Wednesday, August 27, 2008

Compromised integrity

Two words we often use in InfoSec... compromise and integrity. But their origins outside of technology are of interest to me today.

Specifically,

Compromise - To expose or make liable to danger, suspicion, or disrepute.

and

Integrity - Steadfast adherence to a strict moral or ethical code.

What do I mean by this? I mean asking yourself what these things mean to you as a member of a community (substitute nation, organization, company, family).

In the tech world, when a machine gets compromised, there is often a battle between the security team and... well, everyone else. Security says, once it's compromised it can't be trusted again - reformat and rebuild from scratch. The techs often say "that'll take hours" or worse, "that'll take days" and of course, it's a critical system. Management agrees, after all, it's going to cost us money to take those services down. And no, there are no hot spares or quick reloads available. In the end, the risk is made clear and the machines are replaced.

But what happens when the human soul's integrity is compromised? Many security folks have been a part of internal investigations. Often the evidence isn't entirely clear on how far an insider may be compromised. Did they make a one-time mistake? Or are they actually malicious? Again, the security folks often recommend termination and replacement. Again, there is often some (but not nearly as much) push back - especially if that person is critical to the organization.

Those who read Geek Girl Detective know how devastating it can be to a company when someone in an important position becomes compromised. It could be the end of the organization itself. But again, is it better for an organization to implode, minimizing the damage of the compromise, or explode with a devastating shockwave of litigation?

I've been told recently that no person should be irreplaceable. The same is true when designing systems. However, in either case, is this always feasible? No. But it's on the table as something that should be thought about and planned for - people and computers.

Thursday, August 7, 2008

What is the bare minimum we can do and still operate as a business?

In her column, The Agency Insider, Linda McGlasson writes in a post, "GLBA and Security Avoidance Questions - Why Are We Not Surprised?", about GLBA compliance.

The post is about her dismay at hearing "What is the bare minimum we can do and still operate as a business?" from many large banks. She goes as far as saying that hearing that is "the number one sign that there is something wrong with the approach many financial services companies are taking on GLBA."

Okay, granted, on the surface this statement does look like sloppiness, cheapness, and/or general dereliction of duty.

But wait, let's unpack this:

Is she saying that banks should spend MORE than necessary on GLBA compliance?

Does spending more on GLBA compliance entail better security?

Audit checklists and industry regs do not always entail improved risk management. But hey, for argument's sake, let's just assume GLBA compliance = adequate security.

Now, let's restate and clarify:

"What is the bare minimum amount of risk management we can do and still operate as a business?"

But what's wrong with adequate (or the minimum amount)? It's the tipping point where protecting an asset becomes more costly than losing it. That's risk management, and just plain dollars and sense.

Okay, but what is that bare minimum? How do you know what that is?

Wouldn't knowing the minimum amount of risk management needed imply a thorough examination of risk and of the value of the protected services and assets?

So to truly make that statement, banks will have to be doing some pretty darned good risk assessment.

And choosing the bare minimum means they are making an informed decision about the tradeoff between business value and risk mitigation.
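To make the "tipping point" concrete, here is an added worked example (mine, not from the post or from Linda McGlasson's column). It models the classic annualized loss expectancy calculation, ALE = SLE x ARO, and then picks the "bare minimum" set of controls: it keeps adding the control whose reduction in expected loss most exceeds its own cost, and stops as soon as no remaining control pays for itself. The risks, dollar figures, and control names are constructed for illustration and are not taken from any real bank or from GLBA guidance.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    """One loss scenario: what a single event costs and how often it happens per year."""
    name: str
    sle: float  # single loss expectancy, dollars per event
    aro: float  # annualized rate of occurrence, events per year

    @property
    def ale(self) -> float:
        # Annualized loss expectancy: the expected yearly cost of doing nothing.
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    """A candidate safeguard with a yearly cost and the fraction of one risk's ARO it removes."""
    name: str
    annual_cost: float
    risk: str        # name of the Risk this control addresses
    reduction: float  # 0.0 .. 1.0 fraction of that risk's ARO eliminated


def residual_ale(risks: List[Risk], applied: List[Control]) -> float:
    """Expected yearly loss after the given controls are in place.

    Reductions on the same risk compound multiplicatively, so a second
    control on an already-mitigated risk buys less than it did on its own.
    """
    total = 0.0
    for r in risks:
        aro = r.aro
        for c in applied:
            if c.risk == r.name:
                aro *= 1.0 - c.reduction
        total += r.sle * aro
    return total


def total_exposure(risks: List[Risk], applied: List[Control]) -> float:
    """Residual expected loss plus what the chosen controls cost each year."""
    return residual_ale(risks, applied) + sum(c.annual_cost for c in applied)


def bare_minimum(risks: List[Risk], candidates: List[Control]) -> List[Control]:
    """Greedy selection: add the control with the largest net saving
    (ALE reduction minus its cost) and stop when no control saves more than it costs."""
    chosen: List[Control] = []
    remaining = list(candidates)
    while True:
        current = residual_ale(risks, chosen)
        best, best_net = None, 0.0
        for c in remaining:
            net = current - residual_ale(risks, chosen + [c]) - c.annual_cost
            if net > best_net:
                best, best_net = c, net
        if best is None:
            break  # every remaining control costs more than the loss it would prevent
        chosen.append(best)
        remaining.remove(best)
    return chosen


# Constructed sample data (hypothetical figures, for illustration only).
RISKS = [
    Risk("customer-db-breach", sle=500_000.0, aro=0.2),  # ALE 100,000
    Risk("branch-laptop-theft", sle=20_000.0, aro=2.0),  # ALE 40,000
]
CANDIDATES = [
    Control("encrypt-laptops", annual_cost=10_000.0, risk="branch-laptop-theft", reduction=0.9),
    Control("db-monitoring", annual_cost=30_000.0, risk="customer-db-breach", reduction=0.5),
    Control("gold-plated-dlp", annual_cost=80_000.0, risk="customer-db-breach", reduction=0.7),
    Control("laptop-tracking", annual_cost=5_000.0, risk="branch-laptop-theft", reduction=0.5),
]

if __name__ == "__main__":
    plan = bare_minimum(RISKS, CANDIDATES)
    print("Do nothing:   exposure ${:,.0f}".format(total_exposure(RISKS, [])))
    print("Bare minimum:", [c.name for c in plan])
    print("Bare minimum: exposure ${:,.0f}".format(total_exposure(RISKS, plan)))
```

With these numbers the model picks laptop encryption and database monitoring and declines the expensive DLP product and the redundant laptop tracker, because once the first control on each risk is in place the second one no longer pays for itself. That is the informed tradeoff the post is describing: the "bare minimum" is only knowable after someone has put a defensible number on both the asset value and the likelihood of loss.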

The only problem I see with all of this is banks should not be asking their auditors "what is the bare minimum I need to do?"

They should be asking their security people.

And they should be answering in a manner that makes sense to someone whose job it is to choose how money is spent for the overall good of the organization.