
If Enron had been SOX-compliant.

I am thinking about writing an essay on euphemisms in the security industry.

A customer data breach is "I copied some DB extracts to a server in the DMZ using a Windows file share, just for a couple of days while we test."

ILP (Internet leakage prevention) sounds like "the threat of attackers exploiting vulnerabilities in production software can be mitigated by wrapping teflon tape around the server pipes".

AUP enforcement is "employees will not come to work dressed like Monica Bellucci on a movie set".

Today, we shall talk about "compliance ROI" and the ineffectiveness of compliance checklists and compliance controls. The Institute of Management Accountants claims that compliance projects that use BPM can produce shareholder value and compliance ROI:

"...building assessment and assurance capabilities from the inside lead to improved ROI on compliance tasks and create value for shareholders...you can improve your compliance ROI...and be on the leading edge of new thinking in the area of Enterprise Risk."

Whew. Talk about overuse of euphemisms. This is why we have a problem.

An external standard or regulation like ISO 27001, Sarbanes-Oxley or the PCI Data Security Standard provides general guidelines and a checklist for compliance. Its authors have no knowledge of your specific business situation, your corporate culture or how well you are already protecting your company's assets. Your auditors say you need to be SOX-compliant. You retain a compliance consultancy for an audit. They bus in a team who inform you that you need to spend $1M on risk management, network and application security products to be compliant with SOX. You get a 10kg report with the results of the risk assessment, which no one reads. The next time you do a risk assessment like that will be in another two years; by then the company will be licking its wounds after a major merger, there will be new threats and new attackers, and the LDAP vulnerability your auditor was so concerned about will still be unpatched.

What is wrong with checklists and controls?

  • They are qualitative - they do not give financial numbers to the people who write the checks for countermeasures, but discuss risk in qualitative terms: high, medium, low.
  • They do not look at attackers - they use a risk-control model that lets you check off controls and grade risks without encouraging the organization to develop a deep understanding of where its serious threats and vulnerabilities lie. Maybe you are in a very competitive business, you do background checks on your employees, you host Linux servers at rackspace.com and you use thin clients to access the business applications. Your competitors want to steal your IP, not your cardholder data - so implementing the controls from a PCI compliance checklist, which is built around protecting cardholder data, will be a waste of money even if KPMG told you to.
  • They do not require that you monitor and assess your performance in the field. Richard Bejtlich ("BATE lick") quotes me in his book on Extrusion Detection for my excellent series of articles on extrusion. I like Richard's football analogy in his blog posting Control-Compliant vs Field-Assessed Security:
    "Imagine a football (American-style) team that wants to measure their success during a particular season. Team management decides to measure the height and weight of each player. They time how fast the player runs the 40 yard dash. An outsider looks at the situation and says: "Check the scoreboard! You're down 42-7 and you have a 1-6 record. You guys are losers!""
In my opinion, this summarizes the mindset of most corporate information security, risk and compliance managers - and not just in the US Federal government. (Don't get me started on a threat analysis of Reagan Airport in DC.) What should you do? Here are a few ideas:
  • Start with a risk assessment checklist like ISO 27001, but don't stop there.
  • Apply an attacker-asset-vulnerability-control model. It is fairly easy to identify your assets (physical, digital, operational and intangible). The list of attackers on your business should not be rocket science either. The tough part is identifying vulnerabilities; to do this you will need to work carefully, bottom-up, through the people, processes and systems of your organization. Download PTA, the free threat analysis tool.
  • Justify what you do with your money. You will find it is far easier to get $100k for a generator/UPS if the CFO realizes that every hour of electrical downtime costs $100k. This means putting a financial value on your assets and on the damage done to them by threats that exploit vulnerabilities.
  • Be effective. Don't implement all the controls on the checklist. Since the shopping list of controls is a lot bigger than your appetite and pocketbook, your CEO should tell the information security officer that she needs to reduce risk by a third with a fifth of the budget the external auditors recommended.
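As an added illustration (not from the original post, and not the PTA tool's own algorithm), here is a toy attacker-asset-vulnerability-control model in Python that puts dollar figures on the ideas above: assets with values, threats that exploit a named vulnerability with an annualised rate and a damage fraction, and candidate controls ranked by risk reduction per dollar until the CEO's brief (a third less risk for a fifth of the auditor's budget) is met. All assets, threats, controls and figures are constructed for the example; only the $100k per hour outage cost is taken from the post.

```python
# Added example (not from the original post or the PTA tool): a toy quantitative
# attacker-asset-vulnerability-control model. All assets, threats, controls and
# dollar figures below are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    value: float  # dollars at stake (replacement cost, revenue, or IP value)


@dataclass
class Threat:
    name: str
    asset: str          # which Asset the attacker damages
    vulnerability: str  # the weakness that makes the attack possible
    aro: float          # expected events per year (annualised rate of occurrence)
    damage: float       # fraction of the asset's value lost per event (0..1)


@dataclass
class Control:
    name: str
    cost: float      # annualised cost in dollars
    mitigates: dict  # threat name -> fraction of that threat's loss removed (0..1)


def ale(threat, assets):
    """Annual loss expectancy of one threat: ARO x single-loss expectancy."""
    return threat.aro * threat.damage * assets[threat.asset].value


def residual_ale(threats, assets, controls=()):
    """Total annual loss after applying controls; mitigations stack multiplicatively."""
    total = 0.0
    for t in threats:
        loss = ale(t, assets)
        for c in controls:
            loss *= 1.0 - c.mitigates.get(t.name, 0.0)
        total += loss
    return total


def choose_controls(threats, assets, candidates, budget, target_reduction):
    """Greedy selection by risk reduction per dollar.

    Stops when the loss is cut by target_reduction (a fraction of the baseline),
    when the budget is exhausted, or when nothing affordable still helps.
    """
    baseline = residual_ale(threats, assets)
    chosen, remaining = [], list(candidates)
    while remaining:
        current = residual_ale(threats, assets, chosen)
        if baseline - current >= target_reduction * baseline:
            break
        spent = sum(c.cost for c in chosen)
        affordable = [c for c in remaining if spent + c.cost <= budget]
        if not affordable:
            break

        def value_per_dollar(c):
            return (current - residual_ale(threats, assets, chosen + [c])) / c.cost

        best = max(affordable, key=value_per_dollar)
        if value_per_dollar(best) <= 0:
            break
        chosen.append(best)
        remaining.remove(best)
    return chosen


# --- constructed sample data (hypothetical figures) --------------------------
ASSETS = {a.name: a for a in [
    Asset("order processing (one day)", 2_400_000),  # $100k per hour, as in the post
    Asset("customer database", 2_000_000),
    Asset("product source code", 5_000_000),
]}

THREATS = [
    Threat("power outage", "order processing (one day)", "no generator/UPS", aro=4, damage=0.125),
    Threat("DB extract copied to DMZ share", "customer database", "no egress monitoring", aro=0.5, damage=0.5),
    Threat("competitor steals IP", "product source code", "insider with local data", aro=0.2, damage=0.4),
    Threat("LDAP exploit", "customer database", "unpatched LDAP server", aro=1.0, damage=0.25),
]

CANDIDATE_CONTROLS = [
    Control("generator/UPS", 100_000, {"power outage": 0.9}),
    Control("egress monitoring", 60_000, {"DB extract copied to DMZ share": 0.6}),
    Control("background checks + thin clients", 80_000, {"competitor steals IP": 0.5}),
    Control("patch management", 30_000, {"LDAP exploit": 0.8}),
    # the auditor's big-ticket checklist item: expensive, weakly matched to these threats
    Control("full checklist programme", 400_000, {"DB extract copied to DMZ share": 0.2, "LDAP exploit": 0.3}),
]

AUDITOR_BUDGET = 1_000_000


def plan(budget=AUDITOR_BUDGET / 5, target_reduction=1 / 3):
    """The post's brief: cut risk by a third with a fifth of the recommended budget."""
    chosen = choose_controls(THREATS, ASSETS, CANDIDATE_CONTROLS, budget, target_reduction)
    before = residual_ale(THREATS, ASSETS)
    after = residual_ale(THREATS, ASSETS, chosen)
    return {
        "controls": [c.name for c in chosen],
        "spent": sum(c.cost for c in chosen),
        "ale_before": before,
        "ale_after": after,
        "reduction": 1 - after / before,
    }


if __name__ == "__main__":
    for key, val in plan().items():
        print(f"{key}: {val}")
```

With these constructed numbers the baseline annual loss is $2.6M; patching the LDAP server ($30k) and buying the generator ($100k) together remove about 57% of it, so the greedy planner stops after two controls and $130k, well inside the $200k the CEO allowed. The $400k checklist programme only gets bought when the full auditor budget is on the table and the target is set to "everything", which is the point of the exercise: rank controls by what they buy you against your own attackers, not by their position on someone else's list.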
A reasonable person would ask: "Would Sarbanes-Oxley regulation have mitigated the threat of fraud at Enron?" I think we can conclude that being SOX-compliant would not have stopped an Enron HR executive from stealing nearly $3 million from the company years after it went bankrupt.

This page contains a single entry from the blog posted on May 3, 2007 3:21 PM.

The previous post in this blog was Making risk mitigation cost effective.

The next post in this blog is Extrusion Detection revisited, part 1.

Many more can be found on the main index page or by looking through the archives.

Creative Commons License
This weblog is licensed under a Creative Commons License.