The Basel II definition of operational risk is “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.”

It seems that in the middle of the great financial crisis, TARP, unmet calls for transparency and trillions being sunk into the US financial services industry (instead of encouraging innovation, manufacturing and creation of free cash flow…), Basel II deserves to be judged and found wanting.

Perhaps we need to update the Basel II definition of operational risk and bring it into line with a modern set of threats. For example, we might say, let’s add to the Basel II definition, “… and risks due to networking with other businesses”. This is a reasonable addition, since in my experience in data security projects and according to the Verizon security breach reports,  over 70% of data loss incidents involve outsourcing and sub-contractors.

External business partnerships are indeed, a source of risk for financial institutions that do business process outsourcing (especially if one considers data loss) but it appears to me that the Basel II and Solvency II definitions  are  less appropriate for the technology and manufacturing industries, where  innovation and product development are performed by relatively small engineering teams and key assets are product quality and customer safety and not credit cards in database servers.

Let’s take the example of a company that makes a robot to assist in micro-surgery.

For the medical device company, the biggest operational risk  is a flawed product that might damage a patient. The FDA sees this as a regulatory issue and addresses it with the 510(K) but my gut feeling is that most small (4-6 people)  software development teams don’t really have a “process”.  After an audit by a regulatory affairs consultant, they can comply and still fall hard on a software defect or design flaw.

It’s amazing to me that the Basel II definition of does not consider customer safety as an  operational risk, and yet, the lack of customer safety and networked-business risks in the Basel II definition only serves to illustrate the futility of a check list approach to operational risk management.

Since regulatory compliance is not a substitute for analyzing particular threats to a particular business unit,  I would propose a different definition of op risk:

“Any combination of one or more threats that exploits vulnerabilities to damage company assets as measured in dollars (or euro or yen ….)”

This definition is universally applicable to financial services, IP developers, manufacturing, distribution, health care, bio med etc…The definition does not limit business management to risk analysis inside the company but enables a company to consider threats due to product quality, compliance, extended business relationships, PHI, PII and a whole slew of new risks that don’t even exist yet on their current threat surface.

It’s a definition that forces the company executives to ask themselves what are their key threats and assets and vulnerabilities and how much of the company value is at stake.

Threat models are not a silver bullet solution to prevent a crisis like AIG on one hand or Toyota on the other. A threat model is only a tool to implement a risk strategy by the business management. Threat modeling  needs to be used in the proper way, measured in dollar values and must be reviewed regularly – at least once/year.

The beauty of the above definition is that it links operational risks to business operations.

Any business in any vertical, must define their own threat landscape, define their control/security countermeasure strategy, run their own risk assessment regularly and  insure that their data security and regulatory compliance policies, procedures and systems are aligned with the latest version of their threat model.

Read more about threat modeling and operational risk management on this blog.

Frankly – as a data security and compliance consultant who does a lot of work with corporates in social networking (both on the application side and security side), I  would not use technology as an excuse for social media abuse.

This is a cultural and behavioral issue similar to any other content abuse issue. It starts with education: at home, in the school and with parental and teacher role models.

Current definitions of privacy are changing. Regulatory definitions of privacy used by legislators in the credit card and HIPAA compliance space do not seem to be relevant for under 25 users of Facebook – who are happy to disclose pictures of themselves but very careful about what they show and who they would share the media with.  I believe that as social media becomes part of  the continuum of social interaction in the physical  and virtual worlds, privacy becomes an issue of  personal, discretionary disclosure control.

To this extent, it seems to me that we are moving rapidly towards a new generation of social networking that is much closer to what happens in the physical world – centered on individual perspectives, one person, their friends, selective disclosure and information leakage by word of mouth not by IP protocols, social media and public access Web sites like Facebook.

But – that is already another technology kettle of fish.

There is a school of thought that says that you can take any complex problem and break it down like swiss cheese. Risk assessment data collection and analysis with Excel is one of those problems that can’t be swiss-cheesed.  A collection of brittle, unwieldy, two dimensional worksheets is a really bad way of doing multi-dimensional modelling.

Consider that a typical risk assessment exercise will have a minimum of 4 dimensions (assets, threats, vulnerabilities and controls) and I think you will agree with me that Excel is a poor fit for risk assessment.

Here is where PTA (Practical Threat Analysis) comes to the rescue. You can download the free risk assessment software and try it yourself.

Any risk assessment process can be automated using Practical Threat Analysis and the PTA threat modeling database.  PTA is a threat modelling methodology and software tool that has been downloaded over 15,000 times and has thousands of active security analyst users on a daily basis.

PTA (Practical Threat Analysis) was first introduced in a paper by Ygor Goldberg titled “Practical Threat Analysis for the Software Industry” published online at Security Docs in October 2005. PTA provides a number of meaningful benefits for security and compliance risk assessments:

• Quantitative: enables business decision makers to state asset values, risk profile and controls in familiar monetary values. This takes security decisions out of the realm of qualitative risk discussion and into the realm of business justification.
• Robust: enables analysts to preserve data integrity of complex multi-dimensional risk models versus Excel spreadsheets that tend to be unwieldy, unstable and difficult to maintain.
• Versatile: enables organizations to reuse existing threat libraries in new business situations and perform continuous risk assessment and what-if analysis on control scenarios without jeopardizing the integrity of the data.
• Effective: recommends the most effective security countermeasures and their order of implementation. In our experience, PTA can help a firm mitigate 80% of the risk at 20% of the total control cost.

The PTA calculative model is implemented in a user-friendly Windows desktop application available as a freeware at the PTA Technologies web site. A PTA ISO 27001 library is available as a free download and is licensed under the Creative Commons Attribution License.

The need for cost effective risk reduction

Despite the importance of privacy and governance regulation, compliance is actually a minimum but not sufficient requirement for risk management.

The question is: What security controls should a firm implement after a risk assessment?

Taking ISO 27001 as a baseline security standard with a comprehensive set of controls, the ISO 27001 certification process can be as simple or as involved as an organization wants but there are always far more available controls than threats. As a result, organizations, large and small, find themselves coping with a long and confusing shopping list of controls. You can implement the entire checklist of controls (if you have deep pockets), you can do nothing or you can try and achieve the most effective purchase and risk control policy (i.e. get the most for your security investment dollar) with a set of controls optimized for your business situation.

However, implementing additional controls does not necessarily reduce risk.

For example, beefing up network security (like firewalls and proxies) and installing advanced application security products is never a free lunch and tends to increase the total system risk and cost of ownership as a result of the interaction between the elements and an inflation in the number of firewall and content filtering rules.

Firms often view data asset protection as an exercise in Access Control (Section 11 of ISO 27001) that requires better permissions and identity management (IDM). However, further examination of IDM systems reveals that (a) IDM does not mitigate the threat of a trusted insider with appropriate privileges and (b) the majority of IDM systems are notorious for requiring large amounts of customization (as much as 90% in a large enterprise network) and may actually contribute additional vulnerabilities instead of lowering overall system risk.

The result of providing inappropriate countermeasures to threats is that the cost of attacks and security ownership goes up, instead of risk exposure going down.

How to choose cost-effective controls

A PTA threat model enables a risk analyst to discuss risk in business terms with her client and construct an economically justified set of security controls that reduces risk in a specific customer business environment. A company can execute an implementation plan for security controls consistent with its budget instead of using an  all-or-nothing checklist designed by a committee of experts who all work for companies 100x the size of your operation.

At a recent seminar on information security management, I heard that FUD (fear, uncertainty and doubt) is dead, that ROI is dead and that the insurance model is dead. Information security needs to give business value. Hmm.

This sounds like a terrific idea, but the lecturer was unable to provide a concrete example similar to purchasing justifications that companies use like: “Yes, we will buy this machine because it makes twice as many diamond rings per hour and we’ll be able corner the Valentine’s Day market in North America.”

The seminar left me with a feeling of frustration of a reality far removed from management theory. Intel co-founder Andy Grove said, “A little fear in an organization is a good thing.” So FUD apparently isn’t dead.

This post will help guide readers from a current state of reaction and acquisition to a target state of business value and justification for information security, providing both food for thought and practical ideas for implementation.

Most companies don’t run their data security operation like a business unit with a tightly focused strategy on customers, market and competitors. Most security professionals and software developers don’t have quotas and compensation for making their numbers.

Information security works on a cycle of threat, reaction and acquisition. It needs to operate continuously and proactively within a well-defined, standards-based threat model that can be benchmarked against the best players in your industry, just like companies benchmark earnings per share.

In his classic Harvard Business Review article, What Is Strategy?, Michael Porter writes how “the essence of strategy is what not to choose … a strong completive position requires clear tradeoffs and choices and a system of interlocking business activities that fit well and sustain the business.” The security of your business information also requires a strategy.

Improvement requires a well-defined strategy and performance measures, and improvement is what our customers want. With measurable improvement, we’ll be able to prove the business value of spending on security.

Ask yourself these questions:

1. Is your information asset protection spending driven by regulation?
2. Are Gartner white papers your main input for purchasing decisions?
3. Does the information security group work without security win/loss scores?
4. Does your chief security officer meet three to five vendors each day?
5. Is your purchasing cycle for a new product longer than six months?
6. Is your team short on head count, and not implementing new technologies?
7. Has the chief technology officer never personally sold or installed any of the company’s products?

If you answered yes to four of the seven questions, then you definitely need a business strategy with operational metrics for your information security operation.

Now let’s look at three steps for developing a business justification for spending on information security.

1. Choose a business unit strategy

• Take a break from the daily firefighting and choose a competitive strategy for infosec operations. Is it low-cost? Is it single-vendor? Is it Linux desktops?
• Start by implementing a consistent set of activities, for example, standardizing on diskless thin clients, remote desktops and Windows Terminal services.
• Then think how activities can reinforce each other, such as installing personal firewall software that reports on intrusion attempts to a central server so that you can plan your response to future attacks.
• The most productive strategy identifies sets of activities that optimize your efforts. Perhaps you have a flat spaghetti network of servers and workstations. Segment the network into virtual LANs, put the application servers on one segment, the data servers on another and client workstations on departmental segments and so forth. Performance and security will improve, and you’ll be able to monitor content effectively. You’ll spend less time firefighting and more time thinking how to optimize the operation.

2. Add business value and measure your results

There are widely practiced models and metrics that work for all kinds of business units. For instance, if you want to evaluate cash flow, then measure cash flow from operations or free cash flow (FCF), which is cash from operations minus capital expenditures. FCF omits the cost of debt, but it is an objective indicator that can be measured every day.

• Set up indicators and publish them once a week on the company intranet for everyone to see. Start with three indicators: the number of network anomalies your intrusion-detection system found that week, the current patch cycle time and how much overtime the team worked.
• Do continuous security audits. Purchase a tool for network auditing and run it once a week on a different part of the network. The guys over in the warehouse stopped doing full physical counts once a year 15 years ago. They count a little bit of inventory every day with bar-code terminals. Have a consultant help you set it up and run audit yourself.
• Run security awareness programs. Make training hours an indicator.
• Build a threat model and maintain a database of assets, threats and vulnerabilities. Start today. Check out the SANS Institute for tools.

3. Drive the message home

Send out your CTO to install your company’s products himself, follow customers back to their offices, observe howthey do the install and take notes. Update the threat model with the CTO’s findings. He’ll sign your next purchase request for software security tools in a flash. Trust me.

So where and how does DLP fit into the compliance equation?

Let’s start with COSO recommendations for internal controls:

“If the internal control system is implemented only to prevent fraud and comply with laws and regulations, then an important opportunity is missed…The same internal controls can also be used to systematically improve businesses, particularly in regard to effectiveness and efficiency.”

The Control Policy Group is providing these workshops as a free service to the security and risk professionals community after having identified a gap between the security practioner and the management board.

The gap is this: the management speaks the language of money and security practioners speak the language of technical security countermeasures like DLP, database security and messaging security.

From a management board perspective, budgets for security projects like DLP are a capital cost in a down GFC economy – Control Policy Group clients in Europe and the Middle East have slashed down security and risk budgets about 50% since the beginning of the year.

From a security and risk practioner perspective, data breaches went up almost 50% in 2008, there is more phishing, more web defacing, more Web applications to secure and yet – less head-count and capital budget to do the job.

In order to close the gap – the Control Policy Group have built a model that helps an organization measure how well a new security product reduces Value at Risk in dollars (or in Euro) and how well it will do 3 years after you buy the technology.

Modern security tools are good at discovering exploitable vulnerabilities in the network, Web servers and applications.  However – since these tools have no notion of your business context and how much you value your information assets,  it is likely that a company’s security spending is misdirected.

This series of workshops is designed to help the security and risk team  take a  leadership role in the board room instead of waiting for vendor proposals. Through specific Business Threat Modeling(TM) tactical methods, you will learn how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.

Data security is not one-size fits all.

For example, if the threat scenario is an attack on your customer self-service Web application – obfuscating or encrypting fields in database tables is not an effective security countermeasure;  you need a network DLP solution to prevent leaks of clear text data and a software security assessment that will help you get rid of the bugs that make your Web application vulnerable.  On the other hand, if the threat scenario is sales representatives working in stores in shopping malls using unmanaged PCs and leaking customer data; you need an agent DLP solution.

How do you decide what is the DLP solution for your business?

Data security is the task of ensuring confidentiality and privacy, integrity and availability of the data you use to run your business.  It includes DLP, DRP, data retention and backup but the essence  of data security is it’s approach:  data security employs a direct data-centric approach as opposed to traditional IT security which focuses on protecting networks and systems or risk and compliance management which focuses on assuring processes and compliance to regulation.

The confidentiality and privacy component of data security is well-addressed by DLP (data loss prevention) technologies. Roughly divided into two kinds of products – there are agent DLP products from companies like Verdasys and McAfee and network DLP products from companies like Fidelis Security Systems and Symantec (formerly Vontu). At the beginning of 2009 – Websense introduced an integrated agent and network DLP product, and I’m expecting that Mcafee will release their integration with Reconnex sometime in H1 2010. It’s a bit too early to say if the integrated approach to DLP is the best of both worlds or the worst of both worlds – but that’s material for another discussion.

The question is not at all what DLP solution you should choose, but how DLP technology and data security practice fits into your business.
Consider that data loss prevention is a subset of the wider discipline of GRC – governance, risk and compliance.

Data loss prevention is a highly effective supplement to  patch management, server hardening, rights management and permissions. Being data-centric (as opposed to network-centric), a DLP data security countermeasure  mitigates multiple threat vectors from trusted insiders, malicious outsiders or business partners with access to line of business applications.

But TANSTAFFL – there is no free lunch.  Data security comes at a price because unlike servers, your data is everywhere. The price is that if you want to protect your company’s valuable data, you must be able to identify your data threat scenarios and valuate your data with a financial price tag.  With valuation – you will be able to justify an investment, and implement the right data security in an effective way.

Before valuating the data, you must first identify your key threat scenarios or use cases – in any company, there are no more than 3-5.  A threat scenario will be basically a verbal description of the threat, the data being attacked, the vulnerabilities that the threat exploits and the countemeasures that mitigate the vulnerabilities.

Here is a typical threat scenario:

Customer data loss
a)The asset is credit card data.
b)The company installs a Web-based reseller application that enables a reseller to take orders and enter them into the system. The software developer who wrote the Web application is not strong on software security and doesn’t encrypt the payment card transactions sent to the company’s ERP system. The vulnerability is transmission of payment cards in clear text to other system interfaces. The threat is an attacker that may be able to capture the clear-text payment cards by copying temporary files or sniffing data on the network (see the case of Hannaford supermarkets)

c)The data security countermeasures are:
Monitor for credit cards in clear text in the DMZ and on the network segment before the VPN.
Perform a software security assessment of the reseller application and require encryption of all credit transactions sent to external system interfaces (for example the ERP system and the payment processor).

Hellman proposes that we need a  third state scenario (instead current state – > nuclear war) where the risk of nuclear holocaust has been reduced by several orders of magnitude from today to an acceptable level.

This makes sense and it’s an intriguing idea as an exercise in risk analysis of information security and data protection to see if there is a third state of reduced risk that where the risk of data breach and major data loss events is reduced to acceptable levels.

That’s one thing that got me thinking.

The second thing is the quote from Fyodr Burlatsky, one of Khrushchev’s speechwriters and close advisors, as well as a man who was in the forefront of the Soviet reform movement:

In Krushchev’s eyes [America insisting on getting its way on certain issues] was not only an example of Americans’ traditional strong arm policy, but also an underestimation of Soviet might. … Khrushchev was infuriated by the Americans’ … continuing to behave as if the Soviet Union was still trailing far behind.

So here we are – 2009 and President Obama is insisting on getting his way on certain issues with the  Iranians, who pose a serious nuclear threat to the world.  But no only Ahmadenijad – the Russians and the North Koreans are also  infuriated by the Americans’ … continuing to behave as if they are still trailing far behind.

I think it’s only a matter of time before someone exploits a wireless mesh network that controls and reads home utility meters to get free water and electricity.

Until then, there is a problem of range and coverage.

Greentech media reports that Trilliant ( a smart meter neighborhood networking startup) has bought SkyPilot for it’s long range, WiFi-based communications. Skypilot (with over 500 customers in 50 countries – utilities, wireless Internet service providers (WISPs), and municipal agencies – deployments exceeding 50,000 devices) will help Trilliant get to the next stage.

The greentech angle makes sense, as remote data collection/remote meter reading eliminates the need for meter reader to get into a car and drive around reading meters.  However, remote meter reading using powerline communications has been around for a long time – so I think that the positioning is more a product of politically correctness and current fashion than pure innovation.

A more significant concern that I have is data security of wireless mesh networks – less secure and easier to exploit than powerline communications connectivity. I can visualize exploits of wireless mesh reading electrical meters to get free electricity and on the uplink to the network management center – attacking customer data bases resulting in a major data loss event.

As my maternal grandmother, who spoke fluent Yiddish would yell at us – you have ” grosse augen” when we would pile too much food on our plates. ” Grosse augen”  is literally “big eyes” – having eyes that are bigger than your capacity.

Yes, US publicly traded companies are already subject to multiple regulations – if the company sells to customers and stores and processes PII (personally identifiable data) they will have to deal with PCI DSS 1.1, California State Privacy Law, Sarbanes-Oxley PCI DSS 1.1 protects one asset – payment card numer and magnetic stripe, while Sarbanes-Oxley is about accounting records. Yes, there are a few commercial software products that map business processes, databases and data elements to multiple regulations; their goal is to help streamline the work involved in multiple regulatory compliance projects – eliminating redundancy where possibility using commonality.

On the domestic front, if we look at all the credit card fraud, data loss events and the great financial crisis  – it seems to me that government regulation has not made America more competitive nor better managed.

I would say that the short answer is that less is more:  less but simpler and more practical, and universally applied data protection regulation,