Archive for the ‘Regulation/Compliance’ category

“The cloud”, just another word for outsourcing IT?

September 21, 2010

The question came up at a recent Annual Executive Retreat of how to conduct a risk assessment of a cloud vendor. One CISO in attendance suggested that “the cloud” is just a trendy term for outsourced computing, and that the risk assessment process is the same as it always has been. Other CISOs like to recall the term time-sharing to point out that everything old is new again.

However much this is part of a cyclical pattern, there are new aspects to the cloud that present new challenges to Security organizations:

  1. Governance. Purchasing decisions are much harder to detect. A credit card and they’re up and running. Members tell us much of this seems to be happening in the Sales and Marketing functions, and cite this as the number one risk of the cloud (see figure below). These services are so easy to set up that those who initiate the relationship may not think of themselves as going around IT; they are just doing what people do naturally these days: getting stuff done on the web. This creates new problems for Security:
    • How can you detect these transactions?
    • Is it possible to create a policy that defines what is OK and what is not, or do all projects need to go through a security review?
    • If you did create a policy, what are the carrots, sticks, and awareness needed to make it work?
  2. Requiring controls. With larger SaaS and IaaS vendors, there is little transparency into their controls, and the vendor will not change their security as a condition of your contract: the key to their cost efficiency is standardization and low transaction costs. Also, the vendors will rarely agree to indemnify you when something goes wrong. IREC members are used to having the size to get their way with third parties, but the big cloud vendors aren’t that eager for each new small cloud contract. The balance of power has shifted.
  3. Regulations. Unlike outsourced computing in the past, in many cases with the current SaaS offerings you do not know the geographic location of the data/servers. This can be a regulatory problem, for example:
  4. Vendor selection. There are a lot of apparently small SaaS and IaaS vendors out there, but many are just resellers of services from big providers like Amazon. What accountability and visibility have you given up by buying through the intermediary for a lower cost?

The economics and agility provided by these services are unstoppable, so CISOs must create ways to manage the associated risks. First, CISOs need to understand the business side’s desire to use SaaS offerings and then use an understanding of the organization’s risk tolerance to decide what Security’s posture will be. Specific solutions we have heard about include:

  • Offsetting desire for IaaS by building internal, private clouds, often using existing unused capacity.
  • Creating clear definitions of data or processes that cannot be transferred to a third party without a security review. Ideally the restrictions are minimal, covering only regulated data or crown jewels rather than everything that is somewhat sensitive; restricting all of it tends to drive the activity underground.
  • Providing a list of approved vendors and a “getting started” guide to direct business users to safer cloud services. These guides should encourage submission of new vendors to ensure the lists continue to address user needs and keep Security aware of new cloud players.

What steps have you taken to address the specific risks of the cloud? Let us know.


The Future of Corporate IT: Implications for Information Risk, Part 2

May 25, 2010

We wrote recently about the five trends impacting the future of corporate IT, and the implications of the first three trends for CISOs – information over process, IT embedded in business services, and externalized service delivery. In this post we want to continue with the implications for CISOs of the other two trends postulated in that work.


How much access control technology is enough?

November 5, 2009

I recently attended a meeting with a group of leading CIOs of U.S. Federal Government agencies, all of whom are working to meet a presidential mandate (HSPD-12) to integrate Personal Identity Verification (PIV) smart cards into their access control systems. Some level of activity is of course required for compliance; there’s a “just do it” attitude that has to apply in some way. The more surprising conversation for me was a mentality that would be familiar to anyone who has ever remodeled a house: “while we’re in there, let’s also fix that…”. These CIOs were very interested to know how much effort to improve access control beyond mere compliance is worthwhile from a cost/benefit perspective.

IREC’s research efforts on access management and assessing the relative value of control investments shed some light on the question of how much technology is enough.


The WSJ’s ‘IT Security’ Section

September 23, 2009

Today’s Wall Street Journal contains a special advertising section called “IT Security” paid for by the Risk and Insurance Management Society.  The two-page section doesn’t seem to be available online, but it’s fairly prominent in the print edition on pages A19 and A20.

The three articles focus on insider threat, mobile device security, and social media, but contain little that will surprise anyone who has been paying attention to the information risk landscape.  That said, several data points cited in the articles might catch the attention of your senior executives.  Here are the highlights:

Insider Threat:
Privileged insiders pose a greater threat to organizations because of their access and knowledge of how systems work.  The article cites several anecdotes to suggest this threat vector is increasing.
Key ideas/data:

  • Only one-third of data breaches attributed to insiders are unintentional in nature.
  • Data Loss Prevention tools can “identify, monitor, and protect data, alerting network administrators when select information is being e-mailed” and subsequently prevent that traffic.
  • Cyber insurance can be purchased to offset the risk of a data breach.

Mobile Security:
Lost laptops and other mobile devices can be costly and it’s important to track and secure the devices to reduce the risk.
Key ideas/data:

  • The cost of a lost laptop ranges from $8,950 to $115,849 depending on how quickly it is identified as missing. (Source: Ponemon Institute)
  • Nearly one-third of companies don’t know how many laptops were missing or stolen in 2008.

Social Media:
The rapid growth of social media tools is having an impact on businesses across the globe.  Viral videos and social networks can have both negative and positive impacts.
Key ideas/data:

  • Firms should have social media policies in place to limit the risks associated with company employees posting information to the internet.
  • “Listening” tools can gauge how (e.g. tone) and where a firm is being discussed on the Internet.

If I find a link to the material online, I’ll post it.  We’ll be back later today with a more detailed reaction and the IREC perspective.  In the meantime, Council members can check out a few of our recent resources:

Insider Threat: Managing the Threat from Malicious Insiders
Data Loss Prevention: Preventing Data Leakage
Social Media: Social media Policy Builder, Sample Corporate Social Media Policies

Who is financially responsible for a security breach? Things are changing.

July 21, 2009

The understanding of financial responsibility for security breaches continues to evolve. Where will it stop, and could a CISO ever be held personally financially responsible?

PCI Backslides?

May 18, 2009

Ever since the Payment Card Industry Data Security Standard was released, affected Council members have struggled to implement all the facets of this detailed and prescriptive standard. The PCI Security Standards Council has recently released a detailed prioritization for the elements within the standard. While it carries many disclaimers that you still must comply with everything in the standard, does the existence of this tool not acknowledge that many organizations subject to PCI will remain not fully compliant for significant periods of time?