Want to Stay Compliant, Work WITH Internal Audit

Internal Audit.

It’s right up there with Traffic Wardens, Used Car Salesman, and Lawyers, isn’t it? You get a phone call from Internal Audit (IA) and it feels like you’ve just been sent to the Head Master’s office!

But why? If you have been doing everything right, following appropriate policies and procedures, have ACTUALLY read the Acceptable Use / Code of Conduct, why would this be any different? I mean, even SECURITY winces at IA, and we’re total pariahs ourselves!

This is unfortunate, because like it or not, every department needs someone to provide checks and balances. Someone who can look at everything with a fresh and objective pair of eyes, someone not answerable to YOUR boss so can tell them how it is without repercussions, someone who can suggest changes that you know should happen, but fear / politics prevents you from saying anything.

Take your pick, regardless of how you view IA, they, like InfoSec, are an necessary evil in a world where both the threat and regulatory landscapes are spinning out of control.

Best practice frameworks like ISO 27001 call for Internal Audit by name, and an ever increasing number of regulators are requiring  evidence FROM IA processes so that organizations demonstrate that they are actually complying with their own policies. This should not be a hardship, if your corporate security culture was adequate, this would not be an issue. Look to the senior leadership, it they don’t care, no-one else will.

I have stated over and over again that if you were doing security properly, EVERY compliance regulation on the planet would fall out the back-end (plus or minus some customised reporting). Not one has ever, and likely WILL never go above industry accepted best practices, as no-one is looking for perfection, just risk-reduction enough.

It makes perfect sense to me therefore that you would put a watcher on the watchers. Security have their fingers in almost every business pie, just to make sure that proper security controls are built in from the beginning. Like Legal, security is there to save the business from itself, and done properly, it should NEVER get in the way.

This can lead to a certain complaisance, or blinkered view of the world, IA can provide the necessary perspective to continually test processes that that could potentially stagnate if not seen through an objective lens. And who knows, because IA generally have direct (if dotted line) access senior leadership, there is a very good chance your requests for budget/resources will be looked on favorably if supported by an entity mostly immune from repercussions.

In this context therefore, Internal Audit is the conscience of Security; Are the controls enough?; Are they too much?; Are they easily measured?; are they flexible enough to adapt to business goals?; etc…

From the very first policy draft, to the almost ubiquitous Plan, Do, Check, Act of ISO 2700X, security professionals need to look to IA for support and guidance, but the opposite is equally true. IA can tend to rely on their unassailable positions to hide behind lack of expertise in security subject matter, they need to work just as closely with security to make sure they are up to the task.

I’m in Information Security, I Don’t OWN Anything!

In 16 years of information security consulting, I never worked at an organisation where ownership of any aspect of the IT function was in the right place, let alone IT Security.

Anyone who has ever worked in IT, regardless of the discipline, knows that the business side of the organisation cares nothing for HOW things are done, they only care that they GET done. Ever try talking to a salesperson about total cost of ownership for their bright ideas on driving revenue?

To be fair, the salespeople don’t have to care, but someone from that side of the business sure as Hell does. Even a £1,000,000 deal is pointless if it costs £2,000,000 to deliver it. Both the business side and the IT side have failed if they cannot easily determine the suitability of the deal. However, it’s the business side that is responsible to justify a project, not IT, not IT Security, the business side.

THEY own it.

Luckily, the steps for getting this information together in the right format are, quite literally, centuries old:

  1. Perform a Risk Assessment (RA) – As boring as this sounds, ANY change to an organisation, even one that seems like a no-brainer, presents risk. Keep it simple, and brief, but without an understanding of the risk, there’s no context for the reward. Selling your only bottle of water for £1,000.00 is a great deal …unless you’re in the middle of a desert.
    o
  2. Perform a Business Impact Analysis (BIA) – This is often seen as a negative thing, where you are spelling out the cost if something bad happens. There’s no reason that positives cannot be built in, and often this is entirely appropriate. If the risk determined above, and the cost of bad things happening, is far outweighed by the benefits, then the decision to proceed, or not, becomes much easier to make.
    o
  3. Develop a Project Plan – This one rarely get done properly, but without it, the true cost of a proposed project cannot be determined. The plan needs to spell out everything that is required, including resource and capital costs, and time-frame. Done properly, this will develop into little more than a list of every action item, assigned to individuals, with due dates.

IT and IT Security will be very much involved in this process, so could many other departments depending on the project in question. Legal may be involved from a contractual or regulatory perspective, HR may jump in if they are organised enough have employee skill-set mappings, marketing will certainly want the heads-up if they are to be called on later and so on.

This is why the best companies have three things; a) a robust Project Management function, and 2) a standardised process for requesting project resources, and 3) a centralised Governance function that brings all of an organisation’s decision makers together in one room.

From the RA and BIA you know the cost of doing and NOT doing something in terms of both bad things happening, and potential lost revenue. From the project plan you know what it will take to proceed. The project management function will be able to tell you everything missing from the end goal, and how to get there, and the Governance function will then have everything they need to make EDUCATED recommendations to the executive leadership regarding investment.

This is why IT and IT Security can never OWN anything, they are there to enable, not run the business.

There’s No Regulatory Compliance Without Governance

I don’t think anyone can doubt that the regulatory landscape relative to data privacy has tightened significantly over the last few years. I also think few will doubt that this tightening will continue, given the enormous growth in things like big data analytics, artificial intelligence, alternative payment methods, mobile, and of course, the Internet of Things.

Most businesses have given considerable thought on how to take advantage of these things, and may even have existing projects in place to exploit them, but without a program of IT Security Governance in place to provide the right input, at the right time, these projects could rapidly become a regulatory and financial albatross.

But what do I mean by Governance? According to Wikipedia, Governance;”…relates to the processes of interaction and decision-making among the actors involved in a collective problem that lead to the creation, reinforcement, or reproduction of social norms and institutions.

According to ISCA – The Governance Institute, it is; “…the way that an organisation is directed and controlled. It is the toolkit for the processes and the oversight which drives the highest standards of leadership, accountability and behaviour. Strong governance helps boards and organisations to achieve their goals by acting appropriately and fairly.”

I could find 100 different descriptions, and none of them would be wrong, or even inappropriate to my message, but it’s a lack of understanding of what true Governance is that causes so many organisations to ignore it altogether. Without Governance, you don’t have any form of compliance, internal or external, let alone real security. End of story. It is one of The 4 Foundations of Security, and arguably the most important.

I like to simplify, so to me Governance is; “The business side and the IT side having appropriate conversations.” That’s it. The business side will ALWAYS own and control an organisation’s goals, and rightfully so, the ONLY role of IT is to support and enable the achievement of those goals. Nothing more.

That said, exclude IT and IT Security from ANY aspect of the strategy and planning processes and you’re in for a world of hurt. Security is never more expensive or ineffectual than when it’s retrofitted on a broken process. IT is NOT there to say no, they are there to say, OK, but do it this way from the beginning. IT Security are no different, and there is not one regulation on the planet that cannot be met if the proper planning is performed at the beginning.

As an extension to this, without Governance, Legal and IT and IT Security department can and do get in the way. It’s their JOB to protect the organisation! Too often Sales goes crying up to the CEO that someone is in the way of them doing business and an edict comes from on high that completely circumvents the checks and balances that are there for a very good reason.

Governance controls this process and ensures that the needs of all sides, and therefore the entire business, are met with the minimum of delay or inefficiency. It is represented by Legal, IT, IT Security, HR, Sales, Marketing, you name it, everyone must have their say. There is simply nothing more important to a business’s health and future than a well run cross-functional unit that has executive management support.

As an example, think about how important big data analytics has become to some organisations whose very existence is driven by transforming data into information. Harmless content can become personal information, ‘AI’ can create profiles that would attract significant penalties without the collection of appropriate consent. With input from Legal, IT Security, and Data Analytics, a comprehensive strategy can be put in place to develop a product that meets regulatory needs. Then Marketing and Sales can do their thing and everyone wins.

Governance is both the way and means to get these teams in the same room and talking about the same goal, no other function in the organisation has this much influence.

And it’s all so simple.

[If you liked this article, please share! Want more like it, subscribe!]

Continuous Vulnerability Management: Security as a Baseline

Ask 100 security ‘professionals’ what vulnerability management is and at least half of them will begin with patching, another 25% will focus on vulnerability scanning and penetration testing, and the majority of the rest will start quoting the gamut of Risk Assessment to Business Continuity. I’m not saying they are wrong, but most will not be right enough.

If you accept this description as standard; “Vulnerability Management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities, especially in software and firmware. Vulnerability Management is integral to computer security and network security.“, it’s no wonder that actually performing appropriate vulnerability management is a concept rife with misinterpretation and bad decisions.

The old adage; “You can’t manage what you can’t measure.”, while often incorrectly interpreted from the original work of W. Edwards Deming, is actually completely relevant in information security. Security is series of baselines / whitelists /  known-goods, and is only ever effective if it’s simple and repeatable. In other words, if you don’t have a point to measure security from, how can you possibly know if it’s enough, or too much?

Like every process in security, vulnerability management  is only as good as the context in which you place it, and ANY security process out of context from the underlying business goals is doomed to failure. Rightfully so. The vulnerability management controls you put in place relevant to your environment therefore go through the exact same process as every other control, from firewalls to outsourcing.

Step 1: Determine your business goals – in order to conduct an appropriate Risk Assessment (RA) and Business Impact Analysis (BIA)

Step 2: Conduct a gap analysis – to determine the shortfalls or over-extensions between current security capability and desired capability

Step 3: Fill the gaps – to the capability level determined by the BIA (accept residual risk)

Step 4: Determine appropriate baselines – for the management, maintenance and monitoring of the ‘new’ infrastructure/processes

Step 5: Place appropriate ISMS-esque controls – around the ongoing management, maintenance and monitoring of the new infrastructure/processes

Step 6: Develop appropriate mechanism for the decision making process – from responsibility / function, to scoring / rating, to mitigation, everything must be in-line with Step 1 in order to be effective and sustainable

Step 7: Determine all control inputs to the process – including – and certainly not limited to – patching, vulnerability scanning, penetration testing, code review (if applicable), logging, FIM, and so on…

Step 8: Determine all appropriate internal and external sources of threat intelligence  – from relevant vendors to paid-for services.

Step 9: Bring everything together into a Management capability – one with a specific charter and report structure.

Step 10: Re-examine every step for continued relevant and effectiveness – on a regular basis

If this sounds complicated, it’s likely that you don’t understand one or several of the steps. All aspects of security are simple, they have to be, and while is can be difficult to implement, that’s almost always because you are not asking the right questions. In any endeavour outside of your business’s core competencies, the trick is not to ask for what you think you need, it’s to ask for help from someone who KNOWS what you need.

You don’t tell your doctor you have a brain tumour, you tell them you have a headache a leave the diagnosis up to the expert.

[Ed. Written in collaboration with Voodoo Technology, Ltd.]

All About the Data

Forget Cyber, Forget Cloud, It’s ALL About the Data!

Ever wonder why data breaches are now called cyber attacks, or an application on the Internet is now called The Cloud? It’s for the same reason that Coca Cola is constantly changing it’s ‘look’, adding ‘new’ flavours of what is basically the same sugary mess. And why they’ve changed their slogan FORTY SEVEN times in their 125 year history;

To keep things fresh, to keep you thinking about them, and of course, to help you spend money.

So is this necessarily a bad thing for the field of information security? The answer is clearly no if these marketing ‘tricks’ actually help keep you secure though valid awareness programs and good services. But a resounding YES if it’s just a new buzz-phrase used to sell the same services with less due diligence.

Too many vendors and self-interested lobby groups are frighteningly good at demand generation. From new buzz-phrases, the invention of perceived needs, and playing on an organisation’s fear of losing a competitive edge, these have all been the cause of many bad purchasing decisions. This is especially frustrating when the tools for making good decisions have been around for decades. Literally.

For example; ISO 27001 – probably the best known and de facto security framework – has it’s roots in BS 7799 first published in 1995, ISACA’s COBIT was released in 1996, and even PCI (which is just a controls based standard for the protection of cardholder data) has some merit in its 10th year in existence. If these aren’t enough, the ages-old – but still VERY much alive – concept of Confidentiality, Integrity and Availability has been around for so long that no-one seems to know when it started.

And these are just the overarching frameworks for the security of data, beneath them you have equally well known, mature, and readily available tools for the protection of your data assets:

1. Governance – The Business side and the IT side having meaningful conversations;

2. Risk Assessment – An examination of the business needs applied to the current ability to achieve those goals;

3. Vendor Due Diligence – a THOROUGH review of the external help you’ll likely need;

4. Asset Management – You can’t manage what you don’t even know you have; and

5. Vulnerability Management and Change Control – If you have absolute control over the changes you make internally, the only things that can increase risk are from the outside. These two tools work hand-in-hand.

All of these tools are covered to a varying degree in the above frameworks, and represent standard good security practices established for longer than most of us have been alive. Without these processes in place, you don’t have data security. Full stop.

So if they are that established, why are they not as well known and pervasive as they should be? Simple, and for the same reason no-one likes paying for insurance; there is no obvious positive impact on the bottom line. Where’s the ROI for spending money on security? But this assumes that an ROI involves making MORE money, but is not LOSING money just as impactful? Fines, damages / reparations, and the inevitable loss of reputation all have significant negative impact.

Instituting an appropriate level of data security for your business is actually quite simple, keeping it in place requires much more effort but is equally simple; follow the decades-old advice of the existing frameworks.

[Ed. Written in collaboration with Voodoo Technology, Ltd.]

[If you liked this article, please share! Want more like it, subscribe!]