Information is needed to perform commercial functions. Treatment of that information is governed by a mix of laws, regulations and policies. To be nimble and complaint in order to prosper, information must be able to move freely throughout its processes under changing conditions.
BD&F Information Security provides strategic planning and implementation of data lifcycle management systems.
Welcome to this site and I hope that the information is helpful.
It can feel like an uphill struggle when you try to instil new habits. There always seems to be resistance regardless of the reward. Change is difficult especially when the new direction is not clear. This makes it difficult to keep track of the return you are getting for the effort.
I decided to learn to play the guitar and that got going with a full head of steam. I now have a guitar and The Complete Guitar Guide which is rapidly disappearing under this week’s letters on my desk. I need to work out a time slot for practicing that will be sustainable and not disturb others as they sleep. This is not as simple as I envisaged.
I am still evaluating the effort. Because there is no set goal and no time limit, this as a project is running the risk of not getting off the ground. I am sure the book will help with this so the main action now is to ‘just do it.’ The Ready, Fire, Aim method applies here.
Every evening when Big Son comes out of the shower there is a ritual of asking him if he washed his hair. We will then smell his hair and send him back to wash his hair properly. Exasperating for everyone. The last straw came and he pranced out of the room shouting “How am I to do it right when I don’t know what the standard is!”
We laughed hard but took it seriously because he was right. We’re asking him to do something with as vague a description as possible. “Wash your hair” is a very easy task to accomplish and he has been doing this regularly. That night we worked out what the standard is and so far, much less dramas surrounding this.
The
BDF 4Tier is cyclical. As you go up through the tiers they build on each other and
then return again.
Here’s another attempt to clarify the focus of each tier and
how they relate to each other.
Tasks are the flesh and bones that make the tactics work. They are the things that are done at the user level and can be thought of as the operations aspects derived from the chosen tactics.
If for example a company decides on training staff, they then have to devise tasks to accomplish that. Is it going to be online, posters, books, mentors etc.? In here the PDCA cycle can be helpful and when the tactic is audited, the tasks can be looked at to see where improvements can be made.
Tactics describe the methods chosen to deal with a threat. Let's look at the big divide of training v technology. The choice of either or a mix of is a tactic. There are age old arguments for all choices. Whichever is chosen that is the tactic the company has decided to use against InfoSec threats.
An online training delivery might prove to be too cumbersome to access, too boring, too infrequent, has a poor UX... It is an opportunity to improve a task that supports a tactic. In the end you will get a better online training facility but your tactic of using training remains the same.
Habits are about making the tasks as automatic as possible for human and / or machine. It is only by understanding what tasks are used can you look closely at them to decide which way you can make them more efficient for users or if to automate via a machine. This step is important because it is where the InfoSec function in a company can 'sign off' activities that are already embedded and not have to live a life of rinse / repeat / rinse / repeat firefighting.
Office documents give the ability to save and encrypt. To do this is a multi-step process and requires the user to create and record a password. Scripts can be written to automate this process and perhaps generate a strong random password users can exchange in order to share documents securely.
Culture comes in when the other three tiers are built into the running of the company and InfoSec now has the time to devote to business strategy. At this level the company can decide its approach to market and how it can use IT to its advantage. Without the other three, there is no bandwidth for InfoSec to add value to these types of decisions and both InfoSec and the company lose out and remain stuck at firefighting to protect information and underutilising the evolving capabilities of IT.
It is culture that will set the cycle going again because at that level it will be decided what tactics will be used to protect information and the company's risk appetite.
The laws and standards go across all the tiers but while they can provide limits and set boundaries, they should not be the aspiration but rather the base. For example, it is possible to build an exceedingly secure system that will not match some of the standards and laws.
Many companies rest on the standards and laws and as technology changes they end up becoming insecure, stymied by the recommendations and are slow to exploit IT.
“I can’t stand to wake up to a dirty kitchen!” If you hear that often enough in your formative years, guess what you end up saying as an adult.
It is a ritual in our house to tidy the kitchen
each night before bed. The sight in the morning of a spruced up kitchen with an
espresso pot ready to go, sets up the day in just the right way.
I am very methodical when it comes to doing the dishes. They are first grouped so that cutlery, pots, plates etc. all get hand washed in their respective batches. The draining rack is packed from the top and while the dishes are dripping dry, I will put out the garbage and then wipe clean the counters and stove. That for me is the most relaxing experience of the day.
Cleaning the kitchen is a task. If I want to enjoy an organised kitchen on waking up, it has to be cleaned at night. But the way I do it is not the only way that the result can be obtained. People who order in food and use disposal cutlery can also enjoy a clean room in the morning. Someone can be hired to do that work or there are dishwashers to handle the bulk of the task.
The objective remains to wake up to a tidy kitchen but the tactics used can be varied. For each tactic, there are tasks that must be done in order to achieve the desired arrangement.
When the objective is the protect information there are also different tactics a company can use. The factors that influence the choice of tactics are peculiar to each company and for each there will be a set of tasks to accomplish the goal.
It is important to keep a record of the tasks that make a tactic successful because with this information companies can teach staff about and then streamline the effort to secure their information.
Hans Monderman designed the traffic system in
Drachten, in north Holland where there are practically no road markings,
traffic signs or lights. He did this because he believed that if humans were
trusted to interact with one another, compromises will be made.
His street layout and designs encouraged motorists,
cyclists and pedestrians to make individual negotiations at every encounter,
always with the notion that everyone just wants to get to their destination
safely. It has been a resounding success. In 2006, Drachten reported seven
consecutive years of zero fatalities.
The system is radical enough to place a children’s playground in the middle of a road forcing drivers to drive at safe speeds and also other users of the space to consider the presence of vehicles. The idea is to make something safe by making it obviously dangerous.
The influence of this approach can be seen on Kensington High Street where the railings and zebra crossings were removed and pedestrians were encouraged to cross wherever they wished. From 2006 to 2008 accidents were reduced by 44%.
I see similarities in Information Security with respects to regulation and policy. It is easy for InfoSec to quote chapter and verse of policies, standards and laws without engaging with the business members who want to move information from one place to another for profit.
Would less regulation work in Information Security? I believe it will reduce the reliance on the static codes and get InfoSec to engage more with the business. For this to work everyone has to be aware of the dangers within Information Technology.
This awareness is not geared towards less interaction but a more cautious, cooperative approach. Teams wanting to purchase Cloud services, for example, will be willing to ask the security questions of the suppliers or engage their InfoSec team more readily to assess the security of an offering.
Companies will have to build a culture of education for all members, not only focused on policy but how IT works and what are its weaknesses. There should also be fair and consistent penalties when incidents occur.
When end users are empowered to make decisions regarding the exchange of data, a company will have a larger group of people working towards its success, in a unique, secure, digital environment.
My son is a year old and is starting to walk. We knew we had to make some changes as the stairs are quite steep and from previous experience, it is easy for a baby to have a tumble while learning to climb.
There were a
few tactics I can employ to avoid such a scary mishap but there were other
considerations besides not wanting him to have a fall.
Firstly, we recently moved in and stuff is constantly on the move as we have not yet worked out, what goes where. The older two have a lot of toys that they bring down each day and pack back at night in their rooms upstairs.
Secondly, the baby is almost always supervised and we trust the habits we have of keeping him under close watch. This though will change as he gets better and faster at walking.
Thirdly, I want him to learn to climb the steps in a safely manner and I think the early he is given a chance to try it, the better it is for all the family.
We had two child gates at the last house, one at the top of the steps and the other to the living room where the first two were able to roam without getting into the kitchen and also up the steps. This time the layout is different and the baby has a larger area on the ground floor to practice his walking.
In the end we settled on one gate at the bottom of the steps. This divides the house in two with free roam for baby boy on the ground floor and ease of use for everyone else. Upstairs we make sure whichever room he’s in, the door is kept shut.
So far, so good. As he gains confidence in his walking, he gets a supervised go at the steps but the gate remains closed not only through habit but through the swing lock design that makes it near impossible to stay open.
The choice of a single gate was not the only one. It was the one that presented the safest compromise for all involved. Information security has to make similar choices all the time in situations where different factors have to be considered and it is not necessarily the best touted option that delivers the most desirable result.
This brings me neatly to Information Security. The degree to which you rely on technology to secure data versus human habit and company culture will vary for each situation. The costs you are willing to sustain, you assessment of the attendant risks and the ethos of your business must all be weighed when such a decision is being made.
Laws and policies are useful but they can never cover all the circumstances that each business will throw up. It is up to the individual companies to work out how they want to balance all the factors so as to maintain their competitive advantages in a secure environment.
