The InfoSec Blog

IT AUDIT VS Risk Assessment – 2

Posted by Anton Aylward

We were discussing which should be done first and someone said:

The first has to be risk assessment, as it is the foundation of information
security. You first need to know where the risk is before putting up
any controls to mitigate that risk. Putting up ad hoc controls will not
make the controls effective, nor will it protect the organization
against the risk.

While I understand the intent, I think that is very prejudicial language.

Donn Parker makes a very good case that we have the cultural context (read: enough sophistication and awareness of the baseline risks) to see that there should be a set of baseline controls: IAM, firewalls, AV, backups and so forth. We don't need to leave assets exposed to threats while we wait around for a Risk Analysis to tell us that these baseline protective controls are needed.


You don't need to know the specific risks to justify those baseline controls, any more than you need to know the specific risks to put a lock on the front door of your house and close your windows.

I certainly wouldn't call this approach "ad-hoc".

IT AUDIT VS Risk Assessment – 1

Posted by Anton Aylward

We were discussing which should be done first and someone commented:

Many times, we find that the Control Objectives and controls become
prominent before an ISMS is properly established. Where can an SOA stand
if the assets are not identified and the risk is not assessed and approved
by the ISMS Management?

As I've said, I think this is a fallacious argument.

If you buy a house or a car there are locks already installed. They are installed regardless of any specific threats or any knowledge of the assets contained. Many (new) houses come equipped with additional security features such as alarm systems, steel-cased doors and frames, and the like. These are BASELINE features that are implemented without any identification of assets or any formal Risk Analysis or approval process.

Please note: I am not saying that a house owner might not institute additional controls, such as an insurance policy that identifies specific assets, or a guard dog that is taught the boundaries (aka 'scope') it has to protect.

Black Swan: “levels only experienced on average once every 500 to 1,000 years”

Posted by Anton Aylward

Just in the last 15 years, since microwave technology aboard satellites
produced images of water vapor in the atmosphere, scientists have come
to realize that most major winter rainstorms over California, and
virtually all flooding episodes, are the result of the unloading of
airborne streams of tropical moisture that have come to be called
"Atmospheric Rivers." (Hence the name, ARk - Atmospheric Rivers 1,000.)
The scenario envisions nearly a month of uninterrupted rainfall over
northern and southern California.

"The hypothetical storm depicted here would strike the U.S. West Coast
and be similar to the intense California winter storms of 1861 and 1862
that left the central valley of California impassable," the authors
said. "The storm is estimated to produce precipitation that in many
places exceeds levels only experienced on average once every 500 to
1,000 years."

In addition to property and "business interruption" losses of anywhere
from $725 billion to $1 trillion, the team estimated that emergency
managers would be faced with the task of evacuating 1.5 million people
during the storm and its aftermath. "The numbers that have been
presented here are shocking, no doubt about it," observed co-author
Laurie Johnson, a private planning specialist who worked on Hurricane
Katrina recovery. Such a storm could pose "a fiscal crisis that will
cascade through every level of government."

All that says is that 1,000-year storms exist and can occur. The only thing new here is that they understand more about the mechanisms of these 1,000-year storms when they do happen, not that one is imminent.

I've got some more news for you: one day the Sun will become a red giant and engulf the entire Earth. The damages will exceed a trillion dollars. The probability of this is 1.0 ... on astronomical time-scales.

The logic of a risk analysis that equates a once-in-five-billion-years event with an impact of trillions of dollars to monthly events that cost hundreds of dollars (multiply the tiny probability by the huge impact and the product lands in the same range as the nuisances) is lunacy. There are many inconvenient events that do occur on a monthly basis [again with probability 1.0] that cost hundreds, even thousands, of dollars, and we 'just live with them'. If you doubt that statement, look at the incidence of automobile deaths and injuries, and of deaths and disabilities due to pollution. I'm sure any insurance company or government statistics office will be happy to supply you with the details.
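The expected-value arithmetic being objected to here, worked through in Python as an added example that is not part of the original post. The three scenarios are constructed from the figures quoted above; the $500-per-incident figure for the monthly nuisance, the 30-year planning horizon, the Poisson event model and every function name are assumptions of this example. The ALE line is what probability-times-impact produces; the simulation line is what would actually be paid out over a horizon anyone plans for.

```python
import math
import random

# Constructed scenarios using the figures quoted in the post.  Each entry is
# (annual rate of occurrence, single-loss expectancy in USD).  The dollar
# value for the nuisance scenario is an assumption, not a figure from the post.
SCENARIOS = {
    "ARkStorm (1-in-1000-year event)": (1.0 / 1000, 1.0e12),
    "Sun becomes a red giant (1 in 5 billion years)": (1.0 / 5e9, 1.0e12),
    "Monthly nuisance incident (assumed $500 each)": (12.0, 500.0),
}


def annualised_loss_expectancy(aro, sle):
    """The textbook figure: ALE = ARO x SLE, i.e. probability x impact per year."""
    return aro * sle


def rank_by_ale(scenarios=SCENARIOS):
    """Order scenario names by ALE, highest first: what a naive RA would do."""
    return sorted(scenarios,
                  key=lambda name: annualised_loss_expectancy(*scenarios[name]),
                  reverse=True)


def _poisson(lam, rng):
    """Knuth's algorithm: number of events in one period with mean lam."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < limit:
            return count
        count += 1


def simulate_horizon(aro, sle, years=30, trials=5000, seed=1):
    """Replay a planning horizon many times and report what was actually paid.

    Events per year are drawn as Poisson(aro).  Returns a tuple of
    (fraction of trials with zero loss, mean realised loss per year,
    largest single-trial total), so the distribution, not just its mean,
    is visible.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(trials):
        total = 0.0
        for _ in range(years):
            total += _poisson(aro, rng) * sle
        totals.append(total)
    zero_fraction = sum(1 for t in totals if t == 0.0) / trials
    mean_per_year = sum(totals) / trials / years
    return zero_fraction, mean_per_year, max(totals)


if __name__ == "__main__":
    for name in rank_by_ale():
        aro, sle = SCENARIOS[name]
        zero, mean_year, worst = simulate_horizon(aro, sle)
        print(f"{name}\n"
              f"  ALE = ${annualised_loss_expectancy(aro, sle):,.0f}/yr"
              f"  | over 30 yrs: {zero:.1%} of runs cost nothing,"
              f" realised ${mean_year:,.0f}/yr on average,"
              f" worst run ${worst:,.0f}")
```

Run it and the red giant comes out at $200 a year on the ALE line, the same scale as the nuisance incidents at $6,000, yet in every simulated 30-year horizon it costs nothing. The storm comes out at a billion a year, and in roughly 97% of horizons it also costs nothing; in the remainder it costs a trillion. The ALE keeps only the mean, and for rare catastrophes the mean is a number nobody ever actually pays.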

One thing is very clear: we are not good at recognizing where the real threats and risks are.

Risk due to network administrators

Posted by Anton Aylward

Someone on a forum I subscribe to suggested that there is a major risk of network administrators misusing their privileges. Why admins rather than CFOs, CEOs or other staff, I don't know.

Major as in frequent?
Major as in an impact large enough to stop the business operating?

If it's that bad, why not just get rid of them?
It's probably easier to automate their job than that of the CFO.

I've written here and elsewhere that many people from a technical background don't understand 'risk'. Not only do businessmen view risk differently, but risk only arises when you are doing something that may offer an advantage; otherwise, why would you be doing it?

The limiting case is gambling at a casino or playing . You bet against the odds because you might win. Businesses take business risks because they can make a profit.

But in gambling and business you can only lose as much as you bet, and you have a pretty good idea of the odds; in a casino you know them for sure. In InfoSec we don't know the odds (except when they are a certainty, like spam or viruses).

So think in business terms.
Companies employ system and network administrators.
Big deal.
They also employ accountants and CFOs.
Who do you think could cause more harm to the business?
A network admin reading other people's mail, or a CFO who defrauds the company by writing phony cheques?

So if a network admin is a "major" threat because of what he _might_ do, *if* you employ a scum-bag and *fail* to do a background check, or get him pissed off, then what grade of threat do you think a similar CFO rates?

Context, I keep telling you, is Everything.

What drives the RA? Need or Fashion?

Posted by Anton Aylward

A colleague in InfoSec made the following observation:

My point - RA is a nice-to-have, but it is superfluous. It looks nice
but does NOTHING without the bases being covered. What we need
is a baseline that everyone accepts as necessary (call it the house
odds if you like...)

Most of us in the profession have met the case where a Risk Analysis would be nice to have but is superfluous, because the baseline controls that were needed were obvious and 'generally accepted'. That makes me wonder why any of us support the fallacy of RA.

It gets back to the 'Hollywood effect' that is pen testing. Quite apart from the many downsides it has from a business point of view, it is non-logical in the same way that RA is non-logical.