As regards interception of data packets in the public medium i.e. Internet (whether at a cyber cafe or at the national/regional Internet gateway), I believe Indian Telegraph act 1885 still rules as there is no substitute to that yet. All other constitutional, statutory and regulatory references are inferential. So the only agencies who have any say are the Govt appointed and approved ones as per due process and even if it steps on citizens privacy. The new privacy regulation is likely to trample a little more on citizens' privacy than make the interference lesser. Similar Laws exist in most countries.
Monitoring with in organisations is not seen with the same light. Here privacy laws if any apply squarely; hence a variety of interpretations abound. While India, US and China permit unlimited monitoring of internal electronic communication after generic notification/intimation to employees, Australia, Japan, Canada and a few others permit the same after specific intimation. Europe on the other hand has a lot of variety; some countries require specific intimation to employees and individual acceptance by them, some exempt 'private'/'personal' marked mails/content within office mail communication and many such subtle variations.
Privacy Laws mandate such specific intimation to employees and the variations are almost as many as there are countries in Western Europe; the Russians and several East European countries have a much easier take on privacy. There are technological fixes that could identify whether employees are misusing the given facilities without necessarily singling out the perpetrator. However, there may not be possibility to serve individual notices without identifying offenders. Doing so would be a serious offence, in say Germany. Actually, in Germany, even general monitoring would be an offence without following laborious protocols to initiate the same.
But all in all, the very privacy regulations themselves are being re-looked or at least re-interpreted as is the failing welfare state concept prevalent in Western Europe for more than half a century. Enterprises which used to earlier leave alone data interceptions altogether are employing full time privacy officers and legal advisers not only to ensure compliance to the privacy regulations but see to it that the internal monitoring program is managed with in limits of the law. We are sure to hear more of this from Europe topic in coming times.
Back to the Govt monitoring, Govt agencies in poorly oversighted systems tend to go overboard with the use of power when consequences are not known to be severe. Same is the case with lawful monitoring. Excesses are rampant and law enforcement has pretty much a free hand, be it for tapping phones (land line/mobile) or track Internet communication..
Security is a team sport, and we can figure it out if we are together working towards the same goals...
Please share your comments; critics make life meaningful!
Tuesday, December 21, 2010
Wednesday, December 8, 2010
On ROSI (Return on Security Investment)
One way to look at it is to calculate the actual cost of the people, platforms and services engaged full time or specifically security related projects; and compare it against Legal, Financial, Operational and Reputations costs. But that is a myopic exercise done from a perspective of weakness and insecurity. And there is never going to be a sure fire way of accurately computing legal and reputations costs.
A quasi-quantitative way is to take the following approach:
1. Identify in consultation with Management/business what all need protection/security and document items under groups - services, operations, systems, facilities, people and any other.
2. For each of the above items, document the business function/user who concurs that the protection/security is necessary
3. Assess the security risks to the above items and arrive at the ideal/best/cost effective means to provide protection/security
4. Discern what protection/security out of the above means has already been deployed as part of the initial architecture/design
5. Prepare a phased road map for deploying rest of the means and quantify their cost
6. Take a sign off from the user function(s) on whether they would like to bear the above documented costs or accept the documented security risks
7. If they would rather bear the cost, the benefit they derive out of the said security deployment can be then taken as the return on the security investment cost calculated above (point 5)
Another approach when CISO has strong management buy-in:
1. The very fact that a CISO has been hired is to meet an existing business need to provide security/protection
2. What we do with what we have - Just having security systems and processes does not ensure security. They have to be designed, configured, operated and reviewed efficiently and intelligently as per the organisations operating environment and business needs. Common examples are gaps in Access Control systems, Vulnerability Assessment platforms, SIEMs, Patching and AV infra etc
3. How we do, what we do - The approach should be business oriented, as business wants it and because it will facilitate/enable business not because the CISO wants it or because it's a security best practice. CISO's advisory and Security best practices are important but they have to be aligned to the business requirement and not vice-versa.
A quasi-quantitative way is to take the following approach:
1. Identify in consultation with Management/business what all need protection/security and document items under groups - services, operations, systems, facilities, people and any other.
2. For each of the above items, document the business function/user who concurs that the protection/security is necessary
3. Assess the security risks to the above items and arrive at the ideal/best/cost effective means to provide protection/security
4. Discern what protection/security out of the above means has already been deployed as part of the initial architecture/design
5. Prepare a phased road map for deploying rest of the means and quantify their cost
6. Take a sign off from the user function(s) on whether they would like to bear the above documented costs or accept the documented security risks
7. If they would rather bear the cost, the benefit they derive out of the said security deployment can be then taken as the return on the security investment cost calculated above (point 5)
Another approach when CISO has strong management buy-in:
1. The very fact that a CISO has been hired is to meet an existing business need to provide security/protection
2. What we do with what we have - Just having security systems and processes does not ensure security. They have to be designed, configured, operated and reviewed efficiently and intelligently as per the organisations operating environment and business needs. Common examples are gaps in Access Control systems, Vulnerability Assessment platforms, SIEMs, Patching and AV infra etc
3. How we do, what we do - The approach should be business oriented, as business wants it and because it will facilitate/enable business not because the CISO wants it or because it's a security best practice. CISO's advisory and Security best practices are important but they have to be aligned to the business requirement and not vice-versa.
The inevitable CISO and the future ubiquitous CSO (under a pseudonym)
The CISO has come to be in the last one decade a position which can not be wished away. However, but for mature business houses, it finds itself being tossed about quite a lot - sometimes under the CIO, and other times under heads of Operations, Finance, HR, or some other corporate function. Rarely does it have access to the board and even less the board room. It's as if most people think he is required but most can not decide where he belongs.
This is connected to the evolution of the CISO function from IT Security to Information Security. While definitely it has come out or at least on the way of coming out of the IT function, the CISO has quite not been able to establish the domain spread it requires to fulfill the Information Security responsibility for an enterprise. From being a transactional security organ which ensures security of IT transactions, CISO has gathered steam to encompass the operational risk management, the security governance and audit framework as also the disaster recovery apparatus.
However, there are several other complementary and competing security and related domains which exist in penny pockets in other parts of the organisation which dilute the CISO and often are beyond his control, some times at cross purpose. These are Physical Security, Enterprise Risk, Business Continuity, Privacy, Fraud, Investigation and their ilk who masquerade with other names.
Organisations would eventually see the business benefit of integrating all these complementary functions and consolidate them under one head under some enterprise function or create a new function for it; if only to stop them from their never ending turf war and one-up-man ship . But it is unlikely to bear a designation with a S in it standing for Security. It's simply not sexy enough, especially when there are so many more hep sounding names in the stable. So CSO may never happen, as it also has not happened till date.
Physical security has become interesting and technical. There is increased room for convergence between PS and IS. But rarely, if ever, there has been an organisation where the two are under one head. And whenever they are or when they would be together under umbrella, it will not bear the name of CSO but something rather fancy and unrecognisable.
This is not necessarily a bad thing. It will bring security and all the complementary functions into the middle of business relevance, hopefully with the head of this heterogeneous entiry being from a business background but with a strong understanding of information security, and having a place in the boardroom - if not the board.
This is connected to the evolution of the CISO function from IT Security to Information Security. While definitely it has come out or at least on the way of coming out of the IT function, the CISO has quite not been able to establish the domain spread it requires to fulfill the Information Security responsibility for an enterprise. From being a transactional security organ which ensures security of IT transactions, CISO has gathered steam to encompass the operational risk management, the security governance and audit framework as also the disaster recovery apparatus.
However, there are several other complementary and competing security and related domains which exist in penny pockets in other parts of the organisation which dilute the CISO and often are beyond his control, some times at cross purpose. These are Physical Security, Enterprise Risk, Business Continuity, Privacy, Fraud, Investigation and their ilk who masquerade with other names.
Organisations would eventually see the business benefit of integrating all these complementary functions and consolidate them under one head under some enterprise function or create a new function for it; if only to stop them from their never ending turf war and one-up-man ship . But it is unlikely to bear a designation with a S in it standing for Security. It's simply not sexy enough, especially when there are so many more hep sounding names in the stable. So CSO may never happen, as it also has not happened till date.
Physical security has become interesting and technical. There is increased room for convergence between PS and IS. But rarely, if ever, there has been an organisation where the two are under one head. And whenever they are or when they would be together under umbrella, it will not bear the name of CSO but something rather fancy and unrecognisable.
This is not necessarily a bad thing. It will bring security and all the complementary functions into the middle of business relevance, hopefully with the head of this heterogeneous entiry being from a business background but with a strong understanding of information security, and having a place in the boardroom - if not the board.
Subscribe to:
Posts (Atom)