Posts Tagged ‘Information Security’
Monday, March 1st, 2010
In an article today entitled Researchers Warn Of SmartPhone Security Threats, conveniently located in the RSS feed on our web site www.ere-security.ca (no self serving here), the researchers in question discuss rootkit threats to smartphone operating systems.
From the article, it appears that some people may / would be surprised by rootkits turning up in smart devices. Why would anybody be surprised?
Please don’t get me started about rootkits. For those of you not too familiar with these insidious creations by devious minds, rootkits are nasty programs designed to do whatever the author intends, including but not limited to providing admin privileges to the author, stealing information, damaging the host system, and migrating to other neighbouring devices on a network. They are proficient at hiding themselves using very sophisticated techniques involving system registries, and in turn may hide other malware from anti-virus technology. A very clear summary of the hows / whys / wheres of rootkits may be found at: http://en.wikipedia.org/wiki/Rootkit
I’d like to hear from those of you who:
- Found rootkits on your own or your clients’ devices.
- Were asked by clients not to bother identifying the vector the rootkit used to insert itself.
- Found them by forensic audit processes, for instance; how did you find them?
- Found any software that is supposed to reside on workstations or servers and identify rootkits.
- Any rootkit software I’ve tested finds .dll files which appear as unidentified.
- I know there are lots of claims about tools that find / remove rootkits. My question is: has anyone found / built one that conclusively works, without creating too many false positives?
We all know the usual ways to guard against malware. The questions are:
- Why would anybody be surprised when rootkits invade the domain of intelligent portable devices?
- Why do some users of said devices treat security with complete abandon, like the “wild west”?
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security and Privacy Compliance Auditors
www.ere-security.ca
Tags: Information Security, IT Security, Root Kits, Smartphones Posted in Internet Security | 1 Comment »
Wednesday, February 24th, 2010
This week’s blog is Part 4 of a 5-part series.
If you are in security no doubt you have been challenged by management about your security expenditures. I have often heard executives say that they regret authorizing sufficiently large security budgets because they can’t tell if the expenses were worthwhile. It’s a good point. I’ll try to address it in this blog.
Measuring the Effectiveness of Mitigation
It is paramount to close the risk management loop by comparing planned and actual results of mitigation.
The goal is to clearly identify whether the risk level has changed and which consistent metrics will be used to support that conclusion. Once again, this may be difficult to accomplish directly, but there certainly are metrics for measuring and comparing the results of implementing mitigation. The metrics should always:
- Produce repeatable, consistent results.
- Be understandable.
- Be reasonably simple to use over time.
The following is a good starting list of metrics that can be used for consistently measuring and reporting on risk:
- Architectures for measuring risk – Enterprise Information Security Architecture (EISA) (8), (9):
  - The U.S. Department of Defense (DoD) Architecture Framework (DoDAF). (10)
  - Extended Enterprise Architecture Framework (E2AF) from the Institute For Enterprise Architecture Developments. (11)
  - Federal Enterprise Architecture of the United States Government (FEA). (12)
  - Capgemini’s Integrated Architecture Framework. (13)
  - NIH Enterprise Architecture Framework. (14)
  - Open Security Architecture. (15)
  - The Open Group Architecture Framework (TOGAF). (16)
  - Zachman Framework. (17)
- Control points from the COBIT framework. (18)
- Vulnerability assessments.
- Penetration tests.
- Time trends in frequency of occurrence and the real costs of security events, privacy violations, and policy compliance violations.
- Time trends in cost to recover from events.
- Time trends in frequency of policy compliance violations that do not necessarily cause any financial losses, such as identifying Trojans, viruses, rootkits, unauthorized logins, attempted port scans, frequency of dropped packets, frequency of password lifecycle, breaches, and frequency of rescheduled / cancelled IT Security Governance meetings with business managers.
This part of the series may be a little dry. In fact it is very dry. But if you ever want to have a process done “by the book” many of my references will come in handy. If you can take another “dry” blog, the next blog will cover the same subject but from a return on investment perspective. I hope it will be helpful!
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security and Privacy Compliance Auditor
www.ere-security.ca
Tags: Cost of IT Security Compliance, Information Security, IT Security, Risk of IT Security Compliance Posted in Information Security | 2 Comments »
Wednesday, February 17th, 2010
This week’s blog is Part 3 of a 5-part series.
I think that too often security people try to “fix” every security problem. That is not realistic or required. Many times, it is sufficient to just identify security risks and problems to management and get them to make a decision on how they want to deal with it.
But the operative phrase is “decision on how they want to deal with it.”
Calculating the Cost of Mitigation
Security professionals are well acquainted with determining the costs of mitigation. Senior executives sometimes think they too are familiar with these costs, based upon ads they read about anti-virus and firewall technology.
The danger here is that it is too easy for all concerned to focus on technology as the primary mitigation for security and compliance. The broader view of mitigation is well documented in standards published by industry experts such as the NIST- 88 series (3), ISACA CoBIT (4), PCI Security Standards – PCI (5), and NERC – CIP 02 – 09 (6).
It is well advised to consider mitigation steps that include:
1. Re-engineering processes, both technological and people processes.
2. Policy – people and technology.
3. Technical security.
4. Physical security.
5. People processes.
6. Training and awareness.
7. Third party auditing to verify the effectiveness of all the above.
From an IT Security Governance perspective the optimal cost point for mitigation is where the total costs of risk and mitigation are lowest. This point can be graphically determined as in Exhibit 3 – Optimal Cost Point for Mitigation.
Exhibit 3 – Optimal Cost Point for Mitigation (3) This exhibit can’t be shown in the blog but you can see it in a whitepaper on the ERE web site www.ere-security.ca
Once mitigation costs are determined, it is important to express to the IT Security Governance committee that mitigation only goes so far, and that some residual risk remains even after spending on mitigation. The residual risk can be expressed as the cost of risk that remains after mitigation is implemented. As shown in Exhibit 4 – Mitigation Cost vs. Chance of Event Occurrence, expenditures on mitigation reduce the cost of exposure to risk.
Exhibit 4 – Mitigation Cost vs. % Chance of Event Occurrence This exhibit can’t be shown in the blog but you can see it in a whitepaper on the ERE web site www.ere-security.ca
The IT Security Governance Committee may decide to deal with residual risk by:
1. Accepting the risk.
2. Moving the risk (insurance).
3. Further mitigation.
Calculating Return on Security Investment (ROSI) (7)
Once the total cost of security mitigation is determined by including any costs for managing residual risk, then it is straightforward to calculate the return on security investment, as follows:
ROSI = cost of mitigation / cost of risk
When calculating ROSI it is important to allocate mitigation costs on a pro-rated basis across all costs of risk to which they apply. In this way ROSI can be more accurately calculated and evaluated by each profit and loss manager and associated stakeholder.
The next blog will deal with figuring out whether the cost of mitigation was worth it!
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security and Privacy Compliance Auditor
www.ere-security.ca
Tags: Cost of IT Security Compliance, Information Security, IT Security, Risk of IT Security Compliance Posted in Information Security | 4 Comments »
Thursday, February 11th, 2010
This week’s blog is Part 2 of a 5-part series.
I know it is time consuming to do the analysis for building a business case. I’ve seen the frustration on the faces of security types who present business cases for their budget and management gives them a rough time.
Hopefully these articles will be helpful.
The next logical step would be to associate an actual cost to each event. Various methods can be used either separately or together with the implementation of an averaging metric to estimate the cost per occurrence of an event. These methods may include:
1. Soliciting expert advice from financial management, lawyers, and risk management consultants.
2. Conducting a straw poll of stakeholders, each estimating the downside cost of an event.
3. Participating in a fact gathering survey of similar businesses, each of which provides factual and straw poll estimates of the cost of an event.
4. Purchasing statistical information from industry experts regarding the cost of an event.
5. Obtaining statistical information from industry associations about the cost of an event experienced by their membership.
Using a similar methodology, the next step is to determine the likelihood of an event occurring. The most useful way of expressing likelihood is as the % chance of an event occurring in any one year.
However, any likelihood estimate should also be adjusted to account for changes in the security environment. There are typically evolving waves of new threats that may affect the likelihood of occurrence, such as these previous waves:
1. Viruses
2. Malware of all sorts
3. DDOS
4. Identity Theft
The likelihood estimate can then be used to:
1. Qualitatively express cost vs. likelihood as in Exhibit 1 – Potential Cost vs. % Probability of Occurrence.
2. Calculate the quantitative Annual Loss Expectancy.
Exhibit 1 – Potential Cost vs. Probability of Occurrence (1)
This exhibit can’t be shown in the blog but you can see it in a whitepaper on the ERE web site www.ere-security.ca
Obviously, mitigation steps should be prioritized so that high risk / high cost situations are dealt with first.
Annual Loss Expectancy (ALE) (2)
The step from qualitative to quantitative risk analysis logically occurs at this point, where the team evaluating risk triages the results of Exhibit 1 in order to decide upon those risks where they intend to focus.
The potential cost of those risks can be determined by calculating their Annual Loss Expectancy. The annual loss expectancy is the annualized estimated cost for the occurrence of any type of event. This number is useful for comparison with the annual cost of mitigation. ALE for an event is calculated by multiplying the previously determined cost of the event by the chance of its occurrence.
Annual loss expectancy = cost of event x chance of occurrence
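To show how the ALE above and the ROSI ratio from the previous post (Part 3, ROSI = cost of mitigation / cost of risk, pro-rated across the risks a control covers) combine into one comparison table, here is an added Python example of my own, not code from the blog. The risk names and dollar figures are constructed, and pro-rating by ALE (with an even split when every covered risk has zero ALE) is my assumption about how to apply the "pro-rated basis" the post calls for.

```python
"""Added example (not from the blog): ALE, pro-rated mitigation allocation and
ROSI, using the formulas given in Parts 2 and 3 of the series.

ALE  = cost of event x chance of occurrence   (Part 2)
ROSI = cost of mitigation / cost of risk      (Part 3, as the author defines it)

All figures below are constructed sample values, not data from the blog."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    cost_per_event: float   # estimated cost of one occurrence (straw poll, expert advice, industry data)
    chance_before: float    # % chance of occurring in any one year, before mitigation, as a fraction
    chance_after: float     # the same estimate once mitigation is in place (residual risk)

    def ale(self) -> float:
        """Annual Loss Expectancy before mitigation: cost of event x chance of occurrence."""
        return self.cost_per_event * self.chance_before

    def residual_ale(self) -> float:
        """Cost of the risk that remains after mitigation is implemented."""
        return self.cost_per_event * self.chance_after


@dataclass
class Mitigation:
    name: str
    annual_cost: float
    covers: list            # names of the risks this control applies to


def prorate_mitigation(risks, mitigations):
    """Spread each mitigation's annual cost across the risks it covers, pro-rated
    by those risks' ALE (assumed reading of Part 3's "pro-rated basis").
    Returns {risk name: allocated annual mitigation cost}."""
    by_name = {r.name: r for r in risks}
    allocated = {r.name: 0.0 for r in risks}
    for m in mitigations:
        covered = [by_name[n] for n in m.covers]   # KeyError flags a typo in `covers`
        total_ale = sum(r.ale() for r in covered)
        for r in covered:
            # Edge case: if every covered risk has a zero ALE, split the cost
            # evenly rather than dividing by zero.
            share = r.ale() / total_ale if total_ale > 0 else 1.0 / len(covered)
            allocated[r.name] += m.annual_cost * share
    return allocated


def rosi(mitigation_cost, cost_of_risk):
    """ROSI exactly as the post defines it: cost of mitigation / cost of risk.
    A smaller ratio means less mitigation spend per dollar of exposure."""
    if cost_of_risk <= 0:
        raise ValueError("cost of risk must be positive to compute ROSI")
    return mitigation_cost / cost_of_risk


def risk_report(risks, mitigations):
    """Per-risk rows a governance committee can compare: ALE, allocated
    mitigation cost, ROSI and residual ALE. Sorted by ALE, highest first, so
    the high risk / high cost situations (Exhibit 1) come out on top."""
    allocated = prorate_mitigation(risks, mitigations)
    rows = []
    for r in sorted(risks, key=lambda x: x.ale(), reverse=True):
        rows.append({
            "risk": r.name,
            "ale": r.ale(),
            "mitigation": allocated[r.name],
            # ROSI is undefined for a risk with no expected loss; report None.
            "rosi": rosi(allocated[r.name], r.ale()) if r.ale() > 0 else None,
            "residual_ale": r.residual_ale(),
        })
    return rows


def example_report():
    # Constructed sample input (hypothetical figures, not from the blog).
    risks = [
        Risk("weak identity management", 5_000_000, 0.10, 0.02),
        Risk("malware outbreak", 200_000, 0.50, 0.25),
        Risk("DDoS on public web site", 400_000, 0.25, 0.25),
    ]
    mitigations = [
        Mitigation("identity management upgrade", 100_000, ["weak identity management"]),
        Mitigation("network monitoring", 60_000, ["malware outbreak", "DDoS on public web site"]),
    ]
    return risk_report(risks, mitigations)


if __name__ == "__main__":
    for row in example_report():
        print(f"{row['risk']:26s} ALE ${row['ale']:>11,.0f}  mitigation ${row['mitigation']:>9,.0f}"
              f"  ROSI {row['rosi']:.2f}  residual ALE ${row['residual_ale']:>11,.0f}")
```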
Next week I will discuss the ins and outs of calculating the cost of minimizing risk and how to present this to the executives.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security and Privacy Compliance Auditor
www.ere-security.ca
Tags: Cost of IT Security Compliance, Information Security, IT Security, Risk of IT Security Compliance Posted in Information Security | No Comments »
Thursday, February 4th, 2010
This week’s blog is Part 1 of a 5-part series.
Over the years many IT security professionals have told me about their challenges of getting the appropriately sized security budget approved. In my opinion many senior executives believe that if they have not endured a serious security breach, then there simply are not any security risks. That is my motivation for writing this series.
Executive Summary
IT security and security compliance are expensive to successfully achieve. Now pile on privacy compliance and an array of regulatory compliance obligations and the costs skyrocket.
The key to getting the IT Security Governance committee to fund the appropriate compliance budget is to speak their language.
In order to do that, risks need to be expressed in terms of costs for executives. Specifically, costs need to be identified as: potential cost of losses, mitigation costs, the total costs (potential cost of losses + mitigation costs) and residual costs.
In order to be clear and meaningful for the intended audience, the material should be presented graphically, presenting changes in both cost and risk over time.
This trending analysis is most useful for supporting the ability of the IT Security Governance committee to make well informed decisions on how to most effectively invest in security, thereby deriving optimal payback for stakeholders.
Identifying Risk and its Business Impact
The costs of risk associated with IT security / privacy and non-compliance with regulations / standards, and the resulting negative impact on business, can be broadly identified as follows:
1. Loss of revenue or production due to unavailability of production resource.
2. Time and effort to recover from a security related loss of production.
3. Legal.
4. Damage to brand.
5. Regulatory compliance violations.
6. Privacy compliance violations.
7. Damage to client and vendor relationships.
8. Loss of intellectual, competitive or proprietary information.
9. Un-captured profits resulting from inability to demonstrate to clients / vendors / partners a strong security process.
The cost of risk is the resulting impact on business that may be incurred should a risk become a reality or an event. Determining the cost of a potential event is difficult at best. However, it can be accomplished by employing one or more quantitative and qualitative methods, and should be undertaken by those most qualified to do so.
Those most qualified are unit profit and loss managers, stakeholders, and executives with quantitative insight into how an event would affect their work domain.
The cost of various types of events can be viewed as categories of low, medium, and high cost. This qualitative analysis is not useful in itself, but it may assist management in prioritizing the order in which they will perform a more in-depth risk analysis.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security and Privacy Compliance Auditors
www.ere-security.ca
Tags: Cost of Security Compliance, Information Security, IT Security, Risk of Security Compliance Posted in Information Security | 7 Comments »
Wednesday, January 6th, 2010
Last week’s blog described the problems caused by insufficient Governance and the root causes of this problem. This week’s blog provides an example situation which illustrates the steps for implementing IT security micro Governance to address a security threat.
Example Situation
The Problem Statement
1. A CIO of a fictitious company identifies weak identity management as a significant risk to the privacy and integrity of corporate information as well as to SOX compliance.
2. The problem has recently arisen due to several factors:
* The external corporate auditors introduced new IT audit control points for monitoring unauthorized and attempted unauthorized accesses to critical servers and critical applications.
* Corporate cost cutting has caused a reduction in the staff levels of the security administration group.
* A cost cutting reorganization has dramatically changed employees’ roles and need to access various servers and applications.
* The group of recently terminated employees, which includes IT security administrators, has raised the potential threat of malicious activity from ex-employees, plus a diminished capacity for the corporation to adequately administer access privileges.
3. There are insufficient funds for a comprehensive upgrade to the identity management infrastructure to ensure reasonable compliance for SOX.
4. The problem is further obscured because the lack of any major security breach makes it appear to senior executives that there are no security threats.
5. Nonexistent IT Governance means decision making about the new risk will be delayed until the next year’s budget cycle.
IT micro Governance Solution
1. If the corporation does in fact have an IT Governance committee that is amenable to reacting quickly with micro Governance decisions, then the CIO can identify to the Governance committee the business risks relating to weak identity management.
2. The governance committee works with the CIO to estimate the cost to the corporation in the event of a security event at $5,000,000 per incident.
3. They build a business case modeled upon the chance of a security event occurring once per year.
a. The CIO estimates the first year annual cost to technically mitigate the risk at $100,000 and $50,000 annually thereafter.
b. The first year mitigation cost / annual loss expectation is $100,000 / $5,000,000 or 2% and 1% thereafter.
c. The Governance committee decides the return is acceptable.
4. The IT Governance committee formally creates a specific task force and IT micro Governance process to mitigate the identity management risk.
5. They engage a third party advisor to expedite the process, with an aggressive target of a fully tested implementation within 6 months.
6. They appoint virtual team leaders to manage each risk management process. The team leaders comprise two members of the IT Governance committee, the CIO, three members of the IT security team, 6 business line managers, a member of HR and a member of the CFO’s team. They also have external security consultants and auditors to assist with testing and evaluating the effectiveness of the new process.
7. The virtual team leaders assign other employees to implement the project and to create an ongoing process to monitor, manage, and report on the proposed identity management process.
8. The team creates a detailed project plan to complete the project.
9. The third party consultants and auditors work with the team right from the beginning to design processes and mechanisms to test and report on the degree of success of the new identity management process.
10. The virtual team and IT Governance committee create a schedule for reporting / feedback / direction meetings as oversight for the new process, including:
a. Evaluating the degree of success of the initial implementation.
b. A subset of the virtual team continues to monitor and report to the Governance Committee.
c. A third party with expertise in calculating IT security risk is assigned the task of re-evaluating the initial ROI or cost avoidance business model in terms of:
i. Was risk correctly estimated?
ii. Is there an ongoing evaluation of the degree of risk reduction?
iii. Can the new process and its budget be integrated into IT security operations / administration? Can the virtual team be disbanded?
Conclusion: Keep it simple.
Sources of Information – Governance Authorities
* ISACA (Information Systems Audit and Control Association) www.isaca.org
* ITGI (IT Governance Institute) www.itgi.org
* Gartner Group www.gartner.com
* IBM www-935.ibm.com/services/us/index.wss/offering/its/a1031003
* SANS (SysAdmin, Audit, Network, Security Institute) www.sans.org/reading_room/whitepapers/casestudies/corporate_governance_and_information_security_1382
* The IT Metrics and Productivity Institute http://www.itmpi.org/default.aspx?pageid=198
* MIT Sloan School of Management http://web.mit.edu/cisr/working%20papers/cisrwp349.pdf
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Tags: Information Security, IT Security, Micro Governance Posted in Information Security, Internet Security, Security Postings | No Comments »
Tuesday, December 29th, 2009
Last week’s blog introduced my concept of IT security micro Governance. This week’s installment covers the problems caused by insufficient Governance and the root causes of this problem.
Insufficient IT Governance Impedes the Security Team
In dynamic network environments, security issues can quickly appear where there are insufficient funds planned to mitigate new security risks. An active IT Governance process is invaluable to deal with such issues.
Insufficient IT Governance:
* Slows decision making.
* Inhibits communication of risk and associated potential financial loss between the IT Security Team and executive management.
* Inhibits attaining unplanned, sufficient IT security funding.
Barriers to implementing IT Governance
Well known barriers to attaining IT governance are:
* The all encompassing scope of any Governance is a daunting challenge to face.
* Expensive.
* Time consuming.
* IT security risk can be very difficult to quantify.
* The executives may find it difficult to request additional funds particularly where the IT security team has done an excellent job and there are no expensive security vulnerabilities.
* A false sense of security makes cost justifying security budgets difficult.
* A Governance committee may get bogged down in confusion between the content of compliance frameworks and the compliance objectives themselves.
* Turf wars over accepting / relegating ownership of responsibilities for various aspects of IT compliance.
* Maintaining longevity of the IT Governance process.
IT Security micro Governance as a Practical Alternative
A simplified alternative that sidesteps the barriers mentioned above is a bite-sized micro process, which provides the following value to a corporate entity:
* Minimizes the liability of executives with respect to their fiduciary responsibilities for IT Governance.
* Facilitates communications between the Governance Body and the IT Security Team regarding cost justification of unplanned or insufficient budget.
* Provides a regular opportunity for the Security Team to convey top priorities with requests for expedited executive authorization.
* Provides a regular opportunity for executives to convey business priorities that affect IT related risk directly to those responsible for physically managing those risks.
* Minimizes decision time and frustration levels by identifying bite sized issues.
Steps to Implement IT Micro Governance
1. IT Security should identify the top priority IT security risk(s) that require immediate decisions / funding by the executive team.
2. Estimate the ROI or potential cost avoidance by mitigating the risk(s).
3. Formally create a micro-Governance process to address the risk(s).
4. Engage a third party advisor to expedite the process.
5. Create a virtual (temporary) team to manage each risk management process.
6. Assign other management and employees as appropriate to the virtual team.
7. Identify a timeline to complete the project.
8. Identify a mechanism to test the degree of success of the mitigation.
9. Identify a timeline to report the degree of success back to the IT Governance Committee.
10. Assess whether ROI or cost avoidance goals were sufficiently met. *
11. Mandate longevity for the micro Governance process by directing the virtual team to continue monitoring the process and reporting to the Governance Committee.
12. Integrate the process into the IT security operations / administration processes and disband the virtual team.
* It is difficult to obtain data that captures the prevention of a security threat based on a specific action taken. One empirical, evidence-based method is to compare the frequency of similar threats before and after mitigation steps are implemented.
To assist with calculating IT security related risk, ROI / cost avoidance, and residual risk, Governance Committees (and IT security professionals) can contract third party expertise in these matters.
Next week’s blog will be an example situation which illustrates the steps for implementing IT security micro Governance to address a security threat.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditor
www.ere-security.ca
Tags: Information Security, IT Security, Micro Governance Posted in Information Security, Internet Security, Security Postings | 3 Comments »
Tuesday, December 22nd, 2009
This week’s blog is the first of a three part series about my idea for an expedited method of implementing IT security Governance. Your feedback would be most appreciated.
Executive Summary
IT Governance is difficult for most organizations to initiate and maintain as it is an ongoing process, particularly for medium and small institutions. There are many subject experts, vendors, and consultants that cater to implementation, but the inherent difficulties and complexities make the implementation of it an elusive goal for many.
Since Governance is, by definition, strategic and focused over long timeframes, it is not designed to deal with unexpected and potentially costly IT security threats, which can evolve into costly security events. A distraught client once described how a serious access breach within his organization could have been prevented if senior management had evaluated and acted upon his impromptu but appropriate recommendations to harden access controls. I propose a modified process for mitigating threats that require funds exceeding the annual IT security budget. I call this micro Governance.
Definitions of IT Governance
IT Governance is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. Various bodies of authority on the subject publish similar definitions of IT Governance, each with its own emphasis of intent. Four prominent authorities define IT governance on their web sites as follows:
1. ISACA: …provide the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.
2. ITGI:… an effective IT governance framework that addresses strategic alignment, performance measurement, risk management, value delivery and resource management.
3. Forrester: … The act of establishing IT decision structures, processes, and communication mechanisms in support of the business objectives and tracking progress against fulfilling business obligations efficiently and consistently.
4. MIT Sloan School of Management: IT governance is the process by which firms align actions with their performance goals and assign accountability for those actions and their outcomes.
The three predominant frameworks for implementing IT Governance are provided by ISACA, ITIL and ISO. In a more granular view, the ISO 38500:2008 guiding principles are organized into three prime sections, specifically Scope, Framework and Guidance. The framework comprises definitions, principles and a model. It sets out six principles for good corporate governance of IT:
* Responsibility
* Strategy
* Acquisition
* Performance
* Conformance
* Human behaviour
Significance of IT Security Governance for Compliance
Compliance violations may attract all manner of liability directly affecting a governance committee, such as fines and confinement for SOX, revocation of interconnection agreements with electrical utilities for NERC CIP, and violation notices from third party auditors for COBIT.
Examples of well known regulatory frameworks and compliance standards are as follows:
* Financial - SOX, Bill 109, Basel II, PCI, SAS 70
* Electrical Infrastructure for North America - NERC CIP
* Privacy – PIPEDA, Red Flag, GLB
* Industry Best Practices - COBIT, ITIL
Next week’s blog will cover the problems caused by insufficient Governance and the root causes of this problem.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Tags: Information Security, IT Governance, IT Security Posted in Information Security, Internet Security, Security Postings | 1 Comment »
Tuesday, December 15th, 2009
My blog this week is a review of a book I recently read, which purportedly was going to tell the reader “What the computer security industry doesn’t want you to know.”
The Myths of Security
By John Viega,
Published by O’Reilly Media Inc.
Printed June 2009
This self-proclaimed exposé about secrets closely guarded by the security industry fails to tell the reader much of anything new, except the details of John Viega’s history of working with McAfee – twice.
The word Myths in the title implies, at least to me, long believed truths about to be proved otherwise. These revelations never occurred in the 48 chapters, unless you consider repeating common knowledge in the security industry as new revelations.
A central revelation is that AV vendors have a difficult time keeping up with new malware. There are several chapters dedicated to why AV tools are not effective, why they consume large amounts of computer resources, and the author’s idea that AV industry members should collaborate by sharing their knowledge of zero-day malware. He further suggests they create “CIST”, the Consortium for Interoperability with Security Technology.
These ideas of collaboration sound viable from a technical perspective, but hardly realistic in a competitive capitalistic environment that favours the strongest vendors. However the author’s suggestions are not revelations of secrets.
Viega goes on to compare the workings of AV with firewalls and with IDS. While these analogies are clever, they are hardly central to the book’s premise of revelation.
I was left scratching my head as the author claims that many AV products have a low degree of usefulness, without providing any statistical, verifiable evidence to prove his point. Unsubstantiated opinion, and in my opinion, overly negative.
Which brings me to the next point: the author’s many references of praise for McAfee. After 20, I lost count of references to McAfee, liberally spread throughout the book. This affection and praise for one vendor and twice-previous employer certainly challenges the impartiality of the author’s revelations.
It seems the author has liberally substituted hyperbole for fact. For instance the chapter entitled “Google is Evil” says Google’s Adwords creates a conflict of interest between impartiality and profit. Hardly a surprise. The Chapter “VPNs Usually Decrease Security” states the obvious: a compromised VPN’d client workstation indeed is a threat to a host network.
Similarly “The security Industry is Broken” chapter really says security vendors of products and services are not 100% perfect. No further comment is necessary here.
It is not clear to me for whom the book is intended. It cannot be for security practitioners with certifications such as CISSP or CISM. In an effort to minimize technical terms, Viega uses a wordy description to avoid the word “hashing” (which is mentioned in a footnote below the text).
End users who are not technology savvy might find the book verbose. The few good security recommendations are summarized in a few pages; recommendations which are commonly stated in any end-user policy worth reading.
Time reading this book would be better spent elsewhere.
PS I feel guilty writing such a negative article, especially since it is far easier to criticize than to create. So please take my comments with a grain of salt.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Tags: Computer Security, Information Security, IT Security, Security Industry, The Myths of Security Posted in Information Security, Internet Security, Security Postings | No Comments »
Tuesday, December 8th, 2009
Last week I posted a rough draft of part 1 of 2 of an article devoted to a concept I am creating called Micro-Governance. Next week’s post is part 2 of 2. I would greatly appreciate your ideas / feedback / constructive criticism. Thank you in advance for sharing your ideas with me.
Barriers to implementing IT Governance
- All encompassing scope
- Complex PPM Project Portfolio Management
- Expensive
- Time consuming
- Risk is very difficult to quantify
- False sense of security confuses cost justifying security budgets
- Turf wars over accepting / relegating ownership of responsibilities
- Maintaining longevity of the process
Micro-Governance, a Practical Alternative
- Minimize liability of executives / board
- Facilitates communications between Governance and the Security Team regarding cost justification of budget
- Provides a regular opportunity for the Security Team to convey top priorities with requests for executive authorization
- Minimizes decision time and frustration levels by identifying bite sized issues
- Quantify the few most threatening risks
- Create a virtual team with responsibility to mitigate and report
- Measure the results
- Authorize / fund the virtual team
Call to Action
- CEO and CIO discuss a few top priority IT security risks that require immediate decisions / funding
- Formally create a micro-Governance process to address each risk.
- Engage a third party advisor to expedite the process.
- Create a small virtual team to manage each risk management process.
- Assign other management and employees as appropriate to the virtual team.
- Identify a timeline to complete the project.
- Identify a mechanism to test the degree of success of the mitigation
- Identify a timeline to report the degree of success back to the IT Governance Committee.
Assess Financial Cost of Risk and Residual Risk
- document the technical risks
- Translate them into business risks
- Utilize a straw poll for executives to estimate the cost of liability should the risks become realities.
- Utilize a straw poll for technology experts to guestimate the % chance of a onetime occurrence both before and after mitigation steps are applied.
- Compare the cost of risk vs. residual risk to the cost of mitigation
Create Longevity to the Micro- Governance Process(es)
- Direct the virtual team(s) to continue monitoring and to report to the Governance Committee according to a defined schedule
- Otherwise dissolve the virtual team(s)
Sources of Information – Governance Authorities
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Tags: Information Security, Information Security Compliance, IT Governance, IT Security Posted in Information Security, Internet Security, Security Postings | No Comments »