ERE Information Security Auditors

Archive for the ‘Internet Security’ Category

Why is NERC CIP Scope Insufficient?

Tuesday, October 19th, 2010

 

Last week I asked if electrical utilities’ IT security is de facto guaranteed by compliance with the NERC CIP standard. 

With no disrespect whatsoever intended towards NERC or their CIP standard, I continue my well-intended questioning, especially after an esteemed colleague phoned me to discuss my article. So here goes.

The scope of NERC CIP does not include the local distribution companies (LDCs) that bring electricity (or its equivalent in the natural gas industry) “the last mile” to the client. NERC CIP does mandate compliance for electrical transmission and generation utilities. Yet LDCs, along with transmission and generation utilities, are all capable of causing cascading network failures.

Without overdramatizing the situation, a single node failure in any system can potentially cause successive failures that ripple through the other networks to which it is connected. This concept applies equally to many types of networks, including electrical, telecommunications, and, of course, specifically the Internet.

This concept is described in detail, with accompanying graphic illustrations, in the article Model for Cascading Failures in Complex Networks.

The key point here is that even a small electrical distribution network can cause a major blackout by ripple effect. 
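A toy simulation of the ripple effect just described, added here as an illustration: it is not code from this post or from the cited article, it uses a deliberately simple load-redistribution rule rather than that article's model, and the five-node network with its loads and capacities is constructed. A small node (labelled LDC1) fails, its load moves to the node upstream, and the run shows whether the overload stops there or propagates through the rest of the network.

```python
"""Simplified cascading-failure simulation (added illustration).

Not code from the post or the article it cites. The network, loads and
capacities are constructed, and the model (a failed node's load is shared
equally among its surviving neighbours) is a deliberately simple scheme, not
the specific model of "Model for Cascading Failures in Complex Networks".
"""


def simulate_cascade(edges, load, capacity, initial_failure):
    """Run the cascade and return the failure rounds.

    edges:           iterable of (a, b) undirected links
    load, capacity:  dicts node -> float (a node fails when load > capacity)
    initial_failure: the single node whose failure starts the cascade
    Returns a list of rounds; each round is a sorted list of the nodes failing in it.
    """
    neighbours = {node: set() for node in load}
    for a, b in edges:
        neighbours[a].add(b)
        neighbours[b].add(a)

    load = dict(load)                 # work on a copy; the caller's data is untouched
    failed = {initial_failure}
    rounds = [[initial_failure]]
    frontier = [initial_failure]
    while frontier:
        # Each node that failed this round hands its load to surviving neighbours.
        for node in frontier:
            alive = [n for n in neighbours[node] if n not in failed]
            if alive:
                share = load[node] / len(alive)
                for n in alive:
                    load[n] += share
            # With no surviving neighbour the load is simply shed.
            load[node] = 0.0
        # Any node now above capacity fails in the next round.
        newly = sorted(n for n in load if n not in failed and load[n] > capacity[n])
        if not newly:
            break
        failed.update(newly)
        rounds.append(newly)
        frontier = newly
    return rounds


def nodes_lost(rounds):
    """Total number of nodes taken down by the cascade, initial failure included."""
    return sum(len(r) for r in rounds)


# Constructed five-node network: one small distribution company (LDC1) hanging
# off a transmission node, two more transmission nodes and one generator.
EDGES = [("LDC1", "T1"), ("T1", "T2"), ("T1", "G1"), ("T2", "G1"), ("T2", "T3")]
LOAD = {"LDC1": 10.0, "T1": 40.0, "T2": 40.0, "G1": 60.0, "T3": 30.0}
CAPACITY = {"LDC1": 12.0, "T1": 45.0, "T2": 50.0, "G1": 90.0, "T3": 45.0}


def demo():
    """Two runs: LDC1 fails carrying its full load, then carrying a reduced load
    that the upstream node can absorb. Returns both round lists."""
    full = simulate_cascade(EDGES, LOAD, CAPACITY, "LDC1")
    light = simulate_cascade(EDGES, {**LOAD, "LDC1": 3.0}, CAPACITY, "LDC1")
    return full, light


if __name__ == "__main__":
    full, light = demo()
    print("full load :", full, "->", nodes_lost(full), "of", len(LOAD), "nodes lost")
    print("light load:", light, "->", nodes_lost(light), "of", len(LOAD), "nodes lost")
```

With the constructed figures the first run takes down all five nodes in four rounds, the second stops at the node that failed; the only difference is whether the first neighbour's spare capacity covers the load it inherits, which is the headroom question for the networks the post is discussing.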

To keep on point, the role of control software in electrical networks is crucial to their stability. The article published by MIT, “The 3 R’s of Critical Energy Networks: Reliability, Robustness and Resiliency”, addresses how and why both SCADA and control software play a pivotal role in network stability. Since LDCs are possible instigators of cascading network failures, I suggest that NERC CIP should equally apply to all LDCs.

Credit Due to Evolving NERC CIP Standards

I am impressed with three new NERC CIP standards: 

  • CIP 001-1 — Sabotage Reporting was adopted by NERC in 2009. This standard adds proactive elements of both identifying and reporting anomalous or suspicious events and activity, and adds real-time response to the existing standard 008-1 Incident Reporting and Response Planning. This is critically important for stopping malicious activity before it causes damage and downtime.
  • CIP 010-1 Cyber System Categorization is pending. It is important for those responsible for SCADA security who may have difficulty cost-justifying security budgets to senior executives. I believe this element helps the person creating the cost-justification business case to widen the scope of that case accordingly.
  • CIP 011-1 Cyber System Protection is pending. This standard is an excellent drill-down into the existing 005-1 Electronic Security Perimeter and 006-1 Physical Security of Critical Cyber Assets, again valuable as a tool for those creating cost-justification cases. It provides for the inclusion of the appropriate scope in proposed security budgets.

While these standards are excellent additions to NERC CIP they still do not mandate compliance for LDCs.

Have a secure week.   Ron Lepofsky CISSP   http://www.ere-security.ca/

Irrefutably Identifying Ourselves

Wednesday, May 26th, 2010


A deluge of compliance requirements has inundated organizations, obligating information security officers to protect: sensitive personal and corporate data from theft; critical data from theft and corruption; and medical and health data from theft, surveillance, and destruction.

Fundamental to these security and privacy imperatives is the ability of an organization to restrict control of access to only those individuals with the need and permission to see and change the data in question.  Access should be predicated upon the ability to conclusively and positively identify an individual or entity requesting access to data, while being able to deny access to everyone and to everything else.

In my May 4 blog, Forensic Identification Using Skin Bacteria, I discussed this idea. That technique may or may not come to pass in the future, but it did emphasize the ongoing, if somewhat imaginative, research in user identification. A more down-to-earth and currently available means of verifying identity is two-factor authentication, or 2FA.

2FA has been around for a long time and has undergone major improvements. The banking industry has now adopted it for the magnetic-stripe cards we use for credit and debit transactions: the PIN is something we know. Smart cards add the ability to permit or deny any transaction based upon the electronic identification of the card. The card is generically known as a token, or something we have that is unique to us.

2FA is critical for some organizational applications and many organizations have the technical capability and financial resources to implement two-factor or even strong authentication.

However, in my opinion, the issue of 2FA is particularly important for individuals doing remote access to their business or personal computers, the reason being that individuals may not have the technical expertise or financial resources to ensure their remote communication sessions are indeed secure.

For example, I see many laptop users at public hot-spots hammering away, presumably over WiFi. (Or why else would they be at a hot-spot?) We know those networks are not secure and, therefore, the users are exposed to any number of man-in-the-middle and covert surveillance attacks.

Users may think their sessions are safe as the WiFi access service announces that once a user has paid for the service, their sessions will be encrypted.  However, the log-on portion of the payment transaction is wide open!

Or even worse. Many users set up all manner of RDP remote connections to their systems. I have seen innumerable instances where identification and authentication by a single password is done in the open. Even though the RDP session may be run on an unusual port number, it is still possible to monitor the port activity and capture the authentication data.

This problem is exacerbated by using the same user name and password for both an RDP session and for system login.

In my opinion, the bottom line is that all users of remote communication should implement some form of two-factor authentication, especially when using any or a combination of RDP, VPN, Bluetooth, WiFi, and wireless broadband.

My guiding principle for remote communication is that if I perform an unencrypted remote login to a system, then everybody on the Internet just saw my authentication credentials.
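To make the “something we have” factor concrete, here is a time-based one-time password (TOTP, RFC 6238) generator and a server-side verifier, added as an example and not code from this post. It uses only the Python standard library; the key is the 20-byte test secret published in RFC 4226 and RFC 6238, so the codes can be checked against those documents. The verifier tolerates one step of clock skew and refuses to accept the same time step twice, which is what closes the replay window for a code that was captured in transit over an open hot-spot.

```python
"""TOTP (RFC 6238) as a worked "something we have" factor.

Added example; not code from the post. Standard library only. RFC_SECRET is the
test secret from RFC 4226 / RFC 6238, so the codes produced here match the
published test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time

# "12345678901234567890" as raw bytes; authenticator apps receive the same key
# base32-encoded, i.e. GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ.
RFC_SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret, code, at, step=30, digits=6, window=1):
    """Check `code` against the current step and `window` steps either side (clock skew).

    Returns the step offset that matched (0 = current step), or None. The comparison
    is constant-time so a guess cannot be refined by timing the server's answer.
    """
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + delta * step, step, digits), code):
            return delta
    return None


class TotpVerifier:
    """Server-side verifier that also refuses to accept the same time step twice.

    A captured one-time code is only useful within its step; remembering the last
    accepted step closes even that window against replay.
    """

    def __init__(self, secret, step=30, window=1):
        self.secret, self.step, self.window = secret, step, window
        self.last_step = -1

    def accept(self, code, at=None):
        """True if `code` is valid for time `at` (default: now) and not a replay."""
        at = int(time.time()) if at is None else at
        delta = verify_totp(self.secret, code, at, self.step, window=self.window)
        if delta is None:
            return False
        used = at // self.step + delta
        if used <= self.last_step:          # same or older step: replay
            return False
        self.last_step = used
        return True


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_SECRET, now))
    print("RFC 6238 vector T=59, 8 digits:", totp(RFC_SECRET, 59, digits=8))  # 94287082
```

The factor only helps if the channel that carries the code is also protected; a TOTP code sent over an unencrypted session is still visible, it simply expires within 30 seconds and cannot be replayed once accepted.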

Have a secure week.

Ron Lepofsky,   CISSP,  B.A.SC. (mech eng)

President,

ERE Information Security and Privacy Auditors

http://www.ere-security.ca

YOUNG PEOPLE SUSCEPTIBLE TO PHISHING

Wednesday, May 19th, 2010


A recent study at Carnegie Mellon University found that the 18- to 25-year-old population is most susceptible to spear phishing attacks and fraud. This sounds counterintuitive, as this group is assumed to be particularly computer literate. Even more on point, the test group was university students and staff members. For more information please see the article in the RSS feed at www.ere-security.ca entitled “Younger Users Reveal Risky Details”, May 4, 2010.

So what can we learn from this study?

Everybody needs to be trained about phishing by “experience”.  The article discusses a tool to simulate attacks and the target web site explains how the simulated attack could have resulted in fraud and how to guard against phishing.

I believe this sort of solution could be effective if sponsored and paid for by an institution that has a vested interest in the cyber security of its user base.  Corporations, educational institutions including grade schools, and government agencies could all benefit from this type of cyber education by experience, particularly if the web site kept statistics about those entrapped and determined the level of success of the service over time.

However, spear phishing can still be effective in situations involving a coincidence of timing, where the victim is expecting a transaction to occur and coincidentally receives a fraudulent email about that subject. For instance, someone expecting a delivery, an email receipt, or a confirmation of a transaction may have an irresistible urge to open a phishing email that seems relevant to their transaction.

In these situations it is important to:

  1. Ensure an anti-virus and anti-malware program first screens these announcement emails.
  2. Verify that any URL in the email is bona fide, by first searching for the legitimate URL and then comparing it with the URL in the announcement email.
  3. Never supply any additional personal information requested by an announcement email.
  4. Do not open unexpected or unknown attachments in email.
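Step 2 of the list, comparing the link in the email with the domain you looked up yourself, is easy to get wrong by eye, so here is the comparison written out as a check, added as an example and not code from this post. The expected domain and the sample links are constructed. The check uses the parsed host rather than the visible text, accepts sub-domains of the expected name but not names that merely end in it, and flags the two things that most often fool a visual comparison: user-info before an `@` and internationalised (punycode) labels.

```python
"""Checking that a link in an announcement email really points at the expected site.

Added example for the checklist above; not code from the post. The sample links
and the expected domain are constructed. The idea is step 2 of the list: find the
legitimate domain yourself, then compare it with what the email actually links to.
"""
from urllib.parse import urlsplit


def check_link(href, expected_domain):
    """Return (ok, reason) for a link `href` that should lead to `expected_domain`.

    expected_domain is the registrable name you looked up independently, e.g.
    "example-courier.com"; sub-domains of it are accepted, look-alikes are not.
    """
    expected = expected_domain.lower().strip(".")
    parts = urlsplit(href.strip())
    host = parts.hostname            # lower-cased, user-info and port already removed
    if not host:
        return False, "no host"      # mailto:, javascript:, relative link, ...
    # "www.example-courier.com.evil.test" ends with the brand but is evil.test;
    # requiring the boundary dot prevents that match.
    if host != expected and not host.endswith("." + expected):
        return False, "host mismatch"
    if parts.username is not None:
        # "https://example-courier.com@evil.test/" style: anything before '@' is
        # ignored by the browser, so its presence alone is a red flag.
        return False, "userinfo in url"
    if parts.scheme != "https":
        return False, "not https"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label"   # internationalised name: inspect by hand
    return True, "ok"


def triage(links, expected_domain):
    """Check several links from one email; returns {href: reason}."""
    return {href: check_link(href, expected_domain)[1] for href in links}


# Constructed sample links of the kind seen in a "your parcel is waiting" email.
SAMPLE_LINKS = [
    "https://www.example-courier.com/track?id=1",
    "https://www.example-courier.com.evil.test/track",
    "https://example-courier.com@evil.test/",
    "http://www.example-courier.com/",
    "https://198.51.100.7/example-courier.com/",
]

if __name__ == "__main__":
    for href, reason in triage(SAMPLE_LINKS, "example-courier.com").items():
        print(f"{reason:16} {href}")
```

Only the first sample passes; the others fail for a different reason each, which is the point of returning the reason rather than a bare yes/no.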

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP, ERE Information Security and Privacy Compliance Auditors. www.ere-security.ca

Survey: Cloud Computing Risks Outweigh Reward

Wednesday, April 28th, 2010


You may have read this recent survey conducted by ISACA or the article about the survey posted on CNET April 7 or the more recent article about access and authentication headaches for cloud computing published by SC Magazine April 9.

The message is clear: Remote users watch out for security and privacy threats!  Of course there is absolutely nothing new about this message.  But then again, there is very little that is new about cloud computing.  Only its name.

Forty years ago cloud computing had other names: service bureau computing, remote computing, mainframe service providers, to name a few.  Fast forward and we have similar shared services more widely accessible by orders of magnitude because of ubiquitous Internet availability and the flexibility of IP addressing.  So the concept of a remote service provider has changed not in the least; one person in their basement running a great application on an NT server with worldwide Internet access is an example of cloud computing.

The security and privacy vulnerabilities are commensurately more serious than legacy service bureau operations with remote access provided typically by dedicated lines. (Anybody know or remember what dedicated lines are?)

The ISACA survey does weigh the financial rewards against the potential downside costs of risk, with a nifty Risk / Reward Barometer visual. To read the article please see the www.ere-security.ca RSS feed, April 7. The idea of doing a risk analysis and BIA on any critical service is nothing new in the security business and, of course, these tools should be used when considering the use of cloud computing.

Further, in my opinion, using a cloud computing resource is much the same as outsourcing an IT service.  Any conscientious purchaser of outsourced services should consider, review, and have in writing as part of an SLA, many issues surrounding IT security compliance monitoring, enforcement, and a mechanism for recovering financial losses due to breach of the outsourcing agreement.

For more ideas about how to deal with an IT services outsourcer, please see:  www.ere-security.com , IT Security White Papers, Risk Analysis, “IT Security Costs: Outsource vs. Self Deploy”

But I digress.

The fundamental business needs for enforcing access privileges and stringent authentication do not change whether the IT services in question are in-house or in a cloud, as pointed out in the SC Magazine article.  By the way, you can see the article at: www.ere-security.ca RSS, April 9.

The issue of who is doing the access and authentication processes is critical to its control.  I personally prefer the client retain control, and provide access to employees or users via a proxy service, again under the control of the client.  The authenticated users should then be provided VPN access to the cloud based service provider.

However, this is all for naught if the security framework of the cloud service provider is not up to snuff, which essentially circumvents all the good work of access control and authentication done by the client. That brings us right back to the point about the degree of security agreed to and provided by the cloud service provider.

The bottom line here is: The catchphrase cloud computing is new but all its old security headaches aren’t!

Have a secure week.

Regards, Ron Lepofsky, CISSP

President,

ERE Information Security and Compliance Auditors

www.ere-security.ca

What about Smartphone Security Threats?

Monday, March 1st, 2010

In an article today entitled Researchers Warn Of SmartPhone Security Threats, conveniently located in the RSS feed on our web site www.ere-security.ca (no self serving here), the researchers in question discuss rootkit vulnerabilities to smart phone operating systems.

From the article, it appears that some people may / would be surprised by rootkits turning up in smart devices.  Why would anybody be surprised?

Please don’t get me started about rootkits.  For those of you not too familiar with these insidious creations by devious minds, rootkits are nasty programs that are designed to:

Do whatever the author intends, including but not limited to providing admin privileges to the author, stealing information, damaging the host system, and migrating to other neighbouring devices on a network. They are proficient at hiding themselves using very sophisticated techniques involving system registries, and in turn may hide other malware from anti-virus technology. A very clear summary of the hows / whys / wheres of rootkits may be found at: http://en.wikipedia.org/wiki/Rootkit

I’d like to hear from those of you who:

  1. Found rootkits on your own or your clients’ devices.
  2. Were asked by the clients to not bother identifying the vector used by the rootkit to insert itself.
  3. Can describe how you found them; by forensic audit processes, for instance?
  4. Found any software that is supposed to be resident on workstations or servers and identifies rootkits.
    1. Any rootkit software I’ve tested finds .dll files which appear as unidentified.
    2. I know there are lots of claims about tools that find / remove rootkits. My question is: has anyone found / built one that conclusively works, without creating too many false positives?

We all know the usual ways to guard against malware.  The questions are:

  1. Why would anybody be surprised when rootkits invade the domain of intelligent portable devices?
  2. Why do some users of said devices treat security with complete abandon, like the “wild west”?

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security and Privacy Compliance Auditors

www.ere-security.ca

IT Security Micro Governance – A Practical Alternative Part 3

Wednesday, January 6th, 2010

Last week’s blog described the problems caused by insufficient Governance and the root causes of this problem. This week’s blog provides an example situation which illustrates the steps for implementing IT security micro Governance to address a security threat.

Example Situation

The Problem Statement

1. A CIO of a fictitious company identifies weak identity management as a significant risk to the privacy and integrity of corporate information, as well as to SOX compliance.
2. The problem has recently arisen due to several factors:
* The external corporate auditors introduced new IT audit control points for monitoring unauthorized and attempted unauthorized accesses to critical servers and critical applications.
* Corporate cost cutting has caused a reduction in the staff levels of the security administration group.
* A cost cutting reorganization has dramatically changed employees’ roles and need to access various servers and applications.
* The group of recently terminated employees, which includes IT security administrators, has raised the potential threat of malicious activity from ex-employees, plus a diminished capacity for the corporation to adequately administer access privileges.
3. There are insufficient funds for a comprehensive upgrade to the identity management infrastructure to ensure reasonable compliance for SOX.
4. The problem is further obscured because the lack of any major security breach makes it appear to senior executives that there are no security threats.
5. Nonexistent IT Governance means decision making about the new risk will be delayed until the next year’s budget cycle.

IT micro Governance Solution

1. If the corporation does in fact have an IT Governance committee that is amenable to reacting quickly with micro Governance decisions, then the CIO can identify to the Governance committee the business risks relating to weak identity management.
2. The governance committee works with the CIO to estimate the cost to the corporation in the event of a security event at $5,000,000 per incident.
3. They build a business case modeled upon the chance of a security event occurring once per year.
a. The CIO estimates the first year annual cost to technically mitigate the risk at $100,000 and $50,000 annually thereafter.
b. The first year mitigation cost / annual loss expectation is $100,000 / $5,000,000 or 2% and 1% thereafter.
c. The Governance committee decides the return is acceptable.
4. The IT Governance committee formally creates a specific task force and IT micro Governance process to mitigate the identity management risk.
5. They engage a third party advisor to expedite the process, so that an aggressive date of fully tested implementation is 6 months.
6. They appoint virtual team leaders to manage each risk management process. The team leaders comprise two members of the IT Governance committee, the CIO, three members of the IT security team, six business line managers, a member of HR and a member of the CFO’s team. They also have external security consultants and auditors to assist with testing and evaluating the effectiveness of the new process.
7. The virtual team leaders assign other employees to implement the project and to create an ongoing process to monitor, manage, and report on the proposed identity management process.
8. The team creates a detailed project plan to complete the project.
9. The third party consultants and auditors work with the team right from the beginning to design processes and mechanisms to test and report on the degree of success of the new identity management process.
10. The virtual team and IT Governance committee create a schedule for reporting / feedback / direction meetings as oversight for the new process, including:
a. Evaluating the degree of success of the initial implementation.
b. A subset of the virtual team continues to monitor and report to the Governance Committee.
c. A third party with expertise in calculating IT security risk is assigned the task of re-evaluating the initial ROI or cost avoidance business model in terms of:
i. Was risk correctly estimated?
ii. Is there an ongoing evaluation of the degree of risk reduction?
iii. Can the new process and its budget be integrated into IT security operations / administration? Can the virtual team be disbanded?

Conclusion:  Keep it simple.

Sources of Information – Governance Authorities
* ISACA (Information Systems Audit and Control Association) www.isaca.org
* ITGI (IT Governance Institute) www.itgi.org
* Gartner Group www.gartner.com
* IBM www-935.ibm.com/services/us/index.wss/offering/its/a1031003
* SANS (SysAdmin, Audit, Network, Security Institute) www.sans.org/reading_room/whitepapers/casestudies/corporate_governance_and_information_security_1382
* The IT Metrics and Productivity Institute  http://www.itmpi.org/default.aspx?pageid=198
* MIT Sloan School of Management  http://web.mit.edu/cisr/working%20papers/cisrwp349.pdf

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors

www.ere-security.ca

IT Security Micro Governance – A Practical Alternative Part 2

Tuesday, December 29th, 2009

Last week’s blog introduced my concept of IT security micro Governance. This week’s installment covers the problems caused by insufficient Governance and the root causes of this problem.

Insufficient IT Governance Impedes the Security Team

In dynamic network environments, security issues can quickly appear where there are insufficient funds planned to mitigate new security risks. An active IT Governance process is invaluable to deal with such issues.

Insufficient IT Governance:
* Slows decision making.
* Inhibits communication of risk and associated potential financial loss between the IT security team and executive management.
* Inhibits attaining unplanned, sufficient IT security funding.

Barriers to implementing IT Governance

Well known barriers to attaining IT governance are:
* The all encompassing scope of any Governance is a daunting challenge to face.
* Expensive.
* Time consuming.
* IT security risk can be very difficult to quantify.
* The executives may find it difficult to request additional funds particularly where the IT security team has done an excellent job and there are no expensive security vulnerabilities.
* A false sense of security makes cost justifying security budgets difficult.
* A Governance committee may get bogged down by confusing the content of compliance frameworks with compliance objectives.
* Turf wars over accepting / relegating ownership of responsibilities for various aspects of IT compliance.
* Maintaining longevity of the IT Governance process.

IT Security micro Governance as a Practical Alternative

A simplified alternative to the barriers mentioned above creates a bite-sized micro process which will provide the following value to a corporate entity:
* Minimizes the liability of executives with respect to their fiduciary responsibilities for IT Governance.
* Facilitates communications between the Governance Body and the IT Security Team regarding cost justification of unplanned or insufficient budget.
* Provides a regular opportunity for the Security Team to convey top priorities with requests for expedited executive authorization.
* Provides a regular opportunity for executives to convey business priorities that affect IT related risk directly to those responsible for physically managing those risks.
* Minimizes decision time and frustration levels by identifying bite sized issues.

Steps to Implement IT Micro Governance

1. IT Security should identify the top priority IT security risk(s) that require immediate decisions / funding by the executive team.
2. Estimate the ROI or potential cost avoidance by mitigating the risk(s).
3. Formally create a micro-Governance process to address the risk(s).
4. Engage a third party advisor to expedite the process.
5. Create a virtual (temporary) team to manage each risk management process.
6. Assign other management and employees as appropriate to the virtual team.
7. Identify a timeline to complete the project.
8. Identify a mechanism to test the degree of success of the mitigation.
9. Identify a timeline to report the degree of success back to the IT Governance Committee.
10. Assess whether ROI or cost avoidance goals were sufficiently met. *
11. Mandate longevity for the micro Governance process by directing the virtual team to continue monitoring the process and reporting to the Governance Committee.
12. Integrate the process into the IT security operations / administration processes and disband the virtual team.

* It is difficult to obtain data that captures the prevention of a security threat based on a specific action taken. One empirical yet evidence-based method is to compare the frequency of similar threats before and after the mitigation steps are implemented.

To assist with calculating IT security-related risk, ROI / cost avoidance, and residual risk, Governance Committees (and IT security professionals) can contract third party expertise in these matters.

Next week’s blog will be an example situation which illustrates the steps for implementing IT security micro Governance to address a security threat.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditor

www.ere-security.ca

IT Security Micro Governance – A Practical Alternative Part 1

Tuesday, December 22nd, 2009

This week’s blog is the first of a three part series about my idea for an expedited method of implementing IT security Governance. Your feedback would be most appreciated.

Executive Summary

IT Governance is difficult for most organizations to initiate and maintain as it is an ongoing process, particularly for medium and small institutions. There are many subject experts, vendors, and consultants that cater to implementation, but the inherent difficulties and complexities make the implementation of it an elusive goal for many.

Since Governance is, by definition, strategic and focused over long timeframes, it is not designed to deal with unexpected and potentially costly IT security threats, threats which can evolve into costly security events. A distraught client once described how a serious access breach within his organization could have been prevented if senior management had evaluated and acted upon his impromptu but appropriate recommendations to harden access controls. I propose a modified process for mitigating threats that require funds exceeding the annual IT security budget, which I call micro Governance.

Definitions of IT Governance

IT Governance is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. Various bodies of authority on the subject publish similar definitions of IT Governance, each with its own emphasis of intent. Four prominent authorities define IT governance on their web sites as follows:

1. ISACA: …provide the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.
2. ITGI: …an effective IT governance framework that addresses strategic alignment, performance measurement, risk management, value delivery and resource management.
3. Forrester: …The act of establishing IT decision structures, processes, and communication mechanisms in support of the business objectives and tracking progress against fulfilling business obligations efficiently and consistently.
4. MIT Sloan School of Management: IT governance is the process by which firms align actions with their performance goals and assign accountability for those actions and their outcomes.

The three predominant frameworks for implementing IT Governance are provided by ISACA, ITIL and ISO. In a more granular view, the ISO 38500:2008 guiding principles are organized into three prime sections, specifically Scope, Framework and Guidance. The framework comprises definitions, principles and a model. It sets out six principles for good corporate governance of IT:
* Responsibility
* Strategy
* Acquisition
* Performance
* Conformance
* Human behaviour

Significance of IT Security Governance for Compliance

Compliance violations may attract all manner of liability directly affecting a governance committee, such as fines and confinement for SOX, revocation of interconnection agreements with electrical utilities for NERC CIP, and violation notices from third party auditors for COBIT.

Examples of well known regulatory frameworks and compliance standards are as follows:
* Financial – SOX, Bill 109, Basel II, PCI, SAS 70
* Electrical Infrastructure for North America – NERC CIP
* Privacy – PIPEDA, Red Flag, GLB
* Industry Best Practices – COBIT, ITIL

Next week’s blog will cover the problems caused by insufficient Governance and the root causes of this problem.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors

www.ere-security.ca

Book Report: The Myths of Security

Tuesday, December 15th, 2009

My blog this week is a review of a book I recently read, which purportedly was going to tell the reader “What the computer security industry doesn’t want you to know.”

The Myths of Security
By John Viega,
Published by O’Reilly Media Inc.
Printed June 2009

This self-proclaimed exposé of secrets closely guarded by the security industry fails to tell the reader much of anything new, except the details of John Viega’s history of working with McAfee – twice.

The word Myths in the title implies, at least to me, long believed truths about to be proved otherwise.  These revelations never occurred in the 48 chapters, unless you consider repeating common knowledge in the security industry as new revelations.

A central revelation is that AV vendors have a difficult time keeping up with new malware. There are several chapters dedicated to why AV tools are not effective, why they consume large amounts of computer resources, and the author’s idea that AV industry members should collaborate by sharing their knowledge of zero-day malware. He further suggests they create “CIST”, the Consortium for Interoperability with Security Technology.

These ideas of collaboration sound viable from a technical perspective, but hardly realistic in a competitive capitalistic environment that favours the strongest vendors.  However the author’s suggestions are not revelations of secrets.

Viega goes on to compare the workings of AV with firewalls and with IDS.  While these analogies are clever, they are hardly central to the book’s premise of revelation.

I was left scratching my head as the author claims that many AV products have a low degree of usefulness, without providing any statistical, verifiable evidence to prove his point.  Unsubstantiated opinion, and in my opinion, overly negative.

Which brings me to the next point: the author’s many references of praise for McAfee. After 20, I lost count of the references to McAfee liberally spread throughout the book. This affection and praise for one vendor, and twice previous employer, certainly challenges the impartiality of the author’s revelations.

It seems the author has liberally substituted hyperbole for fact.  For instance the chapter entitled “Google is Evil” says Google’s Adwords creates a conflict of interest between impartiality and profit.  Hardly a surprise.   The Chapter “VPNs Usually Decrease Security” states the obvious:  a compromised  VPN’d client workstation indeed is a threat to a host network.

Similarly, the chapter “The Security Industry is Broken” really says that security vendors of products and services are not 100% perfect. No further comment is necessary here.

It is not clear to me for whom the book is intended. It cannot be for security practitioners with certifications such as CISSP or CISM. In an effort to minimize technical terms, Viega uses a wordy description to circumvent the use of “hashing” (mentioned in a footnote below the text).

End users who are not technology savvy might find the book verbose. The few good security recommendations are summarized in a few pages; recommendations which are commonly stated in any end-user policy worth reading.

Time reading this book would be better spent elsewhere.

PS I feel guilty writing such a negative article, especially since it is far easier to criticize than to create. So please take my comments with a grain of salt.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors

www.ere-security.ca

Micro IT Governance to Really Achieve Compliance Part 2

Tuesday, December 8th, 2009

Last week I posted a rough draft of part 1 of 2 of an article devoted to a concept I am creating called Micro-Governance. Next week’s post is part 2 of 2; I would greatly appreciate your ideas / feedback / constructive criticism. Thank you in advance for sharing your ideas with me.

Barriers to implementing IT Governance

  • All encompassing scope
  • Complex PPM Project Portfolio Management
  • Expensive
  • Time consuming
  • Risk is very difficult to quantify
  • False sense of security confuses cost justifying security budgets
  • Turf wars over accepting / relegating ownership of responsibilities
  • Maintaining longevity of the process

Micro – Governance a practical alternative

  • Minimize liability of executives / board
  • Facilitates communications between Governance and the Security Team regarding cost justification of budget
  • Provides a regular opportunity for the Security Team to convey top priorities with requests for executive authorization
  • Minimizes decision time and frustration levels by identifying bite sized issues
  • Quantify the few most threatening risks
  • Create a virtual team with responsibility to mitigate and report
  • Measure the results
  • Authorize / fund the virtual team

Call to Action

  • CEO and CIO discuss a few  top priority IT security risks that require immediate decisions / funding
  • Formally create a micro-Governance process to address each risk.
  • Engage a third party advisor to expedite the process.
  • Create a small virtual team to manage each risk management process.
  • Assign other management and employees as appropriate to the virtual team.
  • Identify a timeline to complete the project.
  • Identify a mechanism to test the degree of success of the mitigation
  • Identify a timeline to report the degree of success back to the IT Governance Committee.

Assess Financial Cost of Risk and Residual Risk

  • Document the technical risks
  • Translate them into business risks
  • Utilize a straw poll for executives to estimate the cost of liability should the risks become realities.
  • Utilize a straw poll for technology experts to guesstimate the % chance of a one-time occurrence both before and after mitigation steps are applied.
  • Compare the cost of risk vs. residual risk to the cost of mitigation
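The cost-of-risk comparison in this list, the before-and-after frequency footnote of Part 2, and the $5,000,000 / $100,000 / $50,000 business case of Part 3 are all the same calculation, so here it is worked once in code. This is an added example, not code from the posts. It carries the Part 3 figures (a $5,000,000 loss expected once a year, $100,000 to mitigate in year one and $50,000 a year thereafter) through a multi-year business case and adds the after-mitigation probability this list asks the technology experts to estimate; the posts give no such figure, so the 10% per year used below is an assumption.

```python
"""Annual loss expectancy, mitigation cost ratio and return on security investment.

Added example, not code from the posts. Uses the Part 3 numbers ($5,000,000 per
incident, once a year, $100,000 then $50,000 a year to mitigate). The post gives
no after-mitigation probability, so rate_after below is an assumed value.
"""


def annual_loss_expectancy(single_loss, annual_rate):
    """ALE = single loss expectancy x annualised rate of occurrence."""
    return single_loss * annual_rate


def cost_ratio(mitigation_cost, ale):
    """Mitigation cost as a fraction of the loss it addresses (2% in the post's year one)."""
    return mitigation_cost / ale


def rosi(ale_before, ale_after, mitigation_cost):
    """Return on security investment: avoided loss net of the spend, per dollar spent."""
    avoided = ale_before - ale_after
    return (avoided - mitigation_cost) / mitigation_cost


def business_case(single_loss, rate_before, rate_after, first_year_cost, recurring_cost, years):
    """Year-by-year figures for the committee, with a running cumulative net benefit."""
    ale_before = annual_loss_expectancy(single_loss, rate_before)
    ale_after = annual_loss_expectancy(single_loss, rate_after)
    rows, cumulative = [], 0.0
    for year in range(1, years + 1):
        cost = first_year_cost if year == 1 else recurring_cost
        cumulative += (ale_before - ale_after) - cost
        rows.append({
            "year": year,
            "cost": cost,
            "ale_before": ale_before,
            "ale_after": ale_after,
            "cost_ratio": cost_ratio(cost, ale_before),
            "rosi": rosi(ale_before, ale_after, cost),
            "cumulative_net_benefit": cumulative,
        })
    return rows


# The post's figures plus one assumed value: rate_after (10% chance per year
# after mitigation) is the straw-poll estimate the posts leave to the experts.
PART3_CASE = dict(single_loss=5_000_000, rate_before=1.0, rate_after=0.1,
                  first_year_cost=100_000, recurring_cost=50_000, years=3)

if __name__ == "__main__":
    for r in business_case(**PART3_CASE):
        print(f"year {r['year']}: cost ${r['cost']:,} = {r['cost_ratio']:.0%} of ALE, "
              f"ROSI {r['rosi']:.1f}x, cumulative net benefit ${r['cumulative_net_benefit']:,.0f}")
```

The cost ratio reproduces the post's 2% and 1%; the ROSI and cumulative lines are what change when the experts' after-mitigation estimate changes, which is why that single straw-poll number deserves the re-evaluation step the Part 3 plan assigns to a third party.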

Create Longevity to the Micro- Governance Process(es)

  • Direct the virtual team(s) to continue monitoring and report to the Governance Committee according to a defined schedule
  • Otherwise dissolve the virtual team(s)

Sources of Information – Governance Authorities

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security Auditors

www.ere-security.ca


Copyrights © 2007-2008. All rights reserved.