Philosophical phriday - compliance risk

A cat caught in a tangled web

According to a vendor's promotional video interview I saw recently, the 'cybersecurity compliance burden' has allegedly become so significant that [customer] organisations are eagerly buying [their] software tools and services to help them manage and fulfil their obligations. The vendor's argument goes that, instead of accumulating a ragtag bunch of policies and other controls relating to user Identification and Authentication (I&A), for instance, it makes sense to: 

  1. Identify all the cybersecurity-related laws, regulations and standards that apply to the organisation;

  2. Examine them for any security control requirements relating to, say, I&A;

  3. Rationalise the I&A controls down to the smallest set that satisfies all the requirements - the lowest common denominator;

  4. Design, implement, use, manage and maintain those I&A controls;

  5. Have the I&A controls checked or audited to gain assurance that the compliance requirements are met. 
OK so far? Sounds reasonable, right?

Hmmm, well I have a few concerns with that approach.

Starting with #1: simply identifying which cyber laws, regs and standards are or are not applicable is harder than it seems - not simple at all. Consider NIS 2 for instance, which takes several pages of legalese to define the critical infrastructure organisations to which it applies ... and then allows for EU nation states to refine the applicability criteria, including or excluding organisations according to their national contexts. Furthermore, NIS 2 requires or encourages applicable critical infrastructure organisations to impose similar [contractual] obligations on their suppliers. 

NIS 2 is just one of many potentially relevant compliance drivers in the area of cybersecurity, so it is not hard to come up with a very long shopping-list, especially for a large, complex and multi-national organisation in heavily-regulated industries.

Broader still, since confidentiality, integrity and availability are important considerations for most if not all forms of information, there may be information security implications in laws and regs on seemingly unrelated topics, way outside the usual cyber/privacy areas. Laws and regs are, themselves, forms of information with stiff integrity requirements. Ultimately, since law involves submissions and judgements in court, information security is vital for forensic evidence. 

In short, information security is relevant to all laws and regs in various ways. Therefore, step #1 could be seen as the converse challenge to identify applicable laws, regs and standards that do not have some material bearing on the organisation's cybersecurity. Either way, there are lots of them!


#2 is tricky too. What are 'security controls'? What is 'I&A'? What are 'requirements'? How 'related'? These seemingly esoteric questions are challenging for those who delve deep into step #2. Since privacy laws, for instance, concern personally-identifiable information, it could be argued that all their specified controls (however that term is defined) constitute I&A controls - even those that are quite distinct with little if any relation to identification and authentication per se. 

Aside from I&A, a complex interlocking and overlapping mesh of controls is necessary to mitigate the wide range of unacceptable information risks ... so multiply the effort to explore, say, I&A by N where N is a large but uncertain number.  


Surprise surprise, #3 is not easy either. The language of well-written compliance texts is formal and definitive, leaving little to no wiggle-room that might allow applicable organisations to escape their obligations 'on a technicality'. Details matter, so even a generic good-practice control that 'broadly' satisfies a legal/regulatory requirement may be found inadequate in practice and deemed noncompliant in court. Potentially, even controls that are stronger/better than those mandated could lead to problems if the compliance obligation is too explicit.

Conversely, some compliance texts such as NIS 2 pose a different challenge, in that they are deliberately non-specific in order to apply to a diverse range of situations, and to allow the authorities to interpret them according to the implementation contexts.

Either way, the phrase 'lowest common denominator' is a red flag to information risk and security professionals, since it strongly implies doing barely enough to satisfy the compliance obligations, as opposed to doing what's best for the organisation, its stakeholders and society at large. Some may feel scraping past low hurdles is adequate: pro's remain concerned at the residual information risks, including those that are not even addressed by current, applicable compliance texts. A forward view implies preparing now for quantum-resistant cryptography, for instance, going beyond current legal obligations. Getting ahead of the game means more options to take the most efficient path. Wise investment trumps kneejerk expense.


While the other steps are quite laborious, intense and costly, #4 is where the bulk of the control costs are incurred ... and where the main benefits are generated - hopefully more than enough to offet all the costs, otherwise why bother at all? Compliance management tools/systems/apps/services have limited value here, except perhaps that the other steps help rationalise the requirements, prioritise the implementation efforts and clarify various controls or aspects that are particularly important. That's a marginal effect on the most value-intensive step.


#5 is also a mixed-bag. On the one hand, credible, high-quality compliance evidence supporting the presence and effectiveness of a particular control may be sufficient for multiple compliance obligations specifying that control ... but maybe not, particularly where compliance checks revolve around tick-n-bash auditors using prescriptive checklists.


At a more general level, the suggested approach is patently compliance-driven, suggesting that the organisation has no agency - no choice but to comply with demands imposed upon it by the authorities. It is also minimalist, seeking the simplest and hopefully least cost way to clear the compliance hurdles by the slimmest of margins. It is static or retrospective in the sense of examining current laws and regs, whereas laws and regs gradually evolve, are variously interpreted by the courts, and are occasionally withdrawn, updated or replaced.

Last but not least, there are several uncertainties here, making the compliance approach risky as well.

I appreciate this is a negative, critical, even cynical perspective, over-emphasised to make various points. I plan to return to this topic soon with a more balanced piece offering alternatives to the compliance-led strategy. To whet your appetite, I'm hinting at value-driven businesslike approaches. Maybe. 

Popular posts from this blog

Pragmatic ISMS implementation guide (FREE!)

Image
Early this morning ( very  early!) I remotely attended an ISO/IEC JTC 1/SC 27/WG 1 editing meeting in London discussing the planned revision of ISO/IEC 27003:2017 . Overall, the meeting was very productive in that we got through a  long  list of expert comments on the preliminary draft standard, debated the objectives of the project and the standard and reached consensus on most points. In summary: 27003 is to be revised to align with the current 2022 releases of ISO/IEC 27001 , 27002 and 27005 : These changes are  mostly  minor aside from the new section 6.3 on ISMS changes.
Read more

Two dozen information risks that ISO forgot

Image
Selecting the wrong controls - controls that are inappropriate, ineffective, too costly, impracticable, fragile, unnecessary, counterproductive or whatever, often as a result of blind faith in fads and fashions of the day and FOMO e.g. MFA, AI, cyber Failing to select the right controls - controls that are ideal for the particular situation, both now and in perpetuity, for whatever reason - mostly ignorance and prejudice Selecting and implementing controls at the wrong time or in the wrong way (where 'wrong' includes ineffective, inappropriate, sub-optimal e.g. bolting on controls rather than designing and building them in) Inept and inaccurate identification, analysis and quantification of risk, including reliance on p oor quality (incomplete, inaccurate, out of date, misleading, unreliable ...) information about actual risks, particularly subtle and emerging risks plus those involving deliberate concealment and misdirection e.g. fraud, misinformation, disinformation, propagan
Read more

ISMS internal audit priorities

Image
A thread on the ISO27k Forum sparked my imagination over coffee this morning. Hope had previously asked for assistance with an ISO/IEC 27001:2022 audit plan.  Bhushan offered a lengthy and generally sound response explaining how to use a spreadsheet with tabs to plan and record the audit work performed on 100% of the main body clauses and 50% of the 93 Annex A controls, day-by-day. That's OK ... except it wasn't entirely clear that he was interpreting and elaborating on the standard's actual requirements. ISO/IEC 27001 does not explicitly require, for example, that (as Bhushan stated) "ALL the management system clauses from 4 to 10 AND their sub-clauses need to be listed and audited" in an ISMS internal audit, although evidently he interprets it in that way. In clause 9.2.1, the standard states a requirement for internal audits to provide information on whether the ISMS conforms to the organization’s own requirements for the ISMS plus the requirements of the stan
Read more