Showing posts with label Governance. Show all posts

Friday 19 April 2024

Systematically improving professional services



My beady eye has been caught by another excellent thought-provoking Protiviti article by Jim DeLoach with Randy Armknecht concerning board-level blind spots.

I highly recommend reading and contemplating Are There Blind Spots in Your Boardroom?

Jim and Randy offered ten practical suggestions for boards to address the issue. Here they are with my thoughts and ideas on how to apply them in other contexts, besides the boardroom, such as within the information risk and security management team for example:
  1. Assess whether current board culture, composition and agendas are fit for purpose in the current disruptive business environment.

    Assess the current team culture, composition, priorities, skills & competences, expertise, relationships, interests etc. with a view towards the future. How should the team evolve or adapt to changing circumstances, building on past successes and learning from failures?

Thursday 18 April 2024

Measuring and managing ethics

KPMG's Soft Controls model caught my beady eye this week:



KPMG are evidently using these 8 factors to analyse, measure and help clients manage their corporate cultures, claiming that "Our model gives organisations a valid tool for getting a clear picture of the current organisational situation, confront it, and break through the silence and passivity." Hmmm, 'silence and passivity', really KPMG? Well OK, whatever. It appears to be a viable approach.

Wednesday 28 February 2024

ISMS implementation project guidance checklist




This checklist will be appended to a new SecAware guideline on implementing an ISMS, elaborating clause-by-clause on ISO/IEC 27001 - essentially, our version of ISO/IEC 27003.  It offers pragmatic guidance for information security managers and CISOs - nothing too obscure or complex.

---oooOOOooo---

Project definition, justification, scoping and planning

  • Study the standards, in depth: complete lead implementer training if possible.

  • Study the business, in depth, to understand its objectives, strategies, culture, governance arrangements, existing information risk and security management etc.

  • If the organisation has a defined, structured approach for this phase, use it!

  • Build a business case that identifies and promotes the business benefits of the ISMS.

  • Look beyond ‘security’ and ‘compliance’ e.g. helping management to manage business risks, supporting/enabling other business initiatives and strategies.

Tuesday 27 February 2024

Mil-spec management lessons


"A calamity can often strike without warning. Whether it be generated by humans or a natural disaster, leaders need to be ready to direct their teams in the aftermath. In order to be ready for crisis, leadership skills, like any others, must be practised over and over beforehand. So the way you lead in the quiet times helps to build the skills you need when you have to dig deep."

That paragraph plucked from this month's impressive NZ Airforce newsletter about the military response to the devastating flooding caused by cyclone Gabrielle here in Hawkes Bay caught my beady eye this morning. 

The idea of practicing incident management as well as incident handling or operations on relatively small incidents makes perfect sense.

Monday 26 February 2024

27001 & climate change

Like other ISO management systems standards, ISO/IEC 27001:2022 has just been amended to incorporate two small wording changes:

  • “The organization shall determine whether climate change is a relevant issue” (clause 4.1);

  • “NOTE: Relevant interested parties can have requirements related to climate change.” (clause 4.2).

So, it is fair to ask what has climate change got to do with information risk and security? Is it even relevant? Having been mulling that over for quite some while now, I've come up with a dozen points of relevance:



For more on those twelve, read "Secure the Planet".

The clock in that image is a reminder that time is pressing, so here are half-a-dozen things information risk and security professionals can do to help.

Sunday 11 February 2024

Innovative approaches to ISO/IEC 27001 implementation


This week I've read an interesting, inspiring piece by Robin Long exploring the costs, benefits, approaches and strategic options for implementing ISO27k.  

I like Robin's idea of trying things out and banking some 'security wins' before committing to a full implementation. A full-scope ISMS is a major commitment requiring strong understanding and support from management, and a high degree of trust in the team and CISO/ISM/project leader as well as the [planned] ISMS. Demonstrating and celebrating security wins is a good way to build trust and sustain it, once the ISMS is running.

I'm also intrigued by the possibilities of unconventional, creative, less boring approaches to implementation project planning - for example, instead of plodding sequentially through ISO/IEC 27001, clause-by-clause, think about:

Sunday 17 December 2023

Categorised plans

Prompted by a thread on the ISO27k Forum, I've been contemplating the categorisation planning process I mentioned in yesterday's blog.


This is just a rough diagram to illustrate the concept.  Very rough.  "Rough as" as we say down here on the Far Side.

Friday 28 July 2023

Using security enquiries by customers as a security metric

On CISSPforum, Walt Williams suggested a novel security metric:
"If your organization has customers that ask you to complete questionnaires before engagement, track those against logos added or better revenue brought in. You’re now tracking your return on investment and a key risk of if your security is not good enough, those are the businesses you lose. Do the same with each customer that asks for your ISO certification or SOC 2 report.

You have an excellent metric that allows you to track that return on investment and shows security as a revenue generating part of the organization.

My organization’s last quarter internal company meeting had the Senior Revenue officer publicly acknowledge and thank InfoSec for our role in landing their biggest customer.

It doesn’t get much better than that."
So, inspired by Walt's intriguing idea, I prepared a conventional metric specification using a combination of the Goal-Question-Metric approach (as ably described by Lance Hayden - a method as useful in information security as in other fields) followed by a PRAGMATIC evaluation (as ineptly described by yours truly plus Krag Brotby - a subjective assessment of the value of the metric in the presumed context of a mid-to-large commercial organisation):

Wednesday 12 July 2023

A pragmatic alternative to the SuperCISO [L O N G]


Yet again this morning, something on the ISO27k Forum caught my imagination, firing-up my sleepy caffeine-deprived neurons. We have been chatting lately about what is expected of the Chief Information Security Officer role - namely an exceptional mixture of knowledge, skills and competences possessed by the 'SuperCISO'. 

Today, Nigel Landman referred us to an interesting article by JC Gaillard at Medium.com 

JC's repeated assertions that 'cybersecurity is not purely technical' caught my beady eye: the 'cyber' bit clearly suggests that it is 100% purely tech ... but those of us who have swallowed the ISO27k pill recognise that information security requires more than just securing the bits-n-bytes. This is yet another example of the confusing use of language - specifically 'cyber'. Many professionals immersed in the field take 'cyber' implicitly to include technology plus other aspects but the general perception Out There is very strongly and perhaps exclusively technical. 

For the majority, cybersecurity equates to IT security or, more specifically still, it refers to hacker attacks and malware infections via the Internet. For that reason, the recently revised and reissued standard ISO/IEC 27032, formerly on 'cybersecurity', was re-titled to clarify that it covers Internet security, specifically - an important part of the information security landscape and cyber area, but not the whole thing. It falls short on intellectual property protection, for instance, plus insider threats and plain ol' fashioned accidents that cause a significant number of incidents, despite not being 'attacks'.

[/rant]

As to whether we need CISOs at Exec Committee or Board level, I agree with JC.

Wednesday 5 July 2023

What do auditors do, and for whom? [L O N G]

Once again, my day kicked off with a stimulating and fruitful debate on the ISO27k Forum as members responded to a request for help to find accredited Information Security Management System certification auditors who will add value to the organisation above and beyond the ISO/IEC 27001 conformity certificate.

The original poster copped some grief from the forum in appearing to seek certification auditors who would be kind on the organisation, supporting its business objectives more strongly than its conformity with the standard ... but a follow-up message clarified the position. Aris confirmed to us that he sought: 
"advice on where (in cases of an ISO audit) and how (in cases of an Internal audit) our ISMS could/should be improved, but I need that advice to be meaningful, grounded, and delivered in a way that has the best probability it will be absorbed by the business. In other words, I would like this process to offer real value to the business, besides just being seen as a transactional, bureaucratic overhead."

... which seems entirely appropriate and ethical to me. Nicely put!

Fuelled by two strong coffees, I've been mulling over a further response from my pal Chris Hall - an experienced and respected auditor and consultant who expressed the opinion that the role of a certification auditor is:

"... simply to assess whether the organisation conforms to the requirements of clauses 4 to 10 of ISO27001. That is all. And to report on it, pointing out where the ISMS does not conform ..."

I see things a little differently and (as usual!) more complex/nuanced in practice than Chris indicates. 

Tuesday 30 May 2023

BCM for WFH


Since home and mobile workers rely on IT to access critical business systems and corporate data, and to communicate with others, organisations need a robust IT network infrastructure that extends to workers' homes or wherever they hang out. If, in reality, the infrastructure turns out to be fragile and unreliable, business activities are likely to be equally fragile and unreliable, leading to frustration and grief all round. In other words, the extended IT infrastructure is quite likely business-critical.

Working From Home or on the road can increase various information risks relative to conventional office-based work, due to factors such as:
  • Use of cloud computing services*;

  • Workers using their own or shared devices and internet connections for work purposes, raising questions about their suitability and security, ownership of and access to any intellectual property or personal information on them;

Tuesday 23 May 2023

Incident notification procedure [UPDATED x2]

I have developed a generic procedure documenting the incident notification process, for sale through SecAware.

I'm surprised how involved, complex, time-boxed and fraught the disclosure process turned out to be - depending, of course, on the nature and scale of the incident (perhaps a ransomware or malware infection, privacy breach, hack or fraud), who needs to be informed about it, and how to do so.

Wednesday 26 April 2023

Using ChatGPT more securely

Clearly there are some substantial risks associated with using AI/ML systems and services, with some serious incidents having already hit the news headlines within a few months of the release of ChatGPT. However, having been thinking carefully and researching this topic for a couple of weeks, I realised there are many more risks than the reported incidents might suggest, so I've written up what I found.

This pragmatic guideline explores the information risks associated with AI/ML, from the perspective of an organisation whose workers are using ChatGPT (as an example).  

Having identified ~26 threats, ~6 vulnerabilities and dozens of possible impactful incident scenarios, I came up with ~20 information security controls capable of mitigating many of the risks.

See what you make of it. Feedback welcome. What have I missed? What controls would you suggest? 

Thursday 13 April 2023

ISMS management reviews vs ISMS internal audits

Over on the ISO27k Forum this week, Ray asked us for "guidance on conducting and documenting 'Management Reviews' that include the agenda items required by the standard in 9.3. Any templates shall be much appreciated." 

Forumites duly offered advice and agendas. So far so good!

However, I made the point that ISO/IEC 27001 does not require/insist that management reviews take the form of periodic management meetings, specifically, although that is the usual approach in practice. 

Personally, since they are both forms of assurance, I advise clients to plan and conduct their ISMS management reviews and ISMS internal audits similarly, with one critical and non-negotiable difference: auditors must be independent of the ISMS, whereas management reviews can be conducted by those directly involved in designing, operating or managing the ISMS. This is not merely a compliance matter or protectionist barrier: auditor independence brings a fresh perspective and valuable insight that insiders simply cannot match. 

In my considered opinion, independence and formality follow a continuum through these activities:

Wednesday 12 April 2023

mmmmmm, More Meaningful Management Metrics


For about a week, I've enjoyed following and participating in an expansive discussion thread on LinkeDin about the value of measurement and metrics for management, debating various issues that can occur both in theory and in practice.


One straw-man argument is that 'managing by the numbers' can imply a myopic focus on commonplace business metrics such as stock price or annual profit, both of which can be manipulated to some extent by managers even at the expense of long term resilience and commercial success, let alone other business objectives. Despite Taylor's outmoded 'scientific management' experiments having been debunked a century ago, some LinkeDinners in the thread evidently still believe that science (in the form of numeric data) and management are poles apart. 

I beg to differ. That's so last century!

Management is complex, dynamic and nuanced, hence I accept that simplistic or crude metrics can't possibly address the entire practice. For example, speed is obviously a key metric for a racing car: however, going fast is just one part of racing, even on the drag strip. Staying on-track with both vehicle and driver holding together for the duration of a meet are also important for the team manager, the whole team in fact. An exploding drag car might conceivably project sufficient material across the line to qualify in record time, but there would be nothing left to compete in the final! 

Sunday 2 April 2023

To what extent do you trust the robots?

This Sunday morning, fueled by two strong coffees, I'm cogitating on the issue of workers thoughtlessly disclosing all manner of sensitive personal or proprietary information in their queries to AI/ML/LLM systems and services run by third parties, such as ChatGPT.

This is clearly topical given:
(1) the deluge of publicity and chatter around ChatGPT right now, coupled with
(2) our natural human curiosity to explore new tech toys, plus
(3) limited appreciation of the associated information risks, and
(4) the rarity of controls such as policies and Data Leakage Protection technologies.

Furthermore, even if we do persuade our colleagues (and, let's be honest, ourselves!) to be more careful and circumspect about whatever we are typing or pasting into various online systems, the possibility remains that the general nature of our interests and queries is often sensitive.

Thursday 30 March 2023

ISO 27001 templates and services on sale


For organisations planning to implement ISO/IEC 27001 for the first time, the standard's requirements can be confusing, especially given the amount of dubious advice available on the web. For instance, one issue that crops up frequently on the ISO27k Forum and here on the blog is that the information security controls in Annex A of the standard are not required - in fact, they are not even recommended or suggested, despite what some non-experts advise. Annex A is provided as a checklist, a prompt to ensure we have considered a wide range of information risks.

The standard's main body clauses, in contrast, formally specify the functional requirements for an Information Security Management System. In order for an organisation to be certified, the ISMS must be designed to fulfil the specified requirements, and must be operational, managing whatever information security controls and other treatments are appropriate given the organisation's information risks. 

In short, implementing '27001 is not a simple box-ticking compliance exercise. 

This Easter, we are offering:
  • ISMS Launchpad - a complete set of templates for all the essential ISMS documents such as the scope, Risk Treatment Plan, Statement of Applicability and a corporate information security policy (on sale at US$239, normally $399). Every certified organisation needs these docs, at least.

Saturday 25 March 2023

Black hawk down ... but not out




I've long been fascinated by the concept of 'resilience', and surprised that so many people evidently misunderstand and misrepresent it ... so please bear with me as I attempt to put the record straight by explaining my fascination.

Resilience is not simply: 

  • Being secure
  • Being strong
  • Recovering effectively, efficiently or simply recovering from incidents
  • Avoiding or mitigating incidents
  • Any specific technical approach or system
  • Any particular human response, action or intent
  • A backstop or ultimate control
  • Heroic acts
  • A construct, something we design and build
  • Something that can simply be mandated or demanded
  • Specific to particular circumstances, situations or applications
It's bigger than any of those - in fact bigger than all of them, combined. Resilience is all of those, and more ...

Resilience is:

  • A general concept, a philosophy, a belief
  • An engineering and architectural approach

Tuesday 21 March 2023

Using AI/ML to draft policy

This week, I am preparing a new template for the SecAware policy suite covering the information risks and security, privacy, compliance, assurance and governance arrangements for Artificial Intelligence or Machine Learning systems. With so much ground to cover on this complex, disruptive and rapidly-evolving technology, it is quite a challenge to figure out the key policy matters and express them succinctly in a generic form.

Just for kicks, I set out by asking GPT-4 to draft a policy but, to be frank, it was more hindrance than help. The draft was quite narrowly focused, entirely neglecting several relevant aspects that I feel are important - the information risks arising from the use of commercial AI/ML services by workers, for instance, as opposed to AI/ML systems developed in-house.

The controls it espoused were quite vague and limited in scope, but that's not uncommon in policies. It noted the need for accountability, for instance, but didn't clarify the reasons nor explain how to achieve accountability in practice. It was not pragmatic.

Sunday 19 March 2023

ISMS support tools (episode 4 of 4)


This final episode in the series about specifying and selecting ISMS support tools/systems concerns the general usability requirements typical of almost any computer system, such as:
  • Intuitive, easy to use;
  • Interoperable;
  • Facilitates customisation where appropriate;
  • Readily maintained;
  • Well supported, documented etc.;