BD&F Information Security

The BDF 4Tier is cyclical. As you go up through the tiers they build on each other and then return again. Here’s another attempt to clarify the focus of each tier and how they relate to each other. 

Tasks are the flesh and bones that make the tactics work. They are the things that are done at the user level and can be thought of as the operations aspects derived from the chosen tactics. 

If for example a company decides on training staff, they then have to devise tasks to accomplish that. Is it going to be online, posters, books, mentors etc.? In here the PDCA cycle can be helpful and when the tactic is audited, the tasks can be looked at to see where improvements can be made. 

Tactics describe the methods chosen to deal with a threat.  Let's look at the big divide of training v technology. The choice of either or a mix of is a tactic. There are age old arguments for all choices. Whichever is chosen that is the tactic the company has decided to use against InfoSec threats. 

An online training delivery might prove to be too cumbersome to access, too boring, too infrequent, has a poor UX... It is an opportunity to improve a task that supports a tactic. In the end you will get a better online training facility but your tactic of using training remains the same. 

Habits are about making the tasks as automatic as possible for human and / or machine. It is only by understanding what tasks are used can you look closely at them to decide which way you can make them more efficient for users or if to automate via a machine. This step is important because it is where the InfoSec function in a company can 'sign off' activities that are already embedded and not have to live a life of rinse / repeat / rinse / repeat firefighting. 

Office documents give the ability to save and encrypt. To do this is a multi-step process and requires the user to create and record a password. Scripts can be written to automate this process and perhaps generate a strong random password users can exchange in order to share documents securely. 

Culture comes in when the other three tiers are built into the running of the company and InfoSec now has the time to devote to business strategy. At this level the company can decide its approach to market and how it can use IT to its advantage. Without the other three, there is no bandwidth for InfoSec to add value to these types of decisions and both InfoSec and the company lose out and remain stuck at firefighting to protect information and underutilising the evolving capabilities of IT. 

It is culture that will set the cycle going again because at that level it will be decided what tactics will be used to protect information and the company's risk appetite. 

The laws and standards go across all the tiers but while they can provide limits and set boundaries, they should not be the aspiration but rather the base. For example, it is possible to build an exceedingly secure system that will not match some of the standards and laws. 

Many companies rest on the standards and laws and as technology changes they end up becoming insecure, stymied by the recommendations and are slow to exploit IT.

“I can’t stand to wake up to a dirty kitchen!” If you hear that often enough in your formative years, guess what you end up saying as an adult.

It is a ritual in our house to tidy the kitchen each night before bed. The sight in the morning of a spruced up kitchen with an espresso pot ready to go, sets up the day in just the right way.

I am very methodical when it comes to doing the dishes. They are first grouped so that cutlery, pots, plates etc. all get hand washed in their respective batches. The draining rack is packed from the top and while the dishes are dripping dry, I will put out the garbage and then wipe clean the counters and stove. That for me is the most relaxing experience of the day.

Cleaning the kitchen is a task. If I want to enjoy an organised kitchen on waking up, it has to be cleaned at night. But the way I do it is not the only way that the result can be obtained. People who order in food and use disposal cutlery can also enjoy a clean room in the morning. Someone can be hired to do that work or there are dishwashers to handle the bulk of the task.

The objective remains to wake up to a tidy kitchen but the tactics used can be varied. For each tactic, there are tasks that must be done in order to achieve the desired arrangement.

When the objective is the protect information there are also different tactics a company can use. The factors that influence the choice of tactics are peculiar to each company and for each there will be a set of tasks to accomplish the goal.

It is important to keep a record of the tasks that make a tactic successful because with this information companies can teach staff about and then streamline the effort to secure their information.

Hans Monderman designed the traffic system in Drachten, in north Holland where there are practically no road markings, traffic signs or lights. He did this because he believed that if humans were trusted to interact with one another, compromises will be made.

His street layout and designs encouraged motorists, cyclists and pedestrians to make individual negotiations at every encounter, always with the notion that everyone just wants to get to their destination safely. It has been a resounding success. In 2006, Drachten reported seven consecutive years of zero fatalities.

The system is radical enough to place a children’s playground in the middle of a road forcing drivers to drive at safe speeds and also other users of the space to consider the presence of vehicles. The idea is to make something safe by making it obviously dangerous.

The influence of this approach can be seen on Kensington High Street where the railings and zebra crossings were removed and pedestrians were encouraged to cross wherever they wished. From 2006 to 2008 accidents were reduced by 44%.

I see similarities in Information Security with respects to regulation and policy. It is easy for InfoSec to quote chapter and verse of policies, standards and laws without engaging with the business members who want to move information from one place to another for profit.

Would less regulation work in Information Security? I believe it will reduce the reliance on the static codes and get InfoSec to engage more with the business. For this to work everyone has to be aware of the dangers within Information Technology.

This awareness is not geared towards less interaction but a more cautious, cooperative approach. Teams wanting to purchase Cloud services, for example, will be willing to ask the security questions of the suppliers or engage their InfoSec team more readily to assess the security of an offering.

Companies will have to build a culture of education for all members, not only focused on policy but how IT works and what are its weaknesses. There should also be fair and consistent penalties when incidents occur.

When end users are empowered to make decisions regarding the exchange of data, a company will have a larger group of people working towards its success, in a unique, secure, digital environment.

My son is a year old and is starting to walk. We knew we had to make some changes as the stairs are quite steep and from previous experience, it is easy for a baby to have a tumble while learning to climb.

There were a few tactics I can employ to avoid such a scary mishap but there were other considerations besides not wanting him to have a fall.

Firstly, we recently moved in and stuff is constantly on the move as we have not yet worked out, what goes where. The older two have a lot of toys that they bring down each day and pack back at night in their rooms upstairs.

Secondly, the baby is almost always supervised and we trust the habits we have of keeping him under close watch. This though will change as he gets better and faster at walking.

Thirdly, I want him to learn to climb the steps in a safely manner and I think the early he is given a chance to try it, the better it is for all the family.

We had two child gates at the last house, one at the top of the steps and the other to the living room where the first two were able to roam without getting into the kitchen and also up the steps. This time the layout is different and the baby has a larger area on the ground floor to practice his walking.

In the end we settled on one gate at the bottom of the steps. This divides the house in two with free roam for baby boy on the ground floor and ease of use for everyone else. Upstairs we make sure whichever room he’s in, the door is kept shut.

So far, so good. As he gains confidence in his walking, he gets a supervised go at the steps but the gate remains closed not only through habit but through the swing lock design that makes it near impossible to stay open.

The choice of a single gate was not the only one. It was the one that presented the safest compromise for all involved. Information security has to make similar choices all the time in situations where different factors have to be considered and it is not necessarily the best touted option that delivers the most desirable result.

This brings me neatly to Information Security. The degree to which you rely on technology to secure data versus human habit and company culture will vary for each situation. The costs you are willing to sustain, you assessment of the attendant risks and the ethos of your business must all be weighed when such a decision is being made.

Laws and policies are useful but they can never cover all the circumstances that each business will throw up. It is up to the individual companies to work out how they want to balance all the factors so as to maintain their competitive advantages in a secure environment.

I did a couple of webinars over the last month where I talked about my Four Tier approach to information security.

Below I’ve added more of my ideas which led to the Four Tier approach.

Problem - Information Security is seen as a mandatory technical liability, necessary to protect secrets and to comply with the law.

How do organisations support managers to build a culture of protecting information?

Claim - Better use of IT’s capability to mimic repetitive tasks reduces InfoSec’s governance workload.

Warrant - Web applications to automate governance and increase managers’ time to support teams in protecting data.

Problem

We think of InfoSec as a technical activity. This means money for equipment and expertise. Much of the budget will go on these two things but the day to day running of the InfoSec effort is handed to managers who are in charge of other activities.

You might for example have a centralised BYOD system to control company information on the drives held by staff but the registering of those devices will be the responsibility of the team manager. And where is this done? In an Excel spread sheet kept on a staff drive, hopefully with a unique password. If it’s a simple flat sheet, that’s okay, enter a new row, transfer information already in an email and perhaps staff directory. Update and save. How long? 3-4mins. A relatively long time when the task can be as simple as an additional question at some other point where employee information is being recorded.

When this information has to be audited, it becomes a nightmare. I have worked in systems where the HR, Finance, Facilities, InfoSec and various team managers all have a different, non-concurrent record of an employee.

Tracking a lost item! The form filled out by the employee does not provide what is needed in the Lost Item register. The manager has to find that information elsewhere. Even if they were synonymous, the task of transferring the data becomes a repeat of the BYOD activity as before.

When managers often have to deal with mundane, tedious tasks there is little time left to develop innovative ways to secure company information. Reliance is built on the technology and the opportunity to cultivate the work habits that will add a layer of protection to the information is lost.

Much of InfoSec is still in the firefighting stage with respect to the problems. Unable to contribute to business strategy and to developing a culture of doing business that includes information security. Who has the time?!

InfoSec priorities across the organisation are affected by these ‘Triplicate’ operations. For each one there is record keeping for operational, audit and archive purposes.

Below are eleven (11) InfoSec aspects that all require governance and two associated items. Maintenance of each of these consumes a lot of resources.

Data Security – 3rd party links, forensics

Application Security – development standards, lifecycles

Cloud Computing – data exchange standards, access

ITSec staff recruitment, training and retention – ROI, compliance

Business Continuity / Disaster Recovery – team plans, drills

Identity and Access Management – SML, systems register

Aligning ITSec with the business – onboarding InfoSec, reporting

External Threats – patching, IT audits

Regulatory Compliance – tick boxes, suppliers

User Sec training and awareness – frequency, measurement

Mobile Sec – device registration, change control

These are all opportunities to create ways of securing the company’s information in a manner that acknowledges the threat landscape and matches it with the risk appetite. To accomplish a better risk based approach to InfoSec requires time and resources.

Claim

Automation of these governance tasks will save businesses time and money. If the processes are properly analysed, deconstructed and coded as applications, managers will have more time to devote to information security as a BAU prerequisite.

I will like to describe the InfoSec effort as a stack, made up of four tiers.

Tactic – What is done to achieve a goal; E.g. securely linking with a 3rd party supplier of a needed service.

Task – How that activity is carried out; management, documentation and audit of the process

Habit – When is the task done; how often, how easy

Culture – What tactics are we willing to employ and how do we govern them

Leverage IT; write once, use everyday. Automate the tasks and habits. Avoid the mundane and tedious. Give managers more strategic responsibilities.

Warrant

When InfoSec gets past the firefighting mode and move into a true PDCA cycle they will make better use of the company’s assets to protect information. The technology becomes transparent, the governance overhead decreases and the business’s core objectives become closer aligned to the team’s InfoSec efforts.

A team wants to put in a new system and checks the security of the innovation with InfoSec. It appears to contravene some standards. What is the next step? For a firefighting InfoSec, there is no next step, quoting the standard will serve to end that development. “Try again!”

For an InfoSec with time and a different culture, it can be the invitation to start a dialogue, see the process in situ, involve technicians, update standards…

Companies are not in business to comply with standards. The market is dynamic and competitive. Is it more efficient to ban a WebEx session than to send a trusted employee to a supplier’s site? That type of decision needs to entertained and not cut off by the chapter and verse of policies and standards.

Automation releases bandwidth for InfoSec to conduct these types of conversations.

On Black Ops there’s “If I tell you, I have to kill you”. This is the secret services’ attitude to their information. An outsider gets the impression that everyone there understands and respects how information must be kept private. When someone says that they are in this line of work, it is normally a conversation stopper. Does your staff see company information in the same way?

I recently read Don't Talk to Strangers to my son. In the story Christopher Robin leaves the 100 Acre Wood to go visit his grandmother all by himself. Piglet finds this a worry and asks him if he is scared. Christopher Robin says no because he has the Stay-Safe-Rules written by his mother to help protect him.

Of course at that point my security hat went on and I compared how those rules relate to the effort of creating a culture where colleagues are conscious of their responsibilities in protecting Ofcom's data.

AA Milne wrote this story in the late 1920s and today those rules still hold true in many spheres of life. Looking through company’s security policies we see these rules reflected and they have proved to be universal truths indeed.

Don't talk to strangers

Avoid all confidential discussions with colleagues and/or stakeholders in public areas of such buildings or offices. These areas may include receptions, restaurants/cafes, lifts and lift lobbies.

Remember that office buildings are often shared with other tenants. The public areas should therefore be considered to be no more secure than, for example, an external restaurant or train station.

Do not share confidential information with third-parties without appropriate prior approval from a senior manager.

When taking sensitive papers out of the office keep them secure and out of view and do not allow anyone at a conference or meeting to read your documents if they have no legitimate reason to do so.

Never open your door to a stranger

Display companys’ security passes at all times in the offices and be aware of potential tailgaters when entering and leaving. If in doubt about someone's identity ask him/her to show a pass.

Escort visitors at all times, particularly back to reception.

Never take a present from a stranger

Do not install third-party software or hardware applications, disclose password details or access other colleagues' files or emails without appropriate approval.

Act responsibly and reasonably in using company IS systems for personal purposes such as web browsing or email.

Never take a ride from a stranger

As part of their role, some colleagues will from time to time need to speak to or meet other members of the business community. Such contacts should be carefully handled, and are subject to the following rules:

No one should maintain active contacts without ensuring that the group head is fully aware of these and has given written agreement. In particular, lunches and other events should be approved by the group head in advance.

More generally, any conversations should be restricted to gathering information and opinion about the market.

More generally, any conversations should be restricted to gathering information and opinion about the market.

If a stranger does try to talk to you or touch you, yell "NO!" run away, and tell a grown-up you trust as soon as you can

Do not click on links in unsolicited emails. Do not give information to callers whose identity you cannot confirm. If you spot a security flaw in any of the company’s facilities including the offices, network and websites, please report this to the security team.

And remember, if you're going somewhere, it's always friendlier and safer to go with someone you know

Third party service providers offer ways to help managers and their groups perform more efficiently. It is always best to check the levels of security a provider is able to offer and ensure that it is documented in a contract. Buying in external services should not be done without consulting other relevant colleagues.

Safety and security are about creating protective habits in handling what is valuable to us. A good habit to develop is removing any sensitive documents in your possession from meeting rooms, copiers, printers and business centres as soon as the reason for them being there expires.

Christopher’s grandmother understood this and was able to put together a list of cautions that will lead to safe behaviour.

All the family went to Berkhamsted Castle last Sunday. It was a sunny day and lots of people were camped out on the grass where an entire community once lived under siege for two weeks. The area looks small today but I can imagine how an entire town can live within the once formidable walls and function on a normal basis.

Castles are part of the iconography of defence and in InfoSec they have been used to illustrate many different aspects of securing information. It is also instructive that they are used to represent an idea of what should be happening when we say we are protecting information.

The popular portrayal of a castle is of a redoubtable village under siege. InfoSec has had this analogy at its disposal from the early years of enterprise networks and it has served its purpose in explaining what was considered good security.

With the castle parallel you get the idea that the castle’s inhabitants could rely on the knights to balk any attack. A network was a complicated, engineered system that protected the company’s data and all who processed it. The metaphor has been tried and tested and it is understood by all.

I will like to add another observation about castle life that is applicable to today’s porous networks that handle consumerisation and Cloud services. With these two challenges you can no longer employ the siege scenario because it suggests that the gates are open while the castle is under attack.

In the life of many castles, attacks will have been occasional. Much of the time, life will be lived under normal conditions with commerce carried out in all spheres. The nearby farmland had to be worked, the livestock tended, trade with other groups and recreation outside the confines. A castle could not be sustained without these comings and goings.

The preparedness of the castle dwellers to revert to ‘lock down’ and to play their part in the survival of a siege will have been important. What did they understand was their expected behaviour when outside of the walls? After a long period of peace, would they have changed behaviours, perhaps be more welcoming to strangers? Will they go out to the fields alone? Did they know what villages were safe to visit? Did they still keep old secrets?

Today, InfoSec could exercise that story of the castle but add that the experts have a duty to raise the level of awareness in all staff about what part they must play to protect the company’s information.

Without trade, villages/company’s die. The knights/InfoSec are skilled with the tools of defence. Dwellers have to work and ensure the castle prospers. In war and in peace, NO ONE! must divulge the source of the castle’s well water.

My primary background is fashion design. For close to fifteen years I coloured lengths of cloth, took them to garment factories to be made mostly into shirts and also women’s two piece outfits. My main market was direct customers that I built up from making the rounds of the offices in Port of Spain, Trinidad, at the end of each month. 

I also supplied tourist shops in Tobago, Grenada and Barbados always looking to differentiate my products with design, quality or price. This made my sales trips easier and buyers were always excited to carry my line.

I moved to the UK and shifted to soft furnishings with a stall at Covent Garden and the chance to supply my cushions to stores. I then wanted a change of career and thought computing was a challenge I should take up.

My first computer was bought in 1999 and I remember taking it home, puzzled about how to turn it on! An IT newbie. I did a BSc in A.I. and then moved into InfoSec for a MSc. My first job in this field was as a Web Application Analyst helping a development team to write secure code.

Throughout my career I have always maintained the idea that InfoSec is about protecting information as it travels across an organisation. This should be done in such a way that all staff can contribute at their point of contact with the data and the interaction should be as abstract as possible so that more attention can be paid to the business aspect of the function.

I changed cars a few months ago and only recently opened the bonnet to top up the windscreen washing liquid. This is how I envision InfoSec should appear to most members of staff. Focus on the driving and not the mechanics. I trust that if the engine needs oil, the oil light will flash. Pretty much as I expect the fuel gauge to let me know when to fill up.

A lot of the language of InfoSec is inside speak and this can be self-defeating for practitioners because it focuses on the technology and misses the point of the entire exercise, which I believe is to safely conduct business with digital information.

A couple years ago I was driving on the Autobahn and saw whenever we had to make a sudden stop, the hazard lights on the other cars will go on. I thought the German drivers were really skilled, to have the presence of mind to hit that switch in an emergency situation. Don’t laugh!