It was cold, dark and wet when I left the house before seven yesterday morning to travel to Amsterdam. I was on my way to a congress that started at nine and would not close until half past five. I considered leaving a bit early, especially since the last part was a panel discussion, which I rarely find interesting. Luckily I didn't.
The panel included information security professionals from the banking and insurance world. The facilitator asked his first question: "What do you see as the biggest threat to information security?" You would expect the standard answers: ransomware, phishing, budget. But no. One participant took the floor firmly and said: "Compliance is our biggest threat." Boom! The room didn't react that way, but inside I did. That man spoke straight from the heart. Let me explain.
Simply put, compliance is complying with laws and regulations. Don't get me wrong – of course we have to comply with laws and regulations, especially since we are a government organization. However, we have gone too far: many things are no longer done to secure the organization as well as possible, but to tick all the boxes and thus satisfy the auditors.
For example, we must comply with the BIO, the Dutch Government Information Security Baseline. The BIO consists of about 250 controls (based on ISO 27002). You must comply with every control, unless you have a good reason not to (comply or explain). You have to go through all those controls anyway, if only to determine whether they apply to you. You then either explain why you do not have to comply, or you provide proof that you do. You look for the gaps between the rules and the actual situation – you do a gap analysis.
And then you can also look at three different stages: set-up, existence and operation. Set-up means that a control has been documented, for example in policy or a design. Existence means that the documented measure has actually been taken, and for operation the control must have proven effective several times. Actually, "stage" isn't the right word. It's not necessarily first set-up, then existence and finally operation. I know of countless situations where a control has worked fine for years without ever being documented. Operation then earns a green tick, while set-up scores red.
In recent years, we have performed this exercise at our data center. Not for the data center as a whole, but for each individual service that the data center provides to its customers: networks, mainframe hosting, endpoints (for example your laptop) and countless other things that I never even suspected existed. Apart from the fact that this exercise has given us a lot of insight, it was also a huge job.
Our organization is of course much more than just a data center. And guess what: the entire organization must comply with the BIO. That requires a higher level of abstraction. A few years ago we divided all those BIO controls among the organizational units. In a number of major meetings, responsibility and accountability were determined. The IT department, which also includes the data center, ended up with 42 measures (I can't suppress a nod to The Hitchhiker's Guide to the Galaxy here on my bookshelf). The other controls fall under the responsibility of other organizational units. And despite the limited number of measures we have to implement, it is a hell of a job. Tough work too, because it is often difficult to retrieve the necessary information. Despite the higher level of abstraction, you still need detailed information to substantiate your statements.
And all this compliance, the panel sighed at the congress, swallows up all the time and money, leaving nothing to actually improve security. In the hunt for green checkmarks, the heart of the matter is overlooked and an illusion of security is created. We are so busy polishing the car that we don't get around to solving the shortcomings under the hood, even though those matter far more than the outside.
Let's use lists like the BIO primarily to address and solve security issues in practice. Compliance then follows naturally – not as a goal, but as a by-product.
And in the big bad world…
This section contains a selection of news articles I came across in the past week. Because the original version of this blog post is aimed at readers in the Netherlands, it contains some links to articles in Dutch. Where no language is indicated, the article is in English.
- Every software developer should know what SQL injection is by now, but it never hurts to explain it again.
- Wholesaler Macro has again suffered from an attack on its parent company, which took place in October. [DUTCH]
- You will soon be able to encrypt your iCloud backup in such a way that Apple itself can no longer access it – and neither can law enforcement.
- European police forces are cracking down on money mules. [DUTCH]
- Chrome supports logging in without a password. [DUTCH]
- The government is investigating whether there should be a national anti-phishing shield. [DUTCH]
- You can of course also hack a loudspeaker. [DUTCH]
- The State Secretary believes that the Tax and Customs Administration doesn't log sufficiently to be able to combat corruption effectively. [DUTCH]