Alex Hutton

About

Hi. This is my personal weblog. I also write at:

http://www.newschoolsecurity.com
http://securityblog.verizonbusiness.com


    Potpourri for $100, Alex

    We’ve got some really great posts we’re working on this week. I think you’ll like some of the content. This morning, I’d like to take some time and just point some stuff out.

    First, I’m kind of bummed that I couldn’t put glasses on my Simpsons avatar (left). I also resisted going with the “fat” Homer-shaped body - I guess I can still lie to myself :)

    Second, my friend Rafeeq has a blog I wanted to point you to - OpenID and Risk Management. Rafeeq is “FAIR Aware” (a term Jeff Ballay and I were using during lunch Thursday), so what he writes there ought to be pretty interesting.

    Now on the OpenID thing - I love the idea, the paranoid in me isn’t sure about the execution. Maybe Rafeeq can run some FAIR analysis for us on the risk of using OpenID to help put my mind at ease.

    SOFTWARE UPDATE

    Speaking of running FAIR analysis - we did a software update to our demo/beta server. If you need login and passwords again - let me know.

    INTERESTING ATTEMPTS TO MANAGE RISK

    Insurance demands that “high risk” cars put in immobilizers in Winnipeg. Apparently Winnipeg is an auto theft capital, and this is an attempt to reduce risk to the insurer. Invasive?

    Well if that’s not invasive, how about this: New Zealand banks, under a new Code of Practice, are going to demand access to your PC if you dispute a transaction (thanks Mike Scheibel for sending this in). If you don’t have “proper” security, they may refuse your claim. Interesting way to own the endpoint, there. They’re apparently going to look to see if you have:

    “used a computer or device that does not have appropriate protective software and operating system installed and up-to-date, [or] failed to take reasonable steps to ensure that the protective systems, such as virus scanning, firewall, antispyware, operating system and antispam software on [the] computer, are up-to-date.”

    Ok, so what is an inappropriate “operating system installed”? What if you use Linux or a Mac? I’m not saying this to be snarky here, I think we can all readily imagine being the victim of someone dumpster diving a receipt of ours, the bank asking to see our “PC” and some low level grunt sending the bureaucracy a note that we, an Ubuntu user, don’t have “antispyware” and therefore our claim should be rejected.

    YOU THINK YOU’VE GOT IT TOUGH?

    Let me introduce you to Ohio State University’s CISO Charles Morrow-Jones. Here’s a CISO that, due to culture, has NO control over his environment or users.

    “Each college is semi-autonomous, so unlike a business operation where I can force standards, each college has its own choice of hardware, operating systems, and software. Security is a coordinating effort rather than one of enforcing standards.

    The second big difference is the presence of tenured faculty members, [who] are given secure appointments to ensure academic freedom. They are extremely difficult to terminate, even for non-compliance with policies that they believe either don’t apply to them or require too much effort.

    We had a minor breach in which a tenured faculty member had a laptop computer containing student information stolen. Our Board of Trustees is comprised mostly of businessmen, and in talking to the board’s audit committee, one of their questions was who would be terminated for this breach. The answer was “probably no one.” It took them a while to understand that difference between private-sector employee and tenured faculty.

    Third, the whole security policy process is negotiated. The developed policy may be weaker than I would like, but the quid pro quo is that people, all the way up through faculty and upper administration, sign off on a policy they believe is appropriate for the entire university. The whole process is much more collaborative. Most people in the private sector would find it a frustrating way to work.

    DOOMED, WE’RE ALL DOOMED

    Chris Hoff interviews Marcus Ranum. If you follow any link on this page today, read Question #5. Seriously.

    LINKS, EGO, AND IT’S NOT ABOUT ME, IT’S ABOUT *US*, FAIR/RISK, AND WHAT WILL HELP OUR INDUSTRY

    Recently, there have been a couple of really great posts that say kind words about yours truly. I’ve hesitated to link to them because, frankly, I felt like a tool if I did so. The good news is that I’ve gotten over myself. I’m going to insist until the day I die that if I write anything worthwhile here, it’s not my doing, but the fact that I’m FAIR Aware and have spent a ton of time learning it under very smart people. Heck, that’s why we started a company, it’s why I blog. If a schmuck like me can understand risk and be effective…

    First, Hoff’s top ten list is good reading. Let me just say that you can’t do numbers 1, 2, 3, or 7 effectively until you do #4 (Understand Risk). You can’t do #4 until you do #6 (shut up and listen).

    Second, Rob Newby’s post “Not That Interesting” really hit home with me. I don’t feel like he’s picking on me when he says “risk” is bland. And I don’t think he really feels that “risk is bland”. I think that nobody’s really told him what Risk Management is in a way that resonates with what he innately believes it could be.

    Same with Andrew Jaquith. He loves to point out that “risk management” has been decimated by vendors and “standards” who tell us about “risk” when they haven’t the slightest clue.

    I can say with all honesty, and I do believe I can defend this statement - that I haven’t seen one standard or product yet that “does” or “is” risk management. Not one. I’ve seen a lot of risk applied to vulnerability management processes, to be sure - and vulnerability management is something that contributes to risk management. But nothing that states what “risk management” is. (note: FAIR isn’t a Risk Management framework, either - Risk Analysis, yes, but not Risk Management).

    Considering the above, maybe it’s time to work with our friends at ISM or The Open Group (or both) and define Risk Management. Or at least create a high-level statement of what Risk Management must be that precludes people from saying that it’s the application of discrete risk analysis around some other process.


    (via RiskAnalys.is)



    July 02, 2007, 8:45am