jump to navigation

“Tell me, Show me, Convince me”; Policies, Enforcement, and Auditing August 7, 2012

Posted by Chris Mark in cybersecurity, Risk & Risk Management.
Tags: , , , , , , , ,
add a comment

I was speaking with a client yesterday about policies and auditing.  He asked me a question and it reminded me of what I told my clients for years regarding policies.  First, it is important to remember that a policy is NOT a document. The document is a record of the policy that was passed and tool for disseminating the policy. It should be a reflection of the policy that has been approved by management.  Simply having a written document does not mean you have a policy.  The policy must be approved, documented, disseminated, and enforced.  Second, it is important to remember that writing and approving a policy is the easy part.  Ensuring adherence with the policy  and enforcing the policy is the difficult part.  Make no mistake.  A policy that is not enforced will not be followed for very long.  People are inherently lazy (this writer included).  We take the path of least resistance.  Policies require difficult, often inefficient methods.  Without enforcement, they will fall by the wayside.  Third;writting, approving and documenting a policy is often much easier than implementing the policy.  Consider the following example.  Company X passes a policy that requires all computer and IT users’ access be modeled on “need to know” and “model of least privilege” (standard model).  This alone requires an audit of every person’s existing privileges, as well as identification and documentation or their roles and responsibilities.  Then each role would need to have access levels documented and assigned.  As you can see, a simple one line policy statement may have deep implications.  Finally, it is important to ensure that your company adheres to the documented policies.  This is a three step process I describe as “tell me, show me, convince me”

1) Show the auditor that you have a documented policy that is updated, approved by management and disseminated to employees.

2) demonstrate to the auditor that you are currently in compliance with the policy.

3) convince the auditor that you have a history of following the policy by producing relevant documentation/evidence to show compliance over time. (last 3 months, last 6 months).

By using the tell me, show me, convince me model with policies and departments you can have confidence that your policies are being enforced, and followed.

“Does an F1 Car = F1 Racer? OR Does a Bullet = Sniper?” NO – Expertise ain’t about technology July 19, 2012

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , ,
add a comment

I was reading a story today on Foxnews titled: “could guided bullets turn an average joe into a sniper?”  The article is written by a former ballerina turned “defense specialist” (I didn’t make that up).  I have written about this subject before in “The Carpenter Not The Hammer Builds the House”.  In short, her article suggests that new, more accurate bullets could turn an “average joe” into a sniper.  The referenced article on bullets demonstrates several major flaws in thinking about security or defense.  First, it quotes a “specialist” who has no specialized knowledge of the subject gained through actual experience.  I am not doubting that Ms. Barrie has read some great books and attended great lectures but the fact remains that without real world experience, it is difficult to understand how she is qualified to speak on the subject at hand.  We see this in many areas of security from information to physical and so on.  The second issue is one I see every day.  It is the mistaken belief that the technology makes the expert.  It discounts the knowledge, training and practice required to use the ‘tool’ with effect.  If I were to buy a Formula 1 racecar would I suddenly be considered a ‘racer’?  A more accurate rifle does not make a sniper…it simply makes a sniper more accurate.  Within information security we see the same flawed logic.  Companies believe that by purchasing the latest and greatest technology they can replace expertise gained through years of work ‘in the trenches’.  A leading application layer firewall is only as effective as the person deploying, configuring and managing the device.  The moral of the story?  Technology makes experts more effective they do not create or establish expertise. BTW: the picture is a Canadian Sea Marshal Tactical Team (CSMTT) sniper on a ship.

“Money Laundering May Support Drugs and Terror Funding?” – US Senate says of HSBC July 17, 2012

Posted by Chris Mark in Industry News, Risk & Risk Management, terrorism.
Tags: , , , , , , ,
add a comment

According to a US Senate Report issued today and major news outlets including MSNBC, Europe’s largest bank, HSBC, has  “A “pervasively polluted” culture at HSBC allowed the bank to act as financier to clients moving shadowy funds from the world’s most dangerous and secretive corners, including Mexico, Iran, Saudi Arabia and Syria, according to a scathing U.S. Senate report issued on Monday.”  The report, titled: US Vulnerabilities to Money Laundering, Drugs, and Terrorist Financing: HSBC Case History  “…examines the anti-money laundering (AML) and terrorist financing vulnerabilities created when a global bank uses its U.S. affiliate to provide U.S. dollars, U.S dollar services, and access to the U.S. financial system to high risk affiliates, high risk correspondent banks, and high risk clients.”   The US Enacted stronger Anti Money Laundering laws as a part of the PATRIOT act passed in the wake of 9/11.  These AML laws were designed to cut of the flow of money to terrorists.  In the case of HSBC it appears many of the rules were ignored potentially allowing drug cartels and terrorist to move and launder money.

In a statement emailed to NBCNews.com, the bank said:

We will apologize, acknowledge these mistakes, answer for our actions and give our absolute commitment to fixing what went wrong. We believe that this case history will provide important lessons for the whole industry in seeking to prevent illicit actors entering the global financial system.

Oil Giants Hacked by Anonymous in “Save the Arctic Phase2” July 16, 2012

Posted by Chris Mark in Data Breach, Industry News.
Tags: , , , , , , , , ,
add a comment

According to CyberWarNews.com Anonymous set its sites on oil giants Shell, BP, Gazprom, and Rosneft in what has been dubbed “Save the Arctic Phase 2”.  This comes on the heels of phase one in which account details including administrator accounts, passwords and other server info was stolen from Exxon and released.

According to the messages posted on pastebin, the account were used to sign the petition on savethearctic.org and, more disturbingly, for phishing attacks.  Hacktivism is a growing concern for all companies.  Whether it be to combat the perceived unfair distribution of wealth of capitalism, support of US defense industry, or environmental issues, hacktivists are increasingly active against corporations.

“Experts Around Every Corner; Part Deux” -Safes, Security, Expertise and Ignorance July 16, 2012

Posted by Chris Mark in Uncategorized.
Tags: , , , , , , ,
add a comment

“There is nothing so stupid as an educated man. If you get him off the thing he was educated in.” – Will Rogers

This weekend I was reading a major news source and I was struck by an article on Safes.  As I have a gun safe, and other safes, I thought it would be interesting to read. I have written posts before on expertise (Experts in every room).  Various ‘expert’s are interviewed in the article.  One in particular stood out.  He said: People need to wake up. They think they are protecting themselves, but they may actually be putting themselves at more risk,”  As this was a very pointed statement (People need to wake up!)…I immediately thought that my own strategy of securing my valuables was mis directed.  I continued reading to see who this expert was…He then said: “Sure you want to have some cash at home, but more than a little feels unsafe,” (I have added the bold)…the expert was a man named Michael Cresh…what is his job?  You are probably thinking police officer, security expert, safe expert, or something similar.  You would be mistaken.  He is a Certified Financial Planner.  If I were asking for financial planning, this is the person that I would turn to. If I am considering the purchase of a safe, I can safely say (pun intended) I could not care less what a CFP has to say unless he has some other level of expertise.  His statement belie his ‘expertise’ and demonstrate he has little understanding of physical security or risk analysis as it pertains to physical security. (…feels unsafe).

When considering a security professional that proclaims expertise, take a very close look.  Whether maritime security, information security, personal security, or any other area of security there are more than a few self proclaimed experts walking the halls.

Last year I wrote a paper for companies to use when evaluating expertise in the maritime security industry.  While focused on maritime security it is relevant to all areas of expertise.  You can read the article here.