Does ISO 27001 compliance need a data leakage prevention policy?
On one of the ISO-27000 lists I subscribe to I commented that one should have a policy to determine the need for and the criteria for choosing a Data Loss Prevention mechanism.
I get criticised occasionally for long and detailed posts that some readers complain treat them like beginners, but sadly if I don't I get comments such as this in reply
Anton
Data Loss is something you prevent; you enforce controls to prevent data
leakage, DLP can be a programme, but , I find very difficult to support
with a policy.
Does one have visions of chasing escaping data over the net with a three-ring binder labelled "Policy"?
Let me try again.
Policy comes first.
Without policy giving direction, purpose and justification, supplying the basis for measurement, quality and applicability (never mind issues such as configuration) then you are working on an ad-hoc basis.
The #1 Reason Leadership Development Fails
http://www.forbes.com/sites/mikemyatt/2012/12/19/the-1-reason-leadership-development-fails/
I wouldn't have though, based on the title, that I'd be blogging about this, but then again one can get fed up with fed up with purely InfoSec blogs, ranting and raving about technology, techniques and ISO27000 and risk and all that.
But this does relate somewhat to security as awareness training, sort of ...
My problem with training per se is that it presumes the need for indoctrination on systems, processes and techniques. Moreover, training assumes that said systems, processes and techniques are the right way to do things. When a trainer refers to something as “best practices” you can with great certitude rest assured that’s not the case. Training focuses on best practices, while development focuses on next practices. Training is often a rote, one directional, one dimensional, one size fits all, authoritarian process that imposes static, outdated information on people. The majority of training takes place within a monologue (lecture/presentation) rather than a dialog. Perhaps worst of all, training usually occurs within a vacuum driven by past experience, not by future needs.
An “11th Domain” book.
http://www.infosectoday.com/Articles/Persuasive_Security_Awareness_Program.htm
Gary Hinson makes the point here that Rebecca Herrold makes elsewhere: 
Awareness training is important.
I go slightly further and think that a key part of a security practitioners professional knowledge should be about human psychology and sociology, how behaviour is influenced. I believe we need to know this from two aspects:
First, we need to understand how our principals are influenced by non-technical and non-business matters, the behavioural persuasive techniques used on them (and us) by vendor salesmen and the media. many workers complain that their managers, their executives seem t go off at a tangent, ignore "the facts". We speak of decisions drive by articles
in "glossy airline magazines" and by often distorted cultural myths. "What Would the Captain Do?", or Hans Solo or Rambo might figure more than "What Would Warren Buffett Do" or "What Does Peter Drucker Say About A Situation Like This?". We can only be thankful that most of the time most managers and executive are more rational than this, but even so ...
Tight budgets no excuse for SMBs’ poor security readiness
http://www.zdnet.com/tight-budgets-no-excuse-for-smbs-poor-security-readiness-2062305005/
From the left hand doesn't know what the right hands is doing department:
Ngair Teow Hin, CEO of SecureAge, noted that smaller companies
tend to be "hard-pressed" to invest or focus on IT-related resources
such as security tools due to the lack of capital. This financial
situation is further worsened by the tightening global and local
economic climates, which has forced SMBs to focus on surviving
above everything else, he added.
Well, lets leave the vested interests of security sales aside for a moment.
I read recently an article about the "IT Doesn't matter" thread that basically said part of that case was that staying at the bleeding edge of IT did not give enough of a competitive advantage. Considering that most small (and many large) companies don't fully utilise their resources, don't fully understand the capabilities of the technology they have, don't follow good practices (never mind good security), this is all a moot point.
Social Engineering and sufficency of awareness training
Someone asked:
If you have a good information security awareness amongst
the employees then it should not a problem what kind of attempts
are made by the social engineers and to glean information from
your employees.
Yes but as RSA demonstrated, it is a moving target.
You need to have it as a continuous process, educate new hires and educate on new techniques and variations that may be employed by the 'social engineers'. Fight psychology with psychology!
Risk Analysis Makes No Sense … does it?
- Image via Wikipedia
Take a look at this article.
http://www.zdnet.com/blog/security/security-engineering-broken-promises/6503
You're back? What did you think of it?
OK, now look again, scroll down the section titled "Risk Management". It picks up on a number of themes I've discussed and has this interesting observation:
Prioritization of security efforts is a prudent step, naturally. The problem is that when risk management is done strictly by the numbers, it does deceptively little to actually understand, contain, and manage real-world problems. Instead, it introduces a dangerous fallacy: that structured inadequacy is almost as good as adequacy, and that underfunded security efforts plus risk management are about as good as properly funded security work.
Guess what? No dice:
The author goes on to illustrate a number of ways that the approach we as the InfoSec community have preached and practised makes no sense.
The FBI risk equation
It seems that to make better cybersecurity-related decisions a senior FBI official recommends considering a simple algebraic equation:
risk = threat x vulnerability x consequence
rather than solely focusing on threat vectors and actors.
To be honest, I sometimes wonder why people obsess about threat vectors in the first place. There seems to be a beleive that the more threats you face, the higher your risk, regardless of your controls and regardless of the classification of the threats.
Look at it this way: what do you have control over?
Why do you think that people like auditors refer to the protective and detective mechanisms as "controls"?
Yes, if you're a 600,000 lb gorilla like Microsoft you can take down one - insignificant - botnet, but the rest of us don't have control over the threat vectors and threat actors.
What do we have control over?
Vulnerabilities, to some extent. We can patch; we can choose to run alternative software; we can mask off access by the threats to the vulnerabilities. We can do things to reduce the the "vulnerability surface" such as partitioning our networks, restricting access, not exposing more than is absolutely necessary to the Internet (why oh why is your SqlServer visible to the net, why isn't it behind the web server, which in turn is behind a firewall).
Asset to a large extent. Document them. Identify who should be using them and implement IAM.
And very import: we have control over RESPONSE.
Did the FBI equation mention response? I suppose you could say that 'awareness' is a part of a response package. Personally I think that response is a very, very important part of this equation, and its the one you have MOST control over.
And response is - or should be - totally independent of the threats
since it focuses on preserving and recovering the assets.
I think they have it very, very confused and this isn't the most productive, most effective way of going about it. But then the FBI's view of policing is to go after the criminals, and if you consider the criminals to be the threat then that makes sense.
But lest face it, most corporations and are not in the business of policing. neither are home users.
Which is why I focus on the issue of "what you have control over".
Related articles by Zemanta
- School Spy Program Used on Students Contains Hacker-Friendly Security Hole (wired.com)
- The Top 10 Reports For Managing Vulnerabilities (lockergnome.com)
- FBI searching for 'Flavor Flav Bandit' (seattlepi.com)
- Why Security Vendors are loosing (tech.bl0x.info)
- Editorial: Flawed F.B.I. Background Checks (nytimes.com)
- FBI details surge in death threats against lawmakers (americablog.com)
