Who's for a Pimms?

Within a year or so, organisations will be able to have their Privacy Information Management Systems certified compliant with ISO/IEC 27701, thanks to a new accreditation standard ISO/IEC TS 27006 part 2, currently in draft.

A PIMS is very similar to an Information Security Management System, hence compliance auditing and certification are also very similar – so much so that I’ve heard some certification bodies are already taking the initiative by issuing PIMS certificates despite their not being formally accredited for that.

Potentially, a PIMS certificate may become the generally-accepted means of demonstrating an organisation’s due care over privacy and personal data protection – a way to assure data subjects, business partners, the authorities and courts that they have, in fact, adopted good privacy practices. 

A PIMS should materially reduce an organisation’s risk of suffering privacy breaches.   However, as with an ISMS, ‘materially reduce’ is not quite the same as ‘eliminate’.  In the less likely event that a privacy breach occurs, despite having a PIMS, compliance certificates for the organisation and if appropriate its information service suppliers (e.g. cloud or marketing services) may be a credible part of the organisation’s legal defence against prosecution under GDPR or other privacy laws and regs, but they would still need to explain why the breach occurred and what they have fixed to prevent a recurrence.  The PIMS should at least structure the response to the breach, including corrective actions addressing the root causes, hence there should be something substantial behind the usual vacuous PR statements about ‘taking this matter very seriously’.

Boost your ISO27k ISMS with SecAware Take-off

SecAware ISMS Launchpad comprises a set of templates for the mandatory documentation that every compliant Information Security Management System must have: a basic ISMS strategy, scope, Statement of Applicability, Risk Treatment Plan, information security policy, that sort of thing. If your organisations only needs an ISO/IEC 27001 certificate, this tidy stack of templates forms a stable, compliant platform from which to launch your ISMS. For a paltry $99, download Launchpad and get started today!

Hot on its tail, today we announce the next phase of our mission to convince every organisation to manage its information risks properly.

If your organisation sees the value in going a little beyond the bare minimum, SecAware ISMS Take-off takes you to the next stage. 

Take-off provides all of these templates:

The Take-off materials primarily concern management. An ISO27k ISMS is, after all, a management system.

Template #2 "Strategic objectives for information risk and security management" for instance specifies:

• "Enhance and protect the value of information by ensuring adequate confidentiality, integrity and availability"
  
  
• "Manage (i.e. identify, evaluate, treat and monitor) information risks cost-effectively and competently"
   
• ... plus four other key objectives. 

It also lays out four non-goals to be crystal clear about what the ISMS is not expected to do (such as destroying value by costing more than it saves). All in all, this neat little single-page template packs a punch and will surely resonate with your executives.

Since there is no explicit requirement in ISO/IEC 27001 for management to document the organisation's strategic objectives, a minimalist ISMS could get by and be certified compliant without one. However, there are substantial business advantages in formulating and stating the objectives. 

A ISMS based on both Launchpad and Take-off demonstrates management's commitment to protect information for sound business reasons, not just for the sake of a certificate.

SecAware ISMS Take-off

An interesting risk metric

We were chatting over coffee this morning about an organisation that is recruiting at the moment. Having been through the cycle of advertising, preselecting/long-listing, interviewing and short-listing candidates, their references came back negative, forcing the organisation to reboot the recruitment process.

On the one hand, that's a disappointing and somewhat costly outcome. It suggests, perhaps, that the preselection and interviewing steps could be tightened up. Were there warning signs - yellow or red flags that could/should have been spotted earlier in the process?

On the other, it also indicates that the selection/recruitment process is effectively identifying and weeding-out unsuitable applicants, avoiding what could have turned out to be even costlier incidents down the line if the appointments had been made and the new recruits had turned out to be unsuitable.

So, Proportion of shortlisted candidates rejected as a result of poor references is one of several possible measures of the recruitment process, with implications for risks and opportunities, costs and benefits. Very high or low values of the metric, or adverse trends, or sudden changes, may all be cause for concern and worthy of investigation, whereas middling, "neutral" values are to be expected.

The metric probably wouldn't have even occurred to me except that I happen to be documenting information security controls for joiners, movers and leavers at the moment for the next phase of SecAware ISMS templates. Information risks should be taken into account during the recruitment process. Confirming applicants' identities, taking up references, confirming employment histories and qualifications on their CVs, and running other background checks (e.g. for criminal records or credit issues) can be important controls if legally permissible, especially for appointments into trusted roles - and, by the way, that includes internal transfers and promotions as well as new recruits.  

Infosec roles & responsibilities

For the next phase of SecAware ISMS, I'm documenting the management process for determining and allocating information risk and security responsibilities. 

The procedure itself is straightforward - just one page of written instructions covering a simple four step process - but a raft of examples of the activities various functions perform in relation to information risk and security takes it up to six pages, even though the examples are presented tersely as bullet points.

It turns out there may be several corporate functions, teams and individuals, each performing numerous activities relating to information risk and security.  

Admittedly, my knowledge in this area has accumulated in the course of working mostly for large, relatively mature organisations, a couple of which had all of the functions staffed by professionals busily performing virtually all of the activities. Small-to-medium sized organisations don't have the luxury of being able to carve-up the work among dedicated teams of specialists, so they usually get by with multi-tasking and perhaps assistance from third parties. Information risk and security is tougher for micro-organisations, particularly if they don't even have anyone who appreciates the need to manage information risk and security, privacy, compliance, business continuity etc. 

The ISO27k framework can help all types and sizes of organization provided it is interpreted and applied sensibly according to the business context and needs. Even though a multinational bank, say, might have specialists within HR and other functions whose job it is to prepare job descriptions, vacancy notices, training plans etc., our generic list of information risk and security activities may be a useful prompt to confirm that they have all the bases covered. A micro-company will not need to perform every listed activity, and will have no choice but to concentrate on the few that matter most. Either way, the process of management deciding what the necessary activities should involve and, where appropriate, assigning responsibilities to the relevant workers, corporate functions or third parties, is much the same and hence worth laying out in a generic procedure.

As I'm drafting the procedure, I'm itching to mention related aspects such as governance, accountability, access control, competence, oversight, monitoring, resilience and more ... but those would be distracting details. Paring away peripheral issues to concentrate on the matter at hand (the essentials for an ISO/IEC 27001-compliant ISMS) is a cathartic experience for me, a big picture thinker by nature. Laser-focusing is hard for me! Meanwhile, this blog is my relief valve: there, I've brought up some other matters and acknowledged their relevance without turning the procedure into War and Peace. 

The same point about focus applies to the job descriptions we are providing: our templates outline the role and what is expected of workers in just one side of A4 per job. Again, they are generic, stating typical key requirements for significant roles in general terms with the intention that customers customise them as necessary, probably elaborating on certain aspects that happen to be more important to them.  

As the templates fall into place, we'll release the next phase of SecAware ISMS in a week or two. I would like to cover commonplace management controls, drawn from '27001 Annex A, but I need to remind myself that I'm not Tolstoy. We're providing just the bare bones and inspiration to get customers' ISMSs up and running, not The Whole Enchilada. It's quality not quantity that matters most.

UPDATE: SecAware ISMS Take-off is on sale now, including this template.

An appetite for risk

Today we've been chatting about this on the ISO27k Forum: 

"Let's assume that the company is willing to accept risks with a potential financial impact less than $50k. Obviously after performing risk assessment, we need to decide which treatment option we should follow. In case when the potential impact of the risk is below $50k - (risk appetite), we should accept the risk, right? 

 

My question is: what happens if for some reason, multiple Low Risks (below risk appetite value/already accepted) occur at the same time? Should the Risk Appetite represent an aggregation of all low risks or just reflect the appetite for a single risk?"

I suggested considering 'coincident risks' as another entire category or class of risks, some of which may well be above the risk appetite/acceptance threshold even if the individual risks fall below it. 

It gets worse. There are many other coincidences, errors, failures, issues and exceptional circumstances that could occur - in extremis, it's an infinite set of possibilities given all the permutations and combinations.

Our collective failure to identify and take seriously the possibility of a pandemic landed us in the poo we’re in now. Even those organisations that did have pandemic controls in place have found the going tougher than anticipated, some discovering that their stockpile of sanitizer and masks had not been properly stored and maintained, and hence was next to useless when called upon. 

Trust me, it can be a sobering exercise to run a risk workshop focused on rare but extremely impactful events, the outliers that we tend to ignore in routine risk management because it’s hard enough dealing with the commonplace extreme events, let alone the rarities. Every well-managed organisation needs to deal sensibly with the scarily vague “something else happens and lands us in serious trouble” situations, when classical scenario planning runs out of steam. There are far too many possibilities to even enumerate, let alone evaluate and treat individually: a more general-purpose approach is required. 

That line of thinking leads us through incident and crisis management into business continuity planning, in particular the resilience and contingency aspects. Insurance is another possibility, for some but not all situations: insurance against unbounded classes of incident can be risky for both the insured and the insurers, although business interruption insurance is available, at a price, with various constraints as the insurers protect their own businesses against interruption. Hopefully.

Tips on preparing successful proposals

"The Winning Business Case: how to create a compelling conceptual, analytical and pitch model that your audience will love" is a free eBook from OCEG - more than 20,000 words of advice about generating and pitching a business case for investment in some sort of risk-based project or initiative.

The Open Compliance and Ethics Group identifies as: 

"a global nonprofit think tank that helps organizations reliably achieve objectives, address uncertainty and act with integrity ... We inform, empower, and help advance our 85,000+ members on governance, risk management, and compliance (GRC). Independent of specific professions, we provide content, best practices, education, and certifications to drive leadership and business strategy through the application of the OCEG GRC Capability Model™ and Principled Performance®. An OCEG differentiator, Principled Performance enables the reliable achievement of objectives while addressing uncertainty and acting with integrity. Our members include c-suite, executive, management, and other professionals from small and midsize businesses, international corporations, nonprofits, and government agencies. Founded in 2002, OCEG has locations around the globe."

The eBook lays out and explains 15 activities or steps in the process. The sequence and of course the details within each step may vary according to circumstances but it's a comprehensive, well-written document, worth studying if you need to justify investment in risk or security management projects or related areas such as  compliance, assurance, cybersecurity, business continuity and ISO27k. 

With some adjustments, the process could also be valuable for operational budgets too: securing next year's budget for a business department or function is similar to getting approval for a project, especially if management takes a longer-term, strategic view rather than being solely annual in focus. 

Thinking more broadly still, it could be useful for other kinds of proposal, such as when bidding for consultancy work. Maybe if prospective clients had a better appreciation of the effort it takes to prepare bids and proposals for them, they might be more inclined to engage with suppliers like us to discuss and clarify both their requirements and the offer on the table, rather than clamming-up so rudely! 

It's quite a lot to read and comes across as a little theoretical in places, as if the authors are recounting techniques picked up from an MBA course or business textbook, but that's just my impression and may simply reflect the authors' style. This caught my beady eye for example:

"Uncertainty is not the same as risk. Risks can be calculated; uncertainty can’t. For example the risk that your next coin-flip will be heads is 50-50. On the other hand, what are the odds that regulators will overhaul their treatment of your industry in the next 20 years? Instinct might suggest an overhaul will probably happen, but you can’t model the chances of specific outcomes over that long a period. It’s uncertain."

I disagree with the assertion that "risks can be calculated [whereas] uncertainty can't", but if that's how they choose to distinguish and use the terms here, fair enough. At least they have offered definitions.

I particularly appreciate the advice to do the legwork, contacting, explaining and discussing the proposal with individuals who will in due course make the final decision in a forthcoming board or executive committee meeting. That's a trick I've learnt the hard way over the years but I seldom see it suggested in print. Writing a sound business case, proposal, business plan, budget request etc. is only half the battle. Influencers and decision makers need to be persuaded and convinced to support - or at least not block - the proposal, which takes time and effort, mostly one-on-one. Appreciating that 'socialising' our proposals is a worthwhile if not necessary part of the process is a good start for those of us who over-rely on formal proposals and rational arguments based on facts and models, ignoring the emotional and personal aspects at our peril. 

ISO27k ISMS products

Having drafted a generic requirement specification for systems supporting an ISO27k ISMS, I’m slowly trawling the Web for products in the hope of finding apps, templates and services that we would be willing to use ourselves and recommend to our consulting clients.

So far I’ve found about 20 commercial or open-source ISMS systems plus maybe twice that number of risk management systems, plus quite a variety of more focused systems supporting incident management, business continuity, vulnerability management, patch management etc. It’s a confusing, sprawling and dynamic market … so I’m also working on a structured evaluation process that will help us pick out gems from the stones on offer, depending on our own and our clients' specific needs.

Along the way, I've picked up murmurings of discontent from customers saddled with low-quality content supplied with some ISO27k ISMS systems and toolkits. Aside from variation between the products, could it be, I wonder, that some of the products currently on offer are inadequate because customers vary so much in size, complexity, maturity etc. having different expectations or requirements? Could this be a side-effect of ISO27k's intended application to all organizations, resulting it being jack-of-all-trades and master-of-none? 

We could develop generic content specifically targeting particular market segments or types of organisation ... but instead we've started with the basics that every ISO27k ISMS needs with the intention of offering optional add-ons, giving customers more choice. 

One of those options is to develop custom materials and support individual customers to implement and optimise their ISMSs using appropriate systems/tools, provided we can convince management of the value of our consultancy services - and that's a tough sell, especially during COVID-19. Doing it all in-house may be a viable option if the organisation has the people with the requisite skills, competencies, knowledge and experience. That seems unlikely if there is no ISMS already in place - catch 22. There's also the matter of the time needed for people to learn the ropes and get up to speed with the ISMS, given all the other things on the go: the longer things drift along, the more the organisation remains subject to information risks that may not be managed effectively.

I'm working on other options too. More info to follow. Watch this space.

The small but perfectly formed ISMS

Consulting for small organisations lately to design and implement their ISO/IEC 27001 Information Security Management Systems, resourcing constraints often come to light, particularly the lack of information security expertise and knowledge in-house. I have previously taken this to indicate lack of understanding, support and commitment from senior management, insufficient priority relative to all the other important stuff going on, hence my abiding interest in elaborating on the business case for investing in information risk and security management. Currently, though, I’m gaining a new-found appreciation of the realities of running a small business where even IT may be done on a shoestring, leaving information security way out on a limb.

With barely enough cash-flow to sustain the business during COVID-19 and the obvious need to focus on core business activities, it’s no surprise if ISO27k implementation and certification projects take a back seat for now. That delaying tactic, however, leaves the business more exposed meanwhile, increasing the probability and impacts of incidents that should have been avoided, prevented or mitigated. It can lead to missed business opportunities and customer defections as they turn to certified competitors rather than waiting for the assurance an ISO/IEC 27001 compliance certificate would bring. It reduces trust and devalues brands. All in all, it’s a risky approach.

Putting the ISMS implementation on hold is not the only option, however. With some creative thinking, it is possible to keep the project moving along, albeit at a slower pace:

• A bare-bones minimalist ISMS, barely adequate to satisfy the standard’s mandatory requirements, may not deliver all the business benefits of good practice information risk and security management ... but it is both certifiable and better than nothing. A small but perfectly formed ISMS demonstrates the organisation’s genuine commitment to information risk and security management, gaining the assurance value of the certificate to third parties without the investment necessary for a full-blown ISMS. Furthermore it is a perfectly valid and sensible starting point, a platform or basis from which to mature the organization’s information risk and security management practices as and when it proves its value. It's a pragmatic approach. Being a pragmatist, I like that.
• Partnering with consultants reduces the pressure on employees, demonstrates management’s support (more than just the intention to resume the ISMS project ‘at some point’), and keeps up the momentum. Based on our practical experience and knowledge of the standards, we can generally help clients navigate the process by the shortest and most direct route, perhaps making small diversions only where it makes business sense. Speaking for myself, I’m happy to regulate my involvement according to the client’s wishes, matching their pace with mine. Having a portfolio of clients and interests on the go lets me juggle priorities, complete fill-in jobs and manage my workload (within reason! I’m merely-human, not super-human!).
• Even if the ISMS project itself is parked, there are still things that can be done, seizing opportunities that arise elsewhere to remove roadblocks or put in place building blocks to help jump-start the project at some future point. For example, since information risk is the main driver for ISO27k, it is possible to weave a subtle but consistent emphasis on risks into routine business activities, business meetings, policies and so on. Quietly gathering details of incidents, risks, controls, compliance obligations, assurance needs etc. can be done as a background activity, preparing for the fateful day when the parking brake is released.

One of my fill-in jobs has been to prepare and release SecAware Launchpad - a coherent suite of essential template materials for those minimalist ISO27k ISMSs I mentioned. When pared-down to the bones, there’s not a vast amount of mandatory documentation for ISO/IEC 27001 certification, hence Launchpad is lightweight and cheap (a bargain at just $99, for now anyway!). I almost completely resisted the temptation to provide additional bonus content, incorporating just a few brief notes of explanation here and there where the standard itself isn’t clear.

My next fill-in job is to package-up more of that supplementary content as an optional extra add-on for organisations that need more guidance and want to build a more complete, functional and valuable ISMS. We have gigs of material already prepared through the NoticeBored service plus the experience of using the ISO27k standards since before they became ISO27k, so it’s mostly a case of deciding what is necessary, looking for it and then adapting and rebranding it into another SecAware ISMS support package. I'll announce the new package here and of course on SecAware.com when it is released.

The day the Earth stopped spinning

Here's something we don't see very often, well for no more than a fraction of a second, normally, discreetly tucked away at the bottom left corner of the browser window.

Today was different. Today the message was there long enough for me to grab that little screen shot.

Meanwhile, I had to wait

s e v e r a l

l   o   n   g

m i n u t e s

for the Google search results to appear.  

Minutes I tell you, minutes! Several of them! Shock! Horror! 

My little world stood still for a moment, my online life on hold.

In an instant, I realised that not only have we grown accustomed to near instantaneous access to Google's gigantic Web catalogue, but that I am actually quite dependent on it. I do sometimes use other search engines but I always scurry back to Google because it works well, almost always. The only reason I am bloggering on about it here is that a Google service failing is so unusual, exceptional in fact. Almost unheard of.  

The technology to achieve that outstanding level of service in terms of capacity, performance and reliability is awesome in both scale and cost, and yet most Google services appear free to use (well OK, they're not really free: we provide our search terms and a fair amount of personal information in return, plus Google's commercial services are charged at commercial rates. But at least we can opt out if we choose). 

It appeared the problem wasn't in our "broad"band, as is so often the case down here in rural NZ. Other websites carried on working, including Blogger (now a Google service), allowing me to start writing this piece. The outage appeared to be limited to Google's search engine.

Beyond that superficial observation, I have no idea what actually happened. Was it maybe a break in the Internet pipes - a literal break due to some oik wielding a back hoe, a trawler snagging an undersea cable, a nasteriod smashing into a comms satellite, or a virtual break due to misrouting? Did a Google server, rack or datacentre drop offline for some reason - maybe a power cut, fire or flood somewhere? Was it a wayward comma in a scripted automatic update, or an operator accidentally leaning an elbow on a keyboard? Was it a cyber attack? A bug? A design flaw? An overheated CPU shutting itself down? A test?

As I say, no idea.

As of now it appears to be working normally. I can't tell at this point whether Google search is in a recovery mode, having automatically detected the break in service and failed over to some other server somewhere. Such is the beauty of the Web: I don't need to know where the services are provided from. I don't even need to know the IP addresses of the web servers. I simply type my search phrase into the Google.com search form, and off it goes like a diligent, super-efficient librarian.

Yes I have my tongue firmly in-cheek but this failure was unusual enough to make me ponder cyber-resilience and recovery. If an outage of a single Web service for several minutes is noteworthy, what does that say about our dependence on the Web as a whole? What if the Web stops working one da

Of APTs and RPTs

Do you recall when APTs were A Thing? Advanced Persistent Threats were exemplified by Stuxnet, a species of malware that was stealthy enough to penetrate the defences of an Iranian nuclear fuel processing plant ten years ago, persistent enough to undermine numerous layers of control, and sophisticated enough to over-speed and wreck the centrifuges without alerting the plant operators until the damage was done.  

We seldom hear of weapons-grade APTs these days, suggesting they are no longer newsworthy or effective. Maybe they have gone the way of the trebuchet or musket ... but I believe it's much more likely that APTs have become even more sophisticated, stealthier and more damaging now than ever before, especially given the ascendance of IoT, IIoT and 'cyber-physical systems'. Now, Things are A Thing.

Meanwhile, we are frequently constantly assaulted by ordinary, conventional, old-school malware - Retarded Persistent Threats as it were.

In contrast to APTs, RPTs are relatively crude and commonplace - more blunderbuss than sniper's rifle but every bit as devastating at close range. Despite becoming increasingly sophisticated and capable, they are presumably well behind APTs, especially given governmental investments in cyber capabilities as part of national defence spending.

RPTs 'persist' in the sense that they steadfastly refuse to go away. Bog-standard malware has dogged computer systems, networks and users since the 1980s. It has grown in prevalence at least as fast as IT, and in some ways it has driven advances in IT. The few percent of system resources needed to run today's antivirus packages and firewalls would surely have brought systems from previous decades to their little silicon knees.

Whereas most RPT incidents are, well, incidental in relation to our global society, they threaten the very large number of vulnerable systems, individuals and organisations out there. It has become painfully obvious during COVID-19 that vanishingly few organisations stand alone, immune to the global repercussions. We are all entangled in, and highly dependent upon, a global mesh of information, goods and services. Just as a single COVID case causes knock-on effects, an RPT incident creates ripples.

We're lucky that, so far, neither real-world nor cyber-world viruses have tipped us over the edge, triggering the zombie apocalypse that preppers fear. With their additional stealth and firepower, APTs may one day push things a byte too far - and then what? Perhaps those preppers aren't so loco as they may seem. Perhaps it's not such a crazy idea to build and secure our virtual bunkers to protect the information we'll need when zombies emerge from the forest. I guess I should carve this blog piece onto a rock, an information archival medium proven to last thousands of years. I wonder if these strange hieroglyphics will mean anything when the rock is dug up? 

Come to that, I wonder if they mean anything now! Are these merely the incoherent ramblings of a paranoid infosec geek, or have I struck a chord? Comments are welcome. Chisel away.

SecAware ISMS LaunchPad

We have just released ISMS Launchpad, a suite of mandatory ISO27k materials - templates for each of the documents required for organisations to be certified compliant with ISO/IEC 27001:2013.

The idea is to get you past the initial staring-blankly-at-a-blank-page stage, trying to figure out what the standard really means by "Statement of Applicability", "ISMS Scope" or whatever.

We know how daunting this can be, especially for small companies that want or need to implement the ISO27k standards but lack the resources and expertise. We appreciate that it is tricky to interpret the wording of the standards and come up with documentation that will satisfy the certification auditors' expectations. 

With nobody to turn to except Alexa and maybe the ISO27k Forum, it's hard to navigate the ISO27k universe unaided.

So, this is what we set out to provide:

1. All the mandatory docs as specified in the main body of '27001 and required of all organisations seeking certification, even those that choose not to adopt any of the Annex A controls (yes, it can be done!).
2. Workable, realistic, pragmatic templates. We have interpreted the standard strictly, going just a little beyond the absolute bare minimum only where it makes good sense.
3. A completely generic approach - a starting point for any organisation. Aside from the obvious differences in, say, size/complexity and industry, we appreciate that organisations vary in their information risks (e.g. contrast a SaaS cloud service provider against its customers).  
4. A simple, solid, stable starting point. As the name suggests, Launchpad is a sound basis, a platform to build upon, regardless of where you expect to end up. Even large, complex organisations are well advised to avoid over-complicating things: the ultimate aim of the ISMS is to enable the organisation to achieve its business objectives through cost-effective information security management. Please don't construct a paper tiger!
5. Top-quality content, naturally. We've been doing this stuff professionally for a long time, since way back when BS 7799 was conceived. 
6. Excellent value for money. We firmly believe that cost should not be a barrier to adoption of the ISO27k standards ... so we've priced Launchpad very competitively*. 

You'll find file listings, descriptions and of course the price on the SecAware website. 

By all means email me for further information. Launchpad is a platform for us too: we'd love to help you design and launch a stellar ISO27k ISMS, so let's talk!

* If you have already forked-out for an "ISO27001 toolkit" only to find it is not quite what you needed, all is not lost. Launchpad can plug the gaps and replace the bits that fell off.