The InfoSec Blog

System Integrity: Without Integrity you don’t have Security

October 26th, 2009

The chief value of open source

Now this is interesting!

With code visibility, you and your vendors become partners in trying to make something work. The vendor can’t over-promise, but you can’t over-assume either. This may be one of the main hidden reasons for IT failure: the two sides of the transaction not being on the same page.

October 24th, 2009

How Many Deaths?

Here http://thecipblog.com/?author=3 I found this quote:

“In order to be designated ‘critical information infrastructure’, how many deaths would the failure of a network have to cause?” asks Matthew Holt, the author of this blog article.

He raises a good point. He asks whether “death of people” would be a legitimate category of criteria to use when determining the level of criticality of an ICT system. His answer is “yes”, and the number is “one”. Well OK, death is death and irreversible, but there are many other failure modes that are not death and may be too much trouble to reverse. I suppose one example of a “worst case scenario” would be a take-over of your nation by a foreign totalitarian oppressive regime. Or an attempt that leaves you in a war-zone or in one of the refugee camps that litter the Third World.

October 16th, 2009

A Ralph Nader for the 21st Century?

http://www.chron.com/disp/story.mpl/business/steffy/6666406.html

[...]

Hanni, who lives in California, is the founder of the Coalition for an
Airline Passengers Bill of Rights, the group that’s spearheading efforts
in Congress to prevent airlines from imprisoning passengers on delayed
flights.

In a lawsuit filed in Houston Tuesday, she claims that Delta Air
Lines was behind the hacking, accusing the world’s largest carrier
of conspiracy and invasion of privacy.

Hanni believes Delta wants to crush her attempts to force better
customer service on the airline industry, which has fought mightily
to ensure it can treat passengers shabbily.

Perhaps this isn’t on the same scale as cars that are designed to explode and kill the passengers, but the model is the same. Can we see Hanni standing for the Presidency in a couple of decades? No, seriously, there does seem to be some skulduggery here that impacts privacy.

October 6th, 2009

About creating Corporate IT Security Policies

As I’ve said before, you should not ask yourself what policies to write but what you need to control. If you begin with a list of policies, you have to adapt reality to fit the list. The risk is that you create a false sense of control over security.

The threat-risk approach is ‘technical’, and as we’ve discussed many times, the list of threats cannot be fully enumerated, so this is a ridiculous approach.

Basing policy on risk is also a fruitless approach as it means you are not going to face some important points about policy.

Policy is for people. It’s not technical, it’s about social behaviour and expectations.
Policy can be an enabler, but if you think only about risk you will only see the negatives; your policies will all be of the form “Don’t do that”.
Policies should tell people what they should do and what is expected of them, and give them guidance.

Policies also have to address the legal and regulatory landscape. As such they may also address issues of ethics, which again is not going to be addressed by a threat-risk approach.

All in all, if you follow Mark’s advice you may write policies that seem OK, but when it comes to following them it will be like the song from the 70s by the Five Man Electrical Band:

Sign, sign, everywhere a sign
Blocking out the scenery, breaking my mind
Do this, don’t do that, can’t you read the sign?

and people will feel put upon and that the company is playing Big Brother. You will have heavy-handed rules that are resented and not clearly understood by all employees.

Policies are there to control the behaviour of people in the corporate setting. Think in terms of people and behaviour, not in terms of threats and risks.
Policies are to guide and control behaviour of people, not of machines and software.

Think of policies as having these kinds of objectives and you will be on a firm footing:

  • Shift attitudes and change perspectives
  • Demonstrate management support
  • Assure consistency of controls
  • Establish a basis for disciplinary action
  • Avoid liability for negligence
  • Establish a baseline against which to measure performance and improvement
  • Coordinate activities

and of course something important to all of us toiling in InfoSec

  • Establish a basis for budget and staffing to implement and enforce the policies

Policies need to be created from the point of view of management, not as a set of techie/geek rules, which the threat/risk approach would lead to.

Not least of all because, as I’m sure Donn Parker will point out, managers don’t want to hear all that bad stuff about threats; they want policies that encourage staff to contribute to the profitability of the company.
