Thursday 31 August 2017

Strengthening Information Security’s social network

Some security awareness programs simply broadcast messages at the organization. Messages flow from the Information Security function to the audience - specifically an audience dubbed "end users" in many cases, a disparaging term implying low-level staff who use computers (neglecting all others). A more effective approach, however, is to emphasize social networking and socialization of security as a primary driver of cultural change, with bidirectional communications increasing the chances that the awareness program reflects and responds to the business.

Establishing a strong social network of friends and supporters of information security throughout the organization takes commitment and sustained effort on the part of the entire Information Security function. The payback over the medium to long-term, however, makes it an approach well worth considering. An actively engaged and supportive social network will keep the awareness program, and in fact the information security program as a whole, business-aligned and relevant to current security issues in the organization, broadening and deepening the department’s influence. On top of that, you can achieve far more through a distributed network of supportive contacts than you can possibly manage alone.

Support from senior management is great but, in our experience, many of the most well-connected and influential workers are low-ranking individuals. They are ‘people people’ with the common touch, a natural flair for social interaction. 

This is why we're providing a template rôle description for the Information Security Awareness Contact in the Information Security 101 module to get you started if you decide to structure and formalize the rôle to this extent. That may not be appropriate or necessary, depending on how your organization handles such issues. Speak to your management and HR about the concept before going too far down that line, including aspects such as recruiting, guiding/coordinating, motivating and rewarding people who accept the rôle. 

Colleagues in HR, Security Administration, IT/PC Support, Business Continuity, Risk Management, Compliance and Health & Safety may have similar social networks already in place (e.g. departmental reps, fire marshals and first responders). Invest some time in meeting both those colleagues and their best contacts to find out how the arrangements work on both sides, pick up useful tips ... and hopefully make a few solid-gold contacts of your own.

Wednesday 30 August 2017

Information risk assessment (reprise)


On ISO27k Forum this morning, an FAQ made yet another appearance. SR asked:
"I am planning to do risk assessment based on Process/Business based. Kindly share if you have any templates and also suggest me how it can be done."
Bhushan Kaluvakolan responded first by proposing a risk assessment method based on threats and vulnerabilities (and impacts, I guess), a classical information-security-centric approach that I've used many times. Fair enough.

I followed up by proposing an alternative (and perhaps complementary) business-centric approach that I've brought up previously both on the Forum and here on the blog:

  1. Consider the kinds of incidents and scenarios that might affect the process, both directly and indirectly. Especially if the process is already operating, check for any incident reports, review/audit comments, known issues, management concerns, expert opinions etc., and/or run a risk workshop with a range of business people and specialists to come up with a bunch of things – I call them ‘information risks’. This is a creative, lateral thinking process – brainstorming. Focus on the information, as much as possible, especially information that is plainly valuable/essential for the business. If necessary, remind the experts that this is a business situation, a genuine organizational concern that needs pragmatic answers, not some academic exercise in precision.
  2. Review each of those information risks in turn and try to relate/group them where applicable. Some of them will be more or less severe variants on a common theme (e.g. an upstream supply chain incident can range from mild e.g. minor delays and quality issues on non-critical supplies, to severe e.g. sudden/unanticipated total failure of one or more key suppliers due to some catastrophe, such as the Japanese tsunami). Others will be quite different in nature (e.g. various problems with individual employees, IT systems etc.). A neat way to do this is to write each risk on a separate sticky note, then stick them on a white board and briefly explain them, then move them into related/different groups of various sizes and shapes.
  3. Discuss and evaluate each (grouped) risk according to its probability (or possibility or chance or likelihood or frequency … or whatever) of occurrence, and the organizational impact (or severity or criticality or trouble or nastiness or scale or cost or size or drama … or whatever) if it ever does occur. Plot them out on a PIG (probability-impact graph). There are several examples here on this blog, plus tips on running risk workshops etc. Instead of the ‘whiteboard’ noted above, those ‘sticky notes’ could be text overlaid on a colourful blank PIG graphic, pre-drawn on a computer screen in, say, Powerpoint or Visio.
  4. Once all/most of your identified risks are on the PIG, and you have had a good chance to discuss their wording and positioning and relationships, set aside some time to focus on any in the red zone i.e. severe + high probability risks: these are clearly priorities for the business. What can/should be done to treat them? What needs to be put in place to enable the risks to be treated? Who needs to drive that work (the ‘risk owner’)? How will the resources be found and allocated? When does it need to happen, and how? Continue with the orange zone risks, and the greens too if you are obsessive and have the time and energy (are there existing risk treatments/controls for the greens that might safely be relaxed or retired?). This generates a draft action or risk treatment plan, prioritized according to information risk. Look for opportunities to schedule and align activities where it makes sense, including other parallel activities where applicable (e.g. linking process changes with IT system or supplier changes, business reorganization etc.).
  5. Check for any outliers, anomalies, and open issues. Looking at the whole PIG, is there anything that seems odd, or wrong, or worrying? Take an even broader business or strategic perspective: how does this PIG and this set of information risks fit in with other PIGs and other risks facing the organization? Are there issues and constraints in this area that often crop up in other areas too, hinting at a common cause that maybe ought to be tackled too? Again, are there opportunities to hook on to other business initiatives, projects and activities? And how does all this align with and support business objectives?
  6. As actions/risk treatments are completed, several information risks on the PIG should move as they become less likely and/or severe – so review, update and reconsider the PIG periodically. Look especially hard for changes such as new or emerging information risks that aren’t yet represented on the PIG. Relevant incidents and near-misses that aren’t adequately reflected in identified risks indicate omissions in your risk identification and assessment process … so look for others too, and make improvements. If necessary, run focus group sessions to address information risks that remain stubbornly stuck in the orange or red zones. If risk treatments aren’t working, what needs to be done to fix them? Are there alternative approaches worth trying? Are there competing priorities or constraints that management needs to address … or are the risks acceptable, in fact (if so, get that in writing! Hold someone senior personally accountable for the risk acceptance decision)?
  7. Keep notes on the risk management process, the workshops, techniques, issues etc. and refine the approach every time it runs. [That’s how I got here, and my journey to enlightenment continues!]
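The PIG part of the procedure above, carried through in code as an added example (this is not the blog's own tooling, nor anything from the ISO27k Forum thread). It assumes a constructed six-risk register, a 1..5 scale for both probability and impact, and zone thresholds that are my own assumption; it groups risks by theme (step 2), places them on a text PIG (step 3), orders the red/orange/green treatment plan (step 4) and re-positions a risk once a treatment is complete (step 6).

```python
"""Probability-impact graph (PIG) triage for an information risk workshop.

Added example, not the blog's own tooling. The six-risk register, the 1..5
probability and impact scales and the zone thresholds are all constructed
assumptions for illustration; substitute your organisation's own scale.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample register: (name, theme, probability 1-5, impact 1-5)
SAMPLE_RISKS = [
    ("Minor delays on non-critical supplies", "upstream supply chain", 4, 1),
    ("Total failure of a key supplier", "upstream supply chain", 1, 5),
    ("Ransomware on order-processing server", "IT systems", 3, 5),
    ("Key employee leaves without handover", "people", 3, 3),
    ("Backup media found unreadable", "IT systems", 2, 4),
    ("Visitor reads customer list off a whiteboard", "physical", 3, 1),
]

# Ordering used when building the treatment plan: red zone first.
ZONE_ORDER = {"red": 0, "orange": 1, "green": 2}


def classify_zone(probability, impact):
    """Map a PIG position to a zone. Thresholds are an assumption:
    score >= 12 is red; score >= 6, or any catastrophic (5) impact, is orange;
    everything else is green, so a rare-but-catastrophic risk is never 'green'."""
    if not (1 <= probability <= 5 and 1 <= impact <= 5):
        raise ValueError("probability and impact must be on the 1..5 scale")
    score = probability * impact
    if score >= 12:
        return "red"
    if score >= 6 or impact == 5:
        return "orange"
    return "green"


@dataclass
class Risk:
    name: str
    theme: str
    probability: int            # 1 (rare) .. 5 (almost certain)
    impact: int                 # 1 (negligible) .. 5 (catastrophic)
    treatments: list = field(default_factory=list)

    @property
    def score(self):
        return self.probability * self.impact

    @property
    def zone(self):
        return classify_zone(self.probability, self.impact)


def load_sample_register():
    return [Risk(*row) for row in SAMPLE_RISKS]


def group_by_theme(risks):
    """Step 2: cluster related risks (the sticky-note grouping)."""
    groups = defaultdict(list)
    for risk in risks:
        groups[risk.theme].append(risk)
    return dict(groups)


def treatment_plan(risks):
    """Step 4: red first, then orange, then green; highest score first within a zone."""
    return sorted(risks, key=lambda r: (ZONE_ORDER[r.zone], -r.score, r.name))


def reassess(risk, probability=None, impact=None, treatment=""):
    """Step 6: record a completed treatment and move the risk on the PIG.
    Returns the zone the risk now sits in."""
    if treatment:
        risk.treatments.append(treatment)
    if probability is not None:
        risk.probability = probability
    if impact is not None:
        risk.impact = impact
    return risk.zone


def render_pig(risks):
    """Text PIG: rows are impact 5..1 top to bottom, columns probability 1..5;
    each cell shows how many risks sit there, '.' for none."""
    cells = defaultdict(int)
    for risk in risks:
        cells[(risk.probability, risk.impact)] += 1
    lines = ["impact"]
    for imp in range(5, 0, -1):
        row = " ".join(str(cells[(p, imp)]) if cells[(p, imp)] else "."
                       for p in range(1, 6))
        lines.append(f"   {imp} | {row}")
    lines.append("     +----------")
    lines.append("       1 2 3 4 5  probability")
    return "\n".join(lines)


if __name__ == "__main__":
    register = load_sample_register()
    print(render_pig(register))
    for risk in treatment_plan(register):
        print(f"{risk.zone:6} {risk.score:2}  {risk.name}")
```

The "impact 5 is never green" rule in `classify_zone` is the one design choice worth arguing over in a workshop: a plain probability-times-impact score would file the rare total loss of a key supplier alongside the trivial risks, which is exactly the kind of outlier step 5 asks you to look for.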
The PIG part of this approach is especially controversial, I know. There are other forms of risk analysis, including truly quantitative approaches (based on actual data and mathematically sound models) and other qualitative methods … but I find this good enough for my purposes, and simple enough that, once they get the hang of it, workshop attendees focus on discussing and understanding and tackling the risks rather than obsessing about the analytical method. YMMV.

For truly business- or safety-critical situations, or if you are uncertain about whether any given approach is OK, you might try several different methods, comparing and contrasting the results for additional insight. Chris Hall has previously suggested involving different groups of people in separate sessions to emphasize their different perspectives, expertise and interests (cool tip - thanks Chris!). It’s hard, though, to bottom-out the reasons for the differences, not least because this is all based around predicting an inherently uncertain future. It’s all crystal ball gazing. This is closer to witchcraft and alchemy than science. There comes a point where it’s better to just get on with it and see how things go, than to continue endlessly refining the analysis or obsessing about the methods. You can always come back later for another gaze, another go at mixing your magic potions. Meanwhile, those risks need treating, the red ones urgently.

Monday 28 August 2017

Thanks a million



According to Google's Blogger stats, over the weekend this blog topped 1 million page views so I guess we must be doing something right!

It would be hard to come up with something new to say every day, if it weren't for the fact that we are all bombarded by stuff from other blogs and groups, from advisories and committees, and from several billion Websites. There's lots of stuff going on in the world of infosec which keeps me interested and hopefully you too.

My main concern is the human as opposed to technological aspects, hence my overriding interest in promoting good practices in information risk and security governance and management (especially ISO27k and security metrics), security awareness, policies, procedures etc. to keep a lid on social engineering scams, frauds, hacks and malware attacks, ineptitude, thievery, spying, piracy and so forth. Having said that, managing technology requires understanding it (IT especially) so I try my best to keep an eye on that too. And the physical side. And compliance. And risk management. And business ...

I interpret and react to the news rather than simply passing things on, an approach I hope rubs off on you. I'm expressing personal opinions here, hopefully adding value based on my experience and knowledge. I encourage you all to think about what you read, reinterpret it in your context, be critical and by all means disagree with me. I don't hold all the answers. I know I am outspoken, cranky and off-base sometimes. I'm human too. This blog is my CAPTCHA!

OK, must press on. We have sick animals to tend plus an awareness module to complete. Back soon.

Friday 25 August 2017

Awareness boosters


The Information Security 101 awareness module update is going well. We might even finish slightly ahead of the deadline, provided I can resist the temptation to keep polishing and adding to the content!

One of the deliverables is a 'menu' of rewards for workers who uphold the information risk and security practices, controls and behaviors we wish to encourage. The rewards are divided into bronze, silver and gold categories.

Bronze rewards are generally free or cheap, and yet welcome - a nice way to thank workers for simply participating in awareness seminars, case study/workshop sessions or quizzes, maybe. Here are just a few examples:
  • A phone call, personal thank-you note and/or email
  • Letter of participation or commendation to be placed in the employee’s personnel file (whatever that means!)
  • Relaxed dress code for the recipient – for a defined period such as a day or a week 
  • Generic certificate acknowledging a level of competence (e.g. on completion of security induction training - there's a template in the module)
  • Note and/or photo on hall-of-fame, newsletter and/or the Security Zone (Information Security's intranet website - again there's a generic website design specification in the module)
  • Plain (dull bronze) pin badge or sticker with awareness program logo
  • Plain (dull bronze) staff pass lanyard with awareness program logo and stock message (such as how to contact the Help Desk or Site Security)
Moving up a level, silver awards are more valuable and attractive, requiring a little more money and effort:
  • Polo/tee-shirt printed with corporate and/or awareness program logo and a relevant quotation or catch-phrase
  • Fancy pin badge with awareness program logo and catch-phrase (e.g. “I’m security aware!”)
  • Informal party and presentation for the recipient and team (refreshments provided)
  • Phone call, personal thank you note and/or email to the award winner plus one to their manager copied to HR, commending them and explaining why they deserve the award
  • Business cards with awareness program logo and message, showing the recipient’s name as a 'security ambassador'
  • Shiny silver staff pass lanyard with awareness program logo, recipient's name and personalized message
Gold-level awards are of course fancier still, some quite distinctive, special and valuable:
  • Fleece or coat embroidered with security awareness logo, quotation and the recipient’s name
  • Programmable LED/LCD message badge pre-loaded with suitable rotating messages
  • Personalized business card holder containing special business cards showing the awareness program logo and maybe an appropriate awareness message or personal endorsement on the reverse side
  • Special name plate, cubicle sign or pin badge engraved with the awareness program logo and the recipient’s name and date
  • Smart, high quality, collectable trinkets (e.g. desk clock, watch, laptop bag/carry-all/in-flight luggage bag etc.) engraved/printed with the security awareness logo and ideally the recipient’s name
  • Gold staff pass lanyard or carrier, identifying the recipient as a security guru (“Ask me about information security”)
There are more than 50 suggestions along those lines in Information Security 101, some quite innovative, for instance the chance for a one-on-one chat with a senior/executive manager, over coffee, lunch or dinner. Some are designed to reward entire teams such as the leaders in a corporate league table based on departmental or business unit performance, measured using specific security metrics. An awards ceremony or gala dinner might work for some organizations, perhaps as part of an annual security awareness event.

As with all our awareness materials, customers are free to adapt the menu to suit their situation, requirements and constraints (including budget!). The concept is at least as valuable as the menu itself. I must say it's an awareness approach I've personally found very successful in the past, although it may not suit every organization.

What a contrast to conventional compliance enforcement through penalizing those who don't comply. That may still be needed but hopefully not nearly as often.

Thursday 24 August 2017

Hot potato or mash?

I'm currently working on a couple of interrelated matters concerning ISO/IEC JTC 1/SC 27 business. One is the possibility of renaming and perhaps re-scoping the committee's work. The other is a study period exploring cybersecurity.

They are related because cyber is a hot potato - a bandwagon no less. Some on the committee are raring to disable the brakes and jump aboard.

When asked to describe what cybersecurity is, one expert replied "Budget!". That's more than just a cynical retort. Cyber risk, cyber security, cyber threats, cyber attacks, cyber incidents and cyberinsurance are all over the headlines. Several countries have invested in cyber strategies and units. There is money in cyber, so that's a good thing, right?

As I've said before, the focus on cyber is problematic for several reasons, not least distinctly different interpretations of the very term, a gaping chasm separating two distinct domains of understanding:
  1. In informal use (including most journalists and commentators in the blogosphere), cyber means almost anything to do with IT, the Internet in particular. The primary concerns here are everyday hackers and malware (or rather "viruses").
  2. In (some?) government and defense circles, cyber alludes to cyberwar, meaning state-sponsored extreme threats exploiting all means possible to compromise an enemy's critical infrastructures, IT systems, comms, economy and society. Compared to the other interpretation, this off-the-scale nastiness requires a fundamentally different approach. Firewalls and antivirus just won't cut it, not by a long chalk. If anything, those everyday hackers and malware are a source of chaff, handy to conceal much more insidious compromises such as APT (Advanced Persistent Threats) and malicious processor hardware/firmware. Authorities stockpiling rather than disclosing vulnerabilities, and building red teams like there's no tomorrow, hints at what's going on right now.
As if that's not enough, every man and his dog is either coming up with his own unique definition or ducking the issue by remaining (deliberately?) vague and imprecise. There's little consensus, hence lots of confusion and talking at cross purposes.

It is entirely possible that SC 27 might find itself lumbered with the cyber moniker because it's sexy, in which case those different interpretations will have to be addressed at some point. Unfortunately a precedent has been set by ISO/IEC 27032 which unhelpfully refers to "the Cyberspace" - in practice a curious mashup of the Internet and virtual worlds. Quite bizarre.

Worse still, even the cyberwar version of cyber implies it is all about technology: since IT systems, networks and data are the concern, it is implied that technical controls are going to save the day.

My concern is that by going down the cyber alley, the committee, and hence the ISO27k standards, may neglect the rest of information risk and security beyond the technology. Consider these examples:
  • The Bradley/Chelsea Manning and Edward Snowden incidents were information incidents but not cyber attacks (at least not as most people would define and use the term) and yet clearly they caused immense damage.
  • Many common-or-garden frauds and scams either don’t involve IT at all, or the IT aspect is incidental. They are targeting people, not (just) computers. If someone tricks a corporate financier or a little old lady to authorize or make an inappropriate payment, does it matter whether they are coerced into submitting the transaction online or popping down to the bank branch with a cheque? Would cybersecurity stop naïve investors being taken in by fake lotto wins, or pump-n-dump, penny-stock or pyramid schemes? Somewhere here I have a ‘419’ advance fee fraud letter sent to me in the post in the 80’s, before the Internet and email were invented.
  • Piracy and counterfeiting is an enormously costly issue globally: again, cyber plays an incidental role in intellectual property theft. Those container loads of fake Nike trainers arriving at the ports are not cyber attacks. Is it a cyber crime when a new employee brings with them a head-full of trade secrets from their previous employers, plus a box of business cards for all their business contacts?
  • Is it a cyber crime when someone uses a fake library card to fool a utility into posting them a bill that they use to set up a credit account and … later … join a government department or apply for a passport? Identity theft existed long before computers were invented. It’s a rare CV that doesn’t at least bend the truth, and I’m sure many claimed courses, qualifications and work experiences are entirely fictitious.
  • The secret services will always use conventional tradecraft such as pickpocketing/theft, infiltration and coercion, as well as cyber means. By the way, is ‘cybertage’ (sabotage targeting IT by any means including physical attacks using, say, bombs or electromagnetic pulses, not just hacks and malware) part of your remit, particularly for highly exposed critical infrastructure such as comms, power and water systems?
  • The recent brouhaha over fake news and Russian involvement in the US presidential elections is, I’m sure, just the tip of the iceberg. Propaganda and control of the media have always been key tools to influence and manipulate the population. Political parties still use leaflets and posters and house-to-house appearances plus TV and radio advertisements to supplement their online campaigns. These are not so much cyber as societal concerns involving information, very topical here with a general election looming.
  • Substantial or total shutdown or failure of GPS and the Internet are credible scenarios in the event of global conflict (cyber war or terrorism or whatever), with horrendous consequences. There are so many vulnerabilities in our IT systems that compromise on a massive scale is not just possible but highly likely, almost certain I’d say, rendering them untrustworthy. What happens if/when, despite all our efforts, the cyber controls plus the IT systems and networks fail – what then? What if, say, ISIS or Anonymous or a superpower holds the entire cyber economy to ransom, instead of just individual organizations? Continuity management has implications at personal, organizational, national and global levels.

Wednesday 23 August 2017

Information Security outreach



Further to yesterday's ISO27k Forum thread and blog piece, I've been contemplating the idea of extending the security awareness program into an "outreach" initiative for Information Security, or at least viewing it in that way. I have in mind a planned, systematic, proactive approach not just to spread the information risk and security gospel, but to forge stronger, more productive working relationships throughout the organization, perhaps even beyond.

Virtually every interaction between anyone from Information Security and The Business is a relationship-enhancing opportunity, a chance to inform, communicate/exchange information in both directions, assist, guide, and generally build Information Security's credibility and brand. Doing so has the potential to:
  • Drive or enhance the corporate security culture through Information Security becoming increasingly respected, trusted, approachable, consulted, informed and most of all used, rather than being ignored, feared and shunned (the "No Department");
  • Improve understanding on all sides, such as identifying business initiatives, issues, concerns and demands for Information Security involvement, at an early enough stage to be able to specify, plan, resource and deliver the work at a sensible pace rather than at the last possible moment with next to no available resources; also knowing when to back off, leaving the business to its own devices if there are other more pressing demands, including situations where accepting information risks is necessary or appropriate for various business reasons;
  • Encourage and facilitate collaboration, cooperation and alignment around common goals;
  • Improve the productivity and effectiveness of Information Security by being more customer-oriented - always a concern with ivory-tower expert functions staffed by professionals who think they (OK, we!) know best;
  • Improve the management and treatment of information risks as a whole through better information security, supporting key business objectives such as being able to exploit business opportunities that would otherwise be too risky, while complying with applicable laws and regulations.
Aside from the opportunity, there's also a relationship-harming risk, if (when!) we get those interactions wrong - an information risk that can be treated in the conventional manner:
  • We can't totally avoid the risk, short of becoming isolated hermits which would render Information Security pointless and worthless;
  • However, we could emphasize productive interactions and try to cut down on unproductive ones maybe - a form of risk mitigation. We could also be more proactive in this area, for example making sure that Information Security people have the skills and aptitude for forming and maintaining productive relationships with the rest of the business, and the good sense to recognize and respond when things are not going well. Measuring the strength of its business relationships with various other functions or business units would help Information Security improve them systematically where appropriate, implying the value of relationship metrics;
  • We could share the risk by collaborating with other risk and assurance functions when interacting, especially the ones that have strong relationships throughout the business. We can learn from and support them, and vice versa. We might also share the risk with the general business by persuading general management that strong internal relationships to specialist functions are valuable assets, worth investing in (e.g. if you are thinking about employing security consultants or taking advice from vendors on security matters, come to us first: we may well be able to assist directly, or broker your supplier relationships);
  • We are forced to accept any remaining untreated information risk, like it or not ... but that's not the end of the story. In the event of relationship issues, we could put in place arrangements to deal with them as effectively and efficiently as possible - such as having escalation routes to management, perhaps even incident management or contingency plans in this area. The metrics I mentioned should give us early warning of impending problems, avoiding nasty surprises.
All in all, I see a lot of upside potential, and the downsides can be managed. This idea looks like a winner to me. What do you think?

Tuesday 22 August 2017

What to ask in a gap assessment



A disarmingly simple question on the ISO27k Forum this morning set me thinking. "RP" asked:
"Does anybody have a generic [set of] high level questions for business departments other than IT, that can be asked during gap assessment?"
As is so often the way with newcomers to the Forum, RP evidently hasn't caught up with past Forum threads (e.g. we recently chatted about various forms of gap analysis, and the markedly different ways that people [including dentists!] use and interpret the term), paid scant attention to forum etiquette (e.g. he/she didn't tell us his/her name), and provided little to no context in which to address the question (e.g. what size and kind of organization is it? What industry/sector? Does it have a functional, certified and mature ISO27k ISMS already, is it working towards one, or is RP just idly thinking about it over coffee?).

Despite that, a couple of us responded as best we could, making assumptions about the context, the meaning and purpose of the 'gap assessment', and RP's situation. I suggested posing questions along these lines:
"What kinds of information do you use? Tell me more. Which is the most important information for your business activities, and why? What would happen if it was lost, damaged, out of date, inaccurate, incomplete, misleading, fraudulent, or disclosed e.g. on the Web?
Roughly how much of the information you handle is classified? How much is SECRET/TOP-SECRET? [You’d probably need to be security cleared, and have management support, to get a meaningful answer to that!]
What information do you generate? What happens to it? Where does it go? Who uses it, and for what? Would it matter to them if it stopped coming, or was late, or inaccurate, or incomplete, or was disclosed on the Web?
When was the last time you examined your information risks? What was the result? Show me! What changed as a result?
When was the last time you completed a business impact analysis and business continuity planning? Show me! When were your plans last exercised? I’d like to see the results and actions arising. How would you cope if something drastic happened that wiped out your IT systems and data? What about information and IT services, not least your ISPs and CSPs?
What are you doing to protect/secure information that matters to your department? How confident are you that it is adequately secured?
Tell me about your information security incidents. [If they say “We’ve had none”, you should be worried!] What happened? How long was it before you found out about them? How much damage was caused? What changed as a result?
Are there any laws, regulations, contracts or agreements relevant to information, security, privacy, governance etc. that apply or concern your department? How do you ensure compliance?
When did you last:
  • Review system/network/app access rights for your department?
  • Check that your backups and archives are usable?
  • Consider what would happen if you unexpectedly lost one or more key people?
  • Confirm that all your IT systems and devices and services are patched, secured, monitored etc.? [If the answer is ‘Just before the end of 1999', worry again!]
  • Participate in a risk workshop, awareness seminar, security-related training course, business continuity exercise, post-incident review, management review, or IT audit?
  • Speak to your colleagues about information risk and security matters?
  • Report an information security incident or near-miss?
  • Check for fraud?
On a percentage scale (where 0% means not at all and 100% means perfectly), how well would you say you understand:
  • Information risk and security, as a whole?
  • Privacy?
  • Business continuity?
  • Governance?
  • The corporate strategy on information risk and security?
  • Company policies and procedures in this area?
  • What I am doing and why I’m here?"
My friend Anton Aylward suggested a more elegant approach. He would simply start by asking:
"Do you have a set of policies? If so, show me."
Anton quite rightly pointed out that I had made several implicit assumptions in my questions. I also displayed my usual bias towards information risk (not just cyber), being overtly business-driven, and using metrics. I acknowledge all that. It's no secret. It's just how I am.

Anton's simple question and classic auditor request is a starting point. If it turns out they have no [information security-related] policies [and procedures and guidelines], he suggests no response other than perhaps hinting at 'Turn around, walk away, shaking head'! If they have policies, those policies should guide and determine what they ought to be doing, so examining the documentation would provide a basis for follow-up checks and questions (such as mine, or not: actually it's contingent on the requirements stated in the documentation).

I should mention that greybeard Anton has done a lot of audit work. "Show me!" is the #1 audit mantra, backed with a subtle whisper of "Prove it!" leading to the chorus "Go ahead, make my day!"

Establishing requirements is a necessary first stage for many audits, particularly in the case of 'compliance audits' of course. But RP was asking about 'gap assessments' not 'compliance audits': I could be wrong but I don't think that's quite what RP meant.

Re-examining my response and Anton's, it occurred to me that I had made another implicit assumption based on the apparent naivete of RP's question. I assumed RP was new to the game, perhaps about to make his/her first ever foray from IT into The Business - a scary step beyond the comfort zone for most technologists. There be dragons.

Assuming that is indeed the situation, RP taking a genuine interest in what’s important to the business people would be a good foundation for future working relationships. Arguably, finding out about the business (particularly the associated information risks) and forging business relationships is an even more fundamental and valuable starting point than getting answers to generic or customized ‘gap assessment’ questions. Turning this on its head, someone asking business people seemingly inane, inappropriate and presumptive questions is likely to annoy them, potentially harming the prospects of ever forming a productive and open relationship between the business and RP plus the IT or Information Security function RP presumably represents. In my book, that's an information risk worth treating carefully.

If I remember, I'll extend that point another time. In some ways, security awareness is Information Security's business outreach program. Hmmm. By all means remind me about this later.

    Monday 21 August 2017

    Internal Control Questionnaires


    Further to yesterday's blogging, I normally prepare Internal Controls Questionnaires to structure and record my audit fieldwork. As the illustrative extract above shows, these work nicely as landscape tables in MS Word with the following 4 columns:
    1. Check: these are the audit tests, written before the audit fieldwork starts. As well as the classic audit 'show me' and 'tell me about ...', I much prefer open-ended questions and general prompts such as 'check', 'review' and 'evaluate'. ICQs are intended to be used by reasonably competent and experienced auditors, not spouted verbatim by novices.

    2. SWOT: these record the auditor's first impressions - an initial evaluation of the findings. Is this area a Strength (the findings are good, risks well under control), a Weakness (there are some issues but nothing too desperate), an Opportunity (generally meaning an ‘opportunity for improvement’ i.e. a change that will benefit the business) or a Threat (a significant risk or concern that ought to be addressed in order to avoid a serious incident)?

    3. Notes: briefly state the audit findings. Factual evidence is crucially important to the audit process, and needs to be recorded carefully. For example, I sometimes quote the precise words spoken by auditees in audit interviews, and incorporate or cite relevant extracts from policies, procedures, logs, reports etc. The auditor's comments and interpretation are a valuable output too (e.g. explaining the context and possible consequences), but strong facts speak for themselves and are hard to deny.

    4. Ref: references to hardcopy evidence held in the audit file, all neatly sorted and indexed (by the end of the fieldwork, anyway – I’m often too busy and disorganized before that!). Referencing facilitates many-to-many mapping e.g. several documents (such as policies or interview notes) may be cited from several relevant parts of the ICQ. It's also useful as a check for completeness (is every finding supported by evidence? Also, was something useful gleaned from every audit interview and document review?).
    The rows systematically cover the audit scope area, with a sensible structure and generally just a handful of headings, derived from the earlier audit risk analysis and planning stage.

    Down at the bottom of the ICQ table are 4 rows to summarize the main findings (the most important Strengths, Weaknesses, Opportunities and Threats – these will probably feed into the audit report and presentation) and a final row for an initial conclusion and perhaps recommendations (which also feed into the audit report and executive summary, but usually get modified later once I’ve had time to think more carefully about the audit, and talked it through with audit colleagues plus management).
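
    As an added example (an editor's illustration, not the author's own Word template), here is the ICQ layout above expressed as a small Python record, with the completeness checks the Ref column is meant to support: findings that cite no evidence, references pointing at nothing in the file index, and evidence that was collected but never cited. The scope, rows, SWOT ratings and evidence items are constructed purely to show the structure.

```python
"""Internal Controls Questionnaire (ICQ) as a structured record with the
completeness checks the Ref column supports. Added example; the scope, rows
and evidence entries below are constructed, not from a real audit."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass, field

SWOT_CODES = {"S": "Strength", "W": "Weakness", "O": "Opportunity", "T": "Threat"}


@dataclass
class Evidence:
    """One indexed item in the audit file (policy, interview note, log extract)."""
    ref: str
    description: str


@dataclass
class IcqRow:
    """One row of the ICQ table: Check | SWOT | Notes | Ref."""
    item: str                      # position in the scope structure, e.g. "2.1"
    check: str                     # the audit test, written before fieldwork
    swot: str = ""                 # S/W/O/T once a first impression is formed
    notes: str = ""                # factual findings, quotes, cited extracts
    refs: list[str] = field(default_factory=list)  # Evidence.ref values


@dataclass
class Icq:
    scope: str
    rows: list[IcqRow]
    evidence: dict[str, Evidence]  # the audit file index, keyed by ref

    def unsupported_findings(self) -> list[str]:
        """Rows with a recorded finding but no evidence reference at all."""
        return [r.item for r in self.rows if r.swot and not r.refs]

    def dangling_refs(self) -> list[tuple[str, str]]:
        """(row, ref) pairs that cite something missing from the file index."""
        return [(r.item, ref) for r in self.rows
                for ref in r.refs if ref not in self.evidence]

    def uncited_evidence(self) -> list[str]:
        """Evidence gathered but never cited: was anything gleaned from it?"""
        cited = {ref for r in self.rows for ref in r.refs}
        return sorted(ref for ref in self.evidence if ref not in cited)

    def invalid_swot(self) -> list[str]:
        """Rows whose SWOT cell holds something other than S, W, O or T."""
        return [r.item for r in self.rows if r.swot and r.swot not in SWOT_CODES]

    def summary(self) -> dict[str, list[str]]:
        """The bottom summary rows: findings grouped by S/W/O/T for the report."""
        grouped: dict[str, list[str]] = defaultdict(list)
        for r in self.rows:
            if r.swot in SWOT_CODES:
                grouped[r.swot].append(f"{r.item}: {r.notes}")
        return dict(grouped)


def build_sample_icq() -> Icq:
    """Constructed ICQ for a small policy-framework audit (illustrative only)."""
    evidence = {e.ref: e for e in (
        Evidence("E1", "Information security policy v3.2, approved by CIO"),
        Evidence("E2", "Interview notes, Head of HR"),
        Evidence("E3", "Policy acknowledgement report from the LMS"),
        Evidence("E4", "Interview notes, Service Desk lead"),
    )}
    rows = [
        IcqRow("1.1", "Show me the approved information security policy.", "S",
               "Policy exists, approved and under version control.", ["E1"]),
        IcqRow("1.2", "Check how new starters are made aware of the policy.", "W",
               "HR: 'we email it; nobody checks whether they read it'.", ["E2", "E3"]),
        IcqRow("2.1", "Review how policy exceptions are approved and recorded.", "T",
               "No exception register; exceptions agreed verbally.", []),
        IcqRow("2.2", "Evaluate whether the policy is reviewed on a schedule.", "O",
               "Annual review required by the policy, last review overdue.", ["E5"]),
    ]
    return Icq("Information security policy framework", rows, evidence)


if __name__ == "__main__":
    icq = build_sample_icq()
    print("Findings without evidence:", icq.unsupported_findings())
    print("References with no file entry:", icq.dangling_refs())
    print("Evidence never cited:", icq.uncited_evidence())
    for code, items in icq.summary().items():
        print(SWOT_CODES[code], "->", items)
```

    Run before closing the audit file: anything reported by the three completeness checks is either a missing evidence reference, a mis-indexed document, or an interview that contributed nothing to the findings and deserves a second look.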

    While other auditors have their own ways of working, the above approach suits me. It evolved over about 2 decades slogging away in the audit trenches. YMMV.

    Friday 18 August 2017

    Security culture through awareness


    That sums up our approach to using security awareness as a mechanism to foster a 'culture of security'. In the spirit of yesterday's blog, rather than wax lyrical, I'll let the diagram speak for itself. 'Nuff said.

    Thursday 17 August 2017

    InfoSec 101 for management

    Today I've revised the management seminar for Information Security 101. Given our deliberately wide brief, there's quite a lot to say even at the relatively superficial 101/introductory level, so we're using thought-provoking pictures (mind maps, process diagrams and conceptual imagery) in place of reams of text and tedious bullet points. The whole seminar works out at just 12 slides ... at least that's the management seminar slide deck we'll be providing to subscribers. They can adapt the content, perhaps incorporating extras or indeed cutting back on the supplied content - and that's fine by us.

    In fact, more than that, we actively recommend it! 

    Much as we would like to offer awareness materials tailored for each customer, we simply don't have the resources. For starters, we would need to spend time getting to know and then keeping abreast of each customer's specific circumstances and needs ... and being information security related, there are confidentiality implications in that. Instead, we prefer to invest in research and development of high-quality cutting-edge awareness content, delivering editable materials that our valued customers can customize as they wish.

    Keeping up with the field is quite a challenge, a fun one for us. In the 3 years or so since the InfoSec 101 module was last revised, we've witnessed the rise of BYOD, ransomware and cybersecurity. Current issues include IoT security and, looking forward, GDPR is set to make big waves in privacy in less than a year's time.

    Most months we encourage customers to check and update their induction and other training course materials, picking and choosing from each new batch of NB content as appropriate. On a more subtle level, we're gently hinting that they should be proactively maintaining and refreshing their awareness and training content as a whole because outdated material can literally be worse than useless. 

    If you work for a mid- to large-sized fairly mature organization, chances are your security awareness content includes stuff that is no longer relevant and misses out on emerging issues, even if you have someone dedicated to running the awareness and training program. If you are in a small organization with very limited resources, or one that depends on course materials updated 'whenever, if-ever', is it any surprise if newcomers get the impression that information security is unimportant, not a priority?

    Wednesday 16 August 2017

    NIST SP800-53 draft v5

    The public draft of NIST SP800-53 revision 5 is worth checking out.

    Major changes in this draft:
    • "Making the security and privacy controls more outcome-based by changing the structure of the controls;
    • Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls;
    • Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;
    • Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
    • Clarifying the relationship between security and privacy to improve the selection of controls necessary to address the full scope of security and privacy risks; and
    • Incorporating new, state-of-the-practice controls based on threat intelligence and empirical attack data, including controls to strengthen cybersecurity and privacy governance and accountability."
    Comments are invited by September 12th to NIST.

    NIST’s evolving Cybersecurity Framework is also worth a look. Although it's a little too cyber-centric for my liking, it has application well beyond the critical US national infrastructure for which it is intended (e.g. organizations have their own 'critical infrastructures'). I suspect the Framework Core Structure (particularly the 5 functions corresponding to the timeline of an incident) may be one of several ways to 'tag' controls in the next release of ISO/IEC 27002:

    Tuesday 15 August 2017

    Work goes on


    We've updated more stuff for the Information Security 101 module today:
    • 8 two-page case studies based on commonplace incidents; 
    • 13 one-page scam alerts on common scams (yes, 13); 
    • Generic job descriptions for an Information Security Awareness Manager, plus an Awareness Officer, and Awareness Contacts (part timers, distributed throughout the organization). 
    Ticks are appearing and darkening on the contents listing at a reasonable rate.

    Meanwhile, over on the ISO27k Forum, we've been discussing terminology and the pros and cons of various information security frameworks, and CISSP Forum has been yakkin' about quantum crypto key exchange and fake news.  

    Oh and we've arranged for the tractor repair man to come over tomorrow to fix a broken valve and solenoid, and I popped down to the vet for antibiotics for 3 sick animals.

    Quite a varied and productive day, all in all.

    Monday 14 August 2017

    Why infosec?

    Today I'm revising the Information Security 101 presentation for general employees, starting with a brief introductory slide addressing questions along the lines of "What's the point of information security?" and "Why are you even telling me about it?".

    It's not as easy as you might think to answer such fundamental questions, simply, for someone who may have no background or interest in the topic. So I went Googling for inspiration, and came across this neat list of infosec benefits from a company called Global Strategic:
    • Demonstrates a clear commitment to data security - including confidentiality and strict accessibility rules;
    • Provides procedures to manage risk;
    • Keeps confidential information secure;
    • Provides a significant competitive advantage;
    • Ensures a secure exchange of information;
    • Creates consistency in the delivery of our services;
    • Allows for inter-operability between organizations or groups within an organization;
    • Builds a culture of security;
    • Protects the company, assets, shareholders, employees and clients;
    • Gives assurance that a third party provider takes your data security (and your business) as seriously as you do.
    Some of those are not terribly helpful for our awareness purposes. A benefit of information security is security or protection [of information], yes, but that's obvious from the phrase! It doesn't move us forward.

    Risk management is definitely a core purpose of infosec. I'm not keen on the idea that infosec 'provides procedures' though. Infosec is an overall approach, rather than simply a set of procedures or processes. "Infosec lets us manage risks" is closer to the mark, I think, or maybe "We use infosec to manage information risks". Hmmm.

    Competitive advantage is another good one, although I think I would prefer to talk about 'enabling the business'. Whereas managers are presumably familiar with the concept of competitive advantage, I'm not sure about general employees. 'Enabling' is a fairly complex concept too, so "Infosec is good for business" would be an even better way to express it.

    Re the notions of securely exchanging information and inter-operability: those seem quite narrow and specific to me - parts of infosec, for sure, but arguably too obscure for a relatively naive audience. They are technocentric, too, whereas we are keen to position infosec more broadly than just IT or cybersecurity. 

    Consistency of service delivery reminds me of the CIA triad, an important point since most people naturally think infosec is just about secrecy. I'll have to figure out how to put that, if at all.

    I like the point about infosec building 'a culture of security', although it is arguably too vague. We can express the notion as "The way we do things here".

    Assurance is yet another important but fairly obscure concept. In plain language, 'trust' is simpler. Infosec is about building (generating and maintaining) trust, being able to trust the organization.

    Aside from those points, what else might we say? Maybe something about safety? Compliance is another key driver, well worth mentioning I think.

    I'll revise the PowerPoint slide and speaker notes accordingly, and will continue refining the messages as I continue researching and contemplating this topic. Meanwhile, there are about a dozen more slides to update in that presentation, and several more presentations to revise. It's easy for this perfectionist to get completely bogged-down! 

    Sunday 13 August 2017

    Updating

    Another basic information security practice is updating things e.g.:
    • Patch promptly (update software)
    • Lock-n-load (physical security)
    • Counter cons (social engineering)
    • Nuke nasties (update antivirus) 
    • Read rules (security policies)
    Those short alliterative phrases are memory-joggers to catch people's imagination and remind them about the things they ought to be doing regularly.

    Conspicuously missing from the list is changing passwords: once upon a time, it was generally accepted practice to force people to change their passwords every few weeks or months. I have never quite understood the rationale for this. It takes effort to think up and commit to memory yet another strong password, and there are security costs when people forget their passwords, so what's the benefit? I suppose it might frustrate someone who has been surreptitiously watching a colleague enter their password every day, trying to figure out what they are typing ... but really? Arguably it would reduce the success rate of repeated brute-force password guesses - that ought to be triggering alarms anyway. I just don't get it and nor, now, does NIST:
    "Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
    That comes from NIST Special Publication 800-63B - Digital Identity Guidelines: Authentication and Lifecycle Management, published in June and recently picked up by the security press.

    The list of things to include in the Information Security 101 awareness/training module is becoming clearer by the day.

    Saturday 12 August 2017

    Passwords, again



    A survey of password security on 48 popular websites [by a company selling a password vault system] 'reveals' that several don't enforce password parameters [that pretty much any password vault system would fulfill]. It also reveals an issue for online organizations whose users may or may not use password vaults.

    With a click or two, users with password vaults can easily generate and regurgitate very long, complex, unique passwords, no problem. Sensible vault users don't particularly care what password parameters websites define, just so long as the sites don't unduly constrain their choice of long, complex, unique passwords. From my perspective, sites that prevent me choosing passwords longer than, say, 16 characters, or passwords with spaces, punctuation and other "special" characters, are intensely annoying, and also very revealing: such organizations are evidently not clued-up on user authentication. They are inadvertently whispering "Hack us!".

    On the other hand, non-vault users need their passwords to be easy enough both to generate and remember. Often that means short, simple passwords, typically the same or similar across multiple sites. They - the users - are the limiting factor. 

    Websites that let users set weak passwords are asking for trouble in terms of low-assurance user authentication. 

    On the other hand, websites that demand strong passwords are also asking for trouble from users who can't be bothered, or can't remember their passwords, or write them down, or ... whatever.

    The managers behind those websites are therefore stuck between a rock and a hard place.

    Some try to deal with this issue by displaying 'password-strength-o-meters', those bars that head from red through orange to green as passwords grow stronger - at least, we presume so. Since there is no universal standard for password strength-o-meters, we can only guess at what they are indicating ... in just the same way that the 'researchers' who produced the 'survey' arbitrarily chose 5 parameters to 'research'.

    There might be a better way to deal with this, namely a kind of captcha or automated test to determine whether the person behind the screen has the benefit of a password vault, or not. If so, let the vault take the strain. If not, the users need all the help they can get. A password complexity metric is one approach since people are so much worse (and slower!) at generating long, complex passwords than machines.
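
    As an added example that is not part of the original post, the following Python contrasts the over-restrictive site policy described above (a 16-character cap, no spaces or punctuation, composition rules) with a verifier modelled on the NIST SP 800-63B text quoted under 'Updating': length as the only rule, every printing character accepted, a blocklist of commonly used or compromised passwords, and a change forced only on evidence of compromise rather than on a calendar. It also includes the rough complexity metric the post suggests for non-vault users. The blocklist entries, sample passwords and function names are constructed for illustration; nothing here is a specific site's implementation.

```python
"""Memorized-secret acceptance rules: an over-restrictive legacy policy versus
one modelled on NIST SP 800-63B section 5.1.1.2, plus a crude complexity metric.
Added example: blocklist entries and sample passwords are constructed."""
from __future__ import annotations
import hashlib
import math
import string
import unicodedata

# Constructed stand-in for a breached/common-password corpus; a real verifier
# loads a large list. Kept as hashes, as such lists usually are.
BLOCKLIST_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "123456789", "qwerty123", "letmein!")
}


def legacy_check(pw: str) -> tuple[bool, str]:
    """The kind of policy the post objects to: a 16-character cap, ASCII letters
    and digits only (no spaces or punctuation), and composition rules."""
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if len(pw) > 16:
        return False, "longer than 16 characters"
    if not pw.isascii() or not pw.isalnum():
        return False, "spaces, punctuation and non-ASCII characters are rejected"
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)):
        return False, "must mix lower case, upper case and digits"
    return True, "ok"


def nist_check(pw: str, min_len: int = 8, max_len: int = 64) -> tuple[bool, str]:
    """800-63B style: length is the only rule, every printing character (spaces
    and Unicode included) is accepted, and the candidate is screened against a
    blocklist. No composition rules and no periodic expiry."""
    pw = unicodedata.normalize("NFKC", pw)   # normalise before counting or hashing
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(pw) > max_len:                     # a cap is allowed, but 64+ must be accepted
        return False, f"longer than {max_len} characters"
    if any(unicodedata.category(c).startswith("C") for c in pw):
        return False, "control/format characters are not printable"
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in BLOCKLIST_SHA1:
        return False, "appears in the list of commonly used or compromised passwords"
    return True, "ok"


def needs_rotation(age_days: int, compromise_evidence: bool) -> bool:
    """Change decision per the quoted guidance: age alone never forces a change;
    evidence of compromise always does."""
    del age_days  # deliberately ignored: no arbitrary periodic expiry
    return compromise_evidence


def estimate_bits(pw: str) -> float:
    """Crude complexity metric: len * log2(size of the character classes present).
    An upper bound on the search space, not a guessability score: a dictionary
    phrase scores far higher than the effort a guesser would actually need."""
    classes = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation + " ", 33))
    alphabet = sum(size for chars, size in classes if any(c in chars for c in pw))
    alphabet += len({c for c in pw if not c.isascii()})  # each distinct non-ASCII symbol
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def compare(pw: str) -> dict[str, object]:
    """Side-by-side verdict for one candidate under both policies."""
    return {"legacy": legacy_check(pw)[0], "nist": nist_check(pw)[0],
            "bits": round(estimate_bits(pw), 1)}


if __name__ == "__main__":
    for sample in ("Tr0ub4dor", "correct horse battery staple",
                   "P@ssw0rd!", "letmein!", "Pässwörter sind toll"):
        print(f"{sample!r:32} {compare(sample)}")
```

    The contrast the demo prints is the post's point in miniature: the vault-friendly passphrase and the Unicode sentence pass the 800-63B check and fail the legacy one, while the blocklisted entries fail the 800-63B check regardless of how 'complex' the metric says they are.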

    Friday 11 August 2017

    Password awareness

    Passwords qualify as a basic cybersecurity control, so what should we be saying about passwords? Two key messages, for sure:
    1. Choose strong yet memorable passwords: easier said than done given the number of systems we are using these days. Longer pass phrases are better, and we have some useful tips on those.
    2. Keep passwords secret. Aside from the obvious 'don't disclose or share your passwords with anyone', phishing is definitely a concern in this area ... but it's tricky to explain succinctly.
    We'd like to recommend password managers or vaults - and we may do so, in the hope that our customers either supply a 'company sanctioned' one, or permit/encourage their people to use them: that's something to bring up in the management awareness stream, along with accountability.

    We could also discuss bad passwords, password cracking/brute force attacks, poorly thought-out system designs that unduly limit password choice, hashing and salting and other controls to protect passwords in storage and when being communicated, and user authentication ... but probably not in the InfoSec 101 module, at least not in the general employee awareness stream. Maybe we will touch on those for the professionals' stream.

    I think that's enough for now. Things may evolve when we write or revise the content, especially as this is just part of the topic area. Phishing, for instance, may lead us into other areas.

    Wednesday 9 August 2017

    Back to basics


    September's awareness content will take a back-to-basics look at information risk and security, with an update to the Information Security 101 module.

    So what are the basics?

    We probably ought to, at some point, introduce the fundamental concepts, principles and approaches such as: 
    • Risk and control, both in general and in the context of information;
    • Governance, management and compliance;
    • The process of identifying, assessing and treating information risks;
    • CIA (confidentiality, integrity and availability) requirements; and 
    • Various types or categories of security control (e.g. preventive, technical).
    Then there are basic security controls, such as:
    • Access controls;
    • Assurance and trust;
    • Backups, resilience and business continuity;
    • Firewalls and network security;
    • Malware controls;
    • Monitoring and oversight;
    • Passwords, identification and authentication;
    • Patching and system security;
    • Policies and compliance;
    • Physical security; and
    • Awareness (naturally).
    Hey, the module is almost writing itself! Pepper the materials with a bunch of everyday examples of information security incidents, breaches and compromises and Bob's your uncle! 

    Errrr, in case you missed it, I'm being cynical. For a start, explaining all that lot above would certainly take a while. Scratch beneath the surface and it gets quite complex and drags on ... which would be a problem in, say, a short employee induction or security orientation session.

    There's a risk of losing or boring the audience ... and that's another thing: 'the audience' is not a homogeneous blob. Our three parallel streams of awareness content cater for staff in general, managers and professionals/specialists, but those are fairly crude distinctions.

    Yet another factor is the organizational context. Our military or governmental clients are in a markedly different situation to, say, those in IT services, finance, healthcare, education, retail or charity. Within each of those industry sectors, some clients are more mature than others. In some organizations, the infosec awareness people would be grateful for awareness opportunities lasting literally just a few minutes. In those with a strong security culture, a few hours on this topic may be feasible.

    All in all, it's far from simple to even specify, let alone create, back-to-basics security awareness content. There's clearly a distinct risk of complexity creeping in.

    One solution might be to cut back savagely on the more advanced aspects - for instance, "passwords, identification and authentication" could become just "passwords". That would work for the staff stream for some clients, but not all. Dropping I&A makes me uncomfortable as an infosec pro. The same concern applies in, say, "access control". 

    Another option would be to focus on the fundamental concepts and axioms that underpin information risk and security management, ignoring the actual controls altogether: conceptual theories might suit the professional stream but would fly way over the heads of most workers. I can picture the eyelids drooping as I complete this sentence!

    So, that's where we are today. As always, I'll be updating the blog most days as the work proceeds. It will be interesting (for me at least!) to see how we surmount the challenge. Do tag along for the ride.