Today on the ISO27k Forum, a newly-appointed Information Security Officer asked us for "a suitable set of questions ... to conduct security reviews internally to departments".
I pointed him at "What to ask in a gap assessment" ... and made the point that if I were him, I wouldn't actually start with ISO/IEC 27002's security controls as he implied. I'd start two steps back from there:
- One step back from the information security controls are the information risks. The controls address the risks by avoiding, reducing or limiting the number and severity of incidents affecting or involving information: but what information needs to be protected, and against what kinds of incident? Without knowing that, I don't see how you can decide which controls are or are not appropriate, nor evaluate the controls already in place.
- Two steps back takes us to the organizational or business context for the information and the associated risks. Contrast, say, a commercial airline against a government department: some of their information is used for similar purposes (i.e. general business administration and employee comms) but some is quite different (e.g. the airline is heavily reliant on customer and engineering information that few government departments would use at all). Risks and controls for the latter would obviously differ ... but, less obviously, there are probably differences even in the former: different business priorities and concerns, different vulnerabilities and threats. The risks, and hence the controls needed, depend on the situation.
I recommend several parallel activities for a new infosec pro, ISO, ISM or CISO – a stack of homework to get started:
- First, I find it helps to start any new role deliberately and consciously “on receive”, i.e. actively listening for the first few weeks at least, making contacts with your colleagues and sources and finding out what matters to them. Try not to comment, criticize or commit to anything much at this stage, although that makes it an interesting challenge to get people to open up! Keep rough notes as things fall into place. Mind-mapping may help here.
- Explore the information risks of most obvious concern to your business. Examples:
  - A manufacturing company typically cares most about its manufacturing/factory production processes, systems and data, plus its critical supplies and customers;
  - A services company typically cares most about customer service, plus privacy;
  - A government department typically cares most about ‘not embarrassing the minister’, i.e. compliance with laws, regulations and internal policies and procedures;
  - A healthcare company typically cares most about the privacy, integrity and availability of patient/client data;
  - Any company cares about strategy, finance, internal comms, HR, supply chains and so on (general business information) as well as compliance with the laws, regulations and contracts imposed on it, but which ones, specifically, and to what extent?
  - Any [sensible!] company in a highly competitive field of business cares intensely about protecting its business information from competitors, and most commercial organizations actively gather, assess and exploit information on or from competitors, suppliers, partners and customers, plus industry regulators, owners and authorities;
  - Not-for-profit organizations care about their core missions, of course, plus finances and people and more (they are business-like, albeit often run on a shoestring);
  - A mature organization is likely to have structured and stable processes and systems (which may or may not be secure!) whereas a new greenfield or immature organization is likely to be more fluid and less regimented (and probably insecure!).
- Keep an eye out for improvement opportunities, a polite way of saying there are information risks of concern, plus ways to increase efficiency and effectiveness. But don’t just assume that you need to fix all the security issues instantly: it’s more a matter of first figuring out your and your organization’s priorities. Being information-risk-aligned suits the structured ISO27k approach. It doesn’t hurt to mention the issues to the relevant people and chat about them, but be clear that you are ‘just exploring options’, not ‘making plans’, at this stage: watch their reactions and body language closely and think on;
- Consider the broader historical and organizational context, as well as the specifics. For instance:
  - How did things end up the way they are today? What most influenced or determined them? Are there any stand-out issues or incidents, or current and future challenges, that come up often and resonate with people?
  - Where are things headed? Is there an appetite to ‘sort this mess out’ or, conversely, a reluctance or intense fear of doing anything that might rock the boat? Are there particular drivers, imperatives or opportunities, such as business changes or compliance obligations? Are there any ongoing initiatives that do, could or should have an infosec element to them?
  - Is the organization generally resilient and strong, or fragile and weak? Look for examples of each, comparing and contrasting. A SWOT or PEST analysis generally works for me. This has a bearing on whether information and other risks are being accepted safely or recklessly;
  - Is information risk and security an alien concept, something best left to the grunts deep within IT, or a broad business issue? Is it an imposed imperative or a business opportunity, a budget black hole (cost centre) or an investment (profit centre)? Does it support and enable the business, or constrain and prevent it?
  - Notice the power and status of managers, departments and functions. Who are the movers and shakers? Who are the blockers and naysayers? Who are the best-connected, the most influential, the bright stars? Who is getting stuff done, and who isn’t? Why is that?
  - How would you characterize and describe the corporate culture? What are its features, its high and low points? What elements or aspects of it might you exploit to further your objectives? What needs to change, and why? (How will come later!)
- Dig out and study any available risk, security and audit reports, metrics, reviews, consultancy engagements, post-incident reports, strategies, plans (departmental and projects/initiatives), budget requests, project outlines, corporate and departmental mission statements etc. There is a lot of data here and plenty of clues that you should find useful in building up a picture of What Needs To Be Done. Competent business continuity planning, for example, is also business-risk-aligned, hence you can’t go far wrong by emphasizing the information risks to the identified critical business activities. At the very least, obtaining and discussing the documentation is an excellent excuse to work your way systematically around the business, meeting knowledgeable and influential people, learning and absorbing info like a dry sponge.
- Build your team. It may seem like you’re a team of one, but most organizations have other professionals or people with an interest in information risk and security etc. What about IT, HR, legal/compliance, sales & marketing, production/operations, research & development etc.? Risk Management, Business Continuity Management, Privacy and IT Audit professionals generally share many of your/our objectives; at the very least there is substantial overlap (they have other priorities too). Look out for opportunities to help each other (give and take). Watch out also for things, people, departments, phrases or whatever to avoid, at least for now.
- Meanwhile, depending partly on your background, it may help to read up on the ISO27k and other infosec standards plus your corporate strategies, policies, procedures etc., not just infosec. Consider attending an ISO27k lead implementer and/or lead auditor training course, CISM or similar. There’s also the ISO27k FAQ, ISO27k Toolkit and other info from ISO27001security.com, plus the ISO27k Forum archive (worth searching for guidance on specific issues, or browsing for general advice). If you are to become the organization’s centre of excellence for information risk and security matters, it’s important that you are well connected externally, a knowledgeable expert in the field. ISSA, InfraGard, ISACA and other such bodies, plus infosec seminars, conferences and social media groups are all potentially useful resources, or a massive waste of time: your call.
Yes, I know, I know, that’s a ton of work, and I appreciate that it’s not quite what was asked for, i.e. questions to ask departments about their infosec controls. My suggestion, though, is to tackle this at a different level: the security controls in place today are less important than the security controls that the organization needs now and tomorrow. Understanding the information risks is key to figuring out the latter.
As a relative newcomer, doing your homework and building the bigger picture will give you an interesting and potentially valuable insight into the organization, not just on the information risk and security stuff … which helps when it comes to proposing and discussing strategies, projects, changes, budgets etc. How you go about doing that is just as important as what you are proposing to do. In some organizations, significant changes happen only by verbal discussion and consensus among a core clique (possibly just one all-powerful person), whereas in others nothing gets done without the proper paperwork, in triplicate, signed by all the right people in the correct colours of ink! The nature, significance and rapidity of change all vary, as do the mechanisms or methods.
So, in summary, there's rather more to do than assess the security controls against 27002.