Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Dec 14, 2018

NBlog Dec 14 - choosing ISO27k products

On ISO27k Forum today, a new member asked for advice on whether a 'complete package' would help the organization achieve ISO/IEC 27001 certification.

It's hard to answer without knowing more about the organization and its people (especially the management and specialists), their experience and maturity in respect of information risk and security, and ISO management systems, and the business context.  For example:
  • A small engineering company is in a different position to, say, a large charity, a government department or a multinational: its complexity, information risks, information security controls and other factors vary;
  • A company in a heavily-regulated industry such as healthcare, finance or defense is probably more compliance-driven, its management and workforce more comfortable with structured and systematic ways of working than, say, a retailer or farmers' cooperative;
  • An organization that is 'surrounded' or owned by ISO27k-certified organizations may be under more pressure to implement than a pioneer, especially if there are commercial pressures or contractual/regulatory obligations in this area (e.g. for privacy reasons);
  • A patently insecure organization that has suffered one or more serious infosec incidents, breaches, compliance failures etc. is likely to be under more intense pressure to reform and 'get secure' than one which is (or believes itself to be) relatively secure, doing OK at the moment but maybe looking into ISO27k as a strategic opportunity, supporting other initiatives and complementing other management systems maybe;
  • A mature, specialized, narrowly-focused, relatively simple and stable organization (such as a steel mill) probably needs far less flexibility in its ISMS than one which is highly dynamic, growing fast, chasing different markets and proactively innovating (such as manufacturer of IoT things).
Also, despite the additional wording in the original query, I'm not at all sure what a 'complete package' is. That might mean any of the following, alone or in combination:
  • Documentation e.g.:
    • Sets of ISO27k and possibly other standards (the core set of ISO/IEC 27000, 27001, 27002, 27003 and 27005 are almost universally recommended);
    • Generic template/skeleton ISMS documentation such as scope, SoA, RTP etc.;
    • Generic infosec policies and procedures etc.;
    • Generic project/program plans, frameworks etc.;
    • Generic, structured methods/approaches etc.;
    • Tailored documentation to suit the general type/size of business, industry etc.;
    • Bespoke or heavily customized documentation, competently tailored to suit a particular organization;
  • ISMS-related consultancy-type services of various kinds e.g.:
    • Training and awareness services for individuals, teams or the entire organization;
    • Help with the program and project governance and management aspects e.g. planning, resourcing, metrics, targets, project risk management;
    • Mentoring, guidance and advice for the CISO/ISM, ISMS implementation project manager/team and perhaps others e.g. senior management, risk management, IT audit, IT, Facilities, HR, Operations, Privacy ...;
    • All manner of gap analyses, reviews, audits, benchmarks etc. to assess and report on the current situation and help determine future directions, priorities etc.;
    • Full-time hands-on ISMS project and program management leading to permanent ISM and CISO roles;
    • Part-time local and/or remote support, advice, mentoring etc. for the permanent on-site team - including perhaps assistance with the recruitment and training of such a team;
    • Business development consultancy e.g. help to re-position and market the organization as an ISO27k-certified secure, trustworthy, reliable supplier or whatever;
  • Systems e.g.:
    • IT systems specifically supporting an ISO27k ISMS, or any kind of ISMS, or more generally information risk and security-related;
    • Document Management Systems, possibly pre-loaded with [generic but hopefully customizable, relevant and suitable] ISO27k ISMS documentation;
    • Learning Management Systems, possibly pre-loaded with ISO27k-related training materials, courses, tests etc.;
    • Private, hybrid or public cloud-based apps;
    • Structured methods, frameworks and approaches in this area, with or without IT components; 
  • Something else!
Some of those options above are much more valuable than others (note: 'valuable' is not the same as 'expensive': some are free!). Comprehensive materials and support services might suit your organization (if you can afford them, and if they cover all your requirements!), but you might be better off with an appropriate selection and combination of point-solutions addressing more specific weak-points and needs, complementing and reinforcing the organization's existing resources and capabilities.

Lastly, I'll throw-in another important factor to consider: the nature, quality and value of the products (both goods and services) depends heavily on the suppliers or sources - their competence, experience, expertise (both depth and breadth), quality assurance, creativity and so forth. Are they new to the market, full of brash enthusiasm and bright ideas but short on history and perhaps credibility? Are they old, established, set-in-their-ways maybe? Are they ISO27k specialists (e.g. they ONLY offer ISO27k training courses), broader ISO27k and infosec suppliers (e.g. they provide training plus consulting plus systems) or generalists (e.g. the auditing/accounting/business consultancies)? Are they well-known and highly respected in the field with glowing customer references, or relatively unknown with dubious credentials? Oh and are you certain the products on offer are what will actually be delivered (avoiding the old bait-n-switch scam)?  

I hope this general advice helps. I appreciate that it raises far more issues than it answers ... but hopefully those questions and considerations are a lot more useful than the alternative "Well, it all depends!"

Dec 8, 2018

NBlog Dec 8 - bashing tick-n-bash

Auditing compliance with rules defined in policies, standards, laws and regulations is just one audit approach, commonly and disparagingly known as tick-n-bash auditing.

The rule says X
but you do Y
……. BASH!

It is like being rapped over the knuckles as a kid or zapping a trainee sheep dog through its radio-controlled shock collar. It's a technique that may work in the short term but it is crude and simplistic. The trainee/auditee is hurt and ends up resentful. Strong negative emotions persist long after the tears have dried and the bruising has gone down, making it counterproductive. It’s best reserved as a last resort, in my considered opinion.*

Certification audits are ultimately compliance audits but even they can be performed in a more sympathetic manner. The trick is to combine bashing (where justified) with explaining the requirements and encouraging compliance. It means motivating not just dragging people, and a lot more listening and observing to understand why things are the way they are.

Sometimes there are genuine, legitimate reasons for noncompliance, like for example finding better ways to do things or competing priorities. Sometimes noncompliance achieves a better outcome for the organization and other stakeholders. Actively looking for and exploring such situations turns the audit into a more positive exercise, even if it turns out that noncompliance was indeed unjustified and problematic: the investigation will often turn up root causes that deserve to be addressed, enabling us to treat the disease, not just ameliorate the symptoms. 

Competent, experienced auditors appreciate the value of downgrading relatively minor findings to ‘minor non-conformance’ status, or even on occasions ‘letting things ride’ with informal comments and motivational words of encouragement to the auditees. That then makes any remaining major issues stand out, focusing everyone’s attention on the Stuff That Really Matters – matters to the organization and other stakeholders, for legitimate business reasons. It’s no longer just a matter of “The rule says X”: there are reasons why rule X exists, reasons that deserve attention. Rule X is simply a means to an end, not an end in itself.

From there, it’s but a small step towards effectiveness and efficiency-based auditing, a more sophisticated and intelligent approach than crude compliance auditing. The idea is to identify sub-optimal activities that might usefully be adjusted to improve the outcomes, ultimately achieving business objectives and success. The approach focuses on the positives, on finding creative solutions that most benefit the organization (and, by the way, the individual auditees: more carrot = less stick!). The very premise that some activities might be ‘sub-optimal’ implies a deeper level of understanding about what ‘optimal’ actually means in that context, and a wider appreciation of good practises and alternatives. Being able to recite the rules verbatim, and carry a big stick, is no longer the mark of a good auditor!

In the ISO27k context, the information security controls recommended by ISO/IEC 27002 are intended to address specified control objectives. However, they aren't guaranteed always to achieve those objectives in any given situation, nor are those objectives necessarily relevant and sufficient. Both the control objectives and the controls are generic - general advice intended to suit most organizations. Both need to be interpreted in the specific context of a particular organization. Both may need to be supplemented, extended modified or ignored in various circumstances. That complexity makes it too tough for straightforward compliance auditors, apparently, demonstrating a fundamental limitation of the tick-n-bash approach. That's why an ISO/IEC 27001 compliance certificate confirms the presence of a 'management system' for information risk and security, rather than a secure organization with all the appropriate information security controls in place.

ISO/IEC 27001 specifies that internal audits must be performed on the Information Security Management System but does a poor job of explaining them, in particular it uses the word 'conforms', a synonym for 'complies' with the unfortunate implication that auditing is compliance auditing:

Taking my own medicine, I ask myself "Why? Why does the standard equate auditing with compliance auditing?" The answer lies with the experts responsible for the ISO27k standards, in their biases and prejudices about auditing ... which in turn reflects their experience of auditing ... which I presume is largely compliance auditing ... and so the loop continues. 

Breaking the committee out of that vicious cycle is an objective I have thus far failed to achieve but the current round of standards revision presents another opportunity, a chance to explain, persuade and hopefully convince. Not bash, oh no. 

Longer term, I'd like to push ISO27k further into the realms of assurance and accountability, and beef-up its advice on governance, information risk management, business continuity, and business for that matter. The business context and objectives for information security would be fascinating to explore and elaborate further on. One day maybe. I've learnt to pick my battles though: it takes a winning strategy to succeed in war.

* PS  I have the same philosophy in security awareness and training. To me, security awareness and training works best as a positive, motivational and inspirational technique. Dire warnings and penalties may be necessary to curb inappropriate behaviors and instill discipline but that's a last resort, best reserved for when other techniques have failed. Clearly, I'm no sadist.

Dec 7, 2018

NBlog Dec 7 - who owns the silos?

Michael Rasmussen has published an interesting, thought-provoking piece about the common ground linking specialist areas such as risk, security and compliance, breaking down the silos.

“Achieving operational resiliency requires a connected view of risk to see the big picture of how risk interconnects and impacts the organization and its processes. A key aspect of this is the close relationship between operational risk management (ORM) and business continuity management (BCM). It baffles me how these two functions operate independently in most organizations when they have so much synergy.”

While Michael’s perspective makes sense, connecting, integrating or simply seeking alignment between diverse specialist functions is, let's say, challenging. Nevertheless, I personally would much rather collaborate with colleagues across the organization to find and jointly achieve shared goals that benefit the business than perpetuate today's blinkered silos and turf wars. At the very least, I'd like to understand what drives and constrains, inspires and concerns the rest of the organization, outside my little silo.

Once you start looking, there are lots of overlaps, common ground, points of mutual interest and concern. Here are a few illustrative examples:
  • Information risk, information security, information technology: the link is glaringly obvious, and yet usually the second words are emphasized leaving the first woefully neglected;
  • Risk and reward, challenge and opportunity: these are flip sides of the same coin that all parts of the business should appreciate. Management is all about both minimizing the former and maximizing the latter. Business is not a zero-sum game: it is meant to achieve objectives, typically profit and other forms of successful outcomes. And yes, that includes information security!
  • Business continuity involves achieving resilience for critical business functions, activities, systems, information flows, supplies, services etc., often by mitigating risks through suitable controls. The overlap between BCM, [information] risk management and [information] security is substantial, starting with the underlying issue of what 'critical' actually means to the organization;
  • Human Resources, Training, Health and Safety and Information Risk and Security are all concerned with people, as indeed is Management. People are tricky to direct and control. People have their own internal drivers and constraints, their biases and prejudices, aims and objectives. Taming the people without destroying the sparks of creativity and innovation that set us apart from the robots is a common challenge ... and, before long, taming those robots will be the next common challenge.

Dig deeper still and you'll also find points of mutual disinterest and conflicts within the organization. Marketing, for instance, yearns to obtain and exploit all the information it can possibly obtain on prospective customers, causing sleepless nights for the Privacy Officer. Operations find it convenient or necessary to use shared accounts on shop-floor IT systems in the interest of speed, efficiency, safety etc. whereas Information Risk and Security point out that they are prohibited under corporate-wide security policies for accountability and control reasons.

You could view the organization as a multi-dimensional framework of interconnections and tensions between its constituent parts, all heading towards roughly the same goal/s (hopefully!) but on occasions pulling any which way at different speeds to get there. To make matters still more complex, the web of influence extends beyond the organization through its proximal contacts to The World At Large. That takes us into the realm of chaos theory, global politics and sociology. 'Nuff said.

All the organization's activities fall under the umbrella of corporate governance, senior managers clarifying the organization's grand objectives and optimizing the organization's overall performance by  establishing and monitoring the corporate structures, hierarchies, strategies, policies and other directives, information flows, relationships, systems, management arrangements etc. necessary to achieve them. Driving alignment and reducing conflicts is part of the governance art. Silos are governance failures.

Dec 2, 2018

NBlog Dec 2 - Acceptable Use Policies

A question came up on the ISO27k Forum about an Acceptable Use Policy. I'll take this opportunity to dispense a few Hinson Tips (free, worth every penny!). 

AUP isn’t a generally-defined and globally-agreed term. Even “policy” has a spectrum of meanings. So, regardless of what any of us might think or claim it means, what matters is the organization that’s using it – the organizational context. What does your management expect an AUP to be? To achieve? To look like? You should get some useful clues from other similar materials in other areas such as IT, HR and Finance, other functions that to some extent formally express directives. They may or may not be called AUPs, so take a look around the policy-related guidance materials, and preferably talk to the original authors about their work. You will probably pick up some useful tips, maybe even some help to knock your materials into shape. 

Some organizations use AUPs formally, stating employees' obligations for legal purposes. Personally, I prefer conventional policies and employment-related contracts, terms and conditions, rulebooks etc. for that purpose.  I treat AUPs more as guidelines than policies ... but even so that’s on the premise that a ‘guideline’ CAN and generally SHOULD incorporate obligations defined in various policies, laws and regulations – in other words, despite the name, a guideline includes and revolves around mandatory elements. Its purpose, for me, is to explain those obligations in plain language and thereby encourage people to comply. 

Employees shouldn't need to consult a lawyer to figure out what is expected of them. Management should ensure not only that employees are instructed, but they are also helped to understand and fulfill their obligations.

There are various ways to ‘explain and encourage’ employees. A useful approach is to lay out examples covering both acceptable AND unacceptable activities, hence the AUPs in our awareness and training materials look something like this little extract:

The language is reasonably simple and straightforward (avoiding the technobabble and pseudo-legalese that afflicts some of our esteemed colleagues!) and we’re using the obvious green and red color cues plus the ticks and crosses to emphasize do’s and don’ts. We try to have roughly the same number of each, countering the tendency for the whole thing to preach “Thou shalt not …” And separating the reds from the greens gives an otherwise jumbled list a little structure. We’re trying hard to encourage and make it easy for even reluctant, busy, distracted and disinterested readers to read. 

For the same reason, we also take the position that ‘less is more’, meaning that our AUPs have less than 500 words each. They are all one-pagers with a two-column layout. That’s quite a challenge for the AUP author [me!] since words are at a premium which means condensing the AUP down to essentials. Aside from careful wordsmithing, it’s worth asking “If someone barely has the time or interest to glance at this, what are the key messages we’d must put across?”. That approach in turn begs questions about what happens to the other stuff that we’re forced to leave out. For us, it’s easy enough because we also provide briefings and seminar slide decks and conventional policy templates etc., a coherent and comprehensive package of goodies and awareness activities supporting the AUP, all covering the same infosec topic ...

... Which brings up another part of our approach: we don’t try to cover everything all at once. We deliberately break things down into a series of distinct topic areas, allowing us to focus and go into a bit more depth on each topic, moving ahead month-by-month to cover the entire field

Consuming the elephant one bite at a time

If you think one or more AUPs would be useful in your organization but are unsure about the format, you might like to prepare or compile a variety of AUPs in different styles, giving management the chance to consider the options and choose the best ones or the best bits. As well as AUPs from within the organization, look for examples from other organizations (including ours!) to see the range of styles and formats in use. Once you get management's agreement and generate something that is acceptable to all parties, that becomes the template for others ...

... And that's how we work too. All our security awareness and training materials are prepared from templates, making it easier to adopt and stick to a consistent look-and-feel. The templates pre-set things such as:
  • Page/paper size and orientation;
  • Language for spell-checking;
  • The font, font sizes and colors, both for plain content plus the titles, headings, hyperlinks etc. using 'styles';
  • Headers and footers with titles, page numbering and our copyright notice;
  • Page layouts e.g. columns, tables;
  • Document structure e.g. cover page, main headings;
  • Boilerplate text such as sources of further information and contacts at the bottom of almost everything (sometimes customized according to the topic);
  • Miscellaneous formatting e.g. line thicknesses and colors, arrowheads;
  • Diagrammatic styles e.g. the risk-control spectrum and PIG diagrams you'll see pop up occasionally on this very blog;
  • Metadata such as tags to make it easier to search for specific kinds or items of material. 

Our full suite of templates has evolved in the course of a decade and is still being tweaked from time to time. In particular we review and where necessary modify the whole lot annually at the start of the calendar year: updating the copyright notices triggers that process. We try to keep a lid on minor changes during the year in order not to introduce noticeable inconsistencies, so the annual template re-vamp is our opportunity to address any little issues and if appropriate adopt more significant changes, sometimes retiring templates that are no longer proving useful.

Another source of change is the creation of new formats or styles of awareness materials, such as the AUP seen above. New items normally take a couple of iterations and adjustments before stabilizing and being templated, becoming part of the set. 

Finally, there are other tricks of the trade in researching, writing and polishing awareness and training materials that both are and appear professional. A suite of templates is an excellent start but just as important is the way the templates are used, and of course the quality of the information content. We take pride in our work. We care about spelling and grammar. We consider our audiences, and we learn and improve systematically. We're perfectionists by nature. That's the secret weapon that gives us an edge over the usual rather amateurish and slapdash awareness and training content that is so common out there, the stuff that gives our profession a bad reputation. We must do better, raising our game. We're doing our bit. What about you?