PC is just a means to manipulate the data. Ideally you should completely reinstall your PC/laptop every 6 months to ensure that you have only 1) the latest and greatest versions of everything, 2) no extraneous crap you no longer use/need, and 2) no hidden malware;
    o
  3. Back-Ups – I don’t care how little you know about computers, if you have one and are online, you damned well know you should be backing up your data. And not just to one location, several locations. Everyone from your operating system, to your bank, to your grandkids have told you about back-ups, so there’s no excuse.  External hard drives are cheap, and the online Cloud drives are numerous. Use them all. Yes, I know this is different for a business, but not much;
    o
  4. Don’t open every attachment you get – I feel stupid even writing this one, and it’s not just me talking from a position as a security professional. This is me talking from the position of someone who can read.

So from an organisation’s security program perspective, if you’d had 4 basics in place, WannaCry would not have been an issue:

  1. Policies, Standards and Procedures – The dos, don’ts, how-tos, and what-withs of an organisation;
  2. Vulnerability Management – where patching sits;
  3. Incident response – where back-ups sit; and
  4. Security Awareness Training – self-explanatory

SOME technologies can make this stuff easier / more efficient, but fix the underlying processes and people issues first. That or get yourself a huge chunk of cyber insurance.

[If you liked this article, please share! Want more like it, subscribe!]

Policies & Procedures

Information Security Policy Set: It All Starts Here

Information Security Policies, or more accurately; Policies, Standards, Procedures, & Guidelines (a Policy Set) are the cornerstone of every security program. It is therefore rather odd, that not one client I have ever helped started with any of them in place. Not appropriately anyway. While not everyone is a security expert, everyone can be security savvy enough if, and ONLY if, what they are supposed to do is written down!

That’s what a good Policy Set is; an instruction manual on what to do, what not to do, why, and how.

I have written too many many times on why a good Policy Set is important, and have used the term ‘baseline’ more times than I’ve had hot dinners. I have described what a Policy Set consists of, and even how to manage one, but what I have not done up till now was to describe how to find a Policy Set that’s right for your business.

First, you may be wondering what’s so hard about finding policies. And I agree; type “information security policy example” into Google and you’ll get tens of millions of hits. Universities readily publish theirs for the world to see (e.g University of Bristol), and a whole host of organisations even make editable versions freely available. On top of that, online services with ridiculous promises like “THE ONLY WAY TO GET AN INFORMATION SECURITY POLICY CUSTOMIZED FOR YOU IN AN HOUR, GUARANTEED.” are depressingly common.

The challenge is that if you’re looking for information security policies in this fashion you clearly have no experience implementing them, let alone actually writing one yourself. An overly-dramatic analogy; I found thousands of instructions on emergency appendectomies, would you now trust me to perform one on you? A good Policy Set is one that is appropriate to your business. Not your industry sector, not the prevailing regulatory requirement, your business!

Therefore, if you don’t have security expertise in-house, it is very unlikely that you know the right questions to ask providers of Policy Sets. The vast majority of vendors will sell you what you ask for (can’t really blame them for this), so ensuring you get what you actually need is entirely based on the homework you performed beforehand.

To that end I have written something vaguely resembling a white paper to help you. In the imaginatively named ‘Choosing the Right Policy Set‘ I have broken the choosing of a policy set vendor into 15 Questions. These could easily form the core of an RFI or RFP if you were taking this seriously enough.

Simple questions like; “Can you provide a Document Management Standard and Procedure?” or “Does your service include a mapping of policy statements to the PCI DSS?” are sometimes not even considered. But when you consider that the choosing of a policy set can be the difference between compliance and non-compliance, it makes sense to ask them. Up front!

90% of organisation will end up either throwing something together themselves, or buying the cheapest option available. That’s fine, but when regulatory fines start getting handed out they will realise just how ‘expensive’ their choice was.

[If you liked this article, please share! Want more like it, subscribe!]