An article on Linked entitled 'The Truth about Practices" started a discussion thread with some of my colleagues.
The most pertinent comment came from Alan Rocker:
I'm not sure whether to quote "Up the Organisation", ("If you must have a policy manual, reprint the Ten Commandments"), or "Catch-22" (about the nice "tidy bomb pattern" that unfortunately failed to hit the target), in support of the article. Industry-wide metrics can nevertheless be useful, though it's fatal to confuse a speedometer and a motor.
However not everyone in the group agreed with our skepticism and the observations of the author of the article.
And Anton aren't the controls you advocate so passionately best practices? >
NOT. Make that *N*O*T*!*!*! Even allowing for the lowercase!
Their economic model is to come up with one 'analysis' and set of recommendations and use a mail-merge like customization of the report for each customer, so converting 'consulting' into a mass-production product rather than one which needs individual attention and individual, and therefore more expensive, working. Yes, it makes economic sense for them. No doubt for some clients any advice is better than none, so a 'one size fits all' won't actually cause harm.
However, as Alan says, the '"tidy bomb pattern" that unfortunately failed to hit the target' is an apt description.
The flawed assumption is that 'one size fits all', Well yes, Lycra swimming suits and panty hose will fit many size women because Lycra is both stretchy and supportive, but the 'best practices are not Lycra. What is good for one company may be irrelevant for another and destructive for a third. Much of what Peter Drucker wrote pre-dates the use of this phrase, but from his earliest writings he makes the point that consultants have to look to what is and not try to fit companies onto the Bed of Procrustes.
I've long said that there are not such things as Best Practices; there are only good (please note the lower case 'g') practices and what is good for you may not be good for me. We recognize and accept this in other aspects of our lives.
The "Best" fits in with marketing in true Madison Avenue style; why should anyone want anything other than *The* *Best* ??
Controls are about business and controls should only ever reflect risk analysis and be part of risk management.
I came into audit from IT operations. Luckily I had enough business knowledge to accept without argument the idea that as an auditor it was not my job to fix things, but to report to management on the threats, vulnerabilities and risks, and it was up to management to decide which risk they would accept and which they would decide to implement controls to remediate.
Read that again: it wasn't my business either as an auditor or as IT operations to make that decision. Management makes the decision where to allocate budget, what risks to accept and what risks to manage. In operations I might make detailed operating decisions within those instructions -- that's what a management hierarchy is about. Different businesses may be subject t the same market forces, but that doesn't mean they should all respond in the same way. Each one will want to, need to, address its 'competitive advantage' in a different way. That expression of difference is what the market is about.
I'm know to many practitioners for the line
Context is Everything
and that is what applies here. The controls that need to be applied, for example in a ISO-27000 framework context, may be described as broad brush in the Annex to ISO-27001, but the detailed Statement of Applicability for any particular scope at any particular form (and any
point in time) may pick and choose from them and further, may decide to implement the controls in different ways.
Yes, you may call "making use of ISO-27000" or COBIT, NIST or FAIR or FMEA a "Best Practice" in the sense that its better to make use of them than not, the idea that ISO-27K is the best, that is better than NIST or FAIR or FMEA or COBIT -- or ranking them in any order -- is completely missing the point.
The root idea is that the Big Name Accounting and Consulting firms know what is best for you. Personally I think that kind of paternalist arrogance is unfounded.
You might want to read "Dangerous Company" -- there's a review at http://www.thinktrade.net/book-review-dangerous-company.php
There are however Baseline Practices.
These are, basically
- Comply with the law
- Do a risk analysis
- Base you controls on the risk analysis
Donn Parker expounds on using these principles in practice. From them he derives a set of controls that you should use as a baseline. This is no more outrageous than recommending wearing an overcoat in the rain or warm clothes in cold weather. Its better described as 'prudence'. If you're connecting the the Internet you need a firewall. Don't download that executable just because the you got mail saying that you've won a lottery you didn't even know about. Prudence.
If you want to call widespread prudence "Best Practices" to inflate the idea and impress less critical minds than this august (yes its still August) body then go ahead, I can't stop you. But don't attribute the idea to me.
- Analog Risk Assessment method, ARA (noticebored.com)
- David Lacey on the Origins of ISO27k (tripwire.com)
- Basing ISO27k standards on risks (noticebored.com)
- 60% of Australian Organisations Are Not Effectively Managing IT Risks: ISACA Australia White Paper (sys-con.com)