Compliance & information security A (bit of a) rant. Jodie Siganto




Compliance. Definition of "compliance": the act of conforming, acquiescing, or yielding; conformity, accordance ("in compliance with orders"); cooperation or obedience ("Compliance with the law is expected of all").

Compliance with what? What does compliance mean for information security? For most organisations it should mean conformance with security architecture and policies & procedures. But compliance is often based on, or benchmarked against, input from:
- External (and internal) auditors
- Consultants
- Vendors
What do they use?

Compliance with what? Standards and guides:
- ISO 27001 Information Management System (ISO)
- Qld Government IS 18: Information Security (State Government)
- ISM (Commonwealth Government)
- COBIT (ISACA)
- Privacy Commissioner's Guide to Protecting Personal Information (Government Regulator)
- PCI-DSS (Payment Card Industry, i.e. Card Issuers)
Control lists:
- SANS Top 20
- ASD Top 4 / Top 35
- ISO 27002 Code of Practice: 114 Controls

Cert Australia Survey 2013

Compliance Interview Results. Interviewed 10 information security people. Interviewees included:
- Security Operations Centre Manager
- Security Architect
- Governance, Risk & Compliance Consultant
- IT Risk Manager
- Security Manager
Question: What standard or benchmark do you use to assess security or to determine whether you've taken reasonable security measures?

Compliance Interview Results. Interviewee A: "Benchmark I use for information security compliance is PCI DSS, which is pitched at about the right level in terms of its verboseness, its technical detail, although for those who do not understand it it becomes very overwhelming." Interviewee H: "Good sound practice following 27000 standards and the other related good practice measures in addition to the Information Security Manual." Interviewee J: "The ISM provides minimum mandatory requirements; if I see the opportunity to make it a little more than I will take the opportunity to do that if it's within the scope of what we are doing and it's not going to cost a lot of money."

Compliance Interview Results. Interviewee B: "There's a list of controls you have in your head, which are applied based on a judgment on how strong the control needs to be given the risks that you are facing." Interviewee D: There are guiding principles, which apply depending on the particular circumstances of each organisation. Standards, e.g. PCI DSS and SANS Top 20, are a way of making security information more accessible. Interviewee C: Couldn't recall the specific standard but regarded it as guidance to give a general intent or "vibe" rather than a prescriptive list of what the organisation can or cannot do.

Compliance Interview Results. Interviewee I: Uses Gartner benchmarks and IT maturity levels. Determined what might be reasonable steps to secure the organisation's data based on what was efficient and common-sense.

CERT Australia Survey 2013:
- Increase in the number of organisations applying IT security standards (from 64% in 2012 to 83% in 2013).
- Decrease in the number of organisations that do not apply IT security standards (from 25% in 2012 to 13% in 2013).
- Increase in the number of organisations using ISO 27001 (from 50% in 2012 to 83% in 2013).

Compliance & Management Systems. ISO 27001 was created for a specialised area of business management; other examples include:
- Environmental management
- Social responsibility management
- OH&S management
The new version of ISO 27001 aligns requirements with other management disciplines, including reliance on:
- ISO 31000 risk management
- ISO 19011 auditing
Main purpose of ISM is to provide information security assurance.

Compliance & Assurance. Definition of "assurance": a feeling of confidence; a feeling or attitude of being certain that something is true (e.g. "He said it with assurance"). What is the relationship between compliance and assurance? Does compliance lead to assurance, i.e. confidence that your systems are secure?

Compliance & Assurance. Interviewee A: "People believe they want security and when they understand that they have a fair amount of work to get there, they just want compliance. I have sat in rooms with managing directors who have said to me, 'I just want to do the bare minimum if you could tick the box.' Which is understandable, right?" Interviewee D (referring to an organisation that was certified but which had "appalling security"): "I just think well you may have fooled the compliance auditor but you just saw that as a compliance journey and that achieved nothing because your processes are stuffed, you've not got it, you've not understood the point. Do you know what I mean? So I guess that's my attitude towards compliance."

Compliance, Assurance & Information Security Practitioners. Is compliance or assurance recognised as a role for information security practitioners? There are lots of consultants & vendors who think so. But...

(ISC)² Global Information Security Workforce Study (2013). Governance, Risk & Compliance: the 2 top activities within the category are developing internal security policies, standards & procedures (78%) and auditing IT security compliance (63%). Security management: the 2 top activities within the category are inter-departmental activities (64%) and managing internal security awareness programs (63%).

Compliance, Assurance & Information Security Practitioners. European Committee for Standardization: 23 job profiles in six areas of IT security: business management, technical management, design, development, service and operations, and support. Does not refer to compliance or general assurance.

Compliance. The story so far:
- There is no general understanding of what information security compliance means.
- The main security standard(s) support assurance, not compliance.
- Information security people don't believe compliance or certification or audits provide security or assurance.
- Compliance and general assurance aren't seen as a key role for IT security practitioners, although those tasks take up the majority of time of security executives.

Compliance. Question: So why is compliance seen as a major driver for security? One [possible] answer: because it's a way to engage management.

Information Security & Management. PwC, "The Global State of Information Security Survey 2015": Despite the media attention following a series of high-profile retailer breaches, many organisations have not yet elevated information security to a Board-level discussion. Fewer than half (42%) of respondents say their Board actively participates in the overall security strategy and 36% say the Board is involved in security policies. Garry Sidaway, NTT Com Security, "Many UK execs do not understand need for data security, study shows" (Nov 2014): Information security and risk management, and data breach headlines, are often seen as constraining and negative, so we need to do a better job of showing the business advantages. Protiviti "2014 IT Security and Privacy Survey": Organizations with a high level of board engagement in information security risks have significantly stronger IT security profiles.

Compliance and Management. Question: Is lack of management engagement with information security:
- Real?
- Reduced to a compliance issue because that is the only way for management to understand security?
- A result of the poor communication skills/inability of information security people to translate security into business terms?

Compliance: Some Questions. Things to think about:
- Auditing (and compliance) may be OK for checking the operation of technical controls, but does it provide information about the future and the possible (rather than the probable), the black swan event?
- Most standard approaches to security use risk. Risk provides a veneer of objective rationality/science to information security, but does it work? Is information security risk really a negotiated outcome based (at least in part) on emotion, politics and relationships?
- Accepted practices set the benchmark for what is reasonable. Identifying those practices relies on interactions with professional bodies. This assumes that there are professionals, experts or a community of practice who can convey those practices. Who is doing this in information security?

Compliance & Change. We have been doing things the same way for a long time, but it's not working. Is it time for some new ideas? "Our findings of many years following the standardization work of the ISO/IEC 27000 family of standards and its results is that in the standards revisions it is very difficult to get out-of-box thinking and to create radically new ideas to the ISM standardization in order to keep up with the general development of business environments and managerial practice. This standardization has been strongly the job of a restricted group of information security experts (mainly consultants) to whom it seems to be difficult to get out of old traditions of the information security discipline." J Antilla, Integrating ISO/IEC 27001 and other Managerial Discipline Standards with Processes of Management in Organizations (2012)

Conclusion. Information Security: A call for change!