26 February 2012

MANAGE RISK BEFORE IT DAMAGES YOU: PART ONE...

Neira Jones on Google+
After my part 1 and part 2 posts on incident response and the last post on cloud computing security, a number of you requested I talk about risk assessments. Since it’s currently my favourite topic, I am more than happy to oblige... First, a few facts:
  • Epsilon was breached in the first quarter of 2011. At the time, they built and hosted customer databases for 2,500 well-known brands and sent more than 40 billion emails a year on their behalf.
  • Not long after, the Sony breach ended up compromising personally identifiable information for more than 100 million of its customers.
Obviously, for both organisations, customer information is a key asset...

Mind the Gap...
For the purpose of this post, I use the more generic definition of corporate governance: the framework of rules and practices by which a board of directors ensures accountability, fairness, and transparency in a company's relationship with all its stakeholders. It is therefore reasonable to assume that all businesses will have some form of corporate governance. Regardless of which framework or piece of best-practice research you look at, all of them share the following principles:

  • Deliver value;
  • Protect people’s rights, behave ethically and comply with the law;
  • Identify and manage risk;
  • Promote systematic disclosure (or transparency) so that accountability is effective.

In the two breach examples given earlier, it is also fair to assume, given the size of the companies, that both were governed by such a framework at the time of the breaches. Where did it all go wrong then? Let’s call this the “Infosec Gap”... I am sure we can all agree that a CISO should at least have the four bullet points above as their core objectives. However, bringing infosec risks to their rightful place on the Board agenda takes a certain kind of CISO, which was discussed in an earlier post. Chicago mayor Rahm Emanuel once told a gathering of corporate executives: “You never let a serious crisis go to waste. And what I mean by that it's an opportunity to do things you think you could not do before.” Going back to Sony, it was therefore not surprising that they rapidly hired a high-profile CISO to ensure “the security of Sony's information assets and services”.

First things first...
So, assuming we have managed to address the “Infosec Gap”, we’re left with ensuring the “security of information assets and services”. Because we are all governed by material pressures, it would be unrealistic to think that we should embark on all-encompassing programmes to secure every asset. Therefore, we should make it our aim to understand the business strategy and core values, and what our organisation’s key assets are. A word of warning: the IT organisation is not best placed to understand what the key assets are and often makes the wrong assumptions. Our first step, therefore, should be to ensure we have an up-to-date asset register linked to the corporate governance framework. As assets can vary from Information Assets (e.g. intellectual property, financial data, email, applications) to Physical Assets (e.g. media storage, network, desktops, printers, mobile devices) to Service Assets (e.g. firewalls, anti-virus, proxy servers, user authentication) to Human Information Assets (staff or otherwise), the trick is to make sure that all stakeholders are involved in creating the corporate asset register. The next step will be to prioritise the assets according to their importance to the organisation. Panic not: there should already be a lot of this information available in the Business Continuity and Disaster Recovery functions of your organisation. After all, their role is to ensure that the business continues operating in the event of a crisis, and they should have a fairly good idea of what is “key” to the business. And of course, we must never let the asset register become “shelf-ware”, which means we’ll have to assign accountability to senior executives for the ongoing maintenance of the register. After all, it contains the crown jewels...

So, what about the Risk Assessment then?...
Well, that’s just it. You now have a corporate asset register, with all assets categorised in order of importance. All you have to do now is identify the potential threats to those assets, assess the vulnerability of those assets to those threats, and apply suitable controls to protect those assets, according to the organisation’s risk appetite... but that’s for the next post...
In the meantime, if this sparked your interest, you could look at ISO 27001...
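To make the two steps above concrete (an asset register with owners and priorities, then threats and vulnerabilities scored against a risk appetite), here is a small worked example. It is added here and is not code from the original post or from any framework the post mentions. The four asset types are the post's own; the 1 to 5 scales, the impact x likelihood x vulnerability scoring, the appetite threshold of 30, the twelve-month review period and all the register entries are assumptions constructed for illustration.

```python
"""Asset register, prioritisation and a simple risk score (added example)."""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class AssetType(Enum):
    INFORMATION = "Information"   # e.g. intellectual property, financial data, email
    PHYSICAL = "Physical"         # e.g. media storage, network, desktops, mobile devices
    SERVICE = "Service"           # e.g. firewalls, anti-virus, proxies, authentication
    HUMAN = "Human"               # staff or otherwise


@dataclass(frozen=True)
class Asset:
    name: str
    asset_type: AssetType
    owner: str              # senior executive accountable for keeping the entry current
    business_impact: int    # 1 (negligible) .. 5 (critical), agreed with BC/DR (assumed scale)
    last_reviewed: date


@dataclass(frozen=True)
class Risk:
    asset: str              # name of an asset in the register
    threat: str
    likelihood: int         # 1 (rare) .. 5 (almost certain), assumed scale
    vulnerability: int      # 1 (well protected) .. 5 (exposed), assumed scale


# Constructed sample data; TODAY is the post's own date, everything else is invented.
TODAY = date(2012, 2, 26)
REGISTER = [
    Asset("Customer PII database", AssetType.INFORMATION, "Chief Customer Officer", 5, date(2012, 1, 15)),
    Asset("Email sending platform", AssetType.SERVICE, "CTO", 4, date(2011, 2, 1)),
    Asset("Office printers", AssetType.PHYSICAL, "Facilities Director", 1, date(2012, 2, 1)),
    Asset("Database administrators", AssetType.HUMAN, "CIO", 4, date(2011, 12, 1)),
]
RISKS = [
    Risk("Customer PII database", "External intrusion via web application", 4, 3),
    Risk("Customer PII database", "Insider misuse of privileged access", 2, 4),
    Risk("Email sending platform", "Takeover of sending credentials", 3, 3),
    Risk("Office printers", "Theft of device", 2, 5),
]


def prioritise(register):
    """Asset names ordered by importance to the organisation (highest impact first)."""
    return [a.name for a in sorted(register, key=lambda a: (-a.business_impact, a.name))]


def stale_assets(register, today, max_age_days=365):
    """Entries nobody has reviewed within max_age_days: the start of shelf-ware."""
    return [a.name for a in register if (today - a.last_reviewed).days > max_age_days]


def risk_score(asset, risk):
    """Assumed scoring: impact x likelihood x vulnerability, range 1..125."""
    return asset.business_impact * risk.likelihood * risk.vulnerability


def assess(register, risks, appetite):
    """Score every threat against its asset; anything above the appetite needs a control."""
    by_name = {a.name: a for a in register}
    rows = []
    for r in risks:
        if r.asset not in by_name:
            # A threat recorded against an unregistered asset is a gap in the register itself.
            raise LookupError("risk recorded against unregistered asset: %s" % r.asset)
        asset = by_name[r.asset]
        score = risk_score(asset, r)
        decision = "treat" if score > appetite else "accept"
        rows.append((asset.name, r.threat, score, decision))
    return sorted(rows, key=lambda row: -row[2])


if __name__ == "__main__":
    print("Priority order:", prioritise(REGISTER))
    print("Stale entries :", stale_assets(REGISTER, TODAY))
    for row in assess(REGISTER, RISKS, appetite=30):
        print("%-26s %-42s %3d %s" % row)
```

Two things the numbers alone do not show: the register carries an owner and a review date so that staleness can be reported to a named executive, and a risk against an asset missing from the register fails loudly rather than being silently scored, because the register being incomplete is itself the finding.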

If you like this post, you may also like Part 2...

Until next time...