The InfoSec Blog

The Truth About Best Practices

Posted by Anton Aylward

An article on LinkedIn entitled "The Truth about Practices" started a discussion thread with some of my colleagues.

The most pertinent comment came from Alan Rocker:

I'm not sure whether to quote "Up the Organisation", ("If you must have a
policy manual, reprint the Ten Commandments"),  or "Catch-22" (about the
nice "tidy bomb pattern" that unfortunately failed to hit the target), in
support of the article.

Industry-wide metrics can nevertheless be useful, though it's fatal to
confuse a speedometer and a motor.

However, not everyone in the group agreed with our skepticism and the observations of the author of the article.
One asked:

And Anton aren't the controls you advocate so passionately best practices?

NOT. Make that *N*O*T*!*!*!  Even allowing for the lowercase!

"Best practices" is an advertising line of self-aggrandization invented by the Big Name Accounting Firms when operating in Consulting Mode.

Which Risk Framework to Use: FAIR, FRAP, OCTAVE, SABSA …

Posted by Anton Aylward

What framework would you use to provide for quantitative or qualitative risk analysis at both the micro and macro level?  I'm asking about a true risk assessment framework not merely a checklist.


Yes, this is a bit of a META-Question. But then it's Sunday, a day for contemplation.

When does something like these stop being a checklist and become a framework?

COBIT is very clearly a framework, but not for risk analysis, and even the section on risk analysis fits into a business model rather than a technology model.

ISO-27K is arguably more technology (or at least InfoSec) focused than COBIT, but again risk analysis is only part of what it's about. ISO-27K calls itself a standard[1] but in reality it's a framework.

The message that these two frameworks send about risk analysis is

Context is Everything

(You expected me to say that, didn't you?)

I'm not sure any RA method works at layer 8 or above. We all know that managers can read our reports and recommendations and ignore them. Or perhaps not read them, since being aware of the risk makes them liable.

Ah. Good point.
On LinkedIn there was a thread asking why banks seem to ignore risk analysis ... presumably because their doing so has brought us to the international financial crisis we're in (though I don't think it's that simple).

The trouble is that RA is a bit of a 'hypothetical' exercise.