Are standards worth the paper they are printed on? Part 2

Mike Thompson

Mike Thompson is the Director of Information Security Products and Services at Linus Information Security Solutions. Mike’s expertise lies in bringing IT and the Business together to improve Information Security outcomes. He has over 25 years of experience across numerous government, commercial and not-for-profit organisations, and is recognised as an ISM expert with the rare ability to articulate complex issues and concepts in plain language and business contexts. Among his many projects he has uncovered computer fraud, ethically hacked a number of organisations, worked as an official adviser to the Victorian Privacy Commissioner and the Victorian Law Reform Commission and designed and developed award-winning software solutions.

In Part 1 of this blog, I argued that relying solely on standards as your blueprint for information security will leave you exposed, because they only offer generalised considerations and are outdated or misleading.

This month I take a closer look at the subjectivity of privacy and risk standards and outline the specific actions you can take to improve security outcomes for your organisation.

What does ‘reasonable steps’ actually mean?

The recently updated Australian Privacy Principles (APPs) include two key principles directly related to security:

APP 10 — Quality of personal information

An APP entity must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete. An entity must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure.

APP 11 — Security of personal information

An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. An entity has obligations to destroy or de-identify personal information in certain circumstances.

The APPs repeatedly state that you must take ‘reasonable steps’ to secure private information held within your organisation. However, this is a very subjective measure of accountability, and it can open your organisation up to penalties if your steps are not clearly supported by evidence.

The specific process behind ‘reasonable steps’ is not defined by the APPs, although guidelines do refer to Privacy Impact Assessment and Information Security Risk Assessment processes as a means of determining whether your controls are adequate. However, as I argue later, standard risk assessment techniques are about as useful as pinning jelly to a wall when it comes to information security, so I doubt you’ll find adequate answers there.

So how do you demonstrate ‘reasonable steps?’

Taking ‘reasonable steps’ actually requires you to provide a business case behind your control decisions, i.e. evidence that the measures are in fact reasonable. By making sure that you have done a proper sensitivity analysis of your data, worked out where the hot-spots are, and applied a set of controls that holistically protect the data to the desired level, you will have demonstrable proof that reasonable steps have been taken.

If you cannot provide this proof, your next audit may not be very forgiving.

Risk assessments have been referred to in this blog several times and most people have heard about risk analysis, so what is stopping organisations from fully understanding their information security risks?

The simple answer is that standard risk assessment techniques are—you guessed it—about as useful as pinning jelly to the wall when applying them to information security. ISO 31000 and ISO 27005 provide a logical, high-level framework for determining risks, which looks great on paper, but fails in practice. The fundamental flaw in standard risk management approaches is the reliance on probability or likelihood as a key determinant. If you cannot establish an accurate likelihood or probability, then you won’t be able to define the risk with any certainty.

For example, an actuary in a life insurance company has reliable statistics regarding death rates from various well-known diseases and can therefore provide reasonably accurate assessments and set policy values with minimal risk. On the other hand, when information security faces an estimated 1000-plus new threats every day, how can you possibly attach a probability to every one? Technically you would need to accumulate all the threats and their corresponding probabilities to get close to anything useful. The statistics simply don’t exist.

This problem is well illustrated in ISO 27005, which talks about establishing incident scenarios to determine risks. Scenario-based approaches only consider a select number of threats in specific scenarios. Given that the threats and scenarios are essentially infinite, the results will be flawed. Just as good business continuity management techniques now adopt an ‘all hazards’ approach, we need to adopt the same approach for information security.

There are elements of standard risk assessment that still make good sense, such as consequence or impact ratings, but unfortunately the current standards don’t provide options to work around the lack of reliable probabilistic and threat information.

So what should you do?

Are standards a complete waste? Not at all. Standards perform an essential role and they do go part-way to providing a workable framework.

My biggest concern is that security professionals may actually believe that current standards are all that they need or are the easiest way out.

I would like to see security professionals stop following the ‘standard rhetoric’ and think about the security landscape in a new light.

Standards are a good starting point for your security journey, but they cannot replace the need for properly profiling your organisation to find out what you specifically need to match the sensitivity of your data. A data sensitivity analysis is an example of an alternative probability-free risk assessment technique to work out, based on the impact to the organisation, what would be an appropriate set of controls to apply. In other words, wherever you have highly sensitive data, it makes sense to apply strong controls.

Once you know the sensitivity of your data, you can then focus on the specific controls needed to secure that data to the required level. By establishing control effectiveness ratings and applying controls holistically to data within an application context, you can then assess any residual exposures. If you follow this approach, you will achieve far better security outcomes and compliance.
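As an added illustration (not from the article or its author), the following Python sketch shows one way such a probability-free check can be expressed: each data set carries impact-based sensitivity levels per security property, each control carries a hypothetical effectiveness rating, and residual exposure is simply the shortfall between the two, with no likelihood term anywhere. The control names, ratings and sample inventory are constructed for the example.

```python
from dataclasses import dataclass, field

# Security properties a control can protect; levels run 1 (low) to 4 (critical).
PROPERTIES = ("confidentiality", "integrity", "availability")

@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: dict  # property -> rating 1..4 (hypothetical ratings)

@dataclass
class DataSet:
    name: str
    sensitivity: dict  # property -> required level 1..4, derived from impact
    controls: list = field(default_factory=list)

def residual_exposure(ds: DataSet) -> dict:
    """Gap per property: required level minus best applied control rating.
    Assumption: the strongest control sets the achieved level; weaker
    overlapping controls do not add to it. No likelihood estimate is used."""
    gaps = {}
    for prop in PROPERTIES:
        required = ds.sensitivity.get(prop, 1)
        achieved = max((c.effectiveness.get(prop, 0) for c in ds.controls), default=0)
        gaps[prop] = max(required - achieved, 0)
    return gaps

def hot_spots(datasets) -> list:
    """Names of data sets still carrying a gap, most sensitive first."""
    exposed = [ds for ds in datasets if any(residual_exposure(ds).values())]
    exposed.sort(key=lambda ds: max(ds.sensitivity.values()), reverse=True)
    return [ds.name for ds in exposed]

# Constructed sample inventory for one application (not real data).
ENCRYPTION = Control("disk encryption", {"confidentiality": 3})
RBAC = Control("role-based access", {"confidentiality": 3, "integrity": 3})
BACKUP = Control("daily backup", {"availability": 3})
PATIENT_RECORDS = DataSet("patient_records",
                          {"confidentiality": 4, "integrity": 3, "availability": 2},
                          [ENCRYPTION, RBAC, BACKUP])
MARKETING_LIST = DataSet("marketing_list",
                         {"confidentiality": 2, "integrity": 2, "availability": 1},
                         [RBAC, BACKUP])

if __name__ == "__main__":
    for ds in (PATIENT_RECORDS, MARKETING_LIST):
        print(ds.name, residual_exposure(ds))
    print("hot spots:", hot_spots([PATIENT_RECORDS, MARKETING_LIST]))
```

Run as-is, the patient records show a confidentiality gap of one level (required 4, best control 3) while the marketing list is fully covered, which is exactly the kind of demonstrable evidence the ‘reasonable steps’ test asks for.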

This article is brought to you by Enex TestLab, content directors for CSO Australia
