02.04.10
What is the best starting point to embrace risk management?
This is a topic that has generated a great deal of traffic on the LinkedIn “Governance, Risk and Compliance Management (GRC)” group. If you are a member, I recommend you read through the comments; if not, you should consider joining. This is a cross post, slightly modified, of my answer to this question, so forgive the double traffic if you are a member.
I was shocked that no one had mentioned the size and financial ability of the company. So this addresses both small and large corporations, with and without money allocated to security.
If the company is 300 people and has very little money, then usually the starting point is convincing management why money needs to be directed towards an assessment rather than towards doing something tangible. Obtaining management support through some shock and awe factor will help get buy-in, and then you can do a risk assessment. That assessment should provide a roadmap and serve as the strategic plan.
Now if the company is more mature and financially stable, I agree with several of the current comments, which suggested some type of risk assessment (RA) framework or COSO control framework. Either way, the typical starting point is conducting some type of strategic risk assessment: something that reviews all of the organization's assets, threats, and vulnerabilities. This assessment should help start the program by prioritizing each security effort based on risk. One of the action items from this assessment, if it doesn't already exist, should be to put a control framework (an ISMS) in place.
Once the prioritized roadmap is created and a control structure is in place, these two items can be baselined and measured over time. Each control area can also have individual metrics. As the risk management program grows, the next step will be to build a project- or application-based risk approach in addition to the strategic risk assessment. The focus of this secondary assessment approach is to rapidly assess projects and determine the level of security review required at the project level. Some projects will require more based on their risk (i.e. type of data, etc.).
08.07.09
BITS Shared Assessments – Useful or Not
What do you think? Is this another useless assessment methodology, great idea, or a platform for vendors to sell products?
I recently went to the 2nd Annual BITS Shared Assessments in Chicago. http://www.sharedassessments.org/
I found the event driven mostly by product vendors, a few assessment firms, and some footprint from the banking industry. Between the event and now I was able to deliver an engagement, and as a result of the conference and this delivery I have the following comments.
- Many assessors are using older versions of the SIG and still have not adopted 4.2.
- Product vendors have incorporated many of the features and appear to be pushing the solution the most.
- The current AUP and SIG are fairly decent, but the overall solution still needs to mature greatly. I found that several of the AUPs were incorrect or missing. I have yet to consolidate all my comments; however, I emailed the main contact listed on the site. Currently comments are submitted one by one. I don't want to enter them one by one, so I haven't submitted them; I'm still waiting for a response after several weeks.
- The effort required for scoping and delivery is underestimated. My experience shows that you will have to set strict limits on the number of follow-up conversations and a cut-off date for evidence. Otherwise the entity being assessed will continue to try to justify that they have the appropriate controls in place.
- There are plans for mapping to other compliance regulations. I have many more comments about this solution, but mostly I'm seeing customers use only the SIG Light or SIG level 2.
I see this as holding a place in the third-party assessment realm for an organization. I'm wondering: is anyone else using the Shared Assessments? What are your thoughts? Will this solution grow and be used like PCI even though it doesn't have the formal backing that PCI has?
05.19.09
More on Staffing and Governance
I have been tracking via this blog a good amount of search hits looking for security staffing and governance. Unfortunately, when you search there is not much out on the Internet. If anyone is interested, let me know and I will start an open source project off this blog to create a governance and staffing solution/program.
For those that have little or no knowledge in this area I suggest you review the Security Task Force documentation and the Educause updates located here:
Educause Information Security Governance Assessment Tool
For an open source program I would like to build off the current work, but also place a lot more emphasis on the organizational charts and the roles and responsibilities. If you're interested, please let me know and we can get everyone together and create an updated model for multiple industries.
04.17.09
Application Risk Assessments
I came across an interesting blog about application risk assessment today, so I wanted to highlight some of the different approaches in response.
Blog Post:
In the blog, Chris's approach seems somewhat like threat modeling, which is typically used for code reviews. In general he covers a large part of the important content but doesn't address the real issue of risk: cost vs. risk. I hope to address that here and explain the two major methods used extensively. These are threat modeling and the NIST/OCTAVE asset-based approach.
Threat Modeling Approach
Threat modeling is basically an ongoing risk assessment process that covers the entire Software Development Lifecycle.
Strategic Approach
From a managerial risk assessment perspective I would take a different view, using a strategic NIST/OCTAVE approach:
- What are the assets? (i.e. information, applications, hardware, etc.)
- What are the threats? (i.e. data contamination, malicious code, equipment failure, etc.)
- What are the vulnerabilities? (i.e. no security training for developers, lack of formal SDLC, no development standards, no security requirements, no security testing, etc.)
Within the vulnerabilities I would roll up any identified tactical findings into strategic issues. For example, software code with clear text passwords may roll up to a weak encryption policy, a lack of standards, or a lack of proper classification policy and controls around passwords.
Overall, using this strategic approach helps us determine which assets in the entire application architecture/environment have the highest risk, and we can mitigate accordingly. In the long run this approach should save cost. We really wouldn't want to spend $40,000 on a code review for each application when we know that none of the developers have security training and we have no secure development standards. This money can be strategically better spent on training, since we might have 30 applications across the enterprise. At that point we can decide to perform a sample checkup and measure the progress to see how we perform both before and after the training. This will be the most cost-effective approach and will produce metrics that can be delivered to executive management.
03.19.09
Do QSAs Understand PCI?
I guess that title should say “Can anyone clarify PCI?” or “Can we get some PCI consistency please?” I find myself in discussion day after day on topics around PCI.
What is required for web app test? Is it authenticated? Is it just a scan? Is it just my external environment? Is it only my card holder systems?
I know the council is trying to do their best with outlining the standards, but there still is a serious lack of consistency across QSAs and organizations. I found this so frustrating that I developed the cartoon below to represent my opinion.

Basically, Mr. CEO here is not meeting PCI compliance and his QSAs are all telling him something different. Even better are the new standards and enforcement that all the QSAs themselves are still trying to understand. Will any big enterprise be able to achieve compliance?
Security Survey Polls Added
The polls are open!
While visiting this site please check out the new IS Management page and contribute to the voting polls.
If you would like to see new or different polls added let me know.
03.17.09
Security Breach Resources
While pulling security breach trends for different industries over the past few months, I came across a few good sources to help anyone that needs specific data.
Two sites I found with an abundance of information were:
Privacyrights.org hosts a chronological list of breaches several years back until present date with a brief description of the breach and the number of records affected.
Datalossdb.org hosts the actual breach notification letters that have been sent out.
For statistics and trends use these resources:
- http://resources.mcafee.com/content/NAMcAfeeCriminologyReport (Requires Registration)
- http://resources.mcafee.com/content/NAUnsecuredEconomiesReport (Requires Registration)
In general it looks like breach frequency was about the same in 2007 and 2008. Problems seem to be related to basic items such as laptop theft, data left unencrypted, and your usual intruder attack.
03.04.09
HIPAA and the Stimulus Bill
Is HIPAA Really changing?
Here is a good summary link of the changes.
I think John did a good job outlining the key changes. There is no point in regurgitating the information he has already covered in detail. Overall there are changes to penalties, new breach rules, business associate responsibilities, and more.
What I find interesting is that, according to his article, HHS is now responsible for issuing guidance specifying technologies and methodologies. To date I haven't seen anything posted on their site, but they have until February 17, 2010 before the Act is in effect.
I believe many government based organizations currently fail these controls miserably. It will be good to start seeing some accountability. I just hope they lay out the expectations clearly unlike when PCI was first issued. I also hope there is some visibility into the ratings of each entity moving forward.
In the meantime, here are a few good older links to help entities make sure they are at least in tune with current expectations.
01.30.09
Authoritative List of Compliance Documents
For anyone looking to find or understand the key compliance documents across the following industries, regulations, and regions of the world, the link below has a good list.
http://www.unifiedcompliance.com/forms/tracked_documents.php
Industries, Regulations, Regions:
- Sarbanes Oxley Guidance
- Banking and Finance Guidance
- NASD NYSE Guidance
- Healthcare and Life Science Guidance
- Energy Guidance
- US Federal Security Guidance
- US Internal Revenue Guidance
- Records Management Guidance
- NIST Guidance
- ISO Guidance
- ITIL Guidance
- US Federal Privacy Guidance
- US State Laws Guidance
- EU Guidance
- UK and Canadian Guidance
- Other European and African Guidance
- Asia and Pacific Rim Guidance
- System Configuration Guidance
Also, some of these are already linked off this site. If anyone has some free time, feel free to send me links to the listed documents and I will add them to the Links page.
01.12.09
Working Toward ISO 17799/27001 Business Continuity Management Compliance
This document is written with the assumption that the organization follows ISO and has implemented many of the controls (including Disaster Recovery), but may be lacking in the area of business continuity management. This document aims to consolidate and leverage the work already done for other ISO controls to jumpstart the BCP compliance efforts.
The first step in compliance is to develop and implement a BCP management process. The process needs to identify the critical business processes within the organization and incorporate management requirements.
Process:
- Identify critical business processes and associated assets. Create a template or leverage the disaster recovery (DR) documentation (Note: the DR information may not be complete enough, as it usually only includes recovery of technology functions and may exclude important business functions or processes that do not rely on technology) and send it to managers, requiring them to document their critical business processes by location.
- Identify the consequences in the event of a disaster. Again, most of this should be in a DR plan.
- Identify controls to reduce risk.
- Ensure information for business operations is available.
- Ensure BCP is integrated within business processes and includes security.
- Ensure that plans are updated and tested on a regular basis.
Below is a sample that can be put together quickly to help meet some of this compliance. Use Excel and list the critical business processes in a matrix associated with each geographic location, as shown below.

The next step is to identify the results of different events by doing a business impact analysis. Continuity plans have to be developed for quick restoration of operations and should be integrated with information security and other key management processes. Controls that can be put in place to reduce risk should be identified.
The Threat should define “Who”
The Event should define “What, Where, and When”

The table below is an expansion of the above. (Threats are repeated for consistency.)

After the assessment the following must be done:
- Continuity plan(s) must be created.
- Roles and responsibilities must be documented. Most of this should have already been done for other ISO controls, but a few short statements may need to be added to reflect business continuity compliance.
- Procedures and processes must be documented. Many of these should have already been documented as part of incident response, disaster recovery, change control, and other standard operations. A few additional procedures may need to be created, such as the process for documenting and updating plans.
Plans must have the same framework. This means all departmental plans must be on a standard template. A centralized escalation and evacuation plan should be developed. Evacuation plans can simply state: follow building evacuation procedures. Escalation plans in most cases can follow standard disaster, emergency services, or incident response plans.
Plans need to address:
- Roles and responsibilities of key staff (i.e. BCP coordinator, executive management, and users)
- Summary pointing to the documents that have recovery procedures for operations. In many cases these procedures are in the disaster recovery area or part of the standard operating function.
- Testing of plans. This needs to track and schedule each element and when it is tested.
- Storage of plans at alternate locations
- Ownership of plans
- Fallback procedures
- Resumption procedures
- Awareness and Training
- Review of plan(s)
Putting everything important together is the key to the business continuity plan. Many of the items above exist within many organizations, but they have not been organized or consolidated in one area. A document detailing each of these items and consolidating them all in one location is the key to passing the assessment. If you are already working towards ISO compliance, then Business Continuity Management is just one more minor component that can be accomplished quickly by consolidating a large amount of information in one place and creating a document (plan) that organizes and explains everything that needs to be done with these documents if there is a disruption to business operations. In some cases there may need to be department-level plans that closely mirror the main plan but focus more on departmental operations. Some assessments will look for both centralized and departmental plans.
For more information you can also review the actual ISO/IEC 17799/27001 documentation and the BS 25999-2 Specification.