<p>KanSecurity Resources: information security management, information risk management and cybersecurity. Blog by KanSecurity Musings (http://www.blogger.com/profile/05610649934716658688).</p>
<p>Black Swans and other things. Published 2020-04-12.</p>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiedKfwkJtc1c1rdqV0WkTskOmd1Qd86U4ETugnoob7uiizVGPBkjuhfuijbafz5ENVgp5XBhCdhbKx9fq5ex7ZTzrLcJqgp11HDXPycBd7g3Arrte5Lp5sU6I7_MsrBgW6HUdyZd4LFF4/s1600/Swan.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="146" data-original-width="222" height="131" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiedKfwkJtc1c1rdqV0WkTskOmd1Qd86U4ETugnoob7uiizVGPBkjuhfuijbafz5ENVgp5XBhCdhbKx9fq5ex7ZTzrLcJqgp11HDXPycBd7g3Arrte5Lp5sU6I7_MsrBgW6HUdyZd4LFF4/s200/Swan.png" width="200" /></a></div>
<br />
<h2>
Black swans and other things.</h2>
For transparency I’m not an academic. What I enjoy doing is reading academic works, it does not matter what field, with the objective of attempting to answer questions I have related to information and cyber security.<br />
<div class="MsoNormal">
Two [of many] questions<i> [the context throughout this blog is businesses, organisations, and information and cyber security]</i>.</div>
<ol>
<li>Why, in the many cases that have been documented, do Chief Information Security Officers [CISO] get shown the door following a major breach of a company network? Whilst CISOs are highlighted, others having a similar role but not called CISOs, are also covered under this question.</li>
<li>Why, given the current situation of COVID-19, were many businesses unprepared?</li>
</ol>
<br />
The unauthorised attempts at infiltrating a company network are not outliers [thus not a Black Swan]; they happen daily, it is the norm. <br /><br />The evidence, even though prejudiced in itself, is there for all to see. I say the evidence is prejudiced simply because not all of it is made available or reported. In fact, it could be suggested that unless an organisation’s hand has been forced, breaches and any resulting negative activity will be kept as quiet as possible. <br /><br />Does this distort the statistics that pop out? Yes, of course it does, but confirmation bias leads us down the path of believing all swans are white or, <i>not taking seriously what we don’t see</i> [Taleb].<br /><br />Following a large data breach, hindsight bias leads us down the path of: we knew about this all along, so why was no action taken? CISO, you’re fired. Unless the CISO is a complete numpty, they will know, and will have communicated, the many challenges in the information and cyber security environment, much of which is unseeable, unknown. <br /><br />COVID-19, described as a pandemic [WHO], is causing untold misery at the human level as well as the business level. But is it an outlier, a Black Swan event that was unexpected; came out of nowhere?<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOkwzQhrPEsIN8JYFoWK1y3ClswEm3EcOBNTMGBg62QJ_zUl4gLtZjKZohZg8VxITDLDkiH126htJvAoJbwtb0A_MCCH3aNMUe2NCqeo7L41ouEbMjrspK9xgY5feoiXQhfpfUBjNCbKk/s1600/table.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="272" data-original-width="1222" height="140" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOkwzQhrPEsIN8JYFoWK1y3ClswEm3EcOBNTMGBg62QJ_zUl4gLtZjKZohZg8VxITDLDkiH126htJvAoJbwtb0A_MCCH3aNMUe2NCqeo7L41ouEbMjrspK9xgY5feoiXQhfpfUBjNCbKk/s640/table.png" width="640" /></a></div>
<div>
<i>Figure 1 - Nothing scientific in this, just observation. Nassim Taleb’s criteria summarised to the nth degree</i></div>
<div>
<i><br /></i></div>
<div>
A top-down view suggests that pandemics are not Black Swan events. That is to say,<i> not all criteria</i> [Taleb] have been met. However, when drilling down to a particular cause of a pandemic, COVID-19, it does meet all the criteria [IMHO], and thus could be described as a Black Swan event. </div>
<div>
So, based upon this I have two thoughts:</div>
<div>
<ol>
<li>Pandemics in general are not Black Swan events. History is full of examples of pandemics. Therefore, some level [base line] of contingency should be in place. But, in this instance, the type of virus was an unknown-unknown.</li>
<li>COVID-19 is a Black Swan, because as a particular strain of virus [all mutations considered], it is an outlier and no amount of planning for this unknown-unknown could have been in place. The only contingencies that could have been planned for were at the pandemic level [the baseline].</li>
</ol>
<div>
What does all this mean, in my eyes at least?</div>
<div>
The world is a slightly different place [that goes without saying really] and businesses [organisations] of any type, sector, size are going through the wringer. Some will survive; sadly many will not. Could some of the challenges have been planned for? Yes, at the higher level. Of course, this is hindsight bias: planning for a pandemic/epidemic/weather/damage to business objectives, brand/keeping the business going could all have been planned for as a base line, ensuring continuity rolls down to a granular level.</div>
</div>
<div>
<ul>
<li>Now, working from home [reaction to the situation], should I use a web-based conferencing system? Yes, I need to. Everyone is using Zoom, let’s follow the trend. In the short term why not, because <i>I’m happy to compromise the long term</i> [John A Zachman]. Meaning, that I don’t care about the long-term security/data protection implications, I need a short-term solution, and because<i> I cannot see the long-term negative implications</i> [confirmation bias]. Hindsight now tells us [as it did with the Zoom CEO] that basic security measures should have been in place. Too late.</li>
</ul>
</div>
<div>
Do I need to put in place contingency for ‘a’ pandemic? Yes, that is the ideal. But I cannot see the long-term implications, so I don’t. I will simply rely upon a short-term reactive solution.</div>
<div>
<br />But the world is different now. Surviving businesses will look [in hindsight] one hopes at the business continuity; contingency planning; disaster recovery. But CISO [and similar] may say, hang on a minute, let’s do this the right way. At the moment <i>we react for immediate gratification</i> [Zachman] from the bottom-up [put in a UTM box etc.], it is now time to plan and implement top-down. </div>
<div>
<br />We cannot plan for the next COVID-nn because we don’t know what it will look like [presumably]; we cannot plan for the next zero-day exploit, we don’t know what that will be. But we can plan for a pandemic; for an epidemic; for the weather; for protecting the business and its brand. Top-down, and not bottom-up.</div>
<div>
<br />We are in this together; we always have been, it’s just that some fail to recognise their own biases that impacts upon the whole system.</div>
<div>
<div>
<i>Disclaimer: In an attempt to discover some answers, I looked at the work of Nassim N Taleb [The Black Swan, 2007; and Fooled by Randomness, 2001], as well as other works based upon cognitive bias, and specifically confirmation bias; self-serving bias; hindsight bias. I can of course be accused of using various biases within my thinking; but I’m not attempting to persuade others [you], I’m simply putting down what is in my head whether right, wrong, or simply indifferent.</i></div>
</div>
<div>
<i><br /></i></div>
<div>
[NRL]</div>
<div>
<br /></div>
<br />
<p>Info and Cybersecurity tips - working from home. Published 2020-03-25 by KanSecurity Musings.</p>
<div class="separator" style="clear: both; text-align: center;">
<img border="0" data-original-height="366" data-original-width="488" height="149" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtV6q1PmkeTjWgd7huGHuHUoI6oJOjVCy8RLwZren5ui1cELLTB2w-Li7-Ot5iwmDSc5WyiT2gvU2-Z39oGgYSgqgqIjA0hQBJcpSYOHf4IOkNi03OiyyHb2ZPXQB_ieyvk1qi87lIigE/s200/Trlogo.jpg" width="200" /></div>
<h2 style="clear: both; text-align: center;">
<span style="color: #cfe2f3;">Working from home - hints and tips</span></h2>
<div>
Pretty sure you will have seen so many hints lately about working from home, using laptops and so forth. </div>
<div>
<br /></div>
<div>
First, if you have not heard of KanSecurity Ltd - it is based in Carlisle, Cumbria, and in fact has been for a good number of years. As a company it provides, advice; guidance; help; training, on all matters related to information and cybersecurity. Nigel, the owner, is a veteran [25 years] and has been working in the world of information and cybersecurity for over 30 years. So, work is mainly with larger organisations and businesses BUT, KanSecurity Ltd is here to help micro, small and medium businesses in any way it can. </div>
<div>
<br /></div>
<div>
Let’s face it, information and cybersecurity is complex, and not always fully understood by your IT Service Provider. KanSecurity works with your IT Service Provider, not against them. So whilst they will do a brilliant job of sorting out IT - is that IT Security, Computer Security, Information Security or Cybersecurity? There's a question for you. KanSecurity looks at it all!</div>
<div>
<br /></div>
<div>
Here are some tips if you are working from home with your own or work laptop/workstation/device of any other kind:</div>
<div>
<br /></div>
<div>
<h4>
<span style="color: #ead1dc;">Follow health and safety guidelines</span></h4>
<div>
<ul>
<li>Make sure cables do not become trip hazards</li>
<li>Do not create a fire hazard when using electrical sockets</li>
<li>Place drinks away from any devices so that in the event of spillage there is no impact on the device</li>
<li>If eating, take time away from the device to do so</li>
<li>If possible use anti-bacterial wipes [or similar] to keep the keyboard and mouse or trackpad clean</li>
</ul>
<h4>
<span style="color: #d9ead3;">Using your laptop</span></h4>
<div>
<ul>
<li>Sit comfortably</li>
<ul>
<li>Not too far, not too close</li>
<li>Adjust your seating if necessary</li>
</ul>
<li>Follow the company policy [if there is one of course] on using display screen equipment </li>
<ul>
<li>The display should be positioned so that you look down into the monitor</li>
<li>Take a break away from the screen, at least every hour</li>
</ul>
<li>Avoid glare on your screen</li>
<ul>
<li>Draw the blinds if necessary</li>
</ul>
<li>Keep pets away from the laptop and the cables.</li>
</ul>
<h4>
<span style="color: #ead1dc;">Communicate</span></h4>
</div>
</div>
</div>
<div>
<ul>
<li>Communication is important; don’t become isolated when working on your own</li>
<ul>
<li>Talk to your manager and team colleagues </li>
<li>Call them</li>
<li>Use online conferencing apps if you have one. If not try Skype. </li>
</ul>
<li>If email is your only means of communication work through them methodically</li>
<ul>
<li>Acknowledge receipt of emails and if necessary go back with more detailed responses later; but don’t forget.</li>
</ul>
<li>Do not become embarrassed or stressed or pressured with technical challenges </li>
<ul>
<li>Talk with a colleague,</li>
<li>Talk to your help desk</li>
<li>Someone will help you.</li>
</ul>
</ul>
<h4>
<span style="color: #d9ead3;">Online security</span></h4>
<ul>
<li>Always have a virtual private network [VPN] active before doing any personal or work related stuff. I use two types - one on my phone and one on all laptops. So, before accessing the WWW or sending out emails make sure the VPN is active. Why? It keeps the communications between your device and the big bad world private [for want of a better word].</li>
<li>If you are using a company laptop - do not go hunting for dodgy websites - your company will know. Just because you are working from home with a company device, it still means the IT team will have an inkling that you are on a bingo site [or some such thing]. If it is your own device - still don't do it! This is when your IT is most vulnerable and there are bods [aka criminals] out there that will take full advantage.</li>
<li>If not required, keep your webcams covered up; switch-off the device microphone. And if your laptop has a rear facing cam, cover that up as well.</li>
<li>Please do not click on links in an email or a text message if you do not know the source of the mail or message. Get rid! If you have an IT Help Desk, let them know - they will take the appropriate action.</li>
<li>Make sure that any anti-virus, anti-malware apps you have are working, up to date, and monitoring for malware. </li>
<li>Don't plug external devices into your laptop USB [or similar] ports, unless you are specifically enabled to do this.</li>
<li>If your laptop or other device becomes infected with malware</li>
<ul>
<li>do not panic</li>
<li>don't touch anything</li>
<li>call your help desk immediately [you should have been given full instructions on this beforehand]</li>
<ul>
<li>explain exactly what is happening and they will advise from there on in.</li>
</ul>
<li>If you are able - switch off the Internet Access on your device</li>
<ul>
<li>Win 10 - bottom right of your screen you will see the access icon,</li>
<li>Left click mouse,</li>
<li>On the list that pops up you will see your home router showing - click - disconnect.</li>
</ul>
<li>Still do not touch anything - listen to help desk.</li>
<li>If it turns out to be a false alarm - <i>do not be embarrassed or stressed</i> - you did the right thing - you reported it. </li>
<ul>
<li>Switch your Internet Access back on - make a cuppa - crack back on.</li>
</ul>
</ul>
<li>Always remember that some of the data [information] you are working with may be confidential - keep it that way. </li>
<li>If you print something - keep it covered up and lock it away at the end of the day. </li>
<ul>
<li>When the lockdown has ended, take any printed material back into work for filing or secure destruction.</li>
</ul>
<li>Whilst it would be good to suggest that your home router [and indeed home network] is fully secure - but unless you know exactly what you are doing - don't start trying to muck around with stuff. </li>
<ul>
<li>The ideal is that the home router passwords are not set at the default, and that your home network is segregated - work stuff and personal stuff. </li>
<li>If you have the time [and yep, that may well be possible now] change the default passwords on the router [get the instructions - in one of the kitchen drawers probably - if not go to your ISP's webpage and look for instructions] and then let those in the household know. And they don't share it with anyone else! </li>
</ul>
</ul>
</div>
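<div>
Added example, not part of the original post: a PowerShell script for two of the tips above on a home Windows 10 laptop. It checks that the built-in anti-virus [Microsoft Defender] is enabled, monitoring in real time and has recent signatures, and, only when run with an assumed <i>-Isolate</i> switch, disables every active network adapter [the scripted form of "click the network icon, disconnect"]. It assumes the Defender and NetAdapter PowerShell modules that ship with Windows 10 and an elevated [Run as administrator] prompt for the disconnect step; a third-party anti-virus product will not show up in Get-MpComputerStatus.</div>

```powershell
# Added example (not from the original post). Assumptions: Windows 10/11 with
# the built-in Defender and NetAdapter modules; elevated prompt for -Isolate.
param(
    [switch]$Isolate,               # actually disconnect; default is report only
    [int]$MaxSignatureAgeDays = 1   # signatures older than this count as stale
)

function Get-AvHealth {
    # Report-only check of the "anti-virus working, up to date, monitoring" tip.
    param([int]$MaxAgeDays = 1)
    $s = Get-MpComputerStatus
    $healthy = ($s.AntivirusEnabled -and $s.RealTimeProtectionEnabled -and ($s.AntivirusSignatureAge -le $MaxAgeDays))
    [pscustomobject]@{
        AntivirusEnabled     = $s.AntivirusEnabled
        RealTimeProtection   = $s.RealTimeProtectionEnabled
        SignatureAgeDays     = $s.AntivirusSignatureAge
        SignatureLastUpdated = $s.AntivirusSignatureLastUpdated
        Healthy              = $healthy
    }
}

function Disconnect-AllNetworks {
    # Disable every adapter that is currently up. Reversible later with
    # Enable-NetAdapter -Name <name> once the help desk says it is safe.
    $up = @(Get-NetAdapter | Where-Object { $_.Status -eq 'Up' })
    foreach ($a in $up) {
        Write-Host "Disconnecting $($a.Name) [$($a.InterfaceDescription)]"
        Disable-NetAdapter -Name $a.Name -Confirm:$false
    }
    return $up | Select-Object Name, InterfaceDescription
}

$health = Get-AvHealth -MaxAgeDays $MaxSignatureAgeDays
$health | Format-List

if (-not $health.Healthy) {
    Write-Warning "Anti-virus is not fully active or signatures are stale: tell your help desk before doing anything else."
}

if ($Isolate) {
    # Suspected malware: cut the network first, then leave the laptop alone and phone the help desk.
    Disconnect-AllNetworks
}
```

<div>
Save it as, say, <i>avcheck.ps1</i> [an assumed name] and run <i>.\avcheck.ps1</i> to get the health report only; <i>.\avcheck.ps1 -Isolate</i> additionally takes every active adapter down. The disconnect is deliberately opt-in so that the everyday check cannot knock you offline by accident, and the adapters can be re-enabled with Enable-NetAdapter once the help desk has finished.</div>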
<div>
Don't be clicky-click happy - look at what you are doing first, ask yourself the question, is this legit - then go clicky-click if you are good with it.</div>
<div>
<br /></div>
<div>
<span style="color: #fff2cc;">Communicate - this is one is so important - don't feel isolated</span> - chat to someone if you are getting stressed, pressured or simply you don't know how to do something with your IT. It is alway far better to ask the question or seek help, than to sit there getting into a tiswas. </div>
<div>
<br /></div>
<div>
Keep well and if you need help - email me</div>
<div>
KanSecurity [<a href="mailto:contact@kansecurity.com" target="_blank">Nigel</a>] </div>
<div>
<br /></div>
<div>
<a href="https://1.1.1.1/" target="_blank">VPN [DNS resolver] = Warp [1.1.1.1]</a></div>
<div>
<br /></div>
<br />
<p>Rise of the Checklist. Published 2020-03-19 by KanSecurity Musings.</p>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0Bawd6FKwNkADNkpXVD0LFeIZKUg-vxNnWk-DqeQBgTokO9mLf-QWdWXYQPtbx8stFgpm7cLcHrIy3D2NFVqxLQYX4dmDnrd802k1BWABHR7xTrGxb980WJgBQ8a3-7rXsJ9n9ZiayJM/s1600/Meteor.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="201" data-original-width="338" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0Bawd6FKwNkADNkpXVD0LFeIZKUg-vxNnWk-DqeQBgTokO9mLf-QWdWXYQPtbx8stFgpm7cLcHrIy3D2NFVqxLQYX4dmDnrd802k1BWABHR7xTrGxb980WJgBQ8a3-7rXsJ9n9ZiayJM/s320/Meteor.jpg" width="320" /></a></div>
<h2>
Rise of the checklist</h2>
<div class="MsoNormal">
With thanks to the coronavirus, there has been a rise in
checklists; what you should or shouldn’t do and so forth.</div>
<div class="MsoNormal">
<br /></div>
<div>
<div class="MsoNormal">
Well here is another one, but this time with a twist.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Let’s suggest for the moment that there is no business
continuity plan [BCP] in place, or if there is a plan [created to satisfy a
client] but quite frankly isn’t worth the paper upon which it was printed, then:</div>
<ul>
<li>What did the IT team have to put in place, at a rush and without testing [probably] to enable staff to work from home?</li>
<ul>
<li>Make a list</li>
</ul>
<li>What did the HR team have to put in place, at a rush and without testing [probably] to enable staff to work from home?</li>
<ul>
<li>Make a list</li>
</ul>
<li>What did the payroll team have to put in place at a rush to ensure that staff can continue to be paid?</li>
<ul>
<li>Make a list</li>
</ul>
<li>What did team leaders have to put in place, at a rush, to ensure that staff working from home are supported; do not feel isolated; do not become stressed?</li>
<ul>
<li>Make a list</li>
</ul>
<li>What did the business have to put in place, at a rush, to ensure that the business premises remained physically secure whilst everyone was working from home?</li>
<ul>
<li>Make a list</li>
</ul>
<li>What is going to happen when everyone comes back into the office; what needs to be checked?</li>
<ul>
<li>Make a list</li>
</ul>
</ul>
</div>
If you haven’t got it yet, this is called learning lessons; the purpose is to learn from the mistakes made during the current crisis so that if ever the world goes awry again, you have a workable plan.<br />
<br />
Regrettably if that 100-mile-wide meteor is headed in your direction, no amount of planning is going to help. Sorry.<br />
<br />
Looking at the list above you will probably notice that there are various departments/functions/services of the business that come into play. They do not sit in isolation; they work together.<br />
<br />
Whilst in this day and age the emphasis is upon disaster recovery (DR) in the event those cybers come attacking, the reality of a pandemic is upon the world. Your business continuity [DR is a subset of the business continuity] plan should have been documented, tested, reviewed, tested again, and maintained.<br />
<br />
So, with the lesson learned process in mind, and whilst at home shooing the cat away from the keyboard, the business needs to start looking at how it is going to improve matters once the COVID-19 has bitten the dust.<br />
<br />
If you haven’t cottoned onto the irony of a raft of cybersecurity checklists being published by those who have Certified you or trained you in information and cyber security, then corona is the least of our problems. Subtle as a brick.<br />
<br />
For all your information and cyber security training needs…😀<br />
<br />
KanSecurity Ltd [NRL]<br />
<div>
<br /></div>
<p>A laptop called information. Published 2020-03-03 by KanSecurity Musings.</p>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixmesFI6g-bycwNuB-JnDbwiowfpb96-wlqerdZpc3AkIXZou_om8Rf0lfFqfFMUMkqE2M9_j7JyOBTJinh5WH2sjTUEtG-yZEPXOmV6JKmzMIBqlWsHZ6A7aFufV6RTrN1ji4pVvSaBM/s1600/Info.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="239" data-original-width="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixmesFI6g-bycwNuB-JnDbwiowfpb96-wlqerdZpc3AkIXZou_om8Rf0lfFqfFMUMkqE2M9_j7JyOBTJinh5WH2sjTUEtG-yZEPXOmV6JKmzMIBqlWsHZ6A7aFufV6RTrN1ji4pVvSaBM/s1600/Info.png" /></a></div>
<h2>
Information asset – a laptop too far</h2>
<div>
<br /></div>
<div>
<div>
An asset is most often defined as being something of value [to the business]; a resource that has economic value.</div>
<div>
<br /></div>
<div>
In accounting terms, ‘of economic value [to the business]’ means, a resource that has the ability to generate financial benefit [or loss]. </div>
<div>
<br /></div>
<div>
An information asset could be defined as being a body of knowledge [information], a resource that has economic value, [benefit, or loss to the business]; where a body of knowledge is the collection of information gathered together in one or more places.</div>
<div>
<br /></div>
<div>
For example: an information asset [a body of knowledge] that is intellectual property [IP] could be said to have financial benefit; it has economic value to the rightful owner. However, if other parties gain unlawful access to the IP for their financial benefit, this could impact upon the lawful owner’s rights. How important then is that IP to its rightful owner? </div>
<div>
<br /></div>
<div>
To put it another way; if the lawful owner of the IP does not put mechanisms in place to protect the resource [the IP in this case], what would be the consequence?</div>
<div>
<br /></div>
<div>
Some information could simply enable the business to function within legal and other boundaries, but yet still be referred to as an information asset.</div>
<div>
<br /></div>
<div>
For example, employee Information could benefit the business by enabling it to function effectively, and within data protection compliance boundaries. Therefore, any unlawful use [theft, destruction] of this information could result in regulatory action, and any action the employee may take. This could have negative economic consequences on the business [potential for loss]. Thus, this information is an asset, an information asset.</div>
<div>
<br /></div>
<div>
But what of the laptop? It is a device that has been purchased [or leased] that is physical in nature; in use to enable the human being to access the digital world. Other uses are available, a doorstop for example.</div>
<div>
<br /></div>
<div>
Given a laptop; a word processing application; and a human being, the latter could select keys on the laptop keyboard to form symbols that eventually create meaning [perhaps a letter to a customer]. Similar in many ways to taking a clean sheet of paper, and a pen, to create the letter. </div>
<div>
<br /></div>
<div>
The letter, whether output to a sheet of paper or onto a laptop screen is formed of symbols that when taken as a whole conveys some meaning [information] to a reader [the author; the customer]. </div>
<div>
<br /></div>
<div>
Are the paper/pen combination information assets? Are the laptop/word processor/screen combination information assets? Strangely enough no, they are simply tools. </div>
<div>
<br /></div>
<div>
Does the information [the letter] actually know its own worth, its value to the business? Most unlikely. </div>
<div>
<br /></div>
<div>
This being the case then, mechanisms to identify the information’s value should be considered. If the identification indicates high value, the next step in the process would be to ensure that other mechanisms are identified to protect the information. </div>
<div>
<br /></div>
<div>
Naturally this is based upon the fact that the information is unable to determine its own value or worth to the business. It should be noted that no A.I.s were harmed whilst forming that conclusion.</div>
<div>
<br /></div>
<div>
In summary:</div>
<div>
<ul>
<li>If information is identified as having economic value [benefit or loss], whether high or low, to the business it is an information asset, a resource having value.</li>
<li>The information has zero knowledge of its own value. It simply sits there staring at you. </li>
<li>The tools to create the information [pen/paper, laptop etc] are also assets; resources; tools.</li>
<li>The paper/pen, laptop etc, do not know their true value either. They too sit staring at you until you use them to create, oh let’s see, information. </li>
<li>The human being determines the information’s value, puts appropriate mechanisms in place for its protection, and by so doing recognises, perhaps, that physical assets are also in need of protection mechanisms.</li>
<li>Knowing the type and whereabouts of information assets would be quite handy, as would knowing the relationship between them and their [physical] assets.</li>
<li>The human being; the information assets; and the physical assets form part [!] of a whole – an information system, that needs mechanisms in place for its protection.</li>
</ul>
Calling a laptop an information asset is, in my opinion, odd [for want of a better word].</div>
</div>
<div>
<br /></div>
<div>
KanSecurity Ltd (NL)</div>
<div>
<br /></div>
<p>Sleepless nights, and business owners. Published 2020-02-24 by KanSecurity Musings.</p>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsJpLnWild3XlgUbX4PbNBteETMQR_XSql1_NBHsHbU10tI_Hp6sLBc8h6MTy-rNEAazkBK-OxldWMjdldEILeGtru5oGKX3cTDfPCSdBlRhgAPjW10Tuoft_Qhy7Bpegc3mBx95IbTPo/s1600/Business.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="199" data-original-width="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsJpLnWild3XlgUbX4PbNBteETMQR_XSql1_NBHsHbU10tI_Hp6sLBc8h6MTy-rNEAazkBK-OxldWMjdldEILeGtru5oGKX3cTDfPCSdBlRhgAPjW10Tuoft_Qhy7Bpegc3mBx95IbTPo/s1600/Business.jpg" /></a></div>
<br />
<h3 style="margin-top: 0cm;">
What keeps the business owner up at night?</h3>
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;">I am talking about owners of the micro, small, and in some cases medium sized business; those owners who on a daily basis put their heart and soul into building their business and doing all they can to keep it running successfully; making profit; keeping customers happy; employing people etc.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The farthest thing from their minds will be information and cyber security. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">It could even be suggested that the mere mention of the subject is likely to result in a furrowed brow followed by, this is what I pay the IT Service Provider to look after.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">It is not surprising then that the evangelist, having worked in the information and cyber security space for many years, comes across disinterest; disregard; and perhaps just a bit of indifference when the subject is raised.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">That is not meant to insult the business owners, it’s simply a fact of the evangelist's life.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">For 20 years and more so many thoughts around how to change mind-sets have come; gone; and come back again without too much forward movement. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">For the evangelist this is simply a case of, ‘I don’t understand why you don’t understand’.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">It is abundantly clear then that addressing the ‘lack of understanding’ has got to be a priority; but then it always has been. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Perhaps it is the language (and acronyms) of information and cyber security that is one of the challenges. Admittedly a whole new level of strangeness. When added to the IT Service provider speak, then perhaps talk of and for example, information security management systems (ISMS), will be a step too far. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">If the business owner is already paying an IT Service provider, and listening to IT speak, why pay for additional services, and cope with the strangeness that is information and cyber security? Besides, if the talk is about ‘cyber’, then surely that is IT; isn’t it?</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The UK National Cyber Security Centre (NCSC) provides a considerable amount of excellent advice; but they can only do so much. The advice given will not necessarily be in-line with your specific business context. The local IT Service Provider will of course be of value. However, it is not simply a case of a new firewall or AV or a UTM box; there is much more to the challenge.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">The information and cyber security professional will provide their knowledge and experience; use NCSC (and other) guidance; work with the IT Service Provider; but place it all into an information and cyber security context that meets your specific business need. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">All that is required is you, the micro, small or medium sized business owner. We can show you the watering hole; show you how and when to drink; the types of water to be cautious of; and other hazards found at the watering hole. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">Getting down to completing the task of drinking is up to you. If you don’t drink what is likely to happen to you and your business?</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;">It might just keep you up at night.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: arial, helvetica, sans-serif;">KanSecurity (NL) </span><br />
KanSecurity Musingshttp://www.blogger.com/profile/05610649934716658688noreply@blogger.comtag:blogger.com,1999:blog-2831635582032959668.post-91969044138638243492020-02-17T13:03:00.002+00:002020-02-17T13:03:23.390+00:00The Statement of Applicability<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuXbjaCI1UFdpbPCDcSY0EaR_33-Ccv0llzwii-mXjFIQd8qgSNgN81EsQnl2JY6kLFbhByqaKugFACESBq83NuSETcbJBW779aCesdIqMwR55v-Um1-UCbX6HVuUQFxDpn38OISvf2GU/s1600/Lock.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="164" data-original-width="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuXbjaCI1UFdpbPCDcSY0EaR_33-Ccv0llzwii-mXjFIQd8qgSNgN81EsQnl2JY6kLFbhByqaKugFACESBq83NuSETcbJBW779aCesdIqMwR55v-Um1-UCbX6HVuUQFxDpn38OISvf2GU/s1600/Lock.png" /></a></div>
<h2>
<span style="color: #cccccc;">ISO/IEC 27001:2013 and your SoA</span></h2>
<div>
The journey that sees an organisation gaining its Certification to ISO/IEC 27001:2013 (information security management system (ISMS), requirements) must include the creation of a statement of the applicable controls (or measures) used within the scope of the ISMS.</div>
<div>
<br /></div>
<div>
The Statement of Applicability (SoA) is a mandatory requirement, and is a 'statement' of the controls (or measures) you have implemented in response to the options you have selected to treat a particular risk.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhazp2iSMr_-ZpmA-_aVHFsBcpBiigTf39yUjIMrSfgOn1FH0ILsSJ0-ANlMpdSHxlvE6lMBN4AaAhfr1ELxWzK26VLS2kWg3ki6b9PdiIXCpHeNFAFagyp6Eh6Wya3741YP_yeCnGdYZE/s1600/SoA+%25283%2529.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="491" data-original-width="1600" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhazp2iSMr_-ZpmA-_aVHFsBcpBiigTf39yUjIMrSfgOn1FH0ILsSJ0-ANlMpdSHxlvE6lMBN4AaAhfr1ELxWzK26VLS2kWg3ki6b9PdiIXCpHeNFAFagyp6Eh6Wya3741YP_yeCnGdYZE/s640/SoA+%25283%2529.jpeg" width="640" /></a></div>
<div>
The simple diagram above (and yes it is simple) shows that the SoA is an 'output' document!</div>
<div>
<br /></div>
<div>
I am going to say that the following is all theory, but only because it causes so much angst.<br />
<br />
<ul>
<li>Having identified within the scope of your ISMS the source; the cause; the event; and consequence of a risk, and found through analysis and evaluation that it is unacceptable, the business makes the decision to 'treat' the risk in some fashion.</li>
<ul>
<li>It doesn't matter for the moment in which area of the information and cyber security space this risk presents itself; it is the response process that is of concern here.</li>
</ul>
<li>The business may decide that, given its context and the scope of the ISMS (and business need), the most appropriate response will be to<i> modify the level of risk</i> by implementing a control (other options are available of course).</li>
<li>The process will be planned (including 'change'), and its progress to implementation tracked within the risk treatment plan (RTP). </li>
<li>All details related to 'this' risk will find their way onto the risk register.</li>
<li>At any given point, the statement detailing the status of all controls within scope can be generated at the touch of a button (key stroke). </li>
<li>Given this statement and the RTP a 3rd party (Certifying Body) auditor will sample a number of the stated controls, and track-back to the 'decision making' processes. They are checking to see if the management system is working as required by the standard. </li>
<ul>
<li>If it is stated that a control has been implemented but in reality it hasn't, then the management system is not working.</li>
</ul>
<li>Irrespective of any 3rd party audit, the senior information risk owner for the business, whether known as the SIRO or perhaps the CFO, CISO, CIO, CTO etc, will be in a position to sign-off on the statement as it will show all applicable '<i>internal</i>' controls, implemented or being implemented, that address the information and cyber security risk. </li>
</ul>
Why the angst?<br />
<br />
<ul>
<li>The lack of an effective risk process, which results in:</li>
<ul>
<li>the application of controls (measures) as a knee-jerk reaction rather than a methodical approach to managing information and cyber security risk,</li>
<li>the fudging of a statement of applicability based upon no decision making process save for checking the wind direction,</li>
</ul>
<li>Believing that Annex A to ISO/IEC 27001:2013 (27K1:13) is the only set of controls that can be used:</li>
<ul>
<li>It is not mandatory,</li>
<li>They are out of date,</li>
<li>They are only a reference to ensure that no '<i>necessary controls have been overlooked</i>'. Other control catalogues/lists/references can (and in most cases, should) be used. Indeed, you can create your own if there is a need,</li>
<li>Sector based extensions to Annex A can be used, for example; if the business is a Cloud Service Provider, a Broker, a Peer or indeed a Consumer of cloud services. </li>
</ul>
</ul>
There are some rules around the SoA for 27K1:13:</div>
<div>
<ul>
<li>It should contain all necessary controls,</li>
<li>It conforms to the business's specification of its necessary controls,</li>
<li>If a variation on an Annex A control is used, and that actual Annex A control is excluded entirely, then the business must provide the rationale for the exclusion,</li>
<li>The SoA must be entitled, the Statement of Applicability. <i>With the exception of the SoA, 27K1:13 <b>does not give names to documents</b>.</i></li>
</ul>
</div>
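As an added illustration (not KanSecurity's tooling, and not a template taken from the standard), the following Python sketch treats the SoA the way the post describes: it is generated from the risk register and the RTP, every Annex A control left out must carry a rationale, and a control stated as implemented that the RTP does not confirm, or that no risk justifies, is raised as a finding. The risks, RTP entries and control identifiers are constructed sample data.

```python
"""Generate a Statement of Applicability (SoA) from the risk process.

Added illustration only; not KanSecurity's tooling and not a template from
ISO/IEC 27001. Risks, RTP entries and control identifiers are constructed
sample data (the Annex A titles are used purely as labels).
"""
from dataclasses import dataclass, field


@dataclass
class Risk:
    risk_id: str
    description: str
    treatment: str            # modify / retain / avoid / share
    controls: list = field(default_factory=list)   # controls chosen to modify the risk


@dataclass
class RtpEntry:
    control_id: str
    status: str               # planned / in-progress / implemented (tracked in the RTP)


# Annex A is a reference list only: a control left out of the SoA must carry a rationale.
ANNEX_A_REFERENCE = {
    "A.9.4.3": "Password management system",
    "A.12.2.1": "Controls against malware",
    "A.13.1.1": "Network controls",
    "A.18.1.4": "Privacy and protection of personally identifiable information",
}

# Constructed sample data. CLD.9.5.1 stands in for a cloud-sector extension control,
# CUST-01 for a control the business designed itself.
SAMPLE_RISKS = [
    Risk("R-01", "Phishing e-mail leads to credential theft", "modify", ["A.9.4.3", "CUST-01"]),
    Risk("R-02", "Malware on user endpoints", "modify", ["A.12.2.1"]),
    Risk("R-03", "Loss of the office printer", "retain"),
    Risk("R-04", "Exposure of customer data in the cloud tenant", "modify", ["CLD.9.5.1"]),
]
SAMPLE_RTP = [
    RtpEntry("A.9.4.3", "implemented"),
    RtpEntry("CUST-01", "in-progress"),
    RtpEntry("A.12.2.1", "implemented"),
]
SAMPLE_CLAIMED_IMPLEMENTED = {"A.9.4.3", "CUST-01", "A.13.1.1"}   # what the draft SoA asserts
SAMPLE_EXCLUSION_RATIONALE = {"A.18.1.4": "No personal data is processed within the ISMS scope"}


def build_soa(risks, rtp, claimed_implemented, exclusion_rationale):
    """Return (soa_rows, findings).

    soa_rows is the SoA itself, derived from the risk register and RTP.
    findings lists the inconsistencies an auditor tracking back from the
    SoA to the decision-making process would expect to see resolved.
    """
    necessary = {}                                   # control id -> risks that justify it
    for risk in risks:
        if risk.treatment == "modify":
            for cid in risk.controls:
                necessary.setdefault(cid, []).append(risk.risk_id)
    rtp_status = {entry.control_id: entry.status for entry in rtp}
    rows, findings = [], []

    # Applicable controls: every one is justified by at least one treated risk.
    for cid, justified_by in sorted(necessary.items()):
        status = rtp_status.get(cid)
        if status is None:
            findings.append((cid, "necessary control has no RTP entry tracking its implementation"))
        rows.append({"control": cid, "applicable": True, "status": status or "untracked",
                     "justification": "treats " + ", ".join(justified_by)})

    # Annex A controls that are not necessary: still listed, with the rationale for exclusion.
    for cid in sorted(ANNEX_A_REFERENCE):
        if cid in necessary:
            continue
        rationale = exclusion_rationale.get(cid)
        if rationale is None:
            findings.append((cid, "Annex A control excluded without a rationale"))
        rows.append({"control": cid, "applicable": False, "status": "excluded",
                     "justification": rationale or "RATIONALE MISSING"})

    # Trace-back checks: does what the SoA states match the risk process and the RTP?
    for cid in sorted(claimed_implemented):
        if cid not in necessary:
            findings.append((cid, "stated as implemented but no risk justifies it (knee-jerk control)"))
        elif rtp_status.get(cid) != "implemented":
            findings.append((cid, f"stated as implemented but RTP status is '{rtp_status.get(cid)}'"))
    return rows, findings


if __name__ == "__main__":
    soa, issues = build_soa(SAMPLE_RISKS, SAMPLE_RTP,
                            SAMPLE_CLAIMED_IMPLEMENTED, SAMPLE_EXCLUSION_RATIONALE)
    for row in soa:
        print(f"{row['control']:<10} applicable={row['applicable']!s:<5} "
              f"{row['status']:<12} {row['justification']}")
    for cid, issue in issues:
        print(f"FINDING {cid}: {issue}")
```

Run against the sample data it produces four findings: a necessary control not yet tracked in the RTP, an Annex A control excluded without a rationale, a control implemented with no risk behind it, and a control stated as implemented that the RTP still records as in progress.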
<div>
<br /></div>
<div>
On a final note regarding Annex A, and to quote ISO/IEC 27007:2020 (Guidelines for information security management systems auditing):</div>
<div>
<i>Necessary controls can be ISO/IEC 27001:2013, Annex A controls, <b>but they are not mandatory</b>. They can be controls taken from other standards (e.g. ISO/IEC 27017) or other sources, or they can have been specially designed by the organization.</i></div>
<div>
<br />
If you are looking for further guidance, <a href="mailto:contact@kansecurity.com" target="_blank">please get in touch</a></div>
<div>
<br /></div>
<div>
KanSecurity Ltd (NL)</div>
KanSecurity Musingshttp://www.blogger.com/profile/05610649934716658688noreply@blogger.comtag:blogger.com,1999:blog-2831635582032959668.post-63448077314408818142020-02-09T12:11:00.002+00:002020-02-09T15:38:22.074+00:00Information and Cyber security<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCzN9BzIbLKm6td7Ynmlz0-bCcn3iyj12ECqDvUHX-feg5tZU2doIKTdlRIB3U37yehdsqqY3iRcZP9uSxIr-qHrACujCm2HjgBfw49_uwrPy-REksARMXAK-__4Ba8HMvbIeEUXZu86Y/s1600/NicePic.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="269" data-original-width="201" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCzN9BzIbLKm6td7Ynmlz0-bCcn3iyj12ECqDvUHX-feg5tZU2doIKTdlRIB3U37yehdsqqY3iRcZP9uSxIr-qHrACujCm2HjgBfw49_uwrPy-REksARMXAK-__4Ba8HMvbIeEUXZu86Y/s320/NicePic.jpg" width="238" /></a></div>
<h2>
<span style="color: #cccccc;">Information and Cyber security</span></h2>
<div>
I know that the most obvious thing to do is use the phrase, cyber security. But to me it is so much more than that, and will be the reason I always use the phrase <b>information <u>and</u> cyber security.</b></div>
<div>
<b><br /></b></div>
<div>
Perhaps that is not such a good thing from a marketing perspective. However, I am going to stick my heels in and go against the grain. Being a tad flippant about this; I am able to justify securing (in whatever way) information, but the cyber? I've personally not come across any cybers that needed securing, unlike Dr Who of course.</div>
<div>
<br /></div>
<div>
Moving away from flippancy, to me it comes down to a word, 'intent'. What are the intentions of those acting against us as businesses; as humans; and as nations in such a negative (criminal) way?<br />
<br />
Published more or less on a daily basis will be the statistics that demonstrate just how many records (containing information) are lost. But, the records may not simply be lost (stolen), they could be destroyed or perhaps encrypted.<br />
<br />
A phishing attack that attempts to exploit the weakness of a human into clicking on a link within an email or its attached document has an end objective. The criminals' intent may well be to extort money from its victim (ransomware). Whatever that end objective the outcome to the victim could be catastrophic.<br />
<br />
In Powershift: Knowledge, Wealth and Violence at the Edge of the 21st Century (1990), Alvin Toffler stated that (note: the bulleted list has been paraphrased, and the words in <i>italics</i> are my thoughts):<br />
<ul>
<li>The pool of potential knowledge <i>and information </i>in the world is virtually inexhaustible,</li>
<ul>
<li><i>Note: The storage needs are beginning to outstrip the amount of information/data that is being accumulated. IARPA and others are developing the means to store data onto DNA.</i></li>
</ul>
<li>Information is valuable for trade when you have it and someone else wants it,</li>
<ul>
<li><i>Note: The information a business has is of value to someone else, but to whom and why?</i></li>
</ul>
<li>Information, unlike goods, costs nothing to move around,</li>
<ul>
<li><i>Note: Well, at least very little cost in relative terms, but yet still easier to transport.</i></li>
</ul>
<li>Information can be shared, and then used over and over again, without exhaustion. It is effectively an infinite resource,</li>
<ul>
<li><i>Note: It is an infinite resource from which revenue can, legitimately or not, be generated.</i></li>
</ul>
<li>Information may become valueless as a result of some new information that supersedes or invalidates it.</li>
<ul>
<li><i>Note: as an infinite resource, once some of it has become of little value, it can be replenished.</i></li>
</ul>
</ul>
In September 1975 an article published within Proceedings of the IEEE entitled: The protection of information in computer systems, by J.H. Saltzer and M.D. Schroeder, outlined the mechanics of protecting computer-stored information from unauthorised use or modification. Perhaps of further interest (indeed, concern) is that this paper made reference to many other academic papers going back to at least 1967 many of which studied privacy; information security; programming; cryptography for privacy, to mention just a few.<br />
<br />
The concern, I suppose, must be that the discussion around the protection of information (and privacy) has been going on for 53 years (and more). So, just why did it all go horribly wrong? And make no mistake, it has gone horribly wrong.<br />
<br />
Information (and its data) is something that we work with daily: personal data; companies' merger and acquisition information; the designs for a new product that will take a business from simply ticking-over to one that becomes a major global player; the order-of-battle for a particular navy, army or air force; a user's login credentials; or the readings from your smart (gas/electricity) meter.<br />
<br />
All of this information and its data have a level of sensitivity that is important to the human, to a business, to a government. But, it is also of interest to those individuals and groups who have a less than legitimate reason for acquiring the knowledge.<br />
<br />
But, and this is the challenge, does the CEO, CFO et al have any interest in knowing that the debate around protecting information and its data has been going on for more than 53 years, and yet records in vast quantities continue to be removed, unlawfully, from business and other environments? Whilst many executives are simply 'solution' rather than 'problem' driven, learning lessons is an important part of life.<br />
<br />
Forgetting about the information and its data when considering 'security' is going to end up costing, and not just financially; there could well be a human cost.<br />
<br />
This brings us around to the technology. Whether it is called cyber or IT or technology, I don't think it matters too much. What is clear in 2020 is that technology continues to bash on regardless. In many different ways the world is a better place for it, but it is also a problem space that needs serious consideration.<br />
<br />
The discussions on where 'cyber' originated, its companion cyberspace, or whether cyber is a noun, an adjective or an adverb is not going to be continued here. What will be continued is the discussion on, 'intent'.<br />
<br />
The technology in the office or in our pockets will: aid the manufacture of products; move utilities (gas, electricity, and oil) around; manage the movement of shipping, airplanes, trains, cars, lorries; help in generating nuclear energy, and so on.<br />
<br />
However, here the intent is not to gather information for financial purposes, but to use and to abuse sensitive information to disrupt or destroy the ability of airplanes to navigate safely; to spin up centrifuges; to cause operational technology (OT) devices to run amok in the manufacture of products.<br />
<br />
Where one human manipulates technology for a positive purpose, others will use it for negative purposes.<br />
<br />
But the technology, and perhaps its purpose, can be (is) flawed.<br />
<br />
Take privacy for example. It's not technology itself, it is a concept backed by legislation and regulation that humans demand. But, technology and its purpose can manipulate that concept for other purposes. Social media may well protect the privacy of one human being from another, but does it protect the privacy of those humans from the business itself?<br />
<br />
Technology can and does map a user's mouse cursor movement within a web page. Why, and does the user know that the movement is being mapped?<br />
<br />
Using a device to gain access to the Internet to stream films, documentaries, or a television series whilst staying at a hotel is such a part of modern life. What could possibly go wrong? Using that same device to access the Internet in order to draft work reports online; what could possibly go wrong?<br />
<br />
An awful lot is simply the answer!<br />
<br />
Technology is wonderful, but it is flawed, our use of it is also potentially flawed. A young teen sitting in their bedroom has access to a vast quantity of information technology tools that could (will) negatively impact upon a business, another human being, a government. It is down to 'intent', knowledge that the information technology is flawed and the ease at which another human being can be manipulated.<br />
<br />
Call it cyber security or cybersecurity, one doesn't care, but I'm going to call it <b>information <u>and</u> cyber security </b>because, simply, they are locked together and separating the two is nigh on impossible. Of course you will have your opinion; this one is mine.<br />
<br />
KanSecurity (NL)</div>
KanSecurity Musingshttp://www.blogger.com/profile/05610649934716658688noreply@blogger.comtag:blogger.com,1999:blog-2831635582032959668.post-5224309648424214852020-02-07T09:14:00.005+00:002020-02-07T09:14:38.149+00:00Risk and context<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7bmh-m4vWlas51ipP2K2HJZcaEqMqREB6lwU8iCEMvEOR68oCpJ8UbMQQYrIypFhqwgRudOMxaY86q7fK5YETASFMEJDJJfXWNsrDMa4NAjKDEO3bVkaWDU30ULvkc1YuXTA7ldS3EeY/s1600/Three.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="146" data-original-width="148" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7bmh-m4vWlas51ipP2K2HJZcaEqMqREB6lwU8iCEMvEOR68oCpJ8UbMQQYrIypFhqwgRudOMxaY86q7fK5YETASFMEJDJJfXWNsrDMa4NAjKDEO3bVkaWDU30ULvkc1YuXTA7ldS3EeY/s200/Three.jpg" width="200" /></a></div>
<h2>
<span style="color: #cccccc;">Risk tree...for Certification</span></h2>
<div>
This being the 3rd in the series about information and cyber security risk; but who's counting?</div>
<div>
<br /></div>
<div>
ISO/IEC 27001:2013 (27K1:13) sets out the requirements for an information security management system (ISMS). <a href="https://www.iso.org/isoiec-27001-information-security.html" target="_blank">ISO tells us</a> that an ISMS is:</div>
<blockquote class="tr_bq">
a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.</blockquote>
<div>
There are some key words and phrases within that statement:</div>
<div>
<ol>
<li>Sensitive company information,</li>
<li>Secure,</li>
<li>People, processes, and IT systems,</li>
<li>Risk management process.</li>
</ol>
Starting at the top: information, sensitive information to be more precise, that if not protected (kept secure) could perhaps result in a negative consequence. Keep in mind though, risk is not just about the negative, it is also about opportunities.</div>
<div>
<br /></div>
<div>
Can 'sensitive' (whatever that means) information actually protect itself, or is there a need to include other components to help protect this 'asset' such as people; processes; and information technology (IT) systems?</div>
<div>
<br /></div>
<div>
A second question; what does sensitive mean? Of course, it is going to mean different things to different businesses; what is sensitive to one may not be sensitive to another. It's all a matter of <b>context</b>, and <b>context </b>is very important.</div>
<div>
<br /></div>
<div>
In order to develop a risk management process, the first item on the agenda must be the identification and understanding of the<b> context</b> for which this risk process is to be developed, i.e. the environment in which the business operates and is able to function. </div>
<div>
<br /></div>
<div>
Knowing the <b>context </b>will, perhaps, explain just what 'sensitive' means to the business. It will also tell us the people that may be involved (internal and external), the additional processes that may be required, and given that technology is the one ring to rule them all, what IT systems may be involved, wherever they may be.</div>
<div>
<br /></div>
<div>
Having said all of that there is another oddity to think about; well a few of them, but let us stick with one for the moment.<br />
<br />
What is meant by an asset, and in particular an information asset? 27K1:13 does not help answer the question, it doesn't define the term. A quick peek at ISO/IEC 27000:2018 (ISMS, overview and vocabulary) states, <i>"Information is an asset that, like other important business assets, is essential to an organization’s business and, consequently, needs to be suitably protected." </i>Going further afield to the <a href="https://csrc.nist.gov/glossary" target="_blank">National Institute of Standards and Technology (NIST) and its Glossary</a> does not help either.<br />
<br />
In which case:<br />
<ul>
<li>Asset, something of value (to the business),</li>
<li>Information, any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual. An instance of an information type. (NIST)</li>
</ul>
Therefore:<br />
<ul>
<li>The business that creates, processes, stores, shares, transmits knowledge of its own <i>intellectual property (IP) </i>in the form of data would, one suggests, be referring to an <i>information asset</i>. IP has value to the business, and when in the form suggested, it becomes an information asset,</li>
<li>Where the business creates, processes, stores, shares, transmits knowledge of <i>personal data</i> in the form of data, this too can be referred to as an <i>information asset</i>. The value in this case is to the data subject, but it is likely to be of value (in a slightly different context) to the business. </li>
</ul>
The tools:<br />
<ul>
<li>A device (workstation, laptop, smart phone, pad of some description) that helps a user (or indeed another device) in being able to create, store and then transmit IP is simply that, a tool. </li>
<li>An application sitting on the device (or elsewhere) is yet another tool that facilitates the creation, storing and transmission.</li>
<li>The tools are assets (items of value) in their own right, but</li>
<li><b>These tools are not information assets! </b> </li>
</ul>
<b>Important:</b> if you have not already worked it out, <b>there is a relationship going on here between the information, the tools, and the user. </b>And this relationship is most important when looking at risk!</div>
<div>
<br /></div>
<div>
Things to take away:</div>
<div>
<ul>
<li>Know what is meant by an ISMS;</li>
<li>Look at the context of the business to understand where information and cyber security risk will be positioned (scope);</li>
<li>Get to know what assets (those items of value to the business) are within scope,</li>
<li>Look for the relationship between the information assets and the many, and varied tools that are used within scope.</li>
</ul>
As a final thought; when reflecting upon the many and varied tools used within the business (think about: people; processes; IT systems, for a start) where are the 'weaknesses' or 'vulnerabilities' most likely to be found - the tools, or the information?
</div>
<div>
KanSecurity (NL)</div>
KanSecurity Musingshttp://www.blogger.com/profile/05610649934716658688noreply@blogger.comtag:blogger.com,1999:blog-2831635582032959668.post-4689497545830220242020-02-06T10:09:00.000+00:002020-02-06T10:09:13.825+00:00Risk and Certification<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgp8lE1gkybtRrylh928FScf5mrOslFLUTTx59Jn5k4nhFyDCvnqX_wuhSXFqL2u1DJQvUD-VGpjUlcvq0C9ICOcbtPyASKVxpTc4d04EhK1LWfiQ491gMEGttQksDMRS2IfY2ePXgQzs/s1600/risk2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="315" data-original-width="473" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgp8lE1gkybtRrylh928FScf5mrOslFLUTTx59Jn5k4nhFyDCvnqX_wuhSXFqL2u1DJQvUD-VGpjUlcvq0C9ICOcbtPyASKVxpTc4d04EhK1LWfiQ491gMEGttQksDMRS2IfY2ePXgQzs/s320/risk2.jpg" width="320" /></a></div>
<h2>
<span style="color: #cccccc;">Risk too...for Certification</span></h2>
<div>
The previous discussion on information and cyber security risk was focused toward the micro and small business; the purpose being an attempt to get their ball-rolling on looking at risk.</div>
<div>
<br /></div>
<div>
Certification to ISO/IEC 27001:2013 (information security management system (ISMS), requirements) needs the business to seriously focus on information and cyber security risk. In fact, clause 6 (Planning) and its sub-clauses are all focused on risk; this is the 'plan' element of the plan, do, check, act (PDCA) dance. On the other hand, clause 8 (Operation) and in particular 8.2 and 8.3 are all about carrying out risk assessment and treatment, the 'do' element of PDCA.</div>
<div>
<br /></div>
<div>
The International Organisation for Standardisation (ISO) does not dictate to your business any particular process or methodology for risk. But, whatever process you adopt, it must produce <i>consistent, valid and comparable results (clause 6.1.2b).</i> If not, the system will collapse because, and let me be frank about this, it will not be effective. </div>
<div>
<br /></div>
<div>
ISO/IEC 27001:2013 (27K1:13) is split into two parts - Clauses, and Annex A. Whilst the clauses will need some serious interpretation, it is Annex A that appears to cause one of the biggest challenges.<br />
<br />
Let's bust a myth here; Annex A is a catalogue of 114 controls, and as pointed out within ISO/IEC 27003:2017 (information security management system, guidance) they are a <i>generic representation of controls</i>, and as highlighted in 27K1:13 under note 1 within <i>clause 6.1.3c</i>, Annex A is there <i>to ensure that no necessary controls are overlooked. </i>Although Annex A is important, you are justified in using other control catalogues (e.g.: NIST SP 800-53r5 (or 4)) if they are more appropriate when addressing the business risk treatment options. <b>It is a business decision, not an ISO or Certifying Body decision.</b><br />
<b><br /></b>
Another myth to bust is one that is centred upon why a particular control (or set of controls) has been implemented. There is a simple answer to this conundrum; it is because the business has identified a need through the risk assessment process; a decision has been made to treat that risk (in some way) and it has implemented a particular control (or measure). <b>It is a business decision, not an ISO or Certifying Body decision. </b><br />
<br />
The problem (and it is a serious problem) is when a business has simply knee-jerked, implemented a control (usually a technical one) without actually justifying (through the risk process) its need. In terms of your ISMS, and your certification, the cracks will start to form. If they do then any Certifying Body (CB) auditor worth their salt, will point these cracks out to you.<br />
<br />
Final (for today at least) myth to bust is the Statement of Applicability (SoA). To kick-off, this is a required document (<i>Clause 6.1.3d</i>) that contains the <i>necessary controls</i>. To this end it is an output document, not an input document. It is the output of your risk process all tied up with a nice neat bow. If your CB is due to audit your ISMS on Tuesday, then run the SoA off on the Monday - fresh, up to date and ready to go. One final point on the SoA. This is a seriously important document, not simply for CB audit purposes, because it contains a 'roadmap' of your information and cyber security controls, and the status of those controls. Should the document ever fall into the wrong hands, just think about the consequences for a second or two. In fact, why not simply do a risk assessment on the information that the SoA contains, and determine what, if any, treatment/controls need to be put in place to protect (secure) that information.<br />
<br />
Points to take away:<br />
<br />
<ul>
<li>Information and cyber security risk management is central to your ISMS;</li>
<li>ISO does not dictate the risk process you adopt; there are stacks available - some good, some not so good - it's your choice. But, whatever you do, you <b>must</b> do something;</li>
<li>On the understanding that as a business you are in fact planning and operationally conducting risk assessments, the output (treatment/controls) will be a <b>business decision</b>, based upon its needs, not those of ISO or the CB.</li>
<li>Annex A is a reasonable (if a bit out of date) catalogue of controls; others are available, and you can use them or design your own. On the understanding, of course, that you have justified why you are doing what you are doing through the risk process.</li>
<li>Your SoA is an output document that should be kept confidential to the business.</li>
<li>The direction of travel is - risk assessment process --> treatment options --> controls (measures). <b>Not</b>, controls (measures) then fudge the risk process later on down the line. </li>
<li>There is an awful lot more to achieve for example; the 'check' element of the PDCA dance has not yet been covered. Think about monitoring and reviewing the controls (measures) you have adopted. Do they remain valid?</li>
<li>Last (but not least) - communicate. Talk to people (internal and external stakeholders), let them know what is happening, or seek guidance. Whatever you do, communicate. </li>
</ul>
KanSecurity (NL)<br />
</div>
<div><b>Post: Risk and micro, small business</b> (KanSecurity Musings, 5 February 2020, updated 6 February 2020)</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgge22FwcahJU78QRwfUep0ndFpHadvyW-yYArU2g_RjrjrMoOG2bMlJLMTXC0KAl6_1SGne8lAuouhbhR4iJ0xJjA-ELhGtghET0venm0AgOY7KhgqdvW4pLYZzQXK3jUro6HewrX70b0/s1600/risk.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="133" data-original-width="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgge22FwcahJU78QRwfUep0ndFpHadvyW-yYArU2g_RjrjrMoOG2bMlJLMTXC0KAl6_1SGne8lAuouhbhR4iJ0xJjA-ELhGtghET0venm0AgOY7KhgqdvW4pLYZzQXK3jUro6HewrX70b0/s1600/risk.jpg" /></a></div>
<h2>
<span style="color: #cccccc;">Risk; why is it so difficult?</span></h2>
<div>
Information security risk management or, if you wish, cyber security risk management: either way, it appears to cause a bit of a problem.</div>
<div>
<br /></div>
<div>
Over many years now I have seen and audited different concoctions, the majority of which fail completely to manage the risk effectively.</div>
<div>
<br /></div>
<div>
That said, I have also seen some scarily good processes, many of which are application driven rather than spreadsheet driven. This is an out-and-out plug, but the best and most effective examples have usually been driven by <a href="https://acuityrm.com/" target="_blank">Acuity Risk Management's Stream application</a>.</div>
<div>
<br /></div>
<div>
However, for the <b>micro or small business</b> the best approach is to keep things simple, for the moment at least.</div>
<div>
<ul>
<li>Risk description - there are excellent definitions of risk published in various ISO documents (ISO 31000 and ISO/IEC 27005, for example). However, it all boils down to the following:</li>
<ul>
<li>Source (what is the source of the thing that could happen - internal or external parties)</li>
<li>Event (what is going to occur)</li>
<li>Cause (why could it happen), and</li>
<li>Consequence (what is the likely negative outcome to the business objectives).</li>
</ul>
<li>Example - a member of staff (source) accidentally clicks on a link within an email, which results in data being encrypted by ransomware (event), due to the lack of training/awareness and administrative/technical measures (cause), resulting in a loss of availability of data, potential loss of reputation, a regulatory fine and so on (consequence).</li>
<li>Example - the MD decides to negotiate with a script kiddie (criminal) to reduce the ransom following a successful ransomware attack, resulting in the business being tagged as an easy mark, which could lead to even further damage to the reputation of the business.</li>
<ul>
<li>You decide the source, the event, the cause, and the consequence.</li>
</ul>
</ul>
In both examples above (simple, but potentially devastating nonetheless), what could or should have been put in place to reduce the likelihood of the consequences being realised? Whilst contemplating that question, the next set of questions will be: now that something negative has happened, what measures are in place to recover and get back to business as usual, and what lessons has the business learned from the experience?</div>
<div>
<br /></div>
<div>
In simple risk based terms then:</div>
<div>
<ul>
<li>Walk through some scenarios to describe risk, then</li>
<li>Identify ways (measures) in which, as a business, the event, the cause and the consequences can be reduced to a minimum (one acceptable to your business and its context). These measures, by the way, will be administrative, physical and technical in nature.</li>
<li>Where practicable put the measures in place (and review them every now and again to ensure they remain effective).</li>
<li>Make sure that everything is documented; fire up a word processor or similar. Keep a record of what it is the business has done, it may be very useful in the future. </li>
</ul>
The obvious question is: is that it? No, not really. But, importantly, and especially for the <b>micro or small business</b>, you have started on the journey.</div>
<div>
<br /></div>
<div>
<b>What you do not want to do is:</b></div>
<div>
<ul>
<li>Put measures in place (especially high-cost technical measures; the ubiquitous magic box) until you can describe the risk to the business and are able to justify the spend.</li>
</ul>
Understanding and managing information and cyber security risk can be technical, administratively heavy and quite often demanding. But for the <b>micro and small business</b> it is probably best to keep things simple.</div>
<div>
<br /></div>
<div>
Will the above simple process make you <b>UK-GDPR (DPA2018)</b> or <b>EU-GDPR</b> (it had to be said) compliant? No! It will certainly help, yes, but fully compliant? No! If the worst were to happen and, despite your best efforts, the business suffered a personal data breach, the documented actions you have put in place <b>might</b> help if the regulator (the ICO in the UK) comes a-knocking; the accountability principle (GDPR Article 5(2)) expects you to be able to demonstrate what you did and why.<br />
<br />
If you need help or simply some guidance <a href="mailto:contact@kansecurity.com" target="_blank">let me know</a></div>
<div>
<br /></div>
<div>
KanSecurity (NL)<br />
<br /></div>
<div><b>Post: Personal data or PII</b> (KanSecurity Musings, 4 February 2020)</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFFLxrlKpzXzeubHkwTv_DnWKO91zLc_hR9IpL0ikejm4kIQPKcaaGfmL9U3BkSdiKQDohtgm1pP6XfPCcWh4PHc_7poBGQz6IaZzW4ydfhw-O_VOKyVCGvj5RthyphenhypheniCwtCff1UgNZ7OKM/s1600/Data.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="118" data-original-width="177" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFFLxrlKpzXzeubHkwTv_DnWKO91zLc_hR9IpL0ikejm4kIQPKcaaGfmL9U3BkSdiKQDohtgm1pP6XfPCcWh4PHc_7poBGQz6IaZzW4ydfhw-O_VOKyVCGvj5RthyphenhypheniCwtCff1UgNZ7OKM/s320/Data.jpg" width="320" /></a></div>
<h2>
<span style="color: #cccccc;">PII or not to PII, that is the question</span></h2>
<div>
<span style="font-size: 11pt; line-height: 107%;"><span style="font-family: inherit;">PII, or personally identifiable information, is used an awful lot to describe something that the EU-GDPR and the DPA2018 (UK-GDPR) refer to as personal data.</span></span></div>
<div>
<span style="font-size: 11pt; line-height: 107%;"><span style="font-family: inherit;"><br /></span></span></div>
<div>
<span style="font-size: 11pt; line-height: 107%;"><span style="font-family: inherit;">What is personal data vs PII?</span></span></div>
<div>
<span style="font-size: 11pt; line-height: 107%;"><span style="font-family: inherit;"><br /></span></span></div>
<div>
<span style="font-size: 11pt; line-height: 107%;"><span style="font-family: inherit;">Personal data - means any information relating to an identified or identifiable natural person (’data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR, Art 4(1)).</span></span></div>
<div>
<span style="font-size: 11pt; line-height: 107%;"><span style="font-family: inherit;"><br /></span></span></div>
<div>
<span style="font-size: 11pt; line-height: 107%;"><span style="font-family: inherit;">PII is defined in US federal regulation as information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual (2 CFR Part 200, Subpart A, §200.79, the OMB Uniform Guidance for Grants and Agreements; NIST SP 800-122 uses a closely related definition).</span></span></div>
<div>
<span style="font-size: 11pt; line-height: 107%;"><span style="font-family: inherit;"><br /></span></span></div>
<div>
<span style="font-size: 11pt; line-height: 107%;"><span style="font-family: inherit;">Take away points:</span></span></div>
<div>
<ul>
<li><span style="font-size: 11pt; line-height: 107%;"><span style="font-family: inherit;">The focus of EU-GDPR (UK-GDPR/DPA2018) is:</span></span></li>
<ul>
<li><span style="font-size: 11pt; line-height: 107%;"><span style="font-family: inherit;">To protect the interests of a data subject by regulating the activities of the [data] controller and [data] processor who process data that incorporates personal data, and</span></span></li>
<li><span style="font-size: 11pt; line-height: 107%;"><span style="font-family: inherit;">It is the definition of personal data that in fact<b> triggers</b> the EU-GDPR, and <b>not</b> PII.</span></span></li>
</ul>
</ul>
<span style="font-size: 14.6667px;"><span style="font-family: inherit;">There is a bit of confusion, however, especially with a number of ISO standards, for example:</span></span></div>
<div>
<ul>
<li><span style="font-family: inherit;"><span style="font-size: 14.6667px;">PII rather than personal data - ISO/IEC 27018:2019 (</span>Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors); the PII vocabulary it relies on comes from ISO/IEC 29100, the privacy framework.</span></li>
</ul>
The final take-away point: please ensure that you are using the correct definitions and, where ISO standards are concerned, read the small print in which acknowledgement is made of 'local' legislation and regulation.</div>
<div>
<span style="font-size: 14.6667px;"><span style="font-family: inherit;"><br /></span></span></div>
<div>
<span style="font-size: 11pt; line-height: 107%;"><span style="font-family: inherit;">References: CyBOK v1.0; KanSecurity mindmaps; others as shown.</span></span></div>
<div>
<span style="font-size: 11pt; line-height: 107%;"><span style="font-family: inherit;"><br /></span></span></div>
<div>
<span style="font-size: 11pt; line-height: 107%;"><span style="font-family: inherit;">KanSecurity (NL)</span></span></div>
<div><b>Post: Compliance or Conformity</b> (KanSecurity Musings, 4 February 2020)</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsn2zhPzGFBiA2kxhyphenhyphenuxHRTM2MCT6d8IJ2qzgtxnsGnrzDoi9FjcdguoZaOZv587RxI1ViOXDfoxJkRRJP74C-GX8k97fz3o0EMKk7p7DfK4VthTeho64stvZaWpAeU8Qn-yuIulW1qck/s1600/CompliancePic.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="background-color: #cccccc;"><img alt="" border="0" data-original-height="161" data-original-width="375" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsn2zhPzGFBiA2kxhyphenhyphenuxHRTM2MCT6d8IJ2qzgtxnsGnrzDoi9FjcdguoZaOZv587RxI1ViOXDfoxJkRRJP74C-GX8k97fz3o0EMKk7p7DfK4VthTeho64stvZaWpAeU8Qn-yuIulW1qck/s320/CompliancePic.jpg" title="This Photo by Unknown Author is licensed under CC BY-NC" width="320" /></span></a></div>
<h2>
<span style="color: #cccccc;">Compliance is not security, or is it?</span></h2>
<div>
<div class="MsoNormal">
There is a view (anecdotal) that compliance is not security. To be more precise, information and cyber security.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
For those aware of this standard, ISO/IEC 27001:2013 (information security management systems, requirements) asks those organisations seeking certification to conform to its requirements.</div>
<div class="MsoNormal">
On the other hand, the Payment Card Industry (PCI) security standards, for example the Data Security Standard (PCI DSS), require compliance.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Conformity or compliance; in the cases above they both seek to achieve something similar: security, in the context of information and cyber security, by ensuring that important data assets are protected (specifically cardholder data for PCI DSS, and 'other' sensitive and critical information/data for ISO/IEC 27001:2013).</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Having generalised with the use of the word 'other' for 27001, in truth if cardholder data were in scope then 'other' would include cardholder data. But if by 'other' is meant confidential company financial data (not cardholder data), or perhaps special categories of personal data (not cardholder data), then PCI DSS does not come into play.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
However, in both cases the objective is to manage the risk to what can be described as sensitive and/or critical data. One asks us to conform to requirements; the other asks us to be compliant.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Many a tech company and cyber security company, having jumped onto the (EU) GDPR bandwagon back in 2016, offered solutions to enable an organisation to become compliant with the Regulation.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The bandwagon-jumping antics of many of these businesses is an entirely different topic of conversation; in the meantime, how do they in fact determine that their customers are compliant with the (EU) GDPR simply by offering a technical solution?</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Coming back to the original question of compliance and security: the (EU) GDPR has a number of Articles (and recitals) directing controllers and processors to manage risk, expressed as likelihood and severity, and to respond by implementing appropriate technical and organisational measures. Article 32 (security of processing) is the obvious one; Articles 24 (responsibility of the controller) and 25 (data protection by design and by default) use the same 'risks of varying likelihood and severity' language.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
So, in part at least (many more obligations that have nothing to do with security must also be met), reaching a degree of compliance requires that the information and cyber security risk associated with the processing of personal data by a controller or processor be managed, and that the resulting levels of risk be treated in some fashion.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
ISO dropped the word 'compliance' from its management system vocabulary in favour of 'conform' or 'conformity', forgetting that conformity in fact means 'compliance with standards, rules or laws' (thank you Google). The simple answer, then, is that in the context of information and cyber security, compliance is a valid word to use, and compliance can indeed sit alongside the word security. The caveat is the one that runs through both 27001 and the GDPR: a conformant or compliant set of controls is only as good as the risk assessment that justified it.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
KanSecurity (NL)</div>
</div>
<div>Posted by KanSecurity Musings (<a href="http://www.blogger.com/profile/05610649934716658688">Blogger profile</a>)</div>