Wednesday 22 February 2012

ISO27k standards development - there has to be a better way

From time to time I update ISO27001security.com with news on the ISO/IEC 27000 standards, including information from the meetings of ISO/IEC JTC 1/SC 27.  Having contemplated the rate of progress on the updates to ISO/IEC 27001 and 27002, I feel the need to comment in general terms about the ISO/IEC process for developing and publishing standards.

Firstly, the process is convoluted and slow - so slow in fact that it may be outpaced by rapid technological changes (developing cloud security standards being a topical example, let alone something such as BYOD).  On the other hand, one of the key benefits of standards is to bring stability and order to the rather chaotic world around us.  It certainly helps to form a broad international consensus on the terms and concepts we use, and that in turn facilitates a common understanding of the complex issues we face.  Standards such as ISO/IEC 27000 are extremely valuable in formally defining terms that are bandied about yet often have subtly if not grossly different meanings.  Distilling disparate definitions down to such succinct, specific and generally-accepted wording is a difficult task for the standards' authors, but we all benefit.

Secondly, a rant about the quality and utility of the ISO/IEC 27000-series standards.  I am speaking specifically here about the ISO27k standards since I don't know enough about others to comment on them.  Well-written standards such as ISO/IEC 27000, 27001, 27002 and 27005 have proven popular and are being widely used, whereas others have practically disappeared without trace.  ISO27k standards currently under development by SC27 fall across a similar quality spectrum.  Despite (and often because of) the rather bureaucratic processes used to develop standards, the quality and utility of the final products is distinctly variable.  Anyone with a commercial management background who looks dispassionately at the way ISO27k standards are developed would probably agree that there are some fundamental flaws in the process:
  • ISO27k projects are sometimes (cynics would say 'often'!) initiated with no clear idea about what they are intending to achieve, nor how they are going to do it.  Sure, there are Study Periods that are presumably meant to consider and firm-up the requirements for new standards, but we are lucky if the terms of reference and other materials they generate are of any use at all, and it is pot luck whether the published standard (if it ever surfaces) bears any relationship to the original terms of reference.  Similar projects in the commercial world, at least, are far more carefully and explicitly specified than this.

  • Outside of ISO/IEC, business cases are the conventional way to initiate major projects.  Given that almost every ISO27k standard is the product of literally hundreds, maybe thousands of man-hours of work from teams of international experts over several years, these are indeed major projects, although in some cases you could be forgiven for thinking otherwise if all you see is the end product!  Business cases are perhaps the most obvious expression of an extremely important management control, namely management's careful consideration of the proposals, seeking adjustments or clarifications where necessary, followed by approval of and investment in those projects that are deemed to be cost-effective and in the organization's best interests.

  • Organizations that run their projects effectively manage the scope, schedule and resources carefully.  Most assign dedicated, full-time project managers, often trained and experienced professionals, to major projects.  Project managers, in turn, are usually supported by structures such as Project Offices, plus a raft of policies, procedures and guidelines concerning how projects are managed and tracked, and sometimes assurance functions such as Internal Audit.  The equivalent in SC27 at least consists of one or two editors per standard supported by an over-worked Secretariat whose main job seems to be organizing meetings and battling ISO/IEC's obtuse content management system.

  • In  the commercial world, a senior manager is usually nominated as the owner or customer of a major project, and is held accountable by management for its delivery.  In other words, projects are governed as well as managed.  The SC27 equivalent of the project owner/customer is effectively SC27 itself, meaning the entire committee of (mostly) volunteers who also staff the projects (spot the lack of segregation).  To make matters worse, SC27 runs a substantial portfolio of projects (of which the ISO27k standards are only a part) and has very little time to oversee, consider, manage, direct or control each one.
ISO/IEC does document its processes formally, to some extent.  The "ISO/IEC Directives", along with a number of supporting standards, are meant to direct those developing International Standards (plus Technical Reports and Publicly Available Specifications).  Part 1 of the Directives titled "Procedures for the technical work" in fact concerns the initiation of projects developing standards.  Part 2 lays down the "Rules for the structure and drafting of International Standards". 

Part 1 of the Directives states an intriguing objective: "Within the framework of these procedures, the work may be accelerated and the task of experts and secretariats facilitated both by progressive introduction of new technologies and modern programme management methods."  I say intriguing because last year I was involved with an ad hoc ISO group exploring the possible use of collaborative working. In practice, the group was mired in bureaucracy and achieved very little except a rather lame proposal to spend another year looking into things. All its meetings were held by phone conference in the early hours of the morning, NZ time, and frankly I haven't had the energy let alone the inclination to attend. Collaborative tools such as email and Google Docs that would have really helped are evidently too cutting-edge for some of the members who would rather argue about the suitability of the tools than try them out. It's not that the people involved have nothing to offer, rather that the working practices and the ample opportunities to disrupt make it almost impossible for us to progress or contribute productively. The whole experience has been intensely frustrating. Guess I'm not cut out for this. 

BYOD awareness activity

A creative university research project suggests the possibility of a security awareness exercise associated with BYOD and laptop security: why not offer a bounty for laptops and other ICT devices "stolen" from their owners in the office and delivered to the Information Security Manager this Friday?  The bounty might usefully reflect the value of the information on the device.

If nothing else, the stunt will raise awareness of the physical security risks associated with portable IT devices - which sounds like A Good Thing from my perspective!

Best let Site Security know this is happening in advance.  As to whether they are encouraged to try to prevent the 'thefts' or not, that's your call.

Thursday 9 February 2012

BYOD security awareness - follow up

Having just released a brand new security awareness module on BYOD (Bring Your Own Device), we have been surprised (in a nice way!) with the level of interest this topic has generated for us, more so than, say, the cloud computing security awareness module we put out last April.

I've been pondering what's going on here.  What's so special about BYOD?  What makes BYOD security awareness sexier than cloud computing security awareness?

First off, BYOD is quite new.  The concept has been around for a while but as soon as it picked up the BYOD tag and started appearing in the computer press about a year ago, it has started to buzz.  In other words, it's a hot topic.  Well OK, but so is (and was, last April) cloud computing, so hotness alone is not enough to account for the differing levels of interest in these topics.  Strike one.

Second, "BYOD" is a distinctive, easily-searched term, so our awareness materials got some instant Web exposure purely by dint of using the term.  Great!  Cloud computing, in contrast, is not so distinctive.  Search for "cloud" and you'll find a lot of weather sites.  Search for "cloud computing" and there are plenty of commercial offerings out there, desperate to relieve your corporation of the contents of its IT budgets.  Search for "cloud security" and the field thins noticeably, putting it on a par with "BYOD" alone or "BYOD security".  So that's not quite it either.  Strike two.

Exploring "BYOD security" on the Web is a frustrating pastime. Most of the stuff that Google knows about is facile ("Like this blog item!" I hear you say), and nothing much is new or different.  The same few concepts are trotted out time and again.  And just like cloud computing, most of the 'security advice' pushed by the journalists, vendors and other pundits is to implement technical controls, or "solutions" as some insist on calling them.  Take for instance this short article in SC Magazine which talks about tiered mobile management functionality, broad platform support (which evidently means Android and iOS), and "mobile management solutions" (bzzzzzzzt, there we go, buzzzword bingo), or this piece concerning IBM's move into Mobile Device Management having consumed a minnow. Apparently Big Blue's MDM stuff helps achieve "policy compliance", by which I think they mean technical conformance with some sort of technical standard, not what I would call a policy.  But that's just me, being picky with the marketing droids as always.

So maybe, just maybe there is a merest hint that people might be looking for information on ways to tackle their BYOD security issues.  For some reasons, they either don't look or are satisfied with what they find from the big cloud vendors, but BYOD is a different ball-game.

Compared to technical controls, security awareness is conspicuously absent from most of the stuff Out There in Security Land, but that's a near universal finding, a truism if you like.  The main reason, I suspect, is that the firewall and antivirus vendors who have dominated the IT security industry for more than a decade have engineered the market, their oh-so-valued customers, to expect "technical solutions" to all their security issues, often implying that installing whizz-bang-software X or appliance Y will magically solve everything because, of course, they make $lots from selling X and Y to organizations that swallow their bait.  To be fair, WE run firewalls and antivirus software too - but to us, they and various other IT/technical controls are just part of a far more comprehensive suite of information security controls ... and mere commodities at that.  Can you honestly tell the differences between AV products from different AV vendors?  I bet in a blind tasting, you would be hard pressed to pick out your normal security solution from any other instant-security-in-a-box.

So perhaps that's the difference.  In cloud computing, the dominant vendors such as Amazon and Google already have a stranglehold on the market (both supply and demand sides) and can gloss-over the information security issues, selling their "solutions" to a receptive market on the strengths of their respective brands, and their sheer size.  Ask awkward questions about data ownership or confidentiality (including privacy) and no doubt the sales people start to fidget but then push back with scaleability, access from anywhere, and all that hand-waving that led to the term "cloud" in the first place. I suspect some cloud customers may not even appreciate the information security issues they are taking on: how many information security professionals have made the time to research the issues and timidly raise their hand from the back before the CIO confidently announces they are being 'outplaced to the cloud to save the company $loads!'?  How many have thought through the security implications of even the simplest of cloud services such as webmail and online backups?  We have, and they are scary.

But with BYOD, not only is information security a major concern but (as yet) there are no dominant vendors pushing their technical solutions down our throats, in other words there are no full-on sales pitches to displace those nagging questions from the back of the class about data ownership and confidentiality (including privacy).  Oh and compliance.  And copyright.  And all the other security issues that are associated with BYOD.  The issues are of no greater concern than with cloud, really (less in the sense that employers have the upper hand with their employees over what they do with their personal devices, while their relationships with the major cloud service providers are in a different league), but the technical solutions in BYOD, and particularly the vendors pushing them, are comparatively weak.

At least it gives those of us who believe in the value of human factors as much as technology a chink of light, an opportunity to remind organizations that there is more to security than just buying the shiniest technology from the pushiest sales creatures.  That BYOD security policies are not technical security standards.  That helping their staff, managers and IT pros understand, rehearse and polish their respective roles in the security show will actually make a difference to the performance.

Oh and by the way, even those shiny IT security gizmos have to be specified, designed, developed, tested, implemented, maintained, managed and, oh yes, used by PEOPLE.  Fallible humans, just like me.  People who create bugs in software, and misconfigure technologies, and disable or bypass controls that get in our way.  People who fail to appreciate that we are as much part of both the problem and the solution as the technology.