Friday 23 December 2011

How does Santa comply with Data Protection Laws?

As a father, I'm naturally keen to protect the Personally Identifiable Information (PII) of my children. Not long after the birth of my son came the infamous incident in which Her Majesty's Revenue and Customs (HMRC) lost the PII of every family in the UK with a child under the age of 16... Not a great start.

Another organisation with data on my children is the large North Pole based company run by Santa Claus. He keeps lists of who has been naughty and who has been nice. If we assume this is a binary classification, with every child on one list or the other and no neutral category in between, then the lists must contain personal data on every child in the world. A further assumption is that the data obviously includes the names and addresses of the children, in order to label and subsequently deliver their presents. Data gathered in order to place a child on one list or the other must also cover habits and activities throughout the preceding year, as well as personal gift preferences in case they ultimately end up on the "nice" list by Christmas Eve.

Data held by Santa on children from the UK is subject to legislation including the UK Data Protection Act 1998. Given that international law dictates that the North Pole does not fall within the jurisdiction of any one country, Santa is required to demonstrate that appropriate controls are in place to protect this information when it is transferred outside the European Economic Area. The lack of any national jurisdiction over Santa's organisation also means that he is not subject to any specific local legislation, and the onus is therefore entirely on him to put the appropriate controls in place to protect the data.

Data aggregation and data destruction are issues here. Given the PII of every child is held by Santa, the exposure of one or both lists in their entirety would be a significant breach, as demonstrated in the video "Santa gets hacked!". Does Santa keep multiple lists, perhaps segregated by country or ideally smaller geographical areas, to reduce the risk of exposing all data in one go? On the data destruction side, one must presume that once a belief in Santa has gone then a presence on either list is no longer required. The Data Protection Act requires that PII is only held for as long as it is needed, although the aforementioned video suggests that adults and children alike might be affected by a data breach of this kind. I would like assurances that my own data is not only no longer on Santa's systems, but that any logical and physical storage media is appropriately disposed of when no longer needed.

Given my understanding that the storage and processing of this data is all performed at the north-pole and not outsourced or off-shored to another organisation or country, the storage and processing of the data is less of a concern than the transmission and transport of it, particularly around Christmas.

Firstly, the delivery mechanisms for the letters to Santa are somewhat varied. Although the postal service is an acceptable mechanism for delivering this information, the destination address seems quite hazy and the risk of loss mid-delivery is therefore quite high. For those who choose to post their lists by placing them up their chimney stack and using special Santa-magic for transmission, I have concerns over the unknown elements of that delivery mechanism and what controls are in place to protect the data en route. Given that these lists are subsequently found still up the chimney 100 years later, more current data could be exposed in the same way.

Secondly, on Christmas Eve Santa sets off with his sleigh and the delivery list. Does this list contain only the information required to deliver the correct presents to the appropriate households, or is he taking all the PII around with him? As he enters each house, does he take the list with him or leave it in the sleigh? If the latter, he's leaving himself open to data theft while he's casually downing the latest mince pie and glass of sherry. He may think that the list is safe on the roof, but people got up there to set up the inflatable Santa and light-up sleigh, so there must be access of some sort.

Finally, is it fair to assume that Santa is moving with the times and now takes the list with him on a smartphone or tablet? The risk of losing a device like this is surely greater than the risk of losing paper records of millions of children. Does he link up to the North Pole to get last-minute list updates about those children who won't go to bed on Christmas Eve, moving them from the "nice" list to the "naughty" list during his travels... and is he doing it over your wifi?!? What policies around the use of mobile devices are in place, and how are communications between the sleigh and Santa HQ protected? Encrypting the data, and doing so from every country he delivers to, might create further problems around cryptographic export controls, and he may instead have opted for the easier life of sending it in the clear!

Anyway, that's enough from me for this year... I need to get my Freedom of Information request over to the North Pole before tomorrow night. Have a Merry Christmas and a Happy New Year.

Image: luigi diamanti / FreeDigitalPhotos.net

Thursday 15 December 2011

Stable systems leave us unprepared for incidents

Many years ago I worked on the shop floor of a national retailer. When the tills failed for one reason or another, there was a manual process that had to be quickly rolled out. Out came the pocket calculators, hand-written receipts and manual credit-card imprinters. At the time, this was not an uncommon occurrence and all the staff consequently knew what they had to do. The process took a bit longer, but we were quite slick at keeping the traffic moving through the shop, even the time it happened on the Saturday before Christmas.

Nearly 20 years on and I'm not sure that this would necessarily still be the case. As the IT supporting these services becomes more stable, the instances of outages happen less often and there is less working knowledge of what needs to be done when a failure occurs. Only through training and practice can businesses be sure that their staff know what to do in the event of an incident. Without this, organisations risk losing business due to not being able to sell their goods and services at the time when people want to buy them. The expectations of customers to be able to buy what they want when they want to and be processed as fast as possible are certainly far greater now than they were in the early nineties, and there are more alternative options now for them to make their purchase.

It was an article in The Register which made me consider this as a topic to cover. Although not a recent finding, the article comments on the outcome of the investigation into the crash of Air France flight 447 in 2009, which concluded that after the autopilot disengaged, the pilots did not have sufficient skills and experience to fly the plane manually. This issue resulted in the flight plunging into the Atlantic Ocean with the tragic loss of all 228 people on board. The report highlights that pilots become so dependent on the autopilot, using it for many of the tasks in the flight, that when it is suddenly and unexpectedly unavailable to them, their skills at piloting a plane the "old fashioned" way may be somewhat rusty.

This highlights the importance of incident training and business continuity exercising. A business continuity event or crisis is something that no business wants to think will happen to it, but as I've mentioned in previous posts, there are many external and uncontrollable factors that can introduce this scenario. Don't just test IT failover or run the generators... Test and exercise the people who will be expected to take the reins, assume "manual control" and make difficult decisions in a short time-frame that may ultimately save costs, reputation and, in many cases... lives.

Image: bk images / FreeDigitalPhotos.net

Thursday 24 November 2011

Data destruction - don't forget the printers

Last week my Multi-Function Printer (MFP) gave up the ghost and given its age and the probable cost of repair, I decided to invest in a new one. Despite the fact that it would no longer actually print any more, I'm aware that there is a thriving "repair or spares" market out there and I probably could have got a bit of cash for it intact. However, many modern peripherals of this type store data for spooling print jobs and processing scans and copies. The storage media in the device could still contain details of documents printed, scanned and copied. I know from when I've run multiple-page documents through the document feeder to make multiple collated copies that it will easily store the entire document before churning out the copies. When I think of some of the data that's been through my device, I'm not willing to take the risk of letting it go without taking further precautions.

However, for these types of home/small office devices, the risk is quite low: the storage is integrated into the electronics and, as far as I'm aware, for this type of device it is volatile memory that shouldn't hold any data once the power is off. The possibility of data remanence in this type of memory is still present, though. It is therefore more difficult to interrogate and probably not worth the time of a data thief, given the amount and quality of data they could ultimately expect to get out of it.

Business MFPs used in offices are more likely to be a target as they often contain standard hard drives, storing a lot more data and can be more easily interrogated. Potentially there is a greater reward for the data thief as the information they contain would be more valuable to other parties than what may be contained on a typical home printer. Organisations therefore need to ensure that they don't inadvertently disclose confidential data that has been printed, scanned or copied through these devices by not taking appropriate measures when they are sold or otherwise disposed of.

The case for selling these devices intact is that refurbished office MFPs are still of some value. However, the additional benefit of the office MFP is that the data storage medium can be more easily replaced or appropriately cleansed. This also doesn't have to be a difficult task with many enterprise MFP manufacturers having security documentation (often composed in partnership with organisations such as NIST) for how to ensure that these devices are managed, operated and disposed of securely.

This certainly isn't a new issue, and there have been plenty of articles talking about the associated risks, as well as media reports about the data that has been recovered from devices bought from various organisations. However, my recent MFP replacement prompted me to write this post, as these devices are not always appreciated for their data storage capabilities and can be one of the easily missed controls, exposing some of the most confidential information.

Image: renjith krishnan / FreeDigitalPhotos.net

Thursday 17 November 2011

What is the scope of Information Security?

Defining the scope of the information security organisation, and ensuring that the appropriate elements are included, is still something that needs careful consideration. My view is to go back to basics and look at what you are trying to achieve with this function. Information Security is concerned with the security of information (shocker!), and in order to achieve this you need to consider what information is; in what forms it is stored, processed and transmitted; and by whom, through which mechanism, or within what type of environment/container. These factors allow you to assess the vulnerabilities of information in its various formats and situations, what threats are present and therefore what the risk to that information is... this is probably sounding familiar.

When considering the risks around information in IT systems, this includes any piece of IT in your environment from the enterprise level systems management environment to the USB stick on a keyring. These systems will hold information or be capable of holding information which should be classified by the organisation according to its sensitivity. Even devices which don't have an end-user storage capability such as network devices hold device configurations, the disclosure of which to unauthorised parties might compromise the desired obscurity of the network configuration or the intellectual property of the organisation who defined the configuration in the first place.

The "wider than just IT" remit

A key consideration is information in other, non-IT forms: contracts, financial documentation and HR records on paper are key information assets to the organisation and should be included in any risk assessment. People are the other element for consideration. Who is going to access your information: employees? contractors? customers? third parties? Once information has been read, it is transferred to a much more unpredictable storage medium, the human brain. Information that was once in a secure environment within the corporate building becomes "you'll never guess what I've just read about!" on a mobile phone on a train. The reputation of your organisation is therefore an asset at risk. Once in the hands of people, your control over your information is reduced, and other controls, both IT and non-IT, are required to protect the data, from encryption on portable media to awareness training.

In considering the threats and vulnerabilities of information, you need to consider how you manage the information in a number of circumstances, how you control the information assets in your company and how you ensure that your employees, contractors, customers and third-parties are trustworthy enough to have the information, are trained in the importance of information protection and have contractual or legal measures to protect the company from any unauthorised disclosure. You also need to consider the physical environment in which the information is held. It's all very well putting amazing IT controls in place if someone can walk into an office or datacentre and simply stroll away with it.

The ability to respond to adverse events will also act as a key control to reduce risk. The more prepared you are, the faster you can react to any event which threatens the security of information, the more you can limit any damage and the faster you can recover. Incident Management and Business Continuity therefore go hand in hand to address this requirement at different levels. Preparation includes training, good information flows, documented processes, awareness and exercises. Key to this is ensuring that everyone has the ability to identify a security incident and alert the appropriate contact - defining when an incident becomes a security incident is another topic for discussion.

Once all these factors are included with all the IT controls, they must be checked for compliance, which includes not only to internal policies but also to legal and regulatory standards. Many standards with which organisations need to comply will go beyond the IT systems and focus on the information itself, such as data protection legislation.

How the scope pans out

The scope of information security therefore includes elements such as IT Operations, Human Resources, procurement, service management, physical security, incident management, business continuity, legal and compliance. There will be separate departments that implement and manage the controls within the organisation and it is the remit of information security to ensure that the processes they operate take into account the controls required to mitigate the risk and that cooperation is obtained for audit and compliance work. This should be in the form of a working partnership, not a dictatorship.

When you consider the integrity and availability of information in addition to its confidentiality, the scope increases further. As an example, physical security should include not just fences, locks, biometrics and CCTV, but also the physical attributes that maintain the availability of data, such as the ability of the building to resist environmental threats like extreme weather, the stability of utilities such as electricity and the resilience of the cooling system in server rooms.

Security can be whatever you make it, and different models will fit different organisations. However, to properly consider all the risks to the information you need to protect, you need to think beyond the IT and look at all the information that is of value to your organisation in any format.

Image: jscreationzs / FreeDigitalPhotos.net

Thursday 10 November 2011

Security Policy: Just carry on as usual

How many times have you questioned the way something is done, either because it may not make sense or might be overly onerous, only to be told that we have to do it that way because the policy says so? Do you accept that and carry on, or do you question further? Who wrote the policy (and are they even still around)? How did they decide that this was the best course of action? What influenced their decision in terms of the benefits gained or issues avoided by doing things this way?

It can be easy for a policy to become a de facto standard, continuing long after the justification for having it in place has gone. Additionally, as time goes on, the policy becomes so ingrained in the consciousness of those who follow it that soon nobody questions why any more, and new people exposed to the policy are consequently dissuaded from questioning it. This issue is illustrated well by the story of the monkeys in the cage. I like to use this story and I don't know where it originated, so I can't take any credit for it myself. It goes something like this:

There is a cage containing five monkeys. It is a tall cage with a bunch of bananas hanging from the top of the cage out of reach. A ladder in the cage would allow the monkeys to climb up and enjoy the bountiful fruit above. Unsurprisingly, very quickly one of the monkeys starts to climb the ladder to get the bananas and ALL the monkeys get sprayed with ice cold water. The monkey on the ladder quickly retreats and the water stops. Shortly afterwards a second monkey starts up the ladder and all the monkeys get sprayed again and he comes back down empty handed. By the time a third monkey starts up the ladder, the other monkeys pull him down to avoid the ice water spray. Soon none of the monkeys are trying to climb up the ladder as they know what will happen.

One of the monkeys is then replaced by a new monkey who has not witnessed anything that happened to the other monkeys and understandably soon starts up the ladder to get the bananas. Immediately the other monkeys, keen to stay dry, roughly pull him down and apply some physical persuasion to make sure he doesn't try it again. The monkey gets the message and does not try to go up the ladder again. Another of the original monkeys is replaced and the newcomer once again starts to make his way up the ladder. All the other monkeys inflict a beating on the new monkey, including, crucially, the previous new monkey, who simply accepts that this is what happens when someone tries to get up the ladder. Perhaps this is something he does to feel part of the group, not wanting to challenge the status quo without knowing the background, and making up for his previous error of judgement in climbing the ladder himself. When a third original monkey is replaced, the process continues in exactly the same way.

Ultimately all the original monkeys have been replaced and none of the monkeys have ever been sprayed with water. However, none of the new monkeys try to climb the ladder and none of them know why. All they know is "it's just the way we do things around here".

The story illustrates the downside of policies which are not reviewed with any regularity. I know how easy it can be to let policies stagnate, typically because other business priorities and requirements take precedence.

The main problem with failing to review and update policies is that your security controls may no longer be applicable to the risks that you face. If you review policies by just reading through the policy to see if anything needs to change, then you're most likely to just say "that sounds about right" and perhaps just change any outdated terminology. This is a false review as it won't address any changes in risk. By reviewing policies from the perspective of a risk assessment done at regular intervals (e.g. after any significant change or incident and at least annually) then you can consider the assets you are trying to protect, the threats against them and therefore the controls that are required to protect them. These new required controls can then be compared to the policy and any gaps reviewed and more appropriate controls applied.

Awareness is another key factor here. By the time all the monkeys have been replaced, the banana acquisition policy may have been updated to remove that crucial ice-cold soaking element. However, if this isn't communicated effectively to the monkeys then they will continue in the belief that the previous policy is still in force, not only depriving themselves of the fruit but continuing to needlessly inflict violence on anyone who tries to climb the ladder.

Another issue with out of date policies is also related to the beating that those poor new monkeys had to take after trying to get up the ladder. The policy was in place, nobody could justify the controls, and questioning or challenging the policy was actively discouraged. Unfortunately this ultimately gives security a bad name and the security department are seen as the bad guys who actively inhibit new ideas and growth. This is converse to the desired stance of security as an enabler to the business, which is how the security plan gets management buy-in, support and of course... funding!

So avoid ineffective controls and a bad reputation by reviewing and updating policies regularly, based on the output of risk assessments and communicating the changes effectively to those concerned. Then nobody needs to get covered with ice cold water, staff can challenge and ask questions without fear of retribution and the business can have all the bananas it can eat.

Image: wandee007 / FreeDigitalPhotos.net

Thursday 3 November 2011

ISO 27001 vs PCI-DSS: Security Management vs Security Controls Standards

I've seen many discussions from people looking to align to ISO 27001 that lead me to believe that there is still quite a misconception about what the standard is and how it works.

For many organisations, the past few years have featured the letters PCI-DSS quite prominently. Brought in to regulate the manner in which credit and debit card data are managed following a number of significant and high-profile losses, the Payment Card Industry Data Security Standard defines in exacting detail the controls that need to be applied to protect the data and how they should be tested and audited. The standard defines specifically the data it needs to protect and applies it to anyone storing, processing or transmitting this data. Consequently, almost all retail companies and any other businesses that accept card payments need to implement it and ensure that any service providers they use also meet the requirements of the standard.

The reason that PCI-DSS is able to be so prescriptive in its security controls and auditing requirements is that there are a significant number of constants in play, regardless of the size of the business. The data requiring protection is always of the same type (card numbers, cardholder name, expiry date, etc.) and the controls for each data type are therefore constant. The threats to the data are the same, and the level of impact depends only on how many payment cards are being handled. The risk assessment has already been done in advance and the controls defined to reduce the risks appropriately. This is all defined regardless of the type of business, the size of the business or other threats that may be present in the wider enterprise of the businesses in question.

Why is ISO 27001 different?

Unlike the security controls-based PCI-DSS, ISO 27001 does not apply to any particular industry sector, type of data being protected or specific risks or threats. It is a security management-based standard that expects the organisations implementing it to work out these factors for themselves and continually assure their effectiveness. You can therefore apply ISO 27001 to a multinational IT services provider, seeking to protect assets including corporate data; client data; research and development data; IT systems; the buildings and datacenters where the data is housed; the staff, contractors & client personnel; and their business reputation. These are all things which have value to the company and which have vulnerabilities of their own, which are subject to threats and which are therefore facing a level of risk from certain internal and external factors.

Conversely, you can also apply ISO 27001 to "Bob's Corner Shop". Bob may run a single shop in which he has assets including himself and a couple of staff, the shop itself, stock/inventory and perhaps a PC on a desk which he uses to keep records of stock levels and maybe customer accounts. These things are still assets to Bob and still have vulnerabilities and threats posed to them. The impact of Bob's PC crashing and having to be rebooted though is somewhat less than the impact to the IT services provider example above losing power to its core IT infrastructure. The risk therefore is different. Bob also needs to consider things like physical and environmental security, but his controls are more likely to be a good lock on the door, a burglar alarm and a modest air conditioning unit - somewhat different to the multi-factor defense in depth biometric controls, 24/7 guard-force monitoring CCTV and complex HVAC systems deployed by the IT company.

The important thing is that the controls you choose to avoid, mitigate or transfer the risk need to be appropriate. A security control is only appropriate if the cost of implementing and running it is less than the cost of the risk it mitigates, should a security event/incident occur. If Bob decides to implement a two-factor biometric access control system for the store and an enterprise-level anti-virus system for his PC, then he'll be spending far more on those controls than the cost of replacing the assets he's trying to protect. If Bob wants to be able to accept credit card payments, then he will most likely choose to pay a fee to a payment processing service, rather than implementing his own PCI-DSS compliant IT network.

It is because of these differences between the various adopters of ISO 27001, their risk levels and their risk appetites, that the controls cannot be prescribed and specific within the standard itself. If ISO 27001 were to mandate controls at the enterprise level, then Bob would never be able to align his business to the standard. Conversely, if the standard were to mandate only a door lock and a burglar alarm as the sole physical security controls, this would not appropriately address the risks facing a data centre.

Managing to both ISO 27001 and PCI-DSS is about constantly assessing risk and reviewing measurements of effectiveness, which could be taken from audits, events or ad-hoc observations. The main difference between the two is that for PCI-DSS this is done by the PCI Security Standards Council, which releases updates to the PCI standards when the current controls need updating to address a new set of risks or threats; businesses managing to PCI-DSS will still audit, but only to ensure that they are meeting the defined controls. The risks that might affect the PCI standard will, however, be based only on new threats or risks to payment card data rather than to an entire enterprise, and the factors that may affect the standard perhaps do not occur very often. The mandate for compliance globally for all organisations handling this data also makes it more difficult to change the PCI-DSS standard too often.

Where PCI-DSS will remain static until the next version is released, the controls implemented for ISO 27001 could change in response to a specific incident, a change of risk profile based on new threats or a change in management's risk appetite. Therefore, with support from management throughout the organisation, the policies in place for ISO 27001 can bend and flex gradually to deal with changing risks.

ISO 27001 and PCI-DSS sit very well together within an enterprise. The security management to ISO 27001 will assess all risks to the enterprise across all assets and will define appropriate controls to mitigate those risks to a level within the risk appetite of the company. Provided the ISO 27001 controls defined meet the requirements of PCI-DSS for those systems in scope for handling payment card data, then it fits nicely into the security management system. It may be that the risks assessed for the enterprise mandate stronger controls than PCI-DSS in some areas, in which case an enterprise-wide control will automatically meet the requirements of the PCI-DSS standard. If the risk assessment determines that a lower level of control is required, then provided the systems in scope meet the requirements of the controls in PCI-DSS, all other systems can be managed in line with the lesser enterprise controls.

Photo: Photostock

Thursday 27 October 2011

Event Correlation: There is no such thing as BAU

BAU or Business as Usual is a term that is used to define a number of different things depending on the nature of your business. For projects going through new implementations or changes, the progress through transition, transformation and testing ultimately leads to the point where it is supported by the normal business and technical management processes that will keep it going until the next major change. More generally, BAU is used to describe the steady state of any process, service or infrastructure, the point at which there are no exceptional changes or problems and where it can easily "tick over" in the same way day after day.

BAU can however lead you into a false sense of security. Achieving a steady state of operation should make it quicker and easier to identify issues which arise. However, problems occur when you start to consider regular issues or low-level low-impact incidents which occur on a daily basis, as normal or part of the BAU operation. Once you do that, you may be ignoring the signs of a larger problem which is bubbling away under the surface.

There are a number of shows on TV now that dissect significant incidents and disasters to examine how they were caused. Typically, these incidents are things that are in the public conscious, were heavily reported in the news at the time and either threatened or took lives. Incidents such as plane crashes, train accidents, ferries sinking or industrial accidents of some kind are all subjects of these shows. The key point made by all of these programmes is that these things don't just happen without any warning signs and cannot be attributed to a single issue or failing. These types of incident are a chain of events which have come together to cause a far more significant incident or disaster. The reason that these issues are not identified in time to prevent a disaster is that they are each only visible to different people, have no correlation or visibility in a holistic fashion and more often are not considered to be issues because they are just things that happen as part of Business as Usual.

For a plane crash, the programme will talk about a number of minor factors which could contribute to an accident: the maintenance team not following proper procedures in order to get their job done quicker, the ground crew who ignore an issue with the plane, the fuel truck driver who incorrectly tries to convert litres to gallons, the pilots who don't get enough sleep and are not fully alert, the air traffic controller working long hours with too many planes to manage, the airport with out-of-date equipment to facilitate landings, the company that transports dangerous materials on the flight without appropriate controls, or the airline that pushes for faster turnarounds to make or save more money. These are all typical findings, but they are all treated as normal events and not given visibility at a level that can assess the overall risk to the flight itself. It's not until after the event that someone (typically the team investigating the crash) puts all the pieces together to show the chain leading up to it. By then it's too late.

The same applies in information security. Events don't just occur and incidents don't happen without warning. However, there are often minor issues which are ignored as "acceptable failings": the patches that don't get applied in time, the ongoing virus detections which are quickly handled by the AV and never investigated, that one ID that always seems to log failed access attempts, the documentation not completed during changes because it holds the process up too much, and the demands from customers and management to respond faster and achieve more in less time. On their own, these may just be treated as BAU occurrences, but they may actually be symptoms of a larger problem bubbling away under the surface. The only way you're going to identify the true risk posed by the aggregation of these events is firstly to have visibility of them and secondly to understand how these individual issues might ultimately combine to cause a larger problem. This is where event correlation is important.

There are plenty of options for Security Information and Event Management (SIEM) tool sets to correlate event data from the many technical sources within your environment. The signature of a security event can comprise information from many sources in the network which individually may not seem significant. However, SIEM tools are only part of the solution. Although they can sift through potentially millions of alerts and log entries to give a concise and actionable picture of technical events, this then needs to be combined with other information to give you a correlation at a higher level. Process failings and incidents which are not detected through technical measures are also elements which can contribute to a security incident, and it may be that a low-level correlated event from your SIEM system, combined with additional information gathered externally, indicates a more significant threat than you realised you were facing. Security management standards such as ISO 27001 define the importance of measuring the effectiveness of all your security controls, not just the technical ones, as an ineffective manual or procedural control can just as easily contribute to a security incident. The human element is not only potentially the weakest link but is typically also performing the types of controls where failings and effectiveness shortfalls are far more difficult to detect, because no technical monitoring is in place.
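To make the correlation idea concrete, here is an added example (my own illustration, not code from any SIEM product or from the original post). It takes the kinds of "acceptable failings" listed above, some from technical logs and some from non-technical sources a SIEM never sees on its own (a patch compliance report and change records), and raises an alert only when several low-severity events from distinct sources cluster on one asset within a time window. All log lines, host names, users and field formats are constructed for the example; the scoring weights and thresholds are illustrative, not a recommended tuning.

```python
"""Toy cross-source correlation: events that are individually 'BAU' become
an alert when several of them, from different sources, cluster on one host."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. Hosts, users and formats are hypothetical and do
# not come from any real product or environment.
AUTH_LOG = """\
2011-11-14T08:01:10 host=fin-ws-07 user=jsmith result=FAIL
2011-11-14T08:01:14 host=fin-ws-07 user=jsmith result=FAIL
2011-11-14T08:01:20 host=fin-ws-07 user=jsmith result=OK
2011-11-14T09:15:02 host=hr-ws-02 user=akhan result=FAIL
"""

AV_LOG = """\
2011-11-14T10:30:45 host=fin-ws-07 threat=Generic.Downloader action=quarantined
2011-11-12T16:02:11 host=hr-ws-02 threat=Adware.Toolbar action=quarantined
"""

# Procedural sources a SIEM does not collect by itself (also constructed).
PATCH_REPORT = [
    {"time": "2011-11-13T00:00:00", "host": "fin-ws-07", "missing_critical": 3},
    {"time": "2011-11-13T00:00:00", "host": "hr-ws-02", "missing_critical": 0},
]
CHANGE_RECORDS = [
    {"time": "2011-11-14T07:45:00", "host": "fin-ws-07", "documented": False},
]

# Every event kind is individually low severity: none trips an alert alone.
SEVERITY = {
    "auth_fail": 1,
    "av_quarantine": 1,
    "missing_patch": 1,
    "undocumented_change": 1,
}

KV_RE = re.compile(r"(\w+)=(\S+)")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_kv_log(text, kind, keep):
    """Parse 'timestamp key=value ...' lines into events, keeping only lines
    for which keep(fields) is true (e.g. only failed logins)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(KV_RE.findall(rest))
        if keep(fields):
            events.append({"time": _ts(ts), "host": fields["host"], "kind": kind})
    return events


def collect_events():
    """Normalise technical and procedural sources into one event list."""
    events = parse_kv_log(AUTH_LOG, "auth_fail", lambda f: f["result"] == "FAIL")
    events += parse_kv_log(AV_LOG, "av_quarantine", lambda f: f["action"] == "quarantined")
    for r in PATCH_REPORT:
        if r["missing_critical"] > 0:
            events.append({"time": _ts(r["time"]), "host": r["host"], "kind": "missing_patch"})
    for r in CHANGE_RECORDS:
        if not r["documented"]:
            events.append({"time": _ts(r["time"]), "host": r["host"], "kind": "undocumented_change"})
    return events


def correlate(events, window=timedelta(hours=48), threshold=4, min_sources=3):
    """Per host, slide a window over time-sorted events. Alert when the summed
    score reaches threshold AND the events span at least min_sources distinct
    kinds, so a burst from a single source (e.g. one noisy ID) is not enough."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            score = sum(SEVERITY[e["kind"]] for e in in_window)
            kinds = sorted({e["kind"] for e in in_window})
            if score >= threshold and len(kinds) >= min_sources:
                alerts[host] = {"score": score, "kinds": kinds}
                break
    return alerts


if __name__ == "__main__":
    for host, a in correlate(collect_events()).items():
        print(f"ALERT {host}: score={a['score']} sources={a['kinds']}")
```

With the constructed data, fin-ws-07 has two failed logins, one quarantined detection, missing critical patches and an undocumented change within two days; each on its own scores 1 and would be ignored, but together they cross the threshold from four distinct sources. hr-ws-02 has one failed login and one old adware detection and stays quiet, which is the behaviour you want from a rule that looks at the chain rather than the individual link.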

The upshot is that it is important to know your operating environment and to have an overall view both of the minor incidents that may currently be treated as 'normal' and of the effectiveness of all your controls, technical and procedural. Only by correlating these events, and by understanding that even where the risk of each one is individually negligible the combined risk may be intolerable, will you be able to predict and prevent the big incidents or disasters.

Photo: David Castillo Dominici

Thursday 20 October 2011

2012: Thinking beyond The Olympics

The London Olympics next year are very high in the public consciousness and will continue to be so. The increase in traffic and the number of people using many services, including public transport, means that businesses in central London are already gearing up for potential disruption and putting plans in place to reduce the impact of the event. This is certainly a good move for companies in the middle of town, but what about the rest of us? If you don't have a significant central London presence then you're probably not too concerned. However, here are some other factors to consider:

Geography: other sites and transport links

It's probably fair to say that central London is going to be worst affected in terms of traffic but there are a number of locations outside of the M25 which will also be holding events. Consideration needs to be given to where spectators will be travelling from and by what means. Spectators from other countries may not spend their entire time at the games, so tourist areas around the country, particularly in the South East will see an increase in visitors. If you're doing business in areas of interest to tourists in general, have you considered the potential impact?

Timeline: when does your plan start and end?

What timeframe do you use when planning for any disruption? Do you start and end at the opening and closing ceremonies or consider inclusion of related events such as the Olympic torch relay and the Paralympics? From the torch relay arriving in the UK on 18th May to the closing ceremony of the Paralympics on 9th September is over 100 days. If you've only planned for three weeks then maybe it's time to rethink?

Suppliers and Customers: secondary and tertiary elements

Your business may not be based in central London or even have a significant presence in and around the capital. What about your suppliers and other third parties on which you rely? Having dealt with the primary consideration of your own business, you then need to consider the secondary impact of your suppliers not being able to fulfil their obligations to you. I've previously discussed the issues of companies relying on trains and the tube to get their staff into work. These are third parties over which you have no control and no agreed levels of service. It is important to make sure, therefore, that those third parties with which you do hold such contracts have considered how they are going to continue to provide the required levels of service throughout the games. The tertiary elements are the suppliers to your suppliers. For key third parties, it's one thing to have them guarantee a level of service to you, but can you be sure that they have undergone the same level of due diligence for their own suppliers? The secondary consideration is ensuring your suppliers can still provide services to you; the tertiary consideration is ensuring that they are also considering the same risks to their businesses.

Your customers are the other group with whom you have contracts and to whom you have committed an agreed level of service. As well as making appropriate plans during 2012 for your own benefit, customers will want to see that you are also considering the continued provision of service to them. Where that service relies on infrastructure that will be under increasing demand and pressure during the Olympics, the basis of this requirement is well-founded.

Staff attendance: has everyone got tickets?

How many of your employees successfully obtained tickets for an Olympic event? How many have tickets for the same event? You may not get an idea until the opportunity to book time-off for 2012 comes around, but even then you will have people who wait until closer to the time to book their holiday even though they've had their tickets booked and the dates known for over a year.

Minimum notification periods, the ability of management to reject holiday requests and the threat of disciplinary action for taking time off without approval may not seem as important to some individuals as the seemingly once in a lifetime opportunity to be at the London Olympics. You may know how many staff have requested leave on a particular day but how can you be sure until the day arrives and people turn up (or not)? Being ready for staff shortages during key events is important. You may feel comfortable in the knowledge you can discipline or even dismiss those who deliberately do not turn up for critical duties, but that doesn't help you on the day.

Other events in 2012

The Olympics, in isolation, are going to be disruptive enough, but don't forget all the regular and special events that happen throughout London that might just add an additional level of complexity and concern to an already busy summer. The Queen's Diamond Jubilee earns us an extra bank holiday in June and will include a number of events around the capital, and Wimbledon attracts plenty of crowds and will do the same again across June and July. The Notting Hill Carnival promises to once again be bigger and better in 2012 than in previous years, and there are plenty of festivals and other events across the capital which will help contribute to the mayhem.

Now is the time to act!

Don't leave it until the last minute to prepare yourself for next summer. Act now to make sure you're ready for possible disruptions:

- Think about which of your suppliers may be affected by disruptions.
- Consider which critical suppliers you want to approach to discuss their plans to deal with how any disruptions may affect their supply chain.
- Consider how disruptions in London may affect your customers.
- Find out who in your company is planning to take time off, well in advance.
- Consider the timeframe you want to plan for. How does this match up to critical times in your own business processes?

Photo: xedos4

Thursday 13 October 2011

Do I trust you with my most precious asset?

Getting security into the mindset of others and helping them to appreciate the benefits that security provides from the outset can be difficult. As you may already have seen, I do like to use analogies to put security into the context of a subject that others are familiar with. For service providers and outsourcers, a useful example is to look at potential customers as parents who are choosing a school for their child. Having been through this process recently myself, I've been able to draw some useful comparisons with similar situations in business.

For parents choosing a school for their child, particularly the first school for their first child, this can be quite a daunting experience. Your child is your most valuable asset and for the most part you have been their primary influence, responsible for defining every facet of their existence and for making every choice in their life. You have had complete visibility of everything they do and how each experience has made them the person they are today. The time has come, however, to entrust part of that responsibility to someone else, someone you don't know, with little visibility of how well they will continue the work that you have started. You can read reports from Ofsted (the schools inspector) which define how well the school is performing against others in the area, you can look back into the history of the school, its performance and the exam results it has produced. You may speak to parents of children already in the school to see what they think of it, or perhaps listen to rumours and stories in the local consciousness about the school.

There is certainly a lot of information available to help parents make a judgement on a school for their child, but the key element for many is the point when they get to visit the school and meet the head teacher. Until this point, the information gleaned has either been based on empirical results or on second-hand information from others. Seeing the environment for yourself and meeting the head teacher, and most likely other members of staff, will be the first opportunity to form your own opinions and ask your own questions. For many, this may be the differentiator and the biggest factor in how you make your decision. The figures will show how good the results are, but parents still want to know how their child will be engaged with and treated during their time at the school, and will also want to know that they will be protected from harm and from any risks they may face during their time there. Parents also have varying preferences for reporting and information. Some will be happy to entrust their child to the school with complete faith and rely only on report cards and parent-teacher meetings for feedback. Others will want to know the minutiae of how each lesson is taught. Much of the assurance parents get from this meeting is their confidence in the school and the staff to keep their child safe and secure in an environment outside of their control. Only if the information provided in these meetings is to the satisfaction of the parents will they make the decision to entrust their child to the school.

This is very similar to businesses outsourcing elements of their IT or moving to a managed service. At a time when many companies are feeling the pinch from the economic downturn they may be turning to outsourcing to save costs and for many this may either be their first time or be the most significant move to entrust their data to another organisation. Without anywhere near as much information and visibility of prospective providers as they have of their own company, they will seek to gain as much information and assurance as possible. Analysis of the providers' performance and capabilities will give potential customers a good baseline on a shortlist. The really valuable information to differentiate a service provider from its competitors will come from the detailed and specific information that is exchanged throughout the bid process. Assurances that the supplier can deliver the required solution to the required standards will be a key measure, along with the cost effectiveness of the work. Customers also want assurances which may not be as easily set in stone as the technical design and cost. Making sure that their data is available when they need it will be defined within SLAs and recovery objectives but how can they be sure that the measures that make their information so highly available to them and their customers won't make it available to any unauthorised parties?

Security assurance can often be given in terms of certifications or accreditations held and the results of audits conducted. A visit to a service provider's facility will give customers peace of mind that the physical security controls are sufficient to protect their data, as well as the required environmental and power resilience controls. Customers will bring their own security people to talk to the service provider, and whilst the IT people are discussing how many megabits-per-second they need to transmit their data, gigabytes of RAM to process it and terabytes of disk space to store it, the security people will want to make sure that the data is being transmitted, processed and stored in an appropriate manner with controls that suitably mitigate the risk. The security people need to give assurances to their business that the data they entrust to the service provider is safe and properly protected from threats. This can be a make-or-break factor in any deal and will often require more than just assurances of compliance with any mandated regulatory standards. The security person that the service provider includes in that meeting needs to be able to give the customer the assurances they need that their data will be in safe hands and will be treated with the same care and consideration as if they had maintained it in-house.

Security built into a solution from the start is therefore more than just a technical solution consideration but requires a full risk-focussed assurance role to give potential customers the confidence they need that not only their service but their data will be safe in the service provider's hands.

Photo: Arvind Balaraman

Thursday 6 October 2011

Availability: More than technical resilience

It's easy to let the definition of information security controls become biased towards just the IT and not the data or wider assets. The IT, although an asset in itself, is very much a supporting tool to store, process and transmit the data assets. This includes your data and your customers' data, and it should be classified according to its value and the impact of loss, unauthorised access or change. Data will include general company confidential data, intellectual property, personally identifiable information or data which, if exposed, may harm the competitive advantages of the business. Confidentiality is always a key concern for data, and availability is typically left to the technical resilience of the IT systems in which the data is contained.

It's only when you look at assets other than the data and consider how to protect those and how they interact with the data that you need to think about more than IT. Other assets include people (staff & contractors), buildings, supporting services/utilities and the reputation of the company. Reputation is always a difficult one when you need to quantify the level of impact of any event, but you can certainly think about the type of events you want to mitigate against to keep customers happy and ensure potential customers want to do business with you. How you deal with the risks against other assets will in turn help to protect this one.

Having systems backed up or having a failover system is all well and good, but how do people access that data if their normal routine is disrupted, or if they cannot physically access the location where they normally connect to the systems and are not aware of alternative options?

IT failings are only one element of business continuity events. Common causes include business locations being inaccessible or staff journeys being impacted, predominantly for reasons outside of the control of the organisation, such as bad weather. Whenever it snows in the UK, the country tends to grind to a halt, either through inaccessible transport routes or through staff not wanting to risk travelling or not knowing how to handle the conditions properly. Every time we get more than an inch of snow, lots of people will ask why we weren't more prepared and why we didn't learn from last time. Someone will typically relay a story about how the last time they flew to Calgary (or a similar location) there were fleets of snow ploughs constantly clearing runways, and ask why we don't have the same at Heathrow. For most observers the answer is obvious: Heathrow only gets disrupted a handful of times a year by snow and typically recovers quickly. Calgary, however, is somewhere people go because they have so much snow, and therefore they are far more likely to invest in controls and infrastructure to keep planes landing in all conditions. Where snow is something of an irregular irritation for Heathrow, it is an indication of the prime business environment for Calgary, so well worth the investment in the fleet of ploughs (plus sweepers, blowers and melters).

Industrial action is another continuity consideration. We hear how a day of strikes has caused "so-many-millions of pounds of lost business", but this shouldn't need to be the case. If the only way for staff at a company to continue working is to jump on a train or tube and go to a specific building, then that's a significant dependency you are placing on another organisation with which you have no contracted service levels. If a strike takes out this one and only access mechanism and the only backup options are full to capacity with other companies' staff impacted by the same event, then you have left yourself unprepared.

A Business Impact Analysis (BIA) of all elements of the business will help assess each activity and how the loss of it for different periods of time might impact the business as a whole. Typically the technical roles within the company will know what they need to do if the requirement comes to connect remotely, and often do so on a regular basis anyway. It's the functions that are often considered to be back-office that are perhaps less ready for a continuity event. Functions like procurement, billing and payroll are traditionally office-based activities, working from desktop PCs with data maintained locally. Although a BIA might indicate minimal disruption to the business if these functions were not able to work for a day, the requirements for a company to buy goods and services, bill its customers and pay its staff become more critical for longer, more protracted outages. Suddenly, without these functions, other measures that organisations have in place for resilience can be affected. Automation and remote management capabilities for these functions are all well and good, but if they are only going to be used in an emergency, how do you make sure that the people in question know what to do and when?

Exercising in Business Continuity is just as important as any other availability control. There's no point in implementing continuity measures if nobody knows that they are there or what they need to do with them. Any business will hope that it never needs to use its continuity measures and the chances are that any event may happen long after the measures are implemented. Keeping the measures up-to-date and making sure they technically work is one part of testing. Exercising the people is another. These tests should be defined as part of a wider crisis management plan to test against multiple scenarios.

In conclusion, technical resilience is only a small part of ensuring the availability of services and data. The criticality of each business area, and the impact of the loss of any of them for varying periods of time, should be understood. Once controls are implemented to reduce the risk or impact of different events, both the controls themselves and the people required to operate them need to be exercised, so that both work in the event that they are required.

Photo: think4photop

Thursday 29 September 2011

The "Hollywood baddies" approach to security awareness

Training and education for staff who have security responsibilities as a key part of their role should be a standard approach, and given that the people in question are properly qualified to perform their role, they should either be reasonably conversant with their security requirements or certainly understand why they are needed. Security awareness training for staff who feel that security is not a key part of their role is always going to be a challenge. Security professionals will tell staff that security is everyone's responsibility, regardless of their role in the same way that a sales director will tell everyone that they are in the sales team.

Anyone in an organisation that allows physical or logical access to company assets or data that are not already publicly available has a responsibility to protect those assets. If you have access to email, intranet sites, printed material, verbally-communicated information or physical access to a site using an ID card, pin code, physical key or simply authorisation to use a door marked in a way to restrict access, then you need to know what security controls are in place and why. Only through an understanding of the risks that the organisation is trying to mitigate with the controls in place can staff really understand what their security responsibilities are.

Security is a dry subject at the best of times. In fact, well done for making it this far in this post. Staff need to be aware of where they can access and read security policies, how they should respond to requests for information from different parties and how to identify and report security incidents. Putting all this in a PowerPoint presentation with a load of links and technical information probably isn't going to help it sink in.

A good mechanism is to put the staff in the mindset that they have in their everyday lives outside of work and help them to apply those same controls in work. Everyone considers information security on a daily basis, whether they know it or not. Everyone has their own assets they need to protect, such as their home and contents, perhaps a motor vehicle, the contents of their pockets or bag, including wallet/purse, mobile phone, etc. Everyone has their own controls in place to protect these assets, from simply being careful not to flash money or expensive phones around in public, to locking their home or car, or further measures such as an alarm. People automatically understand why they have these controls: they do a little risk assessment in their mind to work out the probability and impact of unauthorised access to or loss of these assets and apply appropriate controls. Security awareness training that encourages staff to bring this attitude into the workplace is a good first step.

Using case studies is another good mechanism to put information security into context, and there are certainly plenty of horror stories out in the public domain where poor information security has led to a data loss. Talking about a company that lost thousands of credit card details or a government department exposing millions of taxpayers' personal details are good examples of "these are things we don't want to happen in this company", but you can very quickly lose your audience, as they don't necessarily see the detail of the chain of mistakes that led to the exposure and cannot subsequently apply it to their own role. You are probably guaranteed, however, that all your staff watch movies and will be familiar with the plots of the more well-known ones. This is where I call on my "Hollywood baddies" infosec awareness training.

Basic movie plot: bad guys want to do something bad, good guys need to stop them, bad guys initially seem unstoppable, good guys find a way to break the bad guys' plans, bad guys lose/die, good guys save the day/town/country/planet/universe, roll credits. It might seem formulaic, but it's only plot detail and dialogue that subsequently set one movie apart from another (or just special effects in some cases). In many cases, the way that the good guys find to break the bad guys is by exploiting weaknesses in their information security, not always at the technological level; quite often it is in the area of security policy not meeting best practice or failures in process controls. It seems that any bad guys implementing best-practice information security would have completed their dastardly plans and successfully defeated any attempts by the good guys to stop them.

I find that the best examples come from films that are well known in the public consciousness, which almost everyone will have seen or will at least know the outline of the plot. Box office blockbusters from a few years ago that have been out on DVD for a while and probably been on TV a few times are a good bet. Here are some examples:

[SPOILER ALERT... Just in case]

Jurassic Park: Rogue sys admin turns off multiple security and monitoring systems to steal dinosaur embryos and inadvertently releases live dinosaurs, causing havoc on the island. Malicious activity by insiders with access to critical assets is a typical risk, although more common issues arise from errors or ignorance rather than malice. In the case of people susceptible to coercion for financial benefit, a comprehensive pre-employment screening process helps to identify those who may be more agreeable to such an approach (and something which the owner of the park would surely want to do, given the nature of his business), but this is just the first step, and in this case the character in question is well paid and is just greedy. The baddie in Jurassic Park was a single person in control of all IT systems, so there is no segregation of duties that might have limited the extent of the damage caused. A single person responsible for all administration represents too high a level of privilege for one individual to hold and does not allow for job rotation or the avoidance of single points of failure. Talking of single points of failure, the resilience and recovery solutions in place were not sufficient for the risks faced. Even if the bad guy had got away with it, the impact of the incident could have been reduced significantly.

The Matrix: Computers enslave the human race, keeping them in an unconscious state to generate power from their biological energy whilst keeping their minds occupied with a virtual world (the matrix) that makes them believe they are really free and living in the real world. Our heroes manage to unplug themselves from the power system and plug themselves into the matrix in an attempt to free the human race. Quite often, characters in the film state that certain IT devices or mechanisms were "built for just one purpose", so clearly the machines don't think much of cloud solutions or Infrastructure-as-a-service? The main security controls missing are a thoroughly implemented access control, authentication and authorisation systems. The good guys manage to plug into the matrix from anywhere. Intrusion detection/prevention seems to have taken a dive too, as it takes the agents, the enforcement mechanisms of the matrix, a good while to locate and then attempt to remove the intruders. The good guys also have telephones dotted around the matrix that allow them to communicate back to their control point, or as I like to call them, Trojans. Clearly, malware protection isn't considered important in the future. A bit more thought to security and those machines could be happily recharging themselves from the human race indefinitely.

There are many more examples. Don't get me started on the bit in I Robot where they can get into the bad guy's HQ through the maintenance ducts which have unprotected entrances on the street, no monitoring or surveillance and lead directly to the critical areas of the building. What is this? The 1960s Mission Impossible TV Series principle of gaining access to any secure installation by turning up in a set of overalls and claiming to be coming to fix the air conditioning?

My personal favourite for a Hollywood Baddies infosec case study for security awareness is Independence Day. The aliens had a great plan to take over the Earth, had the element of surprise over us unsuspecting humans and certainly had more advanced technology to help them than we had. But once again, it's poor infosec that is their downfall. The reason I like this one so much is that it covers a multitude of infosec areas. I frame the plot as a company (the humans) who perform a piece of business (living on the Earth). The contract comes up for renewal and a competitor (the aliens) want to oust the incumbent supplier (kill the humans) and take over the business.

1. Firstly, the aliens make it all the way from their previous world to our moon and set off a powerful signal, clearly announcing their presence and taking the element of surprise away from their business plan. This data leakage gives the competition time to react and takes the edge off their competitive advantage.
2. The positioning of their ships above key global locations does not necessarily signal an intention to attack, they may simply want to say hello to all the world leaders at once? The combination of this with the signal being identified as a countdown to attack is enough for the good guys to take action. Using encryption in their transmissions would have masked this and not given the humans the heads-up. A serious breach of confidentiality there.
3. The authorities still aren't convinced though. However, the helicopter they send up to perform a close-encounters style light show gets blown out of the sky. This removes all doubt of the aliens' plans with still nearly half an hour to spare, giving our heroes plenty of time to escape. Whether this is a gunner with an itchy trigger-tentacle (escalation of privileges) or a ship commander who does not appreciate the need to keep their plans confidential (security integration into job roles), the intent of the aliens is now truly confirmed.
4. When the heroes get to Area 51, they discover that the Roswell UFO legend is actually a craft belonging to one of these aliens, clearly on some sort of data-gathering mission in the 1950s. Since the aliens came back, the ship has fired up and is fully functional. This raises a lot of questions around how the aliens perform asset management, client authentication, leavers process and a number of other security principles which should have rendered the craft inoperable once it had been lost. Clearly, there hadn't been any sort of process or asset audit in the last few decades that might have raised the issue of this lost craft.
5. When a live alien rears its ugly head, it starts shooting its mouth off (or brain, to be more accurate) about who they are, what they are doing and what their plans are for Earth. They say that loose talk costs lives, and in this case the information imparted is enough for the president to make the decision to increase the force used against the invaders. Clearly the aliens don't operate their own security awareness training to cover the importance of not disclosing confidential information in public. Whatever happened to "name, rank and serial number"?
6. Physical security clearly isn't a big concern of the aliens. Our heroes are able to fly the now operational craft straight in through the front door of the mothership unchallenged, with a large nuclear explosive device attached, and successfully dock right in front of the control room. That's like someone walking into your building without any ID, carrying a machine gun in plain view and sitting down next to the IT admins without anyone blinking an eye.
7. What are the chances of the aliens' IT systems and communication interfaces being completely compatible with those used on Earth? Fortunately, this was the case and our heroes are able to successfully infect the systems that run the ships' forcefields with a virus. No anti-malware and most likely a poor vulnerability management process and patching regime are clearly to blame here, not to mention a clear lack of protection of critical systems from the user domain. Defence in depth is clearly another thing that didn't catch on with these baddies.
8. Finally, flying a plane into the main weapon of the spaceship not only destroys the weapon but the rest of the ship. Surely this would have come up as an issue during development and testing? A risk assessment should have pointed out that the shields alone are perhaps not a sufficient mitigating control as this ultimately leads to the defeat and destruction of the invading fleet.

There are, I'm sure, many more examples, but these are the key ones that I focus on as they cover a significant number of areas at a high level. As nice as it would be to spend an awareness session talking just about Independence Day, this is used only to frame the thoughts of the audience and put it into context with a familiar situation. These principles then need to be applied to the organisation and the required controls applied across the business - with references back to how not applying or breaching these controls turned out badly for the aliens.

Hollywood films are just one familiar scenario that can be used to get the point across, but I've found it a useful tool for justifying security controls to non-security people. I have been told that it was a very memorable session and I even find people recommending my security awareness presentation to others, which surely can't be a bad thing.

Photo: Porbital

Friday 23 September 2011

Information Security vs Formula One Safety

Security is often considered a cost to the business, an overhead that they just have to begrudgingly accept. The pot of gold for any CSO is that magical Security Return on Investment calculation which will justify why the investment needs to be made. Security is a lot like insurance - you need to make the investment now to protect you from an event or events that may happen in the future. The benefit comes from demonstrating how the investment you make now in the controls to remove or reduce the impact of such events is less than the cost of handling the event without those controls.

If we were able to predict with significant certainty what events were going to happen over the course of a year, how often they would occur and exactly what the cost to the business was going to be, then security budgets would be both easy to calculate and easily justified. Sadly, there is a significant amount of uncertainty, which can lead to an attitude of "we'll worry about it when it happens".

One of my favourite analogies is to consider security like the brakes on a car. A number of people use this example to demonstrate why security should be integrated into any solution from the beginning and why it should not simply be an optional extra tacked on at the end. It can also be used to address attitudes to security and the importance of a well-prepared and executed risk management and security plan to justify security investment. I like to take this example and expand it to compare security investment in business to safety investment in motor racing... In this case, motor racing and more specifically, Formula One.

The immediate reaction is that the brakes on a car are the things that slow it down and bring it to a stop, which can be the perception of security from a business. However, the brakes are the elements that allow a car to travel fast as the driver knows that the brakes are there when they need them. How fast would a Formula One driver really want to go down the straight if they knew that there were no brakes available as the corner approaches? The brakes enable the car to go fast in the knowledge that when the driver needs to slow down for a corner or to avoid a hazard, that they can do so easily. Lap times are therefore far quicker with brakes than if they were to attempt a lap without them.

That doesn't of course mean that Formula One cars won't ever crash; we know that still happens. The brakes aren't the silver bullet to remove all problems, and some might see Security as needing to be just this. The brakes help to ensure that, in most circumstances, in the event of an incident the impact (in more than one sense of the word) is reduced and recovery is quicker. Brakes on the car are only one of the protection mechanisms in place. The design of the car, the driver's clothing and all the many monitoring capabilities that the team has to assure the health of the car are all controls to protect the driver.

The driver is not the only asset that needs protecting; the team's reputation also needs to be considered. Who will want to drive for or sponsor a racing team if its cars have a really bad safety record? This isn't just about winning races and beating competitors, it's about protecting assets. A key point to make here is that the justification of spend to reduce risk needs to be assessed on all assets, including people and reputation, not just IT and data.

This analogy could go on for quite a while and become even more multi-faceted, but I'll rein it in here in an attempt to get to the point. Formula One teams spend a lot of money on safety to ensure that their drivers are protected; the money they spend is offset against the ability the car and driver have to drive fast and win a race, collecting prize money and more sponsorship deals. Knowing which safety measures to implement will be based on a risk assessment of the likelihood and impact of events that might affect their ability to win races. By analysing previous incidents, the performance of their own and other teams, and by continually monitoring the state and health of their cars when racing, they can make smart investments, win races and increase revenue.

This is the same for any business. To be successful, they need to look at what the assets are that they need to protect, including data, information systems, infrastructure, buildings, people and the reputation of the organisation. They then need to ensure that they understand the threats to those assets, the probability of each threat causing an incident and the impact it will have on the business - any information on past incidents within their own company or at other companies will aid this assessment and should also be used on an ongoing basis to gauge the effectiveness of any implemented controls. The required security investment must be made to clearly meet the output of this assessment in the form of defined controls, technical or procedural, that will reduce the chance of an incident occurring, reduce the impact of an incident if it occurs and allow the business to recover as quickly as possible.
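To make the assessment above concrete, here is a small risk register that works through the "investment now is cheaper than handling the event without controls" test from the start of this post. It is an added example, not part of the original post, and every asset, threat, rate and cost in it is a constructed figure, not real data.

```python
# Added example: expected-loss risk register (all figures constructed).
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    annual_cost: float        # what the control costs per year
    likelihood_factor: float  # multiplier on incidents per year (0.5 = halves them)
    impact_factor: float      # multiplier on the cost of each incident


@dataclass
class Risk:
    asset: str                # data, systems, buildings, people, reputation...
    threat: str
    incidents_per_year: float # estimated from past incidents, own and others'
    cost_per_incident: float  # full handling cost, reputation included
    controls: list = field(default_factory=list)

    def expected_annual_loss(self, with_controls: bool) -> float:
        """Rate x cost: the 'what will happen, how often, what it costs' figure."""
        rate, cost = self.incidents_per_year, self.cost_per_incident
        if with_controls:
            for c in self.controls:
                rate *= c.likelihood_factor   # controls that reduce the chance
                cost *= c.impact_factor       # controls that reduce the impact
        return rate * cost

    def net_benefit(self) -> float:
        """Loss avoided by the controls minus what the controls cost."""
        avoided = (self.expected_annual_loss(False)
                   - self.expected_annual_loss(True))
        return avoided - sum(c.annual_cost for c in self.controls)


def justified_risks(risks):
    """Risks whose control spend is cheaper than the loss it avoids."""
    return [r for r in risks if r.net_benefit() > 0]


# Constructed sample register: one control that pays for itself, one that does not.
SAMPLE_RISKS = [
    Risk("customer data", "laptop theft", 2.0, 50_000.0,
         [Control("disk encryption", 8_000.0, 1.0, 0.1)]),
    Risk("web shop", "outage", 1.0, 20_000.0,
         [Control("hot standby", 25_000.0, 1.0, 0.25)]),
]
```

Re-running the register as incident history accumulates is the ongoing check on whether the implemented controls are actually earning their keep.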

Any Formula One team that makes Safety an afterthought will have the same problems as any business that makes Security an afterthought.

Photo: Pete Keen