Welcome to NBlog, the NoticeBored blog

I spy with my beady eye ...

8 Aug 2020

NBlog Aug 8 - musing on ISO/IEC 27014 & infosec governance



This morning I've been studying the final draft of the forthcoming second edition of ISO/IEC 27014 "Governance of information security", partly to update ISO27001security.com but mostly out of my fascination with the topic.

Section 8.2.5 of the standard specifies the governance objective to "Foster a security-positive culture":
"Governance of information security should be built upon entity culture, including the evolving needs of all the interested parties, since human behaviour is one of the fundamental elements to support the appropriate level of information security. If not adequately coordinated, the objectives, roles, responsibilities and resources can conflict with each other, resulting in the failure to meet any objectives. Therefore, harmonisation and concerted orientation between the various interested parties is very important. 
To establish a positive information security culture, top management should require, promote and support coordination of interested party activities to achieve a coherent direction for information security. This will support the delivery of security education, training and awareness programs. Information security responsibilities should be integrated into the roles of staff and other parties, and they should support the success of each ISMS by taking on these responsibilities."
Not bad that although, personally, I would have mentioned senior management setting 'the tone at the top', in other words influencing the entire corporate culture through their leadership, decisions, direction and control, particularly in the way they behave.

For example, even though management may formally insist upon ethical behaviour as a policy matter, if managers in fact act unethically, push the boundaries of ethicality through their decisions and priorities, or simply tolerate (turn a blind eye to, fail to address) unethical/dubious activities, that can severely erode if not destroy the value of the policy. Workers observant enough to spot the disconnect between theory and practice are, in effect, enabled or even encouraged to decide for themselves whether to comply with the policy. 

In a disciplinary situation, management's failure to enforce compliance with any policy (by themselves or others) might be a viable defence for a worker accused of policy noncompliance. Aside from those that are literally unworkable and unenforceable, an unenforced policy can be a liability, a risk at least.

One way to address this issue is to separate out and bolster the compliance, oversight and assurance activities. It is perfectly reasonable to expect and require managers to comply fully with the organisation's policies and directives, otherwise why would they mandate them? Therefore, there should be suitable processes in place to identify and deal with noncompliance by anyone, not least management. Putting such arrangements in place is a governance activity. 

Another complementary approach is for management to avoid formalising policies that they don't truly support. If they aren't willing to 'walk the talk', it is unreasonable for them to insist that workers comply. Being role models is an important part of leadership and governance.

A third technique is for management to think-through the compliance, and assurance aspects when formulating policies, documenting them either within the policies themselves or in separate policies on accountability, compliance, monitoring and assurance - which is the approach we've taken with our policy templates and accompanying security awareness materials

And so our cunning plan falls into place. Policies are merely Lego bricks in a bigger governance structure.

7 Aug 2020

NBlog Aug 7 - what is operational resilience

Seeing the term 'operational resilience' being bandied about right now, I thought I'd take a closer look, starting with the definitions.

So what is 'operational resilience'?  It is:
  • "a set of techniques that allow people, processes and informational systems to adapt to changing patterns. It is the ability to alter operations in the face of changing business conditions. Operationally resilient enterprises have the organizational competencies to ramp up or slow down operations in a way that provides a competitive edge and enables quick and local process modification." says Gartner.
  • "both a process and a characteristic of an organization to adapt rapidly to changing environments and needs. It is an organizational trait that allows it to carry out its mission or business despite the presence of operational stress and disruption. In other words, it is the organization's ability to handle and control external factors that may hinder it from functioning." says Techopedia.
  • "financial resilience" says Accenture (begging the question: What is financial resilience?).
  • "the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover, and learn from operational disruptions" says the Bank of England.
  • "the ability of an organisation to adapt rapidly to changing environments. This includes both the resilience of systems and processes and more generally the ability of the organisation to continue to operate its business in the event of disruptive events." says KPMG.
  • ... and so on.
Some commentators focus on specific aspects that interest or concern them - financial stability for example, and systemic failure of highly integrated and interdependent industries. The blogs and papers I've read so far mostly concern the financial industry, presumably reflecting initiatives and pressure in this area from the UK banking authorities, but the fundamental principles are universal and far from new. 

In a business context, I see no practical distinction from business continuity. It's about management ensuring that the organisation's critical activities (business units, processes, systems, relationships/supply chains, whatever) are able to continue operating more-or-less normally despite potentially disruptive incidents of various kinds - COVID19 for instance.

Except perhaps under rare circumstances, no sane manager would argue that critical business activities should be fragile or flaky, so isn't this simply stating the bleedin' obvious: existential risks must be addressed adequately, surely? Well, no, there's more to this due to the implications:
  • The criticality of business activities varies between activities and over time, hence there are complexities and dynamics, not least the matter of identifying the critical aspects that need to be addressed;
  • 'Becoming resilient' is trickier than it seems with lots of possible approaches;
  • 'Becoming resilient' is also potentially very costly, especially if the objective is more than merely scraping through, barely remaining in business;
  • At the same time, 'becoming resilient' has substantial business benefits in terms of better performance, capacity and flexibility, increasing the ability to cope with or take advantage of changes and unexpected situations, even under normal everyday circumstances;
  • Resilient organisations have more options available, with less possibility of disastrous changes and omissions;   
  • There are generally competing demands on the resources necessary for resilience, and other objectives ... such as "being efficient and profitable"; 
  • There are governance, compliance and assurance aspects, in addition to risk and business continuity management;
  • The requirements of various stakeholders need to be taken into account, some of which may conflict (e.g. some owners may desire a low-risk low-profit investment, while others may be happy to accept more risk in order to gain more profit; any suppliers and customers who are highly dependent on the organisation have a markedly different perspective than those with no particular ties or loyalty). 
Therefore operational resilience is a management imperative in any organisation that expects to remain in business,  and yes that's another definition to add to the list.

31 Jul 2020

NBlog July 31 - who's for a Pimms?



Within a year or so, organisations will be able to have their Privacy Information Management Systems certified compliant with ISO/IEC 27701, thanks to a new accreditation standard ISO/IEC TS 27006 part 2, currently in draft.

A PIMS is very similar to an Information Security Management System, hence compliance auditing and certification are also very similar – so much so that I’ve heard some certification bodies are already taking the initiative by issuing PIMS certificates despite their not being formally accredited for that.

Potentially, a PIMS certificate may become the generally-accepted means of demonstrating an organisation’s due care over privacy and personal data protection – a way to assure data subjects, business partners, the authorities and courts that they have, in fact, adopted good privacy practices. 

A PIMS should materially reduce an organisation’s risk of suffering privacy breaches.   However, as with an ISMS, ‘materially reduce’ is not quite the same as ‘eliminate’.  In the less likely event that a privacy breach occurs, despite having a PIMS, compliance certificates for the organisation and if appropriate its information service suppliers (e.g. cloud or marketing services) may be a credible part of the organisation’s legal defence against prosecution under GDPR or other privacy laws and regs, but they would still need to explain why the breach occurred and what they have fixed to prevent a recurrence.  The PIMS should at least structure the response to the breach, including corrective actions addressing the root causes, hence there should be something substantial behind the usual vacuous PR statements about ‘taking this matter very seriously’.

29 Jul 2020

NBlog July 29 - boost your ISO27k ISMS with SecAware Take-off


SecAware ISMS Launchpad comprises a set of templates for the mandatory documentation that every compliant Information Security Management System must have: a basic ISMS strategy, scope, Statement of Applicability, Risk Treatment Plan, information security policy, that sort of thing. If your organisations only needs an ISO/IEC 27001 certificate, this tidy stack of templates forms a stable, compliant platform from which to launch your ISMS. For a paltry $99, download Launchpad and get started today!

Hot on its tail, today we announce the next phase of our mission to convince every organisation to manage its information risks properly.

If your organisation sees the value in going a little beyond the bare minimum, SecAware ISMS Take-off takes you to the next stage. 

Take-off provides all of these:

The Take-off materials primarily concern management. An ISO27k ISMS is, after all, a management system.

Template #2 "Strategic objectives for information risk and security management" for instance specifies:

  • "Enhance and protect the value of information by ensuring adequate confidentiality, integrity and availability"
  • "Manage (i.e. identify, evaluate, treat and monitor) information risks cost-effectively and competently" 
  • ... plus four other key objectives. 

It also lays out four non-goals to be crystal clear about what the ISMS is not expected to do (such as destroying value by costing more than it saves). All in all, this neat little single-page template packs a punch and will surely resonate with your executives.

Since there is no explicit requirement in ISO/IEC 27001 for management to document the organisation's strategic objectives, a minimalist ISMS could get by and be certified compliant without one. However, there are substantial business advantages in formulating and stating the objectives. 

A ISMS based on both Launchpad and Take-off demonstrates management's commitment to protect information for sound business reasons, not just for the sake of a certificate.

SecAware ISMS Take-off
is on sale today
for just $375


Don't hang around though:
we can't hold these special launch prices forever

28 Jul 2020

NBlog July 28 - an interesting risk metric

We were chatting over coffee this morning about an organisation that is recruiting at the moment. Having been through the cycle of advertising, preselecting/long-listing, interviewing and short-listing candidates, their references came back negative, forcing the organisation to reboot the recruitment process.

On the one hand, that's a disappointing and somewhat costly outcome. It suggests, perhaps, that the preselection and interviewing steps could be tightened up. Were there warning signs - yellow or red flags that could/should have been spotted earlier in the process?

On the other, it also indicates that the selection/recruitment process is effectively identifying and weeding-out unsuitable applicants, avoiding what could have turned out to be even costlier incidents down the line if the appointments had been made and the new recruits had turned out to be unsuitable.

So, Proportion of shortlisted candidates rejected as a result of poor references is one of several possible measures of the recruitment process, with implications for risks and opportunities, costs and benefits. Very high or low values of the metric, or adverse trends, or sudden changes, may all be cause for concern and worthy of investigation, whereas middling, "neutral" values are to be expected.

The metric probably wouldn't have even occurred to me except that I happen to be documenting information security controls for joiners, movers and leavers at the moment for the next phase of SecAware ISMS templates. Information risks should be taken into account during the recruitment process. Confirming applicants' identities, taking up references, confirming employment histories and qualifications on their CVs, and running other background checks (e.g. for criminal records or credit issues) can be important controls if legally permissible, especially for appointments trusted roles - and, by the way, that includes internal transfers and promotions as well as new recruits.  

24 Jul 2020

NBlog July 23 - infosec roles & responsibilities



For the next phase of SecAware ISMS, I'm documenting the management process for determining and allocating information risk and security responsibilities. 

The procedure itself is straightforward - just one page of written instructions covering a simple four step process - but a raft of examples of the activities various functions perform in relation to information risk and security takes it up to six pages, even though the examples are presented tersely as bullet points.

It turns out there may be several corporate functions, teams and individuals, each performing numerous activities relating to information risk and security.  

Admittedly, my knowledge in this area has accumulated in the course of working mostly for large, relatively mature organisations, a couple of which had all of the functions staffed by professionals busily performing virtually all of the activities. Small-to-medium sized organisations don't have the luxury of being able to carve-up the work among dedicated teams of specialists, so they usually get by with multi-tasking and perhaps assistance from third parties. Information risk and security is tougher for micro-organisations, particularly if they don't even have anyone who appreciates the need to manage information risk and security, privacy, compliance, business continuity etc

The ISO27k framework can help all types and sizes of organization provided it is interpreted and applied sensibly according to the business context and needs. Even though a multinational bank, say, might have specialists within HR and other functions whose job it is to prepare job descriptions, vacancy notices, training plans etc., our generic list of information risk and security activities may be a useful prompt to confirm that they have all the bases covered. A micro-company will not need to perform every listed activity, and will have no choice but to concentrate on the few that matter most. Either way, the process of management deciding what the necessary activities should involve and, where appropriate, assigning responsibilities to the relevant workers, corporate functions or third parties, is much the same and hence worth laying out in a generic procedure.

As I'm drafting the procedure, I'm itching to mention related aspects such as governance, accountability, access control, competence, oversight, monitoring, resilience and more ... but those would be distracting details. Paring away peripheral issues to concentrate on the matter at hand (the essentials for an ISO/IEC 27001-compliant ISMS) is a cathartic experience for me, a big picture thinker by nature. Laser-focusing is hard for me! Meanwhile, this blog is my relief valve: there, I've brought up some other matters and acknowledged their relevance without turning the procedure into War and Peace. 

The same point about focus applies to the job descriptions we are providing: our templates outline the role and what is expected of workers in just one side of A4 per job. Again, they are generic, stating typical key requirements for significant roles in general terms with the intention that customers customise them as necessary, probably elaborating on certain aspects that happen to be more important to them.  


As the templates fall into place, we'll release the next phase of SecAware ISMS in a week or two. I would like to cover commonplace management controls, drawn from '27001 Annex A, but I need to remind myself that I'm not Tolstoy. We're providing just the bare bones and inspiration to get customers' ISMSs up and running, not The Whole Enchilada. It's quality not quantity that matters most.

UPDATE: SecAware ISMS Take-off is on sale now, including this template.

17 Jul 2020

NBlog July 17 - an appetite for risk



Today we've been chatting about this on the ISO27k Forum
"Let's assume that the company is willing to accept risks with a potential financial impact less than $50k. Obviously after performing risk assessment, we need to decide which treatment option we should follow. In case when the potential impact of the risk is below $50k - (risk appetite), we should accept the risk, right? 
 
My question is: what happens if for some reason, multiple Low Risks (below risk appetite value/already accepted) occur at the same time? Should the Risk Appetite represent an aggregation of all low risks or just reflect the appetite for a single risk?"
I suggested considering 'coincident risks' as another entire category or class of risks, some of which may well be above the risk appetite/acceptance threshold even if the individual risks fall below it. 

It gets worse. There are many other coincidences, errors, failures, issues and exceptional circumstances that could occur - in extremis, it's an infinite set of possibilities given all the permutations and combinations.

Our collective failure to identify and take seriously the possibility of a pandemic landed us in the poo we’re in now. Even those organisations that did have pandemic controls in place have found the going tougher than anticipated, some discovering that their stockpile of sanitizer and masks had not been properly stored and maintained, and hence was next to useless when called upon. 

Trust me, it can be a sobering exercise to run a risk workshop focused on rare but extremely impactful events, the outliers that we tend to ignore in routine risk management because it’s hard enough dealing with the commonplace extreme events, let alone the rarities. Every well-managed organisation needs to deal sensibly with the scarily vague “something else happens and lands us in serious trouble” situations, when classical scenario planning runs out of steam. There are far too many possibilities to even enumerate, let alone evaluate and treat individually: a more general-purpose approach is required. 

That line of thinking leads us through incident and crisis management into business continuity planning, in particular the resilience and contingency aspects. Insurance is another possibility, for some but not all situations: insurance against unbounded classes of incident can be risky for both the insured and the insurers, although business interruption insurance is available, at a price, with various constraints as the insurers protect their own businesses against interruption. Hopefully.

16 Jul 2020

NBlog July 16 - tips on preparing successful proposals


"The Winning Business Case: how to create a compelling conceptual, analytical and pitch model that your audience will love" is a free eBook from OCEG - more than 20,000 words of advice about generating and pitching a business case for investment in some sort of risk-based project or initiative.

The Open Compliance and Ethics Group identifies as: 
"a global nonprofit think tank that helps organizations reliably achieve objectives, address uncertainty and act with integrity ... We inform, empower, and help advance our 85,000+ members on governance, risk management, and compliance (GRC). Independent of specific professions, we provide content, best practices, education, and certifications to drive leadership and business strategy through the application of the OCEG GRC Capability Model™ and Principled Performance®. An OCEG differentiator, Principled Performance enables the reliable achievement of objectives while addressing uncertainty and acting with integrity. Our members include c-suite, executive, management, and other professionals from small and midsize businesses, international corporations, nonprofits, and government agencies. Founded in 2002, OCEG has locations around the globe."
The eBook lays out and explains 15 activities or steps in the process. The sequence and of course the details within each step may vary according to circumstances but it's a comprehensive, well-written document, worth studying if you need to justify investment in risk or security management projects or related areas such as  compliance, assurance, cybersecurity, business continuity and ISO27k. 

With some adjustments, the process could also be valuable for operational budgets too: securing next year's budget for a business department or function is similar to getting approval for a project, especially if management takes a longer-term, strategic view rather than being solely annual in focus. 

Thinking more broadly still, it could be useful for other kinds of proposal, such as when bidding for consultancy work. Maybe if prospective clients had a better appreciation of the effort it takes to prepare bids and proposals for them, they might be more inclined to engage with suppliers like us to discuss and clarify both their requirements and the offer on the table, rather than clamming-up so rudely! 

It's quite a lot to read and comes across as a little theoretical in places, as if the authors are recounting techniques picked up from an MBA course or business textbook, but that's just my impression and may simply reflect the authors' style. This caught my beady eye for example:
"Uncertainty is not the same as risk. Risks can be calculated; uncertainty can’t. For example the risk that your next coin-flip will be heads is 50-50. On the other hand, what are the odds that regulators will overhaul their treatment of your industry in the next 20 years? Instinct might suggest an overhaul will probably happen, but you can’t model the chances of specific outcomes over that long a period. It’s uncertain."
I disagree with the assertion that "risks can be calculated [whereas] uncertainty can't", but if that's how they choose to distinguish and use the terms here, fair enough. At least they have offered definitions.

I particularly appreciate the advice to do the legwork, contacting, explaining and discussing the proposal with individuals who will in due course make the final decision in a forthcoming board or executive committee meeting. That's a trick I've learnt the hard way over the years but I seldom see it suggested in print. Writing a sound business case, proposal, business plan, budget request etc. is only half the battle. Influencers and decision makers need to be persuaded and convinced to support - or at least not block - the proposal, which takes time and effort, mostly one-on-one. Appreciating that 'socialising' our proposals is a worthwhile if not necessary part of the process is a good start for those of us who over-rely on formal proposals and rational arguments based on facts and models, ignoring the emotional and personal aspects at our peril. 

15 Jul 2020

NBlog July 15 - ISO27k ISMS products

Having drafted a generic requirement specification for systems supporting an ISO27k ISMS, I’m slowly trawling the Web for products the hope of finding apps, templates and services that we would be willing to use ourselves and recommend to our consulting clients.

So far I’ve found about 20 commercial or open-source ISMS systems plus maybe twice that number of risk management systems, plus quite a variety of more focused systems supporting incident management, business continuity, vulnerability management, patch management etc. It’s a confusing, sprawling and dynamic market … so I’m also working on a structured evaluation process that will help us pick out gems from the stones on offer, depending on our own and our clients' specific needs.

Along the way, I've picked up murmurings of discontent from customers saddled with low-quality content supplied with some ISO27k ISMS systems and toolkits. Aside from variation between the products, could it be, I wonder, that some of the products currently on offer are inadequate because customers vary so much in size, complexity, maturity etc. having different expectations or requirements? Could this be a side-effect of ISO27k's intended application to all organizations, resulting it being jack-of-all-trades and master-of-none? 

We could develop generic content specifically targeting particular market segments or types of organisation ... but instead we've started with the basics that every ISO27k ISMS needs with the intention of offering optional add-ons, giving customers more choice. 

One of those options is to develop custom materials and support individual customers to implement and optimise their ISMSs using appropriate systems/tools, provided we can convince management of the value of our consultancy services - and that's a tough sell, especially during COVID-19. Doing it all in-house may be a viable option if the organisation has the people with the requisite skills, competencies, knowledge and experience. That seems unlikely if there is no ISMS already in place - catch 22. There's also the matter of the time needed for people to learn the ropes and get up to speed with the ISMS, given all the other things on the go: the longer things drift along, the more the organisation remains subject to information risks that may not be managed effectively.

I'm working on other options too. More info to follow. Watch this space.

10 Jul 2020

NBlog July 11 - the small but perfectly formed ISMS


Consulting for small organisations lately to design and implement their ISO/IEC 27001 Information Security Management Systems, resourcing constraints often come to light, particularly the lack of information security expertise and knowledge in-house. I have previously taken this to indicate lack of understanding, support and commitment from senior management, insufficient priority relative to all the other important stuff going on, hence my abiding interest in elaborating on the business case for investing in information risk and security management. Currently, though, I’m gaining a new-found appreciation of the realities of running a small business where even IT may be done on a shoestring, leaving information security way out on a limb.

With barely enough cash-flow to sustain the business during COVID-19 and the obvious need to focus on core business activities, it’s no surprise if ISO27k implementation and certification projects take a back seat for now. That delaying tactic, however, leaves the business more exposed meanwhile, increasing the probability and impacts of incidents that should have been avoided, prevented or mitigated. It can lead to missed business opportunities and customer defections as they turn to certified competitors rather than waiting for the assurance an ISO/IEC 27001 compliance certificate would bring. It reduces trust and devalues brands. All in all, it’s a risky approach.

Putting the ISMS implementation on hold is not the only option, however. With some creative thinking, it is possible to keep the project moving along, albeit at a slower pace:
  • A bare-bones minimalist ISMS, barely adequate to satisfy the standard’s mandatory requirements, may not deliver all the business benefits of good practice information risk and security management ... but it is both certifiable and better than nothing. A small but perfectly formed ISMS demonstrates the organisation’s genuine commitment to information risk and security management, gaining the assurance value of the certificate to third parties without the investment necessary for a full-blown ISMS. Furthermore it is a perfectly valid and sensible starting point, a platform or basis from which to mature the organization’s information risk and security management practices as and when it proves its value. It's a pragmatic approach. Being a pragmatist, I like that.
  • Partnering with consultants reduces the pressure on employees, demonstrates management’s support (more than just the intention to resume the ISMS project ‘at some point’), and keeps up the momentum. Based on our practical experience and knowledge of the standards, we can generally help clients navigate the process by the shortest and most direct route, perhaps making small diversions only where it makes business sense. Speaking for myself, I’m happy to regulate my involvement according to the client’s wishes, matching their pace with mine. Having a portfolio of clients and interests on the go lets me juggle priorities, complete fill-in jobs and manage my workload (within reason! I’m merely-human, not super-human!).
  • Even if the ISMS project itself is parked, there are still things that can be done, seizing opportunities that arise elsewhere to remove roadblocks or put in place building blocks to help jump-start the project at some future point. For example, since information risk is the main driver for ISO27k, it is possible to weave a subtle but consistent emphasis on risks into routine business activities, business meetings, policies and so on. Quietly gathering details of incidents, risks, controls, compliance obligations, assurance needs etc. can be done as a background activity, preparing for the fateful day when the parking brake is released.
One of my fill-in jobs has been to prepare and release SecAware Launchpad - a coherent suite of essential template materials for those minimalist ISO27k ISMSs I mentioned. When pared-down to the bones, there’s not a vast amount of mandatory documentation for ISO/IEC 27001 certification, hence Launchpad is lightweight and cheap (a bargain at just $99, for now anyway!). I almost completely resisted the temptation to provide additional bonus content, incorporating just a few brief notes of explanation here and there where the standard itself isn’t clear.

My next fill-in job is to package-up more of that supplementary content as an optional extra add-on for organisations that need more guidance and want to build a more complete, functional and valuable ISMS. We have gigs of material already prepared through the NoticeBored service plus the experience of using the ISO27k standards since before they became ISO27k, so it’s mostly a case of deciding what is necessary, looking for it and then adapting and rebranding it into another SecAware ISMS support package. I'll announce the new package here and of course on SecAware.com when it is released.