Risks, Risks Go Away, Come Back Another Day

rain34Risk Management can be a tricky business, and this is coming from a fairly straightforward perspective with a simple view of risk management (which means even I can understand it!). To the lay person the purpose of risk management is to find the risks and then remove the risks to the organisation, otherwise why bother?

The clue of course is in the word management. Many information security professionals already know that you can do one of four things to your risks, once identified:

  1. Mitigate (aka Manage), that is implement a control or carry out at activity that reduces the risk.
  2. Avoid, or basically just stop doing the thing that is causing the risk.
  3. Transfer, or just give the risk to someone else, like an insurer or a third party vendor.
  4. Accept, or just face facts that this risk is the price you pay for doing business in this area.

So let’s assume you have completed your risk assessment and applied at least one of these actions to each risk, does this mean you are done? Does this mean you have successfully removed all of your risks from your organisation? Unfortunately, not by a long chalk.

Risks are always going to be present in your organisation; there are the ones you know about albeit reduced, the ones you think are too small to worry about, and finally the risks you have no idea about.

With the risks you know about even though you have reduced them, even though they may have gone from scoring an 8 to a 4 (in ISO 27005 parlance) they still exist! They can still happen, and worse still, the day after you have measured it, your assumptions are technically out of date. And just to really make your day, they may have even evolved and become unrecognisable and therefore invalid in your risk register.

The smaller risks you deem to be at an acceptable level will also suffer in the same way. Again, in ISO 27005 parlance the likelihood of something happening may change dramatically, or perhaps the ease of exploitation. Even worse, the asset value that you are measuring your risks against may have changed which will have a number of far reaching impacts to your risk register. To that I mean that a project that was once of little importance to the organisation, or even a physical asset, may suddenly take on a more important role and therefore greater ‘asset’ level.  All of this is going to have an impact on your risks and how they impact  your organisation.

Finally, the risks you weren’t even aware of. To be honest, and by their very nature, there is not a lot you can do about these except consider the following advice which applies to all risks;

You should be clear on one thing, namely that risk management is not a one time activity. All of the text books and standards will say that your risk register needs to be reviewed every year or after every major change. Whilst I don’t disagree with this per se (and in fact a minimum of a yearly formal review is an absolute necessity), I think in reality this needs to be much more frequent. Really, reviewing your risks needs to be an organic part of your day to a greater or lesser degree, and dependent upon the type of environment you operate in.

This does not necessarily mean you need to pore over your risk registers every day, but rather make a concerted and formal effort to be aware of the changing ‘threat landscape’; you can do this through popular news sites (e.g. BBC, CNN etc), specialist news sites (e.g. SANS, Sophos Naked security etc), blogs of people you know and trust, and of course Twitter for instance. There are likley to be many examples, but each one of these sources is going to give you a constant stream of information that needs to be processed and reviewed in some away against your risk register. You may only make minor changes every month or so, or you may find more frequent changes dependent upon your environment, but either way you will be ensuring that the your risk environment is fresh and up to date.

Now that your risk register is up to date and managed well you can be assured that the information you have is accurate, timely and subsequently meaningful. What you do with that information however is even more important, and something that will be looked at in a later post. As always, your comments and questions are welcome.

(Artwork by Peter Spier from his book, RAIN.)


Wash Out Your Ears – The importance of listening during risk assessments

listening-ears1I can’t tell you the number of times I have sat on the other side of the table during a risk assessment or audit and not only been talked at by the auditor but also not even listened to. Unless what I or my colleagues are saying are a part of the accepted script the auditor expects to hear it can often fall on deaf ears.

It doesn’t matter if what I am saying is germane to the topic in hand, explains in more technical detail, or even if it addresses a number of questions old or yet unasked, the auditor blindly continues, or even just appears to switch off. How can this lead to a successful audit or assessment? To some, an audit or assessment is a sequence of activities to be completed in a set order and a set pace, and that will never result in quality findings. Approaching an audit or risk assessment from a less mechanical perspective will often derive results in unexpected ways.

Simply listening will give you at least two things:

  1. More information. It may not always be immediately relevant, but at some point in the day it will help you form a larger and more complete picture.
  2. Unprepared auditees will sometimes talk themselves into trouble! Nerves can make people do very silly things, and letting people engage their mouths before their brains can lead to some startling insights.

When you combine the above points you can often find what I call the “over specific response” occurring. What this means is that people will also sometimes be very specific in their responses, for instance when asked if a particular procedure has been tested, the response “Yes, this procedure has been tested” gives rise to so many other questions such as “when, where, and by whom?”, and yet at a casual listening it is a very positive response. Listening to the exact response and unpicking the precise verbiage is vital.

Additionally, there is one other aspect of listening that should be observed; that is, carrying on listening even when the other person has stopped talking. Just as nature abhors a vacuum, human beings as social animals abhor a silence. Staying silent for longer than is comfortable (at least to them) very often produces more talking and more information than they originally intended. When I first presented this thought just over a year ago in a risk forum a member of the Metropolitan Police in the audience later asked me if I had ever had interrogation training, as this was exactly one of the approaches they used! I would certainly never suggest that an audit or assessment is an interrogation, but there is very much an art to getting the maximum amount of information out of someone trying to give you the absolute minimum.

One rule of thumb to take away in this instance is a quote I first read in The Leaders Workbook by Kai Roer (@kairoer):

Try to keep in mind that you have twice as many ears as you have mouth, implying you should spend more time listening than talking.

That’s a pretty good ratio for any risk assessment or audit I think.


Where is Your Data?

Have you paused to consider where your data is at any given time in your organisation?

All but the smallest of organisations is likely to have notes, CV’s, financial records, personnel records, legal documents and the like, and that is just the stuff in paper form. Throw in electronic records, and you include emails, working documents, client deliverables such as code or documentation, even firewall logs or IT documentation and records.

Now that you have a picture in your head of what exactly might be out there, do you know where it actually is? Any organisation that operates in more than one country, and with the advent of the cloud any small organisation that uses third parties for any of it’s traditionally in house capabilities is very likely to find data in different countries. While this may come as no surprise to some, for many once they have carried out even a rudimentary analysis this is likely to come as a shock.

The problem I feel is that the pervasiveness of technology, and the ability in the modern business to operate without boundaries as result. By this I mean  when, for instance, someone looks at, alters, reviews or saves data of any kind more often than not they have no idea where that data resides. Is it in the server room across the hall, a colocation facility across town or in another continent? Even when the various professions in an organisation are aware of the various compliance and regulatory requirements (Human Resources, Legal etc.), because the location of the storage devices themselves are invisible to them the issue is not even considered.

For instance, a Hiring department in one country may take the personal details of a new hire such as name address and bank account and upload them to a file server in Excel or onto a SharePoint for the Finance department to set up into payroll. The server this data resides on may be in a second country, while the person who updates the financial systems resides in a third country. In many cases this may not be acceptable according to local data protection laws for the storage and access to a given country’s resident data. This is more often the case when one country has significantly greater (or better) privacy laws than another.

The solution to this is two fold, one legal and one common sense:

Legally, agreements can be put in place; these can include well known standards that can be adopted between reciprocal countries. Perhaps the most well known is the Safe Harbor Privacy Principles. This is a set of seven principles that allow for the streamlined compliance of US companies to the EU Directive 95/46/EC and was developed by the US Department of Commerce in consultation with the EC. There have however been concerns raised about the efficacy of this approach, but it still remains a common and well known one nonetheless.

Another legal approach, and one that appears to be be more commonly adopted in recent years is that of Binding Corporate Rules. Developed by the European Union Article 29 Working Party it is wider in scope than Safe Harbor as it applies to any country that may want to exchange or store data from an EU country. Both of these examples (and other alternatives) do require a lot of work to effectively adopt, the latter especially, and should not be entered into lightly. More often than not third parties/consultants will need to be employed to bring the very specialist skills required.

The second solution, and one in reality that should be taken in conjunction with the legal approach, is that of awareness. This is awareness on behalf of the organisation as to where it’s information and data is stored, and also awareness of the individuals who are managing and posting this data to the various locations required. IT moves faster than ever, and the location of your data store may well move with it. These individual teams will need to engage with IT and the CIO and become firm stakeholders during any kind of IT infrastructure upgrade and bring their specialist knowledge to the table. And the company will of course need to commission an international data location map!

The alternative unfortunately is a knock on the door from the Data Commissioners Office (or equivalent from outside of the UK) and a potentially heavy fine and the related embarrassing media frenzy. That is going to cost significantly more money than that cheap hosting deal in India.


An Anatomy of a Risk Assessment at BSidesLondon (Updated)

(Updated) The lovely people at @twistandshoutUK and @j4vv4d have very kindly sent me the recording of my presentation. I have inserted it below, just above the slideshow so you can follow along and pause the slideshow in time with the presentation!

Here are the slides from my presentation at todays BSidesLondon. I will add the video of the presentation in a few days once I get a copy from the organisers and process it.

As always, comments are welcome; let me know if you loved it, hated it or were even perplexed by it. Every comment is a valuable piece of learning for me!

This slideshow requires JavaScript.

You can also find a downloadable version of the presentation directly here.


An Anatomy of a Risk Assessment

The video below is my presentation to the RANT forum in London on “An Anatomy of a Risk Assessment”. In it I give a personal view on the mechanics underlying a risk assessment or audit. It is not a highly technical approach, and is not meant to be; for that purpose there are plenty of books and guidance available elsewhere. Instead I take a more human approach as to how to get the most out of an assessment, from both sides of the table. The slides are available at the link below, in Keynote, PDF and Powerpoint format or can just be viewed through your browser. Presenter notes are there and are my original presentation ideas, and so therefor may not accurately reflect the presentation on the night!

http://bit.ly/wF3pKe

Technically, this was my first ever public speaking engagement of any note (I did a two minute session in the November RANT), and so I am scrutinising my performance significantly to ensure I can improve upon this presentation for reuse at other venues. If you attended, or indeed if you care to review the video below I would welcome your feedback. I must say though, having watched it a number of times now, I am very much painfully aware of my annoying personal tics, mannerisms and expressions of speech! Still, it was an immensely enjoyable experience and one I am looking forward to repeating at some point in the next twelve months.

The book I make reference to at 16:00 is The Leaders Workbook by Kai Roer (http://amzn.to/xm3dy2), an inspirational book, but only if you use it properly!