Sunday 15 November 2020

The trouble with dropping controls

I literally don’t understand a question that came up on the ISO27k Forum this week. A member asked:


‘Should a control be discontinued because a reassessment showed a lower acceptable risk score?’ 



I find it interesting to pick apart the question to explore the reasons why I don't understand it, and the implications. See what you think ... 

  • Any control may legitimately be ‘discontinued’ (removed, unimplemented, retired, replaced, modified etc.) provided that change has been duly thought-through, assessed, justified, and deemed appropriate for whatever reasons. It may be important, though, to be reasonably certain that discontinuation is, in fact, in the best interests of the organization, and that’s often hard to determine as controls can be quite complex in themselves, and are part of a highly complex ‘control environment’. A seemingly trivial, unimportant, even redundant control (such as an alert) might turn out to be critical under specific circumstances (where other alerts fail, or were accidentally disabled, or were actively and deliberately bypassed by an attacker or fraudster). So, it may be preferable to ‘suspend’ the control for a while, pending a review to determine what the effects truly are … since it is probably easier and quicker to reinstate a ‘suspended’ control if needs be, than it would have been if the control was completely removed and trashed. A dubious firewall  rule, for example, might be set to 'warn and log only', rather than simply being dropped from the ruleset, the reverse of how new firewall rules can be introduced.  On the other hand, a control that is patently failing, clearly not justifying its existence, is a strong candidate to be removed … and potentially replaced by something better (which opens a whole new topic).

  • A ‘reassessment’ might be a reassessment of the risks, the control, the control effectiveness, the business situation, the compliance obligations/expectations, the alternatives and supporting/compensating controls, or something else:  ‘reassessment’ is a very vague term.  It might mean anything on the range from ‘someone changed their mind’ to ‘a full independent investigation was launched, producing a lengthy report that formally discussed all the options including a recommendation to remove the control, which the management body duly considered and authorized, with various caveats or controls around the way it was to be done …’!

  • ‘Lower acceptable risk’ might mean ‘We reduced our risk acceptance level’ but that’s ambiguous – it could mean that you are accepting a lower level of risk than before (management is more risk-averse) or the polar opposite i.e. the level of risk that can be accepted has been reduced (management is more risk-tolerant)!  More likely, the member who posed the question simply missed a comma, intending to say ‘a lower, acceptable risk score’ suggesting that he have decided the risk does not warrant retaining the control, hence ‘discontinuation’ is an option to be considered, as already discussed. 

  • ‘Risk score’ hints at yet another potential minefield - one I've discussed repeatedly here on the blog. How are risks being ‘scored’, exactly? How certain are you that a reduction in the score genuinely reflects a reduction in the risk? If you are totally happy with your risk evaluation and scoring process, why has this question even arisen? If you have some doubts or concerns about the process, discontinuation of a control may not be a sensible approach without additional assurance and assessment, and perhaps the ability to reinstate the control efficiently if it turns out to be needed after all.

  • More generally, removal of, or deliberate decisions not to implement, controls can be a challenging, problematic concept for risk-averse information security professionals. We are naturally biased towards risk reduction through controls. It’s an inherent part of our mind-set, a default approach.  The rest of the world does not necessarily think the same way! To ‘a level-headed business person’, controls may be perceived as costly constraints on business … which means they need to be justified, appropriate and necessary, and worth having i.e. they have a positive net value to the business (benefits less costs, ideally taking full account of ALL the benefits and ALL the costs). Ineffective controls, then, have a negative net value (no benefits, only costs) and are clearly candidates for removal … but removing controls is itself an activity that has risks, costs and benefits too.

That's a confusion of complexity and doubts arising from such a short question! Am I seriously over-thinking it? Well, yes, maybe I am. Still, it amuses me to exercise my grey matter, and I hope I've stimulated you to dig a little deeper when you see a question that furrows your brow. I've said before that some of the most insightful discussion threads on ISO27k Forum arise from seemingly naïve or trivial questions that might easily have been overlooked.