Archive for April 2010

Avoid the 2 common mistakes when formalizing information risk governance

April 9, 2010

Governance of information risks is usually pretty informal. The Information Risk function has to do most of the work identifying risks and trying to get others to “do the right thing”, whether that be to not click on links in random emails, to code applications securely, or to conduct thorough due diligence before business process outsourcing.

For obvious reasons, we would like this governance to be more formal. If everybody knew when risk decisions needed to be made, and who should make them, fewer things would slip through the cracks and the security function wouldn’t have to do so much of the work!

However, we believe that many organizations that try to formalize information risk governance go about it the wrong way.

Checklists will not increase your Cloud Computing Security

April 6, 2010

While most members are looking for differences between outsourcing and cloud computing, and developing better assessments to evaluate cloud vendors, a recent discussion between a few IREC members has provided a framework for a different approach to cloud vendors. One of the members on the panel has decided to completely drop the checklist approach to reviewing cloud vendors. He believes that the traditional approach of using ISO 27001 or NIST based questionnaires does not work well with cloud vendors for a variety of reasons. First, most vendors at this time are too new to have the security assessment process down to a point where they can respond to ISO/NIST based assessments. Second, vendors are hesitant about putting on paper any information that could leak and reduce their competitive edge in this rapidly growing market. Third, the way information is stored in the cloud can sometimes make traditional assessment unfeasible: for example, Google can break up and store your information in 200 different locations in multiple countries, making traditional location assessment impractical while simultaneously making it harder for breached information to be meaningfully used by hackers.

This obviously means that CISOs whose companies are moving forward with cloud computing initiatives at this time have to assume a lot of risk. So what should CISOs of those companies do? First, have a discussion about security with your cloud vendor. CISOs at first-mover companies have connected their security team with the vendor’s security team and found that a conversation has allayed most of their fears. Second, most cloud vendors have better security controls than anything developed in house. As one CISO said, “All cloud vendors are in the security business; one breach and their business is over, because hackers will get every company’s data. They have a lot of reasons to protect this data.” Finally, have vendors buy insurance against your contract, so that if a breach does happen and everyone is suing the cloud vendor, the insurance can pay your company off.

Obviously these recommendations are more relevant to those security folks who have to move to the cloud now. The consensus from the folks on the call was that as cloud vendors start getting more mature, they will obtain NIST or ISO certifications that can be used in assessments and will also develop better processes to respond to third-party assessment requests.

2010 Information Security Outlook