Category: Information Security
by Jeffrey Morgan
Information and cybersecurity are somewhat mythical subjects and many misconceptions abound. Here are a few examples of the many myths surrounding cybersecurity:
- Information and cybersecurity programs are built on technology.
- Cybersecurity programs are expensive.
- Information and cybersecurity programs should be managed by Information Technology staff.
- The greatest cybersecurity threats come from outside your organization.
- Your IT staff would be able to detect a breach or other anomaly.
Do you believe in any of these myths? If so, keep reading because all five of these statements are false.
According to the 2018 Ponemon Institute Data Breach Study[i], the average total cost of a data breach is $3.86 million. Data breaches aren’t the only type of devastating cybersecurity problem and global costs for ransomware are expected to reach $11.5 billion[ii] in 2019. Malware can quickly bring a halt to your business activities and we have seen municipal services brought down for over a week because of infections that were a result of failure to follow policies and procedures.
Non-fiscal consequences of information security problems may have a more significant long-term impact on your organization than fiscal consequences and may include loss of reputation and litigation.
Information Security disasters are almost always a reflection on organizational management and the worst time to find out that you didn’t have a comprehensive cybersecurity program is in the aftermath of a breach. Most cybersecurity events occur for one of three reasons:
- People didn’t do what they were supposed to do (e.g. patching, backing up, checking logs).
- People did something they weren’t supposed to do (e.g. using inappropriate web sites, inserting flash drives, opening links in phishing e-mails).
- People have no idea what they are supposed to do (lack of policy and procedures throughout the organization).
Knowing what your staff is doing is a basic management responsibility. Show me a cybersecurity incident, and I will show you a chain of supervision and management failures that go all the way to the top of an organization.
Boards and governing bodies are beginning to see it this way too, and currently, senior C-level executives lose their jobs in roughly one-third of breaches[iii] and other cybersecurity events.
Quite simply, information and cybersecurity are management responsibilities and good information security programs require ongoing management attention. Managers don’t need to be cybersecurity or technical experts; they do need to ensure that appropriate controls, policies, and procedures are in place. Your IT department isn’t the solution; management principles are.
Depending on what research you read, somewhere between 60 and 90 percent of cybersecurity problems are caused by human error. In my experience, 90 percent sounds about right, although it could easily be closer to 100 percent. This all fits right in with W.E. Deming’s theory that 94% of problems in an organization are a result of management failures.
Major information breaches occur daily and only a small percentage of these make headline news. The most infamous of these include Equifax, Marriott, Yahoo, Target, and Anthem. In many local governments and smaller enterprises, the cybersecurity programs are not sufficiently robust to even identify whether a breach has occurred.
A small sampling of 2018 information security incidents from the county and municipal sectors includes:
- City of Atlanta
- St. Lawrence County, New York
- Adams County, Wisconsin
- Otsego County, NY
- 50 central New York school districts
What most breaches have in common is that technology didn’t fail – people failed. Policies, procedure, and management failed. In the Equifax breach, someone failed to apply current patches to servers with known vulnerabilities. The CEO, Richard Smith, lost his job over the incident, but he wasn’t the culprit who failed to patch. He did handle the incident poorly, though.
If you take a proactive approach to cybersecurity, you have control over what you do and how you do it. However, in the aftermath of a breach, you may find your organization under investigation by the US Office of Civil Rights if the breach involved PHI and criminal charges may be involved as well. Your response may be dictated by state and federal regulators and you will have lost control of the process. A proactive approach to cybersecurity is clearly more desirable.
How would your organization be able to identify a breach? In the case of Adams County, WI the breach went on undetected for over five years and resulted in the disclosure of PHI and PII of over 250,000 residents. Five years! Would your staff be able to detect a breach?
Would you know how to respond to a breach? When it comes to cybersecurity, you must know how to respond to disasters before they happen and developing an incident response plan is part of the process of building a comprehensive information security program. A disciplined approach forces you to think about everything so that when a disaster of some sort does occur, you are prepared to deal with it immediately. However, if you have taken a comprehensive approach to cybersecurity, a disastrous problem is far less likely to occur. And, if it does occur, the response and cleanup is considerably easier.
Most information and cybersecurity problems are caused by people, so why are most cybersecurity programs built on technology? The foundation for a great cybersecurity program is policy and procedure.
Often, when I talk to executives and managers, their response to information from me is something like, “Wow. This is great information. I’ll show it to my IT people.” This is a pretty clear indication that they didn’t hear anything I just presented. This is understandable; most managers have been conditioned to believe that information security is an IT responsibility.
As an executive, you will be held accountable for a serious cybersecurity incident, especially if the problem was caused by lack of policy, procedure, and management oversight.
The conventional wisdom in local governments is that information and cybersecurity are functions that should be delegated to an IT Director or CIO. As is the case with most conventional wisdom, this view is wrong.
Cybersecurity is often treated as a form of black magic where wizards practice their secret arts in the data center. In reality, the processes, procedures, and activities that your staff should be performing routinely are well-known and widely published. Are your staff members following these publicly available standards?
Over the last several decades, many comprehensive standards and frameworks for information and cybersecurity have grown and matured. These frameworks have been developed by large workgroups of brilliant people who have devoted their professional careers to the study of information security. Local governments rarely implement these frameworks and instead rely on ad hoc programs designed by staff members untrained in information security practices and procedures. None of these standards or frameworks recommends delegation of cybersecurity to IT staff; all of them recommend comprehensive approaches that include the participation of directors, executives, and senior managers in building a comprehensive plan.
The good news is that this problem is simple to fix. Building a solid, standards-based cybersecurity program is a team effort and the majority of controls that should be implemented are not technical in nature, but administrative.
How do you know if you have a standards-based cybersecurity program or an ad hoc one? It is easy to identify a real cybersecurity program and six elements distinguish a comprehensive program from a poor one:
1. Comprehensive Security Policy. For most municipal governments, this document should probably consist of 25 or more pages and at least 40-50 policies, but probably many more. Good security policies are typically developed over a long period of time.
2. Acceptable Use Policy. This document describes standards for using company-owned resources, ownership, reporting requirements, etc. but may also address the use of social media, work-at-home policies, and a great deal more.
3. Risk Assessment Report. Risk assessments are a requirement of every standards-based security framework. If you don’t have a relatively current risk report, your security program doesn’t meet the standards of any generally accepted information security framework.
4. Documentation. Extensive documentation demonstrating compliance with your organization’s security policy should be readily available at all times. Do you have evidence that backups are validated? Are logs checked? Excellent documentation is a required component of a true information security program.
5. Management participation. Participation of directors and senior managers in an information security program is a requirement. For most county and municipal governments, managing and understanding the scope of information and the regulatory requirements are beyond the knowledge, skills, and abilities of the IT staff.
6. Accountability. A good cybersecurity program requires participation of staff and management throughout the organization. Responsibility and accountability for the many tasks must be clearly documented so everyone understands their part.
There are many moving parts to a good cybersecurity program and the formula for it looks something like this:
There is no reason for the existence of ad hoc information security programs, especially in the public sector. There are numerous generally accepted and widely available frameworks for building a comprehensive information security program. These are either free or dirt cheap and they describe exactly how to build an information security program in any organization. A comprehensive approach is not expensive and there are not necessarily capital expenses involved.
You can use any of the following documents to begin building a comprehensive information and cybersecurity program.
ISO/IEC 27001 is the international standard for building an information security program. It is available from the ANSI web store for $138. It is roughly 30 pages and describes exactly how to build a comprehensive security program for any organization from scratch.
The NIST Cybersecurity Framework (CSF) was created by NIST (the National Institute of Standards and Technology) and is a risk-based approach to developing a cybersecurity program. It is available for free.
The HIPAA Security Rule is a federal regulation (45 CFR parts 160, 162, 164) for protecting PHI, but it can also be used as a framework for building an information security program. If you have PHI (most counties do) to protect, you could start your program by building it on HIPAA and then use one of the other frameworks to supplement what HIPAA misses. A common misconception about HIPAA is that it is an onerous regulation that is difficult to comply with. In truth, HIPAA sets a low bar and you will definitely need to supplement a HIPAA compliance program with additional policies and procedures.
Building a comprehensive, standards-based cybersecurity program is a straightforward process. In general, we recommend an approach something like this:
- Create a governance committee.
The membership of your governance committee should include people who are expert in various aspects of the information you maintain. For a county government, this might include the county recorder, corporate compliance, public or mental health, human resources, the county attorney, and information technology. A senior executive and a board member should also be on the committee.
- Get a risk assessment.
Risk assessment is an absolute requirement. If you have someone on the staff skilled in this, you can do it internally. If your organization has never gone through a risk assessment process, you should contract an outside firm for the first one unless you have staff members who are capable of objectively performing one. Risk assessments should be carefully scoped.
- Create an asset inventory
A complete, current inventory of all your information assets, including digital data, applications, physical information (paper records), and hardware, is an absolute requirement. Most local governments don’t have this information at a level of detail that would stand up to any kind of audit.
- Create a comprehensive security policy.
A primary responsibility of your governance committee will be to draft a comprehensive security policy that addresses your organization’s unique needs relative to risk. The policy should be approved by your governing board. You can and should build your program on any of the three frameworks described above. You’ll have to decide which one is the most appropriate depending on your unique business requirements.
- Create a risk management plan.
The risk assessment process will identify many shortcomings in your information security program. It is the responsibility of your board and senior executives to identify risk appetite and priorities for risk mitigation.
Does all you have read so far sound straightforward and simple? It is.
There is no reason for any local government agency not to implement a comprehensive cybersecurity program. While the steps are simple, implementing them may not be easy, and the problems you encounter are more likely to be administrative and procedural rather than technical. Technical implementation of a cybersecurity program is the easiest part; getting the management structure right is much more difficult.
If you proceed down the path to standards-based cybersecurity, you may find that it takes six months to a year to put all the policy and procedural components into place, get a risk assessment, make a plan, and implement it, but this all depends on the availability of resources and your commitment to the project.
Building a security program on standards and best practices may require no capital expenditures but it requires time and attention from managers throughout your organization. In general, local governments don’t lack the funding for technical controls and many of them already have all the required technology in place. What local governments are generally missing are clear policies, procedures, and accountability.
If you would like assistance with your program, give us a call. We provide comprehensive management services for information security and can help you through every step of the process. Visit our website for more information on our services for local governments.
For a detailed multimedia overview of cybersecurity in local government, watch our video, Cybersecurity, risk, and liability in local government.
In this video, “Cybersecurity, cyber risk, and liability in local government,” I ask and answer 11 questions that local government executives and elected officials should be able to answer about their cybersecurity programs and it provides actionable information on building a cybersecurity program in the public sector. Watch it now! In 28 minutes you’ll get a complete overview of cybersecurity in the public sector, learn how to evaluate your program, assess your risk, and build a comprehensive standards-based program from the executive perspective. Questions answered include:
1. What kind of information do local governments collect and maintain?
2. Is local government regulated?
3. What regulations apply?
4. What are the risks?
5. What’s the liability?
6. How are they assessing and managing risk?
7. How do you build a cybersecurity program in the public sector?
8. What does the management structure look like?
9. How do you staff it?
10. How much does it cost?
11. What are the responsibilities of directors, managers, elected officials and staff throughout the organization?
Watch it and don’t forget to subscribe. If you like it, LIKE IT and thanks for watching.
© Copyright Jeffrey Morgan, 2018
PHI Breach detection in county government
The Office of Civil Rights (OCR) maintains a list of HIPAA breach investigations which currently lists over 400 open breach investigations.
One interesting breach is Adams County, Wisconsin which was leaking information undetected for over five years from 2013 and it highlights the lack of controls counties have in place for detection of security anomalies.
It’s pretty easy to determine whether or not counties have appropriate controls in place. The first question to ask is whether they have a risk assessment. If your local government organization doesn’t conduct ongoing periodic risk assessments, you aren’t compliant with the HIPAA Security Rule. So, if you don’t have a risk assessment, get one so you can identify potential problems.
There are roughly 40 policy requirements in the HIPAA Security Rule, and HIPAA sets a low bar in comparison to ISO/IEC 27001 and NIST CSF. If your county security policy doesn’t have these 40 policies in place, with corresponding processes and procedures, you aren’t compliant with HIPAA.
We offer a low-cost 90 minute HIPAA workshop to help you assess your level of HIPAA compliance. The worst time to find out that you aren’t compliant is after a breach!
HIPAA’s not just for hospitals
Most counties and behavioral health organizations aren’t compliant with the HIPAA Security rule, but don’t take my word for it. Download the HIPAA Security Rule directly from HHS and read it over the weekend. If you want to talk about it, grab a 30-minute slot in my calendar and we’ll discuss your security policies and procedures at no charge.
Read more about our HIPAA services for counties and behavioral health organizations.
For more background, read Jeff’s articles on HIPAA
- Risk assessments for local governments and SMBs. CIO.com, May 2017.
- HIPAA as an umbrella for county/municipal cybersecurity. CIO.com, April 2017.
- County and municipal cybersecurity – Part 2. CIO.com, April 2017.
- County and municipal cybersecurity – Part 1. CIO.com, March 2017.
- May I see your comprehensive security policy please? CIO.com, October 2016.
- The ACA and the death of medical privacy. CIO.com, August 2016.
- Why should county commissioners and executives care about HIPAA? Careers in Government, February 2018.
Failure of boards and managers to address information security is expensive, and the preventable, poorly handled Equifax breach may end up costing the company as much as $1.5 billion in direct costs by the time it all plays out (SeekingAlpha, 9/29/17). This lack of management attention was clearly demonstrated when Equifax acting CEO, Paulino do Rego Barros, Jr. told a congressional hearing “he wasn’t sure whether the company was encrypting consumer data.”
This problem is systemic and pervasive across the business landscape. In a January 10th article, the Wall Street Journal reported that “Board committees dedicated to information technology risks and strategy are still rare. Just four Fortune 100 companies operate one.” Moreover, only 37% of corporate directors “feel confident the company they serve is properly secured against a cyberattack.” In the broader arena of SMBs and local governments, board and management oversight of information security is even rarer and 37% seems grossly optimistic.
An even more disturbing revelation from that WSJ article was that some boards have “devised a response plan, including creating of a bitcoin account from which to pay ransoms.” I suppose there is a justifiable and quantifiable business case for this position from the board’s perspective, but it really sticks in my ex-military craw that any organization would negotiate with and reward criminals. Prevention and resilience are better policies.
What’s the role of the board and management?
There is no mystery about what boards and executives should be doing to ensure their organizations are paying attention to information security. Section 5 of ISO/IEC 27001 describes 18 requirements for “top management” with respect to developing an organizational information security management system (ISMS). These requirements include policy development, resource allocation, continual improvement, documentation, reporting, and a great deal more.
NACD (National Association of Corporate Directors) offers a 16-hour cyber-risk certificate course for directors. Upon completion of the course and an exam, participants receive a certificate from Carnegie Mellon University. NACD also publishes a free, informative, 44-page Cyber-Risk Oversight Handbook that describes “five principles for effective cyber-risk oversight,” along with a wealth of other information that includes an appendix with 48 questions boards should be asking management about Cybersecurity.
For local governments, ICMA publishes Local Government Cyber Security: Getting Started as well as other information. This guide has some useful information, but it doesn’t begin to approach the depth and quality of the NACD handbook. I would recommend that school board members, county commissioners, and city council members download and read the NACD handbook as well as the Growing Impact of Cybercrime in Local Government. The public sector doesn’t take cybersecurity seriously and local governments are in possession of huge deposits of PII and PHI.
My problem with the discussions of “the cyber” from both of these organizations is that they fail to address the broader discipline of “information security.” This isn’t simply a matter of semantics; cyber-risk has to be understood in the broader context of an overarching information security (InfoSec) program to be truly effective.
To put it simply, if senior leadership isn’t an integral part of your information security program, you don’t really have a program. Boards and executives should routinely devote CPU cycles to the issue, just as they would to any other critical business issue.
Making the case
The argument for comprehensive information security programs for even very small enterprises is simple, powerful, and backed by a constantly growing body of evidence. Failure to secure information costs money – and lots of it. The Anthem breach, in which the company was found to be neither negligent nor liable, cost them roughly $414 million and the Target breach cost $230 million (SeekingAlpha).
While the fiscal argument may make the best case for a security program, it sometimes takes a while to get traction because executives in smaller organizations may not immediately see how these gigantic breaches relate to their business. Consequently, one of my preferred techniques for making the case is to get the corporation counsel or municipal attorney involved from the start.
Bring lawyers and money
Lawyers begin making the connections faster than the rest of the team, especially if regulatory compliance issues are involved. They quickly connect the dots between stupid mistakes, negligence, breach, forensic and regulatory investigations, fines, public embarrassment and the inevitable litigation. In most organizations, the lawyers tend to be highly regarded and they can see the whole movie playing in their head. They instinctively know that they won’t be playing the part of the hero unless they get the show going so they do a pretty good job of rallying the troops.
In one organization for which I developed a comprehensive policy, the process took several months of collaborative work with a large committee of stakeholders that included board members, management, HR, attorneys and staff. The discussions sometimes became contentious, but the team approach was worth the effort because everyone was invested in the final product. It took the organization two years to fully implement the policy, and when the first periodic risk assessment came due, one of the directors said, “you mean to tell me that this is going to cost money?”
Yeah, it costs money; but it costs a hell of a lot less money than a breach.
You might appreciate my video on the Equifax breach:
NIST Cybersecurity Framework
Version 1.0 of the NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) celebrated its fourth birthday in February. The CSF is a “risk-based approach to managing cybersecurity risk… designed to complement existing business and cybersecurity operations.” I recently spoke with Matthew Barrett, NIST program manager for the CSF, and he provided me with a great deal of insight into using the framework.
NIST (National Institute of Standards and Technology) is a division of the U.S. Department of Commerce, and they have been involved in information security since the 1970s. On May 11, 2017, President Trump signed Executive Order 13800 requiring all federal agencies to use the CSF, so if you conduct business with these entities, you are likely to hear a great deal more about it in the near future.
Current State of Cybersecurity
To begin the conversation, I asked Matthew what he thought about the current state of cybersecurity in business and government.
“I think there is a bit of an awakening going on to the true importance of just how foundational cybersecurity is,” he says. “It used to be that businesses were based on trust, and it is still the case. Increasingly, we’ve built out our technological infrastructure and more and more important over time is digital trust. I’m not sure whether all parties understood when they were implementing those technologies just how much that pendulum was going to swing from traditional trust models to the digital representations of those trust models. It’s not an overnight thing. There’s a cascade. I see a ripple that has started that hasn’t completed its way across the pond.”
The CSF in a Nutshell
If you have worked with other security standards or frameworks based on best practices or compliance approaches, the CSF provides a different viewpoint. It is not intended to be used as a standalone framework for developing an information security program. Rather, the CSF is designed to be paired with other frameworks or standards such as ISO/IEC 27000, COBIT 5, ANSI/ISA 62443, and NIST SP 800-53. It is also meant to be customized rather than being used as a process or activity checklist. The CSF has three components – the core, tiers and profiles.
The core of the framework has five functions – identify, protect, detect, respond and recover. These functions can be thought of as outcomes and aligned with them are 22 categories, 98 subcategories, 125 outcomes and 287 informative references (controls). The core, with all the informative references, is also available in Excel format which can make a handy template to add to your cybersecurity policy and control toolkit. According to Matthew, becoming comfortable with these five functions and the associated concepts at the leadership level tends to be the first stage of the adoption curve.
Determining the organization’s tier is often the second step in adoption. The tiers are a useful tool and they “provide context on how an organization views cybersecurity risk and the processes in place to manage that risk.” There are four tiers: partial, risk-informed, repeatable and adaptive. Although the tiers don’t officially function as a maturity model, it is difficult for me not to see them as such.
However, Matthew explained the CSF’s position on maturity models: “We take exception to the way maturity models are applied where everyone has to get the highest mark on the maturity scale. That’s a great ambition. Rooted in the real world of things, we know that people have budgets, and those budgets are finite. More so than the way people tend to implement maturity models, we’re trying to highlight that you can pick and choose.”
“In my mind’s eye,” Matthew continued, “I picture a tier that isn’t even on the map. A tier zero. There’s a group of people who have managed to short-list high-impact items, and that’s about all they do relative to cybersecurity. For most people, that’s a temporary stopping point. Some people stop there and never get to dynamic, iterative cybersecurity risk management.”
Based on my own personal observations in the field, most SMBs, local governments and even many larger entities probably fall into Tier 1, and the only way to realistically get to Tier 2 is for management to become risk informed. However, getting executives and boards interested in information and cybersecurity is a formidable hurdle.
If an organization is truly a part of national critical infrastructure, remaining at Tier 2 would be troubling. Tier 3 is the first tier that defines organization-wide policy as a requirement, and I would personally see Tier 3 as the minimally acceptable target for most organizations, but this is my opinion rather than NIST’s or Matthew’s.
The tiers do provide a solid tool for organizational management to realistically evaluate their cybersecurity program and make rational, pragmatic, informed business decisions for program improvements going forward. Taking the leap from Tier 1 to Tier 2 is probably the most difficult step for most organizations. Once an organization gets to Tier 2, management has accountability and consequently more motivation to move forward.
NIST recommends that the framework be “customized in a way that maximizes business value,” and that customization is referred to as a “Profile.”
Matthew believes that all cybersecurity programs have three things to do and three things only:
- Support mission/business objectives;
- Fulfill cybersecurity requirements; and
- Manage the vulnerability and threat associated with the technical environment.
The CSF provides a seven-step process for creating or improving a cybersecurity program using a continuous improvement loop:
- Prioritize and scope
- Orient
- Create a current profile
- Conduct a risk assessment
- Create a target profile
- Determine, analyze, and prioritize gaps
- Implement action plan
Profiles can be used as a tool to provide a basis for prioritization, budgeting and gap analysis.
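As an added example (not NIST’s tooling, the CSF spreadsheet, or code from this article), here is a small Python gap analysis in the shape of the profile steps above: a constructed current profile and target profile are compared per subcategory, gaps are scored by their size and a business priority weight from the prioritize-and-scope step, and an action plan is cut to a budget. The subcategory names, levels and weights are constructed sample data, and the 0-4 implementation levels are an assumed scale that loosely mirrors the four tiers.

```python
"""Gap analysis between a CSF "current profile" and "target profile".

Added example; not NIST's tooling. The five core functions are the ones
named in the article. Subcategory names, levels and weights are constructed
sample data. The 0-4 levels are an assumption that loosely mirrors the tiers
(0 = not addressed, 1 = partial, 2 = risk-informed, 3 = repeatable, 4 = adaptive).
"""
from dataclasses import dataclass

FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
MAX_LEVEL = 4

# Constructed sample subcategories, mapped to the core function they support.
SUBCATEGORIES = {
    "asset-inventory": "Identify",
    "patch-management": "Protect",
    "validated-backups": "Protect",
    "log-review": "Detect",
    "incident-response-plan": "Respond",
    "restore-testing": "Recover",
}
# Constructed current profile, target profile, and the business priority
# weights that come out of the "prioritize and scope" step.
CURRENT = {"asset-inventory": 0, "patch-management": 1, "validated-backups": 1,
           "log-review": 0, "incident-response-plan": 0, "restore-testing": 2}
TARGET = {name: 3 for name in SUBCATEGORIES}   # "repeatable" across the board
WEIGHTS = {"asset-inventory": 3, "patch-management": 3, "validated-backups": 2,
           "log-review": 2, "incident-response-plan": 2, "restore-testing": 1}


@dataclass(frozen=True)
class Gap:
    subcategory: str
    function: str
    current: int
    target: int
    weight: int

    @property
    def size(self) -> int:
        """Number of implementation levels still to climb."""
        return self.target - self.current

    @property
    def score(self) -> int:
        """Priority score: bigger gaps in more important areas come first."""
        return self.size * self.weight


def _check_level(name: str, level: int) -> None:
    if not 0 <= level <= MAX_LEVEL:
        raise ValueError(f"{name}: level {level} outside 0..{MAX_LEVEL}")


def gap_analysis(current, target, weights, subcategories=SUBCATEGORIES):
    """The "determine, analyze, and prioritize gaps" step.

    A subcategory present in the target profile but absent from the current
    profile is treated as level 0 (not addressed at all). Subcategories whose
    current level already meets the target are not gaps and are dropped.
    """
    gaps = []
    for name, goal in target.items():
        if name not in subcategories:
            raise ValueError(f"unknown subcategory {name!r}")
        function = subcategories[name]
        if function not in FUNCTIONS:
            raise ValueError(f"{name}: unknown function {function!r}")
        now = current.get(name, 0)
        _check_level(name, now)
        _check_level(name, goal)
        if goal > now:
            gaps.append(Gap(name, function, now, goal, weights.get(name, 1)))
    # Highest score first; ties fall back to the core's Identify->Recover order.
    gaps.sort(key=lambda g: (-g.score, FUNCTIONS.index(g.function), g.subcategory))
    return gaps


def action_plan(gaps, budget):
    """Input to the "implement action plan" step: fund gaps in priority order.

    `budget` is the number of level increments the organization can afford in
    this cycle (an assumption; real budgets are money and staff time). Gaps
    that do not fit are deferred to the next pass of the improvement loop.
    """
    funded, deferred, remaining = [], [], budget
    for gap in gaps:
        if gap.size <= remaining:
            funded.append(gap.subcategory)
            remaining -= gap.size
        else:
            deferred.append(gap.subcategory)
    return funded, deferred


def function_floor(levels, subcategories=SUBCATEGORIES):
    """Weakest subcategory level per core function, a one-line profile view
    for a board report (a function is only as strong as its weakest part)."""
    floor = {f: MAX_LEVEL for f in FUNCTIONS}
    for name, function in subcategories.items():
        floor[function] = min(floor[function], levels.get(name, 0))
    return floor


if __name__ == "__main__":
    gaps = gap_analysis(CURRENT, TARGET, WEIGHTS)
    for gap in gaps:
        print(f"{gap.function:8} {gap.subcategory:24} {gap.current}->{gap.target} score={gap.score}")
    print("fund now / defer:", action_plan(gaps, budget=8))
    print("current floor per function:", function_floor(CURRENT))
```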
One of my personal rants is on the disinterest so many executives show toward information security. I am always irritated when I see IT and security managers unilaterally commit an organization to cyber risk without obtaining informed consent from senior management. Often, these staff members make decisions that are far outside the scope of their roles and authority, and I think some executives prefer their own blissful state of ignorance. This leaves too much room for managers to claim “I never knew. Mistakes were made.” Like both ISO 27001 and COBIT 5, the CSF clearly defines management’s role in information security processes, so the CSF can be used as a powerful tool to engage boards and managers and hold them accountable for risk and budgeting decisions.
Matthew’s response to my rant was diplomatic. “I wonder whether the very nature of cybersecurity professionals makes us hold on to risk decisions rather than distribute them portfolio style. Smaller, less impactful risk decisions that are distributed. Distribute decisions, empower folks, and there is accountability around that empowerment, as well.” The CSF provides tools to distribute this risk.
Adoption and Implementation Trends
Results from a 2015 Gartner poll claim that about 30% of organizations have adopted the CSF and by 2020, 50% of organizations will have adopted it. I am skeptical of this assessment. Based on personal observation of the SMB and local government sectors, I would be astonished to find that even 25% of them have formal information security programs based on any framework or standard, let alone the CSF.
However, CSF has been used and customized by a diverse group of organizations such as the Italian government, the American Water Works Association, Intel, the Texas Department of Information Resources, and many others. Case studies can be found on the NIST CSF website.
It’s always good to look at information security programs from multiple viewpoints and the NIST CSF provides many excellent tools to do just that. NIST provides many additional materials on using the framework and they can be found on the CSF Homepage. The site also has an excellent 30-minute video presentation of Matthew providing an overview of the framework.
This article first appeared in Security Magazine.
© Copyright Jeffrey Morgan, 2018
Information security and cybersecurity are huge problem areas in county and municipal governments. In this six-page article on the subject, I cover the information every county and municipal leader should know including a summary of problems, barriers, specific solutions, and resources. The free document is available here. The intended audience is CEO, CAO, CFO, COO, County or city manager, county commissioner, city council member, or other senior management personnel in the public sector. This is a reprint of my two-part article published in CIO.com last year.
Want to talk about information security in your organization? Click on the link below to e-mail me and schedule a time to talk.
Don’t hesitate to e-mail me. Initial consultations are free.
© Copyright Jeffrey Morgan, 2018
J.S. Bach’s sublime “Fugue in C-sharp-minor,” from Book One of Das Wohltemperierte Klavier (BWV 849) was published in 1722. It has five voices and three subjects, so it is a triple fugue. Let’s take a look at what Bach and his excellent work can teach us about building a rock-solid information security program.
1. Keep it simple
The slow and stately four-note subject is simple but pregnant with possibility. Through each iteration and each addition of a new component, the piece becomes a lovely, dense mesh of darkness and light. Ultimately, the thrilling climax can send emotional waves through your body leaving you weeping, emotionally drained and forever changed. Each element is simple in itself, but when combined, an extraordinarily complex web of sound is created.
If your perimeter firewall has 5000 rules, you’re probably doing something wrong, especially if you are a relatively small organization. Likewise, if your policy documents are incomprehensible to the average end user, there is a problem. One IT staff I was assessing claimed their policy was secret, and when I finally got hold of it, it turned out it wasn’t a policy at all – it was simply a copy of a federal agency’s policy framework written in govspeak. There was nothing there that would communicate performance and behavioral expectations to management, end users or the IT staff.
Printed music, a score, is simply a set of instructions for a performer. It’s not music until a performer brings it to life. Bach’s scores provide the minimal amount of information required to do just that and they leave a great deal of the interpretation to the performer (assuming good taste and common sense, of course).
Your information security plans and documents are similar; they’re just documents until you bring them to life and put them into practice. In many enterprises, these documents exist only on a shelf and are never used. Dust off those documents if you have them and make sure they have been implemented, followed and enforced. If you don’t have the documents, you had better get to work. Follow Bach’s lead and keep it all as simple as possible. Don’t count on common sense, though.
Bach chose a five-layer framework for this fugue. How many layers does your security program have? Comprehensive policy, procedures, guidelines, technical controls, administrative controls, physical controls, awareness and training are all part of the mix.
The common mistake I have seen in audits is that organizations often depend on only one layer – technical controls. Many security programs, probably in the majority of enterprises, consist of a firewall and some antivirus software but policy, procedure, guidelines and training are often non-existent. If you depend on technical controls alone, your score is 80-90% incomplete.
Musicians learn resilience, often the hard way, as soon as they begin doing recitals. The only way to be prepared for anything is to over-practice and over-rehearse so that no matter what happens, your fingers keep going even if your brain shuts down. You have a great amount of time to prepare, but only one chance to get it right when it actually counts.
Practicing and planning for the inevitable information disaster is the only way to survive it. If you’ve done this well, you can keep performing without anyone but an expert noticing the glitch. If you do it badly, the show is interrupted and you may never get a second chance.
4. Continuous improvement
A good music teacher shows you how to practice using mindfulness rather than rote repetition. Each iteration should be made better than the last by analyzing every aspect of what you’re doing. Walter Giesking wrote about this sort of approach in his book and he might be considered music’s version of W. Edwards Deming.
What sort of program for continuous improvement do you have in place? It doesn’t happen by itself unless you had a great teacher, coach or mentor. Great performers analyze every aspect of every performance and do a root cause analysis so they don’t make the same mistakes again. Well run organizations and great managers do the same, but the majority keeps making the same mistakes over and over again. Public humiliation in front of colleagues and coworkers doesn’t often seem to be a motivating factor in the business world, but it definitely is in the world of musical performance.
Listen to the voice of your network and your end users and pay attention to logs and metrics. Too many IT directors are tone deaf to the voices of their customers and I have seen many organizations that pay no attention to security logs and metrics at all. They can’t distinguish between the sound of a perfectly tuned network and an out-of-tune one. Don’t be that patronizing, know-it-all ass of a CIO – listen to everything and everyone.
If you are unfamiliar with Bach’s C-sharp-minor masterwork, you can listen to Hélène Grimaud’s performance, in which the fugue begins at about 3:15. For a different approach, Sir András Schiff’s version begins at about 2:40. There is no accounting for taste and everyone has their favorite.
If you are fascinated by the music and want to learn more, my favorite recording of the entire set is Angela Hewitt’s, which is part of my car mix for long trips. If you are new to Bach, it can be a life-changing experience.
If you want to improve your information security program, there are numerous resources from which to choose. ISO/IEC 27000, NIST, and COBIT 5 for Information Security all provide great starting points. Which is your favorite?
© Copyright Jeffrey Morgan, 2017
This article was first published on CIO.com at https://www.cio.com/article/3240972/data-protection/5-things-js-bach-can-teach-you-about-information-security.html
Security Policy Checkup Service
For county and municipal government.
Is your security policy up to current standards? Here’s how we can help for a low fixed rate:
This fixed-fee service is designed for counties and municipalities and includes:
- Initial web workshop with management and key stakeholders.
- Completion of a survey to identify your organization’s procedures, practices and specific security requirements.
- Review of your security policy and acceptable use policy against best practices and your organization’s requirements.
- Web workshop to discuss results.
- Written report with specific recommendations for improving your policies.
How to get started
- e-mail us for a quote/SOW.
- We’ll send you a Statement of Work with an NDA (non-disclosure agreement). Sign it and return it with a purchase order.
- We will promptly schedule a web workshop to gather information.
- We will discuss your concerns and complete a brief survey in order to understand your organization’s requirements.
Who should be involved?
We can perform this study for an authorized executive. However, we believe that working with a cross-functional workgroup consisting of Legal, HR, IT and executive management, and possibly other departments will help build a foundation for a more solid information security program in the long term.
Don’t have a security policy?
We can help. e-mail us to schedule a time to discuss the development of a custom security policy tailored to fit your organization.
Read more about this service at: http://www.e-volvellc.com/security-policy-checkup/
© Copyright Jeffrey Morgan, 2016
Next week, I am scheduled for a semi-annual risk assessment with my dentist. He performs a very specific, highly focused type of risk assessment that is totally worth the $125 it will cost. In addition to performing specialized maintenance (hypersonic cleaning), he will provide a threat assessment (for oral cancer, cavities, periodontal disease and other anomalies). I’ll leave his office confident that my mouth is in a low-risk situation for the next six months as long as I continue to follow best practices and perform daily maintenance procedures. I am only vulnerable to these threats if I fail to follow a daily program of brushing and flossing.
I could always choose to save the small fee for these risk assessments and wait for a major dental disaster to occur. The problem with this approach is that a single incident may cost thousands of dollars if I need a root canal or some other type of procedure. Ten years of checkups are less costly than even a single disaster.
Enterprise IT risk assessments
Unfortunately, in the world of local government and SMBs, the most common approach to risk management is to allow a major catastrophe to occur before realizing the value of an enterprise risk management program.
I am at a loss to explain it. Incidents or problems involving your information and IT infrastructure are far more costly than risk management programs. Data loss, breaches, major downtime, malware, lawsuits and fines for compliance violations may cost hundreds of thousands or millions of dollars. They can permanently shut down your small business or really irritate your board of directors in a corporate environment. In the public sector, constituents pay for major screw-ups through increased taxes while the events are often covered up and the culprits skirt the blame and keep their jobs.
When was your organization’s last risk assessment? Can you put your hands on the report? If you haven’t had a risk assessment recently, it’s a safe bet that your policies are sorely lacking. Defining an organizational policy for risk assessment is an essential component of any comprehensive suite of security policies. Both HIPAA and GLBA require periodic risk assessments, but it is a sound practice for all types and sizes of organizations.
Where to start?
If you haven’t previously conducted an enterprise IT risk assessment, you should carefully consider your starting point. For example, if you have few or no security policies, it may be wise to form an IG (information governance) committee and begin by developing a comprehensive set of policies, procedures, standards and guidelines. On the other hand, your management team may benefit from the kind of wake-up call that a devastatingly thorough risk assessment can produce. A 100-page report that says you suck at security and risk management on every page may be just what you need to get everyone’s attention.
The results of a risk assessment should be used to reduce your organization’s risk exposure, improve CIA (confidentiality, integrity and availability), initiate positive change, and begin building a security culture. While using risk assessments as a punitive device isn’t the best approach, such reports often expose malfeasance and incompetence of proportions so vast that appropriate consequences are in order. In other words, if you have been paying a CIO $200,000 and the assessment uncovers gaping policy, security and privacy holes, you should certainly replace the CIO with one who has the required skill set.
Scope the project carefully
Risk assessments come in a lot of flavors, and the specific purpose and scope must be worked out with the auditors in advance. A few years ago, a client of mine released an RFP for a risk assessment after we worked extensively on the development of their information security policies. The proposals ranged from $15,000 to well over $150,000. This can happen even with a pretty clear scope. Big 4 firms, for instance, have hourly rates that may be several times what a local, independent practitioner may charge. NIST SP 800-30 provides valuable information on how to perform risk assessments, including some information on scoping.
Risk assessments may be qualitative or quantitative. You may be able to do some of the quantitative work in-house by gathering cost data for all your assets in advance of the assessment. Regardless of the scope and approach, the auditors will ask to see lots of documentation.
One positive outcome of a risk assessment is that it may force your management team to rethink EVERYTHING – in-house application development, infrastructure support, IT staffing & responsibilities, LOB (line of business) staffing & responsibilities, budgets, and just about everything else related to the manner in which your organization is run.
Risk assessments are way cheaper than disasters, so go schedule your checkup.
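The in-house quantitative groundwork mentioned above (gathering cost data per asset) and the "checkups are cheaper than disasters" argument can be put into numbers. The following is an added example, not part of the article; it uses the common single-loss-expectancy / annualized-loss-expectancy arithmetic, which the article does not itself lay out, and every asset figure, exposure factor and frequency is a constructed, hypothetical value.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Asset:
    name: str
    value: float            # replacement plus downtime cost, gathered in-house
    exposure_factor: float  # fraction of value lost in one incident (0..1)
    aro: float              # annualized rate of occurrence (incidents per year)

def sle(asset: Asset) -> float:
    """Single loss expectancy: expected cost of one incident against this asset."""
    return asset.value * asset.exposure_factor

def ale(asset: Asset) -> float:
    """Annualized loss expectancy: SLE times the expected yearly frequency."""
    return sle(asset) * asset.aro

def portfolio_ale(assets: List[Asset]) -> float:
    """Total expected yearly loss across the asset inventory."""
    return sum(ale(a) for a in assets)

def rank_by_ale(assets: List[Asset]) -> List[Asset]:
    """Highest expected loss first; a sensible way to focus assessment scope."""
    return sorted(assets, key=ale, reverse=True)

def control_net_benefit(assets: List[Asset], ale_reduction: float,
                        annual_cost: float) -> float:
    """Yearly loss avoided by a control (as a fraction of ALE) minus its yearly cost.
    A positive result means the control pays for itself on expectation."""
    return portfolio_ale(assets) * ale_reduction - annual_cost

# Constructed sample inventory for a small municipality (hypothetical figures).
SAMPLE_ASSETS = [
    Asset("finance file server", 120_000.0, 0.5, 0.2),
    Asset("permit application database", 300_000.0, 0.3, 0.1),
    Asset("staff laptop fleet", 80_000.0, 0.25, 1.0),
]

if __name__ == "__main__":
    for a in rank_by_ale(SAMPLE_ASSETS):
        print(f"{a.name:32s} SLE={sle(a):>10,.0f} ALE={ale(a):>10,.0f}")
    print(f"portfolio ALE: {portfolio_ale(SAMPLE_ASSETS):,.0f}")
    # Assumed: a periodic assessment costing 15,000/yr that halves expected loss.
    print(f"net benefit:   {control_net_benefit(SAMPLE_ASSETS, 0.5, 15_000.0):,.0f}")
```

The same worksheet, filled with your own asset costs, gives the auditors a quantitative starting point and gives management a defensible comparison of assessment cost against expected loss.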
© Copyright Jeffrey Morgan, 2017