Wednesday 31 May 2023

Responding to security questionnaires

Over the past decade or so, 'supplier questionnaires' have become A Big Thing in the business world.

Organizations have long appreciated that there are risks associated with doing business (well, fancy that!) and most quite reasonably wish to mitigate those risks, particularly in business-to-business relationships. Increasingly that involves checking out prospective suppliers' information security and privacy arrangements* as part of the supplier evaluation, selection and contracting process. A common approach is to ask prospective and current suppliers to complete security/privacy questionnaires. Being self-assertions by organizations with an obvious interest in securing the business, the assurance value of questionnaires is limited although it may be reinforced by suitable legal wording in the contracts and agreements arising: essentially, the suppliers formally confirm that their questionnaire responses are accurate, complete and valid, and/or formally accept their security and privacy obligations going forward. 

That's all very well from the customer perspective, but what about the prospective suppliers? Aside from the administrative overhead of answering numerous and often lengthy questionnaires, there's the issue of being pressured into disclosing sensitive and valuable information. Remember, this step is often before contracting or building mutual trust through productive working relationships.

* By the same token, if an organization intends to disclose or share sensitive or valuable information with its partners, customers or the authorities, it ought to be every bit as concerned about the recipients' information security and privacy arrangements before proceeding.

Tuesday 30 May 2023

BCM for WFH

Hurricane-damaged house

Since home and mobile workers rely on IT to access critical business systems and corporate data, and to communicate with others, organisations need a robust IT network infrastructure that extends to workers' homes or wherever they hang out. If, in reality, the infrastructure turns out to be fragile and unreliable, business activities are likely to be equally fragile and unreliable, leading to frustration and grief all round. In other words, the extended IT infrastructure is quite likely business-critical.

Working From Home or on the road can increase various information risks relative to conventional office-based work, due to factors such as:
  • Use of cloud computing services*;

  • Workers using their own or shared devices and internet connections for work purposes, raising questions about their suitability and security, ownership of and access to any intellectual property or personal information on them;

Thursday 25 May 2023

Novel insider threat

A post on LinkedIn this morning led me to a news piece about an IT professional's attempt to divert/steal his employer's payoffs for a ransomware infection, back in 2018.

According to the article, his attempt ultimately failed, largely due to his inept and naive execution ... but I have not come across this particular insider threat before. It was a new one on me, a man-in-the-middle attack layered on top of the ransomware.

Tuesday 23 May 2023

Incident notification procedure [UPDATED x2]

I have developed a generic procedure documenting the incident notification process for sale through SecAware.

I'm surprised how involved, complex, time-boxed and fraught the disclosure process turned out to be - depending, of course, on the nature and scale of the incident (perhaps a ransomware or malware infection, privacy breach, hack or fraud), who needs to be informed about it, and how to do so.

Thursday 11 May 2023

Metrics episode 3

Lately, I've read a couple of articles complaining that metrics are driving things inappropriately, either stating or implying that metrics should be abandoned.

It's pretty obvious (if you think about it) that measuring the wrong things is - at best - a pointless waste of effort, and potentially harmful if it leads things in the wrong directions, taking attention from the things that truly matter.  

Likewise, measuring the right things in the wrong way leads to disappointment and frustration.  

However, neither of those issues is a valid argument to stop measuring. They are good reasons to measure the right things competently, easier said than done maybe but surely better than the alternative.

I've already mentioned which are the right things to measure: the Things That Truly Matter. Of course that is context-dependent, and changes over time ... so one approach is to consider the organisation's long-term (strategic), mid-term (tactical) and short-term (operational) objectives. For bonus points, recognise that those are linked, not independent variables: operating activities support the achievement of tactical goals and strategic objectives.

Measuring things competently implies using the appropriate measurement approaches to gather, analyse, report, and most of all use metrics sensibly. A useful approach here is to work backwards along that sequence: how and what the metrics will ultimately be used for determines what needs to be reported (along with how, by whom, when and in what format), indicating the need for suitable statistics and commentary, hence a reasonable specific demand for raw data on the subject matter. 

OK, I'll leave it there for today. There's a chainsaw with my name on it, and a couple of trees in the wrong places. 

Metrics episode 2

In the management context, measuring requires that we consider aspects such as:

  • What is important: what do we need to achieve/avoid and, by implication, what is not [so] important, the stuff we can afford to ignore or perhaps monitor passively. Score bonus points for determining importance specifically in relation to achievement of the organisation's business objectives, goals, aims, purposes, visions, missions, targets, strategies, plans, future state or whatever, given that I'm talking about measuring in the corporate management context. There is clearly a strong emphasis on the future here, although where we are now and how we got here may also have some relevance (e.g. if the organisation has done particularly well in innovation or market penetration or resilience or whatever, management should probably retain and protect those capabilities, ideally enhance and build upon them - avoid inadvertently harming them anyway).

  • What does 'success' look like: develop a deeper understanding of the desired future state, elaborating on the meaning of and characteristics behind 'successful'.

  • What are our levers: the relevant factors or aspects that we will attempt to set/manage/control.

  • How will we know whether our actions are having the desired effect: what changes do we anticipate, and for those what are the possible indications or signs of changes.

  • What shall we measure: along with related issues such as how and when and who will measure, and conversely what can we safely ignore, and for how long.

Once measurements start flowing, we can either use them proactively to drive achievement of our objectives, or not: sometimes our measurements are needed for other purposes and audiences such as assurance for senior management or other stakeholders (who should really have followed the same analytical/metrics design process but typically just accept what we offer!). Metrics that are not actually used or useful in practice have negative value: they cost resources to generate and report, and can be distracting (a form of security theatre). Metrics that 'sort of work' may need changes to improve them or replacement by something better, sending us back to the analysis.

Wednesday 10 May 2023

eWaste safety hazards and information risks

A warning in the New Zealand Information Security Manual caught my beady eye yesterday:

“Electrical and electronic equipment contains a complex mix of materials, components and substances, many which can be poisonous, carcinogenic or toxic in particulate or dust form. Destruction and disposal of WEEE [Waste from Electrical and Electronic Equipment] needs to be managed carefully to avoid the potential of serious health risk or environmental hazard.”

Disposing of eWaste presents environmental and safety hazards arising from noxious/toxic/carcinogenic chemicals such as gallium arsenide (GaAs) and polychlorinated biphenyls (PCBs), plus the obvious dangers when handling sharp-edged metal or plastic chassis fragments, wires, printed circuit boards and CD/DVD discs plus leaky electrolytic capacitors and old batteries. While there may be money to be made by extracting and recycling valuable metals and reusable components, subsystems and modules, that's really a job for specialists with the requisite knowledge, tools, safety gear and market.

Oh, and the appropriate security controls. 

Friday 5 May 2023

Memories of an O.F.

I freely admit to being an Old Fart, old and plenty farty enough to remember a time even before the DTI Code of Practice was released and then in 1995 became BS7799, making information security A Thing.

OK so I'm not quite so old as to remember when computers were women in rank and file, studiously calculating missile trajectories, but I've read about them and I remain fascinated by the early mechanical, electro-mechanical and then electronic computers - initially single-purpose tools such as that nice Mr Babbage's difference engine, then machines capable of various tasks using toggle switches, punched tape and cards to program their instructions.

Back in the 80s when I escaped the genetics lab to become a net/sysadmin, computer security was just becoming important: people (particularly managers, few of whom had a clue about IT) were vaguely concerned about these newfangled, complicated, mysterious and expensive computers. Securing data processing hardware was seen as important given its book value and fragility. Even clueless managers could appreciate the need for physical security controls for physical computers - locks and keys, Halon, computer rooms and computer pros in white lab coats jealously guarding their big beige babies.

Well, most could. Some managers didn't get it even then.