Where’s my data? Um…it was here a minute ago….

October 21, 2008

In the article “Study: Global information security improves, but still imperfect“, Angela Moscaritolo points us at a report recently released by PricewaterhouseCoopers, “Safeguarding the new currency of business.” The report presents the findings of the 2008 Global State of Information Security Study®. Her article points out some salient issues found in the report, but I would like to focus on one particular issue.

On page 12 of the report, we find the following:

Finding #5
Many companies, however – if not most – do not know exactly where important data is located.

Other findings in the report indicate that we are doing better at implementing technical controls and that our compliance efforts also appear to be improving. But here is the rub: what value are better technical controls and a clean compliance report if you don’t know where your sensitive data is?

Okay, we don’t know where our data is. We need to find it. How do we do that?

Ask 10 information security professionals that question and you will get 12 answers, all of them starting with “it depends.” If we can’t get a definitive answer from these folks, who can we get one from? How about the people who use that data each and every day?

Again, there are plenty of ways you could go about gathering that information from your user populace, many of which would be adequate. But if we want better than adequate, I think Michael Santarcangelo gives us a great model for producing excellent results in his book Into the Breach.

You should get his book and read it, as I have said before, but in short: engage your users in small groups and ask them, in detail, how they do their jobs. This will drive out where your data is. You may think your data is in that big honking database, but what if a lot of it is in spreadsheets stored on a file server that you know nothing about?

This is a very simplified treatment of a great process that Michael details in his book. So, again, go get it. Read it. Twice. You will not regret it.



Once more unto the breach…

October 7, 2008

Once more unto the breach, dear friends, once more,
Or close the wall up with our English dead!
In peace there’s nothing so becomes a man
As modest stillness and humility;
But when the blast of war blows in our ears,
Then imitate the action of the tiger:
Stiffen the sinews, summon up the blood.

“Henry V” (5.3.44-51)

Michael J. Santarcangelo, II has written a little book titled Into the Breach. The preview copy I have has 91 pages of content, but I want to make something very clear: the ideas in this little book are big, very big.

The subtitle of the book is “Protect Your Business by Managing People, Information, and Risk.” Seems pretty straightforward, doesn’t it? However, those of us in the information security profession are painfully aware that actually doing what that simple statement says is often far from straightforward.

Michael wants to help us with this issue and puts forth a process that can greatly increase our ability to satisfy that statement in a manner that brings engagement from all parts of the organization. At its root, Michael’s strategy makes protecting the data of our organizations everybody’s job, not just information technology’s job, but it does so in a way that re-energizes everybody by giving them a voice in what is important and what is not.

He starts out the book by introducing and addressing three common myths that crop up when we start talking about protecting our organization’s data from unauthorized access or “breach”:

  1. “Outsiders pose the biggest threat to information.”
  2. “Information protection needs a technology solution.”
  3. “Protecting information costs too much.”

Throughout the rest of the book, he walks us through a process that is simple in its execution, but profound in what it provides to those who participate in it. I’m not going to steal Michael’s thunder. I am going to suggest that you pick up a copy of his book and read it…twice…at least. If you do and implement the strategies contained in it, you will be much better equipped to “Protect Your Business by Managing People, Information, and Risk” and reducing the chances that your data will go “Into the Breach.”


Influencing our user community….

May 1, 2008

Mike Rothman, in his latest Pragmatic CSO Newsletter (I highly recommend subscribing), has a really good post up about our responsibility to ensure that the user community understands why they should be adhering to established policies and not attempting to circumvent controls put in place to protect our organizations.

I left the following comment and now am going to reuse it as a post 🙂


I have been reading the book “Influencer: The Power to Change Anything” which I highly recommend. In it they posit that there are essentially six sources of Influence. They fall into two categories and what I call three strata. The categories are motivation and ability and the strata are personal, social and structural. Where motivation and personal intersect, the source of influence is defined as “Make the Undesirable Desirable.”

If the general user community does not desire to adhere to or follow established policies and is actively attempting to circumvent controls, then we have failed to instill in them a desire to be compliant. It is our responsibility to influence them to change that mindset, in other words, to make the undesirable desirable.

So how do we do that? What you suggest exemplifies what the authors of the book have discovered. People are much more likely to embrace ideas when they have been shown the consequences of ignoring those ideas in a very personal and impactful way. I’m not saying that we should all use the specific scenario you suggest, although it would certainly bring home the message :), but we do need to find ways to instill awareness into our user communities that is much more personal than “read this policy and sign this paper.”

Kevin Riggins

Information Security Program…..huh…what?

April 17, 2008


The CEO walks into your office/cube/dark cave. He has one of those looks on his face that does not bode well for you. He pauses, takes a breath, looks you straight in the eye and says, “We need an Information Security Program.”

You reply, “An Information Security Pro….what?”

He says again, “We need an Information Security Program thingy. All my CEO buddies have one. We need one. Figure it out. Get on it!” and leaves. No explanation of what this thing called an Information Security Program is and no guidance as to what he expects from you.

After fighting off those panicky feelings that threaten to make you run about and scream and shout, you fire up your friend Google and get to work trying to figure out what an Information Security Program is.

One good thing

This scenario may seem quite far-fetched to you. Unfortunately, it probably isn’t. On the good side, the CEO wants it, or at least thinks he does. On the bad side, he doesn’t appear to have any idea what he is asking for, and frankly neither do you.

What is an Information Security Program?

So you start searching away and come up with things like the NIST Information Security Handbook: A Guide for Managers and the paper Information Security Program Development by Bruce C. Gabrielson, PhD, both of which are great resources. However, as I was looking about, I came across the University of Iowa’s page that describes their Information Security plan. I really like what they call the Objective as a good general definition:

This program is a collection of policy statements, an architecture model, and a description of the approach taken at the University of Iowa for information security. Together, they describe administrative, operational, and technical security safeguards that must be implemented for systems that create, maintain, house, or otherwise use confidential or sensitive information.

The objective is to provide Business Value:

  • Applications delivered to more individuals, more timely, with better/definitive data
  • Broader deployment of services and data increases both the value and the risk
  • Information security is crucial to this environment
  • There are many layers of security involved, each managed in concert with the rest to provide “Defense in Depth”:
    1. Physical access to systems
    2. Server or host controls
    3. Client or workstation controls
    4. Data access controls (confidentiality)
    5. Policy & Procedures
    6. Network controls
    7. Employee practices

Management is responsible for taking the necessary steps to identify internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of institutional data. Risks may include, but are not limited to:

  • Unauthorized access to confidential information
  • Compromised system security as a result of access by an intruder
  • Interception of data on the network
  • Physical loss of data center or computer equipment
  • Errors or corruption introduced into systems
  • Inadequate system administration practices

Responsibility for managing the Enterprise Information Security Program is described in Roles and Responsibilities for Information Security. This document will be reviewed and updated on an annual basis by the IT Security Officer. Documentation supporting compliance with regulatory controls (e.g., memoranda received from service providers attesting to their security safeguards) will be maintained by the IT Security Office.

Great. Now what?

Okay. So you are saying to yourself, “That looks hard.” It is hard, but it is also necessary. We will be looking at some of the challenges in the future and at some ways that we can overcome them.

Your thoughts

I am really interested in your thoughts on this definition. Please leave them in the comments.

Kevin Riggins