Per vertical lines of defense

What if … Lines of Defense aren’t three (or four or five) ‘horizontally’, but vertical, like actual protection against things getting out of bounds ..?
Wouldn’t that return the whole concept of 3LD, TLD, Three LoD or what’s your favourite abbreviation, to the already tried and tested process control models of yesteryear and when not if Yes, wouldn’t you be found out to be a sort of bumbling eager beaver when you think you’re still doing great and are Really Important and a GRC star and don’t see your kindergarten Importance is called out to hang high ..?

Because then, you’ll need no more big Risk departments with all the procedural justice, compliance on paper (and actual (operating) effectiveness nowhere!), etc., just some nimble support structure. Then, a major part of the conzulting industry would collapse and core management capabilities would have to be returned to formal and practical education and experience-training.

Oh well, one can dream, can’t one?

[A lot of science and engineering there, inside and out, and how beautiful it is (for it); Valencia]


Strange, that we see ‘cyber’ (#ditchcyber) Insurance behaving as if it’s not Insurance but banking:
A banker is someone who lends you an umbrella, but wants it back when it starts to rain

Which already has a lot to add; ‘lends against a princely interest sum’, ‘the umbrella will be small, not enough to protect your family that’s the Deluxe edition for a premium’, not ‘starts to rain’ but ‘is predicted to be only slightly possible to have rain in some undisclosed upcoming time period’, ‘wants it back’ means ‘has it reposessed, violently’. Etc.
But that’s not the issue. The issue is that the underwriter of the insurance will not want to pay out. Duh.
Because it’s not if but when you’ll get wet. Despite all reasonable, or more, efforts on your side to protect yourselves from it by not being in the streets when the first drops fall. But then, you can’t stay inside all the time; you’re in business which means going out to play. No matter what sou’wester you don, you’re done.

In other words, no matter how perfect your compliance with, e.g., ISO2700x, you are not safe. Which means you’ve overlooked something, didn’t do e-ve-ry-thing perfectly 100,0% – certainly not when ‘compliance’ means ‘60% or above, of the reasonable efforts’. If the latter is 80% of max, you still end up with having done only less than 50% of what was possible. In the more than 50%, there certainly is something that with hindsight and progressive insight now you’ve been hit you may have done differently.
And the insurers only act on hindsight, qua culpability and cover…

’nuff said; and:
[Differently since positive: Within an unknown Cala hides an unknown Cala; Toronto]

GDPR is just a legal attempt at Y2k

Suddenly I realised, as one who profited handsomely (not in money but in perks’ way), that the whole GDPR compliance thingy is becoming quite similar, all too similar, to the hype that was called The Millennium Problem … too bad we now know how that ended, otherwise an illustrative movie could be made of the latter – now only (?) a documentary review is worthwhile, as history writing. Too bad it isn’t out in the open that despite all efforts then made, actually quite a lot of companies ended up having to hire temps to do all sorts of manual corrections in their administrations due to e.g., spreadsheets [the very things the toughest, most important business decisions hinged, and still hinge on!] going heywire over date fields.

To come back to the Issue … Are you not hit by that, almost sudden, avalanche of GDPR compliance warnings lately, like, the past couple of weeks ..? Is it not a warning that you need to do loads of things now, starting with hiring consultants (call to action; they’re Sales messages of course) this time not of the tech kind – engineers that see a problem, craft a solution and we’re done –, but of the legal kind – profiting only from prolongation of your insecurity.

And ah, there’s the snag! Multifaceted it is;

  • One: With some deadline suitably near to instill fear of lurking deadlines but suitably far to be able to still write you up with many, many ticks (per 6 or 3 minutes ..!?) at ridiculous rates, will be written;
  • Two: Unlike the patching that was the core solution (after Inventory – you did keep that in appropriate order in your wide-scope CMDB ever after 31/12/00, right ..? Even with some global outpost in the corner writing that down as 12/31/00. What stupid value loss if you didn’t! We’re only 17 years on! Did you really think legacy problems would have gone away by now …!?), we now see there is no solution but just getting compliant with all sorts of stupidly unprofitable, inefficient (and might we add, ineffective! yes if you are realistic, that’s what it is) good-for-nothing overhead;
  • Three: The good-for-nothing part — maybe not fully nothing, but oh so limitedly good for anything that you should’ve done already long ago not only for any ‘privacy’ compliance but for effective and efficient IT, -security included.

Following on this Lotus list, indeed there’s a lot of work to be done to become compliant … on the Legal side. On the IT side maybe also, but what needs to be done there, is (re)implementation of sound practices that should have been common daily practice anyway, and when implemented as such, ready; done.

The legal side on the other hand, sees all sorts of enduring challenges, like many cultural changes; no leaning back and await questions for advice to be answered out of hand with “It depends…” / “Come with a proposed solution and I’ll tell you whether it may or may not be permissible”, but for once being actively engaged and delivering definitive answers, and designing, implementing, and carrying out your (Legal) selves reams of procedural stuff. Acting on assessments, acting in communications, acting in control(s), etc.

You get it — the GDPR brings many problems for many organisations, the biggest of the problems being how to manage back the (Legal) consultancy fees… Remember, when data leakage isn’t preventable (as some dunces might still believe, many on the Legal side of GDPR compliance among them – hey they even think pseudonymisation amounts to anything), bad things are bound to happen. When (not if) not already via the avalanche of information requests

I rest my case now, for you to have time to process the above, get it, and leave you with:

Your GDPR compliance looks much, much worse (this is actually quite good!); Toronto]

Ninety percent

Not in any economic sense you may have thought, given the attention oft given to, e.g., the 1% or 99% (We Are-; Occupy-style) where now the 90% might be the disappeared middle class in the US that extended from the bottom 10% – that was around even in the best of times – all the way to the top — excepting the 0.01% that was in charge all the time …
Here, it’s about a quote slash truism:

90% of everything is crap

Have ever truer things been said. This, of course you knew since prep school, being Sturgeon’s Law.

Just putting it there. See the link for a ‘proof’. Or look around you; physically (co-workers), mentally (in your head, and feel free to assume the others’ heads are not necessarily better…), qua your pay check, your significant other [hey here I can testify I’m lucky with a not-90% specimen par excellence; no she’s not reading this], etc.

Leaving you with:
[In the 10%, definitely. Even when it rains, this one. Baltimore]

Being Creative with Trust in Identities

… seems impossible to get right. Since for sure, Identities that can be Trusted are so stable that all Creativity is impossible ..?

What does society-at-large want? If you think about the bandwidth above: Aristoteles’ true middle..! But would you know where that is, in this? Would it be sufficiently on the Fixed side to be able to be used as trustworthy Identity? Or would it be a matter of good-enough reliability, for the task at hand?
Possibly we should like Activity-Based Access Control to pair to this Task-Sufficient Identification ..?

A lot on this will have to be developed further, I’d say, but this could be the beginning of a beautiful friendship
Plus (skewed ‘horizon’-ID intentional…):
[All the ID theft may not get you here…; Amsterdam]

Nog een / One more on audit culture

U zult weinig genoegen scheppen in zang, dans of vechtsport als u bij de zang de harmonie van de muziek ontleedt in haar verschillende klanken en u bij iedere toon afvraagt: ben ik hier nu echt van onder de indruk? U zou u voor zoiets schamen. Hetzelfde geldt voor de dans, wanneer u elke beweging en houding apart beoordeelt, en voor de vechtsport.
Which translates to, anachronistically:
A pleasant song or dance; the Pancratiast’s exercise, sports that thou art wont to be much taken with, thou shalt easily contemn; if the harmonious voice thou shalt divide into so many particular sounds whereof it doth consist, and of every one in particular shall ask thyself; whether this or that sound is it, that doth so conquer thee. For thou wilt be ashamed of it. And so for shame, if accordingly thou shalt consider it, every particular motion and posture by itself: and so for the wrestler’s exercise too.

Which in turn brings back the discussions on the auditors being of a stratum or subclass that abhors the Cultural stuff, runs away from the Arts. Contrary, statistically, to e.g., lawyers and notaries-public. This was researched some years/decade back here in NL: auditors don’t read books. Don’t go to theaters. Don’t go to concerts. The bores, the bereft of exposure to the Classics, in classical or latest-modern form. They just don’t delve into anything moral, or consider Advanced Excel the ultimate they’ll go to.

As POTUS of the Western world — military and culturally, not just the latter or, much degrading, economically only — Marcus Aurelius saw it right (yes the above is from his Meditationes, book XI / II): Those that focus only on the analytical, tracing the veracity of the True and Fair View to the detail only and not do (moral/ethical-Value) synthesis, are of an ethically overly impoverished, plebeian folk; worth to be (wage) slaves.
Those, on the contrary, that use the nitty-gritty to arrive at some grand, eloquent plea like lawyers do [should do; ed. – yeah that’s me myself ;-] even when not fully in compliance AAARGGGH! Yes I’ll go rinse my mouth with green soap   with the Original “ISO” standard for that, will see their Virtue strengthen…

Never thought that I’d prefer lawyers over … anything.

But it does also refer back to my post of a couple of weeks ago in which I explained the difference between dispassionate conformity checking and invariable fault finding, the robotic way, versus compassionate improvement-issue formulation and risk-based prioritisation, the nothing-like-robotic way.
Now imagine which side I prefer to be on …

[Ah, Culture and heritage, much over, higher, than mere systems of record; Edinburgh]

4Q for quality assurance

To go beyond the usual, downtrodden ‘quality in assurance’ epitome of dullness, herewith something worth considering.
Which is about the assessment of controls, to establish their quality (‘qualifications’) on four, subsequent, characteristics [taking some liberties, and applying interpretation and stretching]:

  • Design. The usual suspect here. About how the control, or rather set of them, should be able to function as a self-righting ship. Point being, that you should+ (must?) evaluate the proposed / implemented set of controls to see whether self-righting mechanisms have been built in, with hopefully graceful degradation when not (maintained) implemented correctly and fully — which should be visible in the design or else. Or, you’re relying on a pipe dream.
  • Installation. Similar to implementation-the-old-way, having the CD in hand and loading / mounting it onto or into a ‘system’.
  • Operational. Specifies the conditions within which the control(s) is expected to operate, the procedural stuff ‘around’ the control.
  • Performance. Both in terms of defining the measuring sticks, and the actual metrics on performance attached to the control(s). Here, the elements of (to be established) sufficiency of monitoring and maintenance also come ’round the corner.

Note; where there’s ‘control(s)’ I consider it obvious, going without saying (hence me here now writing instead of that), that all of the discussed applies to singleton controls as well as sets of controls grouped towards achieving some (level of) control objective. All too often, the very hierarchy of controls is overlooked or at best misconstrued to refer to organisational / procedural / technical sorts of divisions whereas my view here is towards the completely ad hoc qua hierarchy or so.
Note; I have taken some liberty in all of this. The Original piece centered around hardware / software, hence the Installation part so explicitly. But, on the whole, things shouldn’t be different for any type of control or would they in which case you miss the point.

And, the above shouldn’t just be done at risk assessment time, in this case seen as the risk assessment time when one establishes the efficacy, effectiveness of current controls, to establish gross to net, inherent to residual risks, on all one can identify in the audit universe, risk universe, at various levels of detail. On the contrary, auditors in particular should at the head of any audit, do the above evaluation within the scope of the audit, and establish the four qualities. Indeed focusing on Maturity, Competence, and Testing to establish that — though maybe Competence (not only the competence of the administrator carrying out the control, but far more importantly, the competence of the control to keep the risk in check) is something just that bit more crucial in the Design phase, with Maturity slightly outweighting the others in Installation and Operational, and Testing of course focusing on the Operational and Performance sides of things.

Intermission: The Dutch have the SIVA method for criteria design — which may have some bearing on the structure of controls along the above.

Now, after possibly having gotten into a jumble of elements above, a closing remark would be: Wouldn’t it be possible to build better, more focused and stakeholder-aligned, assurance standards of the ISAE3402 kind ..? Where Type I and II mix up the above but clients may need only … well, hopefully, only the full picture.
But the Dutch (them again) can at once improve their hazy, inconsistent interpretation of Design, Existence, and Effectiveness of control(s).
With Design often, mistaken very much yes but still, meaning whether there’s some design / overall structure of the control set, some top-down detailing structure and a bit of consistency but with the self-righting part being left to the overall blunder-application of PDCA throughout…;
Existence being the actual control having been written out or more rarely whether the control is found in place when the auditor come ’round;
Effectiveness… — hard to believe but still almost always clenched-teeth confirmed — being ‘repeatedly established to Exist’ e.g., at surprise revisits. Complaints that Effectiveness is utterly determined by Design, fall on stone deaf ears and overshouting of the mortal impostor syndrome fears.

Back to the subject: Can four separate opinions be generated to the above four qualities ..? Would some stakeholder benefit, and in what way? Should an audit be halted when at some stage of the four, the audit opinion is less than very Satisfactory — i.e., when thing go downhill when moving from ideals and plans to nitty practice — or should the scope of the audit be adapted, narrowed down on the fly so the end opinion of In Control applies only to the subset of scope where such an opinion is justified?
But a lot needs to be figured out still. E.g., suppose (really? the following is hard fact at oh so many occasions) change management is so-so or leaky at best; would it be useful to still look at systems integrity?

Help, much? Plus:
DSCN4069[An optimal mix of complexity with clarity; Valencia]

"Compliance auditing"

Is two distinct things, or a contradictio if taken as one.

  • The ‘compliance’ thing is just rote checking of the implementation of all petty rules. The Certificate certification type. If I’d even need to say more…
    Some even claim that by repeated checks of implementation, ‘operating effectiveness’ would be established. Fools. The operating effectiveness can only be designed in, so the first 99% of operating effectiveness can be checked in the design; what do you check the design for in the first place? Why would you check the design otherwise? And if you don’t, then what value to the petty paper that the standards are?
    Ah, “…the slavery of fear had made men afraid to think.” (Thomas Paine, Rights of Man, p.159) — that’s what this is about… As in a couple of last days’posts. But this is Not Auditing, since ..:
  • Auditing is the art of application of risk management upfront, and insight and wisdom afterwards. (as also in this.)
    Risk management upfront: Even when taking up some standards first and then seeing how it would apply to the case at hand, a true auditor would select, inter alia based on informal and formal risk assessment (in a mix dependent on the case, and experience) wat rules from the standard apply and which ones to check for in what various levels of detail. If ‘all’, you’re doing something Wrong like doing compliance checking.
    Insight and wisdom after: There’s no value whatsoever in noting deficiencies as such, or recommending on their remediation simply by inner-productlike fixes. There is value when taken one, two, more, many more, levels up and digging deep (upwards, usually) to find the true causes, possibly root causes (but do NOT overdo this), and then advising in smart, intelligent, wise ways to remediate those. Don’t think black-white here, but about (fundamentally different!) thesis versus antithesis, towards Synthesis… And, along the way of the audit, support and encourage those under stress/duress of audit requirements, petty standards requirements, and micromanaging bosses all standing in the way of actual performance and use of brain. When then, a final overall conclusion is to be had, this would be based on the ability and application to weigh arguments (as Cicero, utterly correct: “One should not count arguments but weigh them”, De Oratore 307-310 LXXVII) and hand down a verdict which all embrace for its wisdom and authority — your personal authority which isn’t power, not rightiousness-by-procedural-justice! Let alone attachment to some organisational body (self-aggrandised company or professional association), or by it of a title to you.

So, either you set your mind to Blank and do compliance checking, or you use your brain for its intended purpose [“irregardless” of its nature/nurture capability levels with you] and audit.
The first, not for nothing to be replaced by AI soon, very soon. The second, the almost-definition of what AI still (your mileage may vary) can’t do, yet… The first, for DAOs; the second, lost through Bureaucarcy (see previous posts).

[Shifty facades/faces; Zuid-As Amsterdam]

Two stikes and you’re out of third party standards

What a wobbling title.

When already for a second time (here), the European Supreme Court has ruled that laws requiring broad (meta)data retention for trawling are illegal per se, with a minute few exceptions, making it illegal to consider it legal (i.e., have a law requiring it — which of course is much stronger than just doing it on private company want) you’d better comply.

That’s all, folks, only adding the following thus undoing that:

  • You may read back some posts on how to pull off better Privacy (-compliance) in a fun and efficient way;
  • And note how this seems to run counter the above, or does it ..? Distinction is finer than initially thought;
  • Standards as yet fail to address sufficiently the main cause of leakage, being third parties or in your case, second parties; known for being the #1 Saying Yes (on paper) Doing No when it comes to maintaining security to the impeccable standards of yours. Those impeccable standards of yours that … can’t even seriously assume you’re at those levels. Can’t assume the second parties are anywhere near your levels even, because of their business model which is Profit over Non-profit [think that through] so have no incentive to take the moral high ground and all the incentives to the opposite … Those second parties of course are in your standards (are they? certainly not everywhere) under transparency towards first parties (customers) regulators if ever they’d look so (only just beyond skin-) deep or rather disregard the issue;
  • If not when those your standards would have been clear enough to yourself to collect and put them up as requirements, and properly communicated to the second parties, and (checked to have initially been) implemented with them;
  • But then no-one really knows how to pull off even core but real oversight over the infosec quality at second parties — don’t fool yourselves: reporting, always throught their Marketing/Sales, will give no real info (info being the things you’d want to notice, not the stuff you can skip because it’s green lights/smileys all the way); actual audits, are either by third parties most usually on pay of second parties hence on their hand (don’t believe the outright lie of independence [I’ve been there, countless scores of times..]) e.g., when ISAE- or other certification is in play (certification after petty-rules-compliance checking not Auditing see tomorrow’s post) or by your own auditors — how good are they, anyway, when this outsourced stuff is special to them too (as you outsourced, their knowledge / experience re this, tumbled) and again it’s a side show to their audit universe, hard to pull off (have a look at the notification requirements and their freedom of movement in the contracts…) and still with an interest of the second parties to show a nice picture not truth which is almost completely in their hands, or by some third party hired and paid by you, for which the latter flaw of pretty-picture needs; the Diginotar case anyone?
  • Summa summarum: You may be hosed.

Even more so, when it comes to Privacy. Either as an organisation, or as private person [ditch the oh so pejorative ‘individual’ and ‘citizen’ — don’t start me on the utter ridicule of the moronic ‘corporate personhood’], or both.

Oh well:


[May be prone to strike the wrong way, too, anyway; DC]

Low standards

The compliance check-box approach is an atrocious thing for and to many things and reasons, but has been induced by the very growth of the industry. Since all margin calls at all controls and controls objectives achievement have been whipped out — and no-one dares to or has the experience for margins calls anymore. How low can your standards of professionalism dive.

Sic transit gloria mundi; the trade once was a veritable gentleman’s (M/F/~) affair, for one put up one’s honour and good name (and standing including life, liberty, welfare and happiness) for the value of the second opinion over the full width of the (opinion about subject matter) playing field.
But one’s good name is no more. Men are no longer honorable, virtue isn’t a thing anymore; pluto reigns, in particular at 1600 Penn Ave — the demise of humanity. In the coming years, the standards will follow; having deteriorated from standards to hold Men to, to straight jackets most easily escaped from by surreptitiously gaming the system, making the system the mockery of men. I repeat myself.

But ideals, values, virtue and all things principle-based will resurface; if only trivially since the now resurgent risk-management approach would not work otherwise. The value is already returning to the dare of the expert to call it not to fold on details.
Hence, new standards will emerge. Pure-principles lists, no nitty-gritty stuff. To be audited on, by knowledgeable advisors that can relate sample controls / -frameworks to the principles and back. The 27k1/2 divide, but strengthened, widened.

About the latter; the renewed gap between principles and samples, will also allow auditors more flex when determining their audit approach as in next week’s post ;-|

By the way, the Dutch may read a bit on the same issue, au fond, and some pointers to solutions, if they’d work (put hypothetically for a reason), in this here piece, released after my draft of the above.

Oh, and:
[A winery, of course; Douro valley]