Recently in Governance Category
"We are at an interesting juncture today; there are no threats to information technology for which we do not have the tools to combat them" Reliable Security, Steven J Ross. Information Systems Control Journal, Volume 5, 2008, pp 9-10.
Whether or not the author truly believes that this statement is true, it is a definite attention-getter. Another phrase in the article reads "[...] it appears that we know what to do to achieve information security, but we are not doing it".
My first thought after reading these statements was that the author has no idea what he is talking about, or that he is trying to start a flame war. However, given that the author holds a director position at Deloitte, his thoughts may deserve more consideration.
After giving it some thought, I realized what the flaw in this logic is.
I actually agree with the point-of-view that most (if not all) technology-borne threats can be mitigated or removed.
However, what must never be forgotten is that preventive controls come at a price. And while it may be true that all technology-based vulnerabilities can be mitigated (for example, by ceasing to use the technology altogether), the cost of doing so might simply not be worth the risk it removes.
The phone rings and the caller ID screen is friendly enough to inform me that the caller is suppressing their number, or the call seems to originate from an area code nowhere near my place of work. Nine times out of ten, I let the call go to voice mail. Even when I am not terribly busy when the call comes in, I do not get much pleasure out of a vendor's cold call.
A few weeks ago I was expecting a phone call and when the phone rang I accidentally answered without checking the screen. Bang; fell right into the trap. Being a security professional, I have multiple layers of defense prepped, and star performance phrases such as "no budget remaining", "no plans to evaluate products for at least 9 months", "small institution with limited resources", "do you provide deeply discounted educational licenses", etc. are usually enough to scare away cold callers. Not this one though. Maybe I will have to add a high-quality recording of a fire alarm to my desktop as a next line of defense: "Sorry; gotta go. Fire alarm."
My conversation partner stayed friendly and acknowledged that he would likely not earn a dime on our account for at least another year. Even after that, the chances of making a sale would be slim. However, he would still like to come out and meet with us, just to introduce himself.
An increasingly complex and interrelated landscape of systems and networks increases the need to maintain an appropriate level of documentation and process control. This observation is corroborated by a growing set of requirements that are imposed both from the desire to be a good citizen through practicing due care and due diligence, and from an increasing body of law and regulations that pertain directly to information systems management.
That's it. No significance other than me liking the sound of it :-)
As an information security professional, everything you do has to lead to one thing only: confidence in information.
In order to achieve this, it is of paramount importance to have excellent working relationships with the people who actually use the information in your organization (the users) and also with the owners of that information. More often than not, primary users of information are also considered the owners of that information.
Having a separation between information owners, information custodians, and an information security role is a good thing. It will allow the owners to worry about the quality of the information (including risks that might affect that quality), the custodians to look after the data within the requirements set by the owner, and the security role to ensure that the owners know what level of protection they should require, and to help the custodians do a good job (see: "Security", whose responsibility).
Separation of duty is one of the most powerful tools an information security professional has. But that is exactly what it is: a tool; not a goal.
My family and I live in a very safe suburban neighborhood. The incorporated village has its own police force, and most of the village's budget is spent on it. Much to my surprise, we have become increasingly aware of suspicious activities in a house in our area; cars pull up at the strangest hours and leave again within 5 minutes. Usually someone walks over from the car to the house, a handshake is exchanged and the visiting party leaves. Sounds like there is some trade in "stuff" going on.
As with most people, we are not too happy that this is happening on our doorstep. We have repeatedly called the local police department and even had house visits by detectives who were trying to figure out, from our witness statements, what might be going on. The last house visit ended with the detectives reassuring us to call whenever.
"The notion of treating an organization's network as if it is a discrete environment and developing security solutions to guard against the threat of outsiders is dangerously outmoded and an incomplete concept. We need to understand that this pernicious and outdated concept still affects our approach to protection, and many people continue to operate as if physical location is a reliable measure for protecting organizations against risks of information theft or loss."
ISACA Information Systems Control Journal, Volume 3, 2008
Very few active practitioners of the information security trade will disagree that the perimeter is fading, and that we are facing an increasingly mobile workforce. I blogged about this before, and I doubt that this will be my last post on the topic.
I spend too much time thinking about the roles and responsibilities in information security. Fortunately, I am not alone in this. Richard Bejtlich just posted an interesting article. I like the graphic he uses, and I support his analysis.
In Richard's vision, it seems that the role of the information security professional is much more that of a specialist than many practicing professionals believe they are. It also clearly outlines that because of our specialism (specialism as in: focus on a narrow area), we are ideally suited to play an (in-house) consulting role.
Excellent post. Go read it.