Welcome to the SecAware blog

I spy with my beady eye ...

31 Jan 2016

Information risk and security in business relationships

When the full title for February's NoticeBored security awareness module became unweildy, we adopted the working title "Securing business relationships". The ambiguity in that shortened version led me to ask myself:

"What are we actually concerned about: securing relationships, securing business, or securing information?"

Answering that rhetorical question turned out to be an interesting diversion from the slog of writing the materials. For what it's worth, I've done my best to recall the train of thought sparked by my little poser  ...

1) NoticeBored is an information security awareness service so naturally information security is our primary interest - it's our central concern.

2) Information security, in turn, comprises a comprehensive suite of controls  to mitigate unacceptable risks to information, hence we find ourselves increasingly referring to 'information risk and security' in the same breath.* 

3) While the nature of the information content varies according to the type of relationship and the associated business activities, information is undeniably an important part of every relationship [I elaborate on that point below]. In straightforward commercial relations (buying a simple commodity product online for instance), the vendor typically provides the buyer with, or makes available, a lot of information e.g.:
  • General information about the vendor’s organization – a combination of hard facts, advertisements, impressions, opinions and perceptions and expectations that comprise the brand;
  • Basic product information: functions and features, technical specifications, prerequisites, prices, promotions, marketing collateral (glossies), samples etc.;
  • Contact details;
  • More specific/detailed pre-sales product information including availability, delivery methods etc.;
  • Negotiating the deal e.g. break points for volume discounts, special checkout offers, extended guarantees, supplementary services and related products;
  • Details of the sales order processing and delivery process;
  • Sales contract with various terms and conditions of sale and details of both parties;
  • Sales invoice and/or receipt;
  • An offer, promise or guarantee of quality, suitability etc. whether express or merely implied;
  • Receipt, dispatch note, delivery note;
  • The actual product – goods or services (which may themselves be information);
  • Installation/configuration information, user manual, quick-start leaflet;
  • Information on the product packaging or otherwise accompanying it;
  • Support, maintenance or servicing information, recalls, updates and patches;
  • Information on the vendor’s other products including betas and advance notice of new products;
  • Loyalty card, discount codes etc.

.... while the buyer typically furnishes information such as:
  • Background information about the buyer and their organization – a combination of hard facts, impressions, opinions and perceptions again;
  • Contact details;
  • Their requirements: proposed use, functions and features, prices, quantities, demands and wishes, constraints, concerns etc.;
  • Pre-sales inquiries e.g. seeking further information about prerequisites, features or options, and clarifying their expectations;
  • Negotiating the deal, possibly including details of competitive offers;
  • Details of the procurement and payment or settlement process;
  • A signed contract or agreement, or an acknowledgement click at least;
  • A purchase order and payment notice with details of the payment made, or payment card number or payment service information for identification, authentication and authorization purposes, plus delivery and invoice addresses;
  • Post-sales support requests, queries, complaints, improvement suggestions, feedback comments, and perhaps additional requirements.

As I said, that’s a lot of information, way more than just a few bits-n-bytes! Remember we’re talking here about a straightforward sale and purchase, and we've only considered information flowing directly between the parties, ignoring pertinent information flowing to and from third parties such as the tax man, affiliates, agents and other middle-men, 'product review' sites, and the vipers' nest that is online customer feedback and reputation through social media.

As if that's not enough already, the volume, complexity and importance of the information inevitably go up in more complex business transactions and interactions – strategy consulting, for instance, or financial/tax/legal advice, plus other types of business relationships such as interactions with owners and authorities, and IT outsourcing or service provision such as cloud computing – and changes gradually during the course of long-term relationships, partnerships and joint ventures that mature over the years.

4) Much of that information is both valuable and vulnerable to some extent. In classical information security terms, three aspects are key:
  • Confidentiality can be important for anything sensitive, proprietary or private - like for instance the personal information, card numbers, and commercial details concerning the specific order (negotiated terms, quantities, discounts, delivery dates etc.). The simple fact that a transaction is taking place, along with details about the parties to the transaction and the specific products, may be deemed sensitive information in some circumstances (e.g. when buying weapons): this is an example of the sensitivity and value of metadata;
  • Integrity concerns the accuracy, validity, completeness and credibility of the information, for example simple errors and omissions on the invoice could invalidate the contract or materially affect the value to either party. Distinctly misleading impressions are often generated quite deliberately through unethical marketing, and unsupported claims often surface 'accidentally' in the course of sales pitches and negotiations. Fraudulent purchases are always a concern, especially for online cardholder-not-present sales. In short, the very nature of commerce implies a reliance on trust between the parties: 'If I give you this money, you will deliver what I want - right?'.
  • Availability of information can almost as much of an issue as availability of the products and the buyers' cash! It can be a mission to obtain solid, reliable, accurate information from some vendors, even something as simple as a price, while others seem to want to distract us with irrelevancies. The buyer, meanwhile, isn't legally committed to the deal until they pass the true point of sale, generally by authenticating themselves to authorize the payment or executing the sales contract: until that crucial piece of information arrives, the vendor cannot count on the deal. 

5) In addition to those vulnerabilities, there are threats (such as unscrupulous vendors and buyers, plus various third parties - competitors, fraudsters, social engineers, hackers, VXers, the NSA and other - wanting to get in on the act or sabotage things, as well as genuine mistakes, technology failures and so forth) and impacts (such as abandoned, unprofitable or unworkable deals, shoddy or otherwise inappropriate products, privacy breaches and identity fraud) ... together constituting risks. Few relationships would survive serious or repeated information security or privacy incidents, at least not without substantial concerns and issues going forward. Securing information is therefore a vital part of securing and maintaining effective relationships.

6) Relationships are a vital and integral part of business. As I'm running out of steam, I don't feel the urge to expand on that point so I'll leave it as an exercise for you, dear blog reader. By all means go ahead and tell me about business activities that don't directly or indirectly involve relationships by commenting below - although admittedly we might need to acknowledge that some business relationships are internal, within the corporation, as opposed to external.

Summing up, the honest if trite answer to "What are we really talking about: securing relationships, securing business, or securing information?" is simply "Yes!"


* As opposed to 'information security risk', a phrase which pops up repeatedly in the ISO27k standards. That's another distinctly ambiguous term that I might lay into in due course.

26 Jan 2016

Privacy wars: US v The World

Fundamentally different approaches to privacy in the US compared to most of the rest of the world, the EU in particular, are causing headaches for organizations, governments and regulators on both sides.

For a while, the Safe Harbor arrangement was deemed adequate by the EU, enabling data on EU citizens to be passed to and processed by US organizations that pinky-promised to take care of it. Surprise surprise it didn't last. Self regulation - well not even that, simply asserting compliance - was a joke.

Snowden's recent revelations concerning mass surveillance by the NSA have opened a bigger can of worms: it seems the US gummt can bully its way past even its own legislative controls, and gag the companies it forces to disclose whatever information it demands. Ostensibly, the EU does not permit that kind of thing - although since EU countries face the same threats of terrorism, anarchy and chaos, I would not be aghast to discover that surveillance is simply more discreet in the EU, aside from the cosy 'five eyes' arrangements actively exploiting differences of law between the partners.

With impending changes to EU privacy laws likely further to extend both the definition of personal data and the privacy controls required, and the recently-enacted CISA law in the US, the stage is set for an almighty bun-fight.

Those fundamental differences of approach I mentioned underly all of this. As I understand it:
  • Personal information about a person belongs to that person, in the EU. They may choose to provide it to organizations, but it remains theirs, hence they still have control over it (or at least they should have*); 
  • Personal information about a person belongs to whover holds it, in the US. The person cedes ownership and control when they provide it to organizations.
Three obvious solutions include:
  1. Stopping the transfer of personal data on EU citizens to the US ... and stopping the unauthorized surveillance/interception/theft of such information by the NSA or other gummt bullies;
  2. Giving up on the EU privacy principles, and on privacy as we know it;
  3. Forcing US organizations - including the gummt - to provide decent privacy controls over personal data.
All three options are costly, disruptive and less than satisfactory.

Perhaps we need something less obvious? Maybe tokenizing personal information would help? Maybe dismantling Big Brother would help, if it's not too late already.


* On a personal note, I'm currently battling a French company that is refusing to delete my personal data and stop spamming me unless I first provide even more personal data to prove to them that I am really me. Oooh the irony of it.

25 Jan 2016

Metrics thought for the day

Where relevant, using current business metrics (also) for information risk and security purposes can be cost-effective if suitable raw data are already being gathered: the additional analysis, reporting and use incur relatively little incremental cost, especially if largely automated.

Corollary: when searching for metrics in any area of information risk and security, don't forget to check through existing business metrics alread in use for anything suitable, either as-is or with minor changes.

It would be easier to identify such metrics if the organization maintained a metrics inventory or database ...