The IRMS – a new angle on information security and risk management

photo[1]I have recently returned from a conference that I might not have ordinarily attended or even been able to justify, namely the Information & Records Management Society (IRMS) conference in Brighton.

I had been invited to participate in a panel session on Monday morning entitled “Adapt or Die: Is Records Management still relevant in a World of Big Data” alongside Christian Toon (@christiantoon) and Phil Greenwood of Iron Mountain, and Sarah Norman of HM Treasury. Not only was it an excellent discussion, but it struck me quite how similar the challenges are between the IRM world and the risk management/CISO world.

We answered a question around how can the IRM folks avoid only getting funded and have attention paid to them after an emergency, and it immediately struck me that this is exactly what happens with security. Another related question concerned connecting effectively to the business and I was able to relate the tasks of the IRM function to the Confidentiality, Integrity & Availability (CIA) goals of the information security professional, and how the two goals are very similar.

Even the opening speech spoke about IBM’s Four V’s of big data (quoted), namely:

  • Volume: Enterprises are awash with ever-growing data of all types, easily amassing terabytes—even petabytes—of information.
  • Velocity: Sometimes 2 minutes is too late. For time-sensitive processes such as catching fraud, big data must be used as it streams into your enterprise in order to maximize its value.
  • Variety: Big data is any type of data – structured and unstructured data such as text, sensor data, audio, video, click streams, log files and more. New insights are found when analyzing these data types together.
  • Veracity: 1 in 3 business leaders don’t trust the information they use to make decisions. How can you act upon information if you don’t trust it? Establishing trust in big data presents a huge challenge as the variety and number of sources grows.

Isn’t this exactly the sort of thing that CISO’s have to grapple with every day?

The world of the IRMS and the world of the Infosec Professional are very closely related it seems, and I think this relationship is one that needs to be explored by both communities further to ensure mutual goals are more easily met.

Christian Toon and me looking rather spiffy

Christian Toon and me looking rather spiffy

On a personal side I had a great time speaking with the vendors, watching a few presentations and taking part in the pub quiz (we didn’t win..). There was even a black tie gala dinner on Monday that was an absolute blast that culminated in my friend, Christian Toon, being awarded a fellowship of the IRMS which was just fantastic to to be able to see.

I am sincerely hoping to go to next years event, and perhaps hoping even more that by then the argument to attend will be much easier as our industries begin to forge closer ties.

The EU, Porn, and Hollywood

And if that title doesn’t attract attention I don’t know what will…

Unfortunately (for you) while this title is accurate the rest of this post may not quite deliver what you are expecting or hoping for. Just a few days ago (Thursday 16th May) I attended for the first time an ISSA-UK chapter meeting in Bristol where Marcus Alldrick, Richard Hollis and myself were presenting (in that order) to the great and the good of the south west infosec community.

Marcus Alldrick emphasises...

Marcus Alldrick emphasises…

Marcus’ presentation of The EU’s Proposed Data Protection Regulation, It’s Life Jim But Not As We Know It was very well received with a huge amount of interaction to the point of a  twenty minute overrun. I have tended to avoid expending too much energy on draft legislation like this as it often changes dramatically the closer it gets to publication (MA201 CMR 17 is a good example of this), and so the view that Marcus presented was a welcome one. Although his deck was content rich he put it across in his own inimitable style and I found it hugely educational. One point that came across loud and clear is that if it gets enacted in its current format one of the most sought after roles in any company will be that of Chief Privacy Officer for the job security alone (the role must be filled by the same person for a minimum of two years!).

...and Richard hills boasts

…and Richard Hollis boasts

Second up was Richard Hollis with his hotly anticipated Deep Threat – Top 10 Lessons to Learn from the Online Adult Entertainment Industry. While the expected jokes and euphemisms came thick and fast underneath it were some startling and very interesting lessons, but namely that the adult entertainment industry simply does information security far better than the rest of us; they are single minded, have a lot to lose, and ultimately see the “battle” with maintaining security as just that… it’s a war which they are determined to win. A fascinating insight into an often overlooked industry with some great lessons summarising the underlying security ethos of this industry.

I'm a little teapot

I’m a little teapot

Finally it was my turn. To be honest I was somewhat apprehensive following these two presentations; there was a huge amount of interaction to this point and while my presentations somewhat relied on audience participation the main points I was raising were quite high level and in some cases not often talked about. I shouldn’t have worried. I had an absolute blast talking about different elements of risk management and getting some excellent feedback, comments, questions and of course different opinions. My case was obviously helped by the fact that I was handing out prizes for each correct answer identifying a quote to a film! The presentation itself is below along with a few snippets of the presentation itself taken from the back of the room.

I have always been impressed with the ISSA-UK meetings, the quality of the discussion between people and to be honest the great value that membership of this association brings. I am very much looking forward to more of these, and if asked to present again at one of their sessions. My thanks to Alan and Gabe (@infoseccrow) for giving me the opportunity to present here.

UFOs Dirty Dancing and Exploding Helicopters (PDF)

Use Your Nose and Gut to See The Real Picture

avatars-000032667477-7n71zy-cropAfter the high energy of the conferences last week it was always going to be a challenge coming back to the humdrum of day to day work. Reviewing someone else’s audit findings was never going to be the quickest way to get those energy levels up!

This was compounded somewhat by what I found myself reading of course; this was a audit report on an environment that had a very limited scope, i.e. type of work being carried out, type of data being handled, type of resources required to complete the task. The auditors however were coming in from a very strictly controlled, somewhat binary view of the world. The upshot of this was that there were a lot of findings along the lines of:

  • Workstations have access to the internet.
  • Physically secured environment within the office (of the same company) required.
  • Firewall must separate development environment from the rest of the office.

On the face of it these findings are perfectly acceptable, but what they don’t do is take into account the bigger picture.

The group that was being audited did not have access to any sensitive information, PI or even intellectual property. They required access to the internet as they were a creative group that uses multiple types of resources from the web, and they were already on a secured VLAN.

Unfortunately they failed to understand what was in front of their faces throughout the entire audit and assessment process (in fact, they remind me of the type of auditor that Javvad recently showed us in his latest video)  They didn’t observe their surroundings fully, understand the working environment, nor comprehend the true purpose of the audit, namely to reduce risk not squash the life out of some very expensive resources and make it difficult to do their job.

They did everything by the book.

There is always a time and a place for a slightly more maverick approach in my opinion. There are times when as an auditor you need to go with what your nose tells you is bad, or your gut tells you isn’t right. No kind of by-the-book approach will let this happen. Let’s elaborate on these two approaches a little more:

Using your nose

This is quite literally “smelling” out the findings. Just because a document has been presented and all seems in order, or just because an activity is shown to be in normal use doesn’t always mean everything is in order. I have spent many enjoyable hours discussing with colleagues the tricks and traps that people use to fool auditors and assessors (some of the simpler ones are in Javvad’s video!). I even heard one where freshly printed documents were deliberately given coffee stains to give the impression that they had been around for some time, or people being sent home for the day when the auditor was around. Smelling this out requires a slightly cynical nature and a “poacher-turned-gamekeeper” approach. You might see a name occur too often, or the same approval date on documents that were obviously written at different times and approved by different approvers, but they are all indicators that something may be amiss.

Using your gut

A “gut feeling” is a very difficult thing to define, and to be honest not always as reliable. i often think it is because you have observed something subconsciously that make it a gut feeling. Using your nose is based upon an observable phenomenon whereas using your gut is not. They can be very good indicators that something is not quite right and deserve to be investigated further; the real skill however is knowing when to stop. Burning up half of your audit time because of a gut feeling is unprofessional, a waste of time and is doing both you and the auditees a huge disservice. However it can pay off huge dividends when you get it right in what is uncovered.

I want to caveat the above however; I don’t want to come across as though auditing is some kind of cat and mouse arms race (or any other kind of mixed metaphor). Any good audit or assessment is always going to be open, collaborative and educational and this needs to be the goal from the outset. However, many auditees are placed under huge pressure to pass an audit and sometimes will feel a high risk, deceptive, strategy is the only way to retain their jobs. I myself was once told in no uncertain terms “do whatever it takes to pass the audit” (and of course did).

What I really want to see in the industry is a move away from the checkbox and clipboard approach to auditing and assessing as the natural conclusion of that is a deeply unpleasant homogenisation of controls and environments that stifles creativity, and ultimately reduces the ability of a business to deliver to its clients and to its shareholders.