At least, you can have your PIA

Privacy Impact Assessments are treated far too much as a given in (the new European regulations') privacy-anything these days. Yes, PIAs are a critical step on the very critical path towards compliance in substance. Because when they aren't done well, if done at all with any real attention and intention, your compliance effort will fail, if not formally then in practice – with equally serious, break-your-business, high-probability risks.

First, this:
[Heaps upon Sea again indeed]

The point being: PIAs should be done with an actual interest in protecting the privacy of stakeholders. When done less than wholeheartedly, the results have hardly any value, because that would demonstrate one doesn't understand the ethical imperatives of privacy protection in the first place. From which it would follow that all the (other) required policies and measures would be half-hearted, ill-focused and sloppily implemented 'as well'. Which isn't the stretch of reasoning you took it for on first reading this…

And then, a great many organisations don't even start with PIAs; they just jump in at all angles and steps. With PIAs still being required, they are carried out half-heartedly somewhere during or after the fact, while all the rest is implemented on assumptions that will not be met.

To which I would add: in the above, 'you' refers to those in control ("governance", to use that insult) at organisations that have to be compliant. Not you, the advisors/consultants, internal (in the 2nd and 3rd lines of defence) or external, who push organisations. [Don't! Just tell them, record it, and after the disaster 'told you so' them. There's no use at all kicking this dead horse.]
But oh well, why am I writing this? Why am I hinting at ethics in your governance? That's an oxymoron at your organisation – do you claim to have either?

Feel free to get in touch if you'd like to remedy at least this part of your privacy non-compliance…

Postdictions 2014-III

A progress report on the Predictions 2014 I made in several posts here, at the end of Q3.
I gathered some evidence, but you probably have much more of it regarding the items below. Do raise your hand / comment with links; I'll attribute my sources ;-]

First, of course, a picture:

[Iron fist, not often seen (by tourists anyway), Pistoia]
So, there they are, the items collected from several posts and already updated twice before in this series:

Trust Well, there’s this, and this on the financial penalties of trusting your assurance provider…
Identity See previous re the value of certificates. Otherwise, not much news this quarter.
Things The hackability of all sorts of home appliances has already become some sort of Mehhh… And apparently, there’s a spin-off in the IoBT …?
And there’s progress in the auxiliary channels/architectures… as here and here.
Social Not much. Some Ello bits, though. And more in the AI arena, as this shows.
Mobile Has gone to the Expired phase.
Analytics Wow, this one's moving into the Trough of Disillusionment quickly! Now get it to jump out at the other end, as quickly.
Cloud Mehhh, indeed. May be in the Trough of Disillusionment, or has gone into been there, done the grit work, no-one's interested anymore.
Demise of ERP, the Turns out it's very hard to fill vacancies in this arena, isn't it? Due to the boredom-to-death surrounding them.
InfoSec on the steep rise Even if we haven’t seen enough on this!

On APTs: Only the most interesting hack attacks get into the news these days. Turns out they’re all this kind.
On certification vulnerabilities: In hiding. Still there. Ssssht, will hit. Suddenly.
On crypto-failures, in the implementations: Not much; passé.
On quantum computing: – still not too much –
On methodological renewal; as it was: Some progress here and there, but no ✓ yet.
Deflation of TLD See second link of Trust; Fourth line didn’t work, even.
Subtotal Already, with the previous follow-ups, clearly over 80% as we speak, when discounting for some fall-back here and there.

The faint of heart wouldn’t necessarily want to speak the bold characters out loud.
See you at the end of the year ..!

Managing Fortuna’s Risks

On how Risk Management is self-defeating… or just something one has to do while Life has other plans with you(r organization).

First, the usual picture:
[Shadow (play) of Dudok, Hilversum again of course]

First, the self-defeating part. This we hardly ever discuss at length, fully enough, but when we do, it's so obvious you understand why: because RM is about cost avoidance, even if only opportunity-cost avoidance. Which makes you the Cassandra, the Boy Who Cried Wolf among the courtiers (sic). It's just not interesting, not entrepreneurial enough. [Even if that would be pearls before swine…]

Second, this is why it's so hard to sell (no quotes, just outright sell for consultancy or budget bucks) the idea of RM to executives – they only see the cost you are. They don't see themselves as delivering anything if, if, if only they had integrated RM into their daily 'governance' (liar! that's just management!) / management. They don't want to do anything. They just don't understand why they should do something that doesn't show itself to be effective, even when for once others see no harm (though those others will not even care to flag the kindergarten-level window dressing that's going on with the RM subject; too silly to call out).

Third, this happens not only with 'boardroom' RM (~consultancy/advisory); it is well established at lower ranks too, all the way from mundane IT security, Information Security, Information Risk Management and Operational Risk Management (where the vast majority of organisations don't make anything tangible anymore), including the wing positions of, e.g., Credit and Market Risk (which are in fact, with the visors to mention, the same as the previous!), to Enterprise Risk Management altogether.

Fourth, we tie in Queuillism: the Do Nothing part, almost as in Keynesianism, where in the latter future-mishap prevention should be arranged during the years when government intervention wasn't required as such. As in Joseph's seven fat years versus the seven years of famine (Genesis 41). How does this reflect on RM? Would it not be just BCM in its widest, enterprise-wide sense? Isn't that what 'management' is about, again..? Just sanding off the rough edges and, for the rest, giving room to the actual stars, the employees at all levels, to let them bring out their best – exponentially more than you can achieve by mere, petty command & control. You raise KPIs, I rest my case about your incompetence. And this goes for governments even more. Just enormously expensive busywork.

Fifth and finally, the fourth trope points in the direction of Machiavelli's Fortuna. Which was also covered by Montaigne, of course. It doesn't matter what you do; in the end, Life has other plans with you. Sobering, eh? Oh, but again, you can shave off the rough edges for yourself, too. Just don't think, in the end, that will matter much beyond some comfort to you. Catharsis, and move on.

OK, since you held out so long:
[The same, from another angle]

Gotta TruSST’MM

Had been planning for a long (?) time already to write something up on the issue of Trust in OSSTMM3© – in particular, how it doesn't conform to received (abstract) notions of trust, and how that's a bit confusing until one thinks it through widely and deeply enough.

First, a picture:
[Controlled to I/O, Vale]

Then, some explanation:
As I get it (now!), the OSSTMM model defines Trust as an entry into or out of a system/component (objects, processes): the thing you may do when you are trusted. Literally, not the protection wall but the hole in that wall. Which isn't some opinion the holder has of the visiting tourist. Interesting, but troublesome in its unsettling powers.

Dang. Running out of time again to delve into this deeply enough – in particular where I wanted to link this to a previous post about identity and authentication… (that post is in Dutch). OK, will move on for now and return later. Already, if you have pointers to resolution of the differences (the whole scale (?) of them), don't hesitate.

Business Model Down

[Deventer, for zero relation with the following]

Although probably hardly still the core money maker for Big G, collecting search data may fall back, maybe significantly, in the near future. Since, e.g., when did you last search for something specific enough that patterns may emerge from it..? Wasn't it just point-and-shoot, search-phrase-for-single-answer work that you did, if at all, because you entered full URLs anyway..?

Unless of course you're part of the hoi polloi that delivers such low ultimate revenue to advertisers that it's not worth it; they just return to mass marketing and don't need Big G data specifics for that.

[Edited to add:]
… Ah, so that’s why said company is moving so swiftly into AI…

Crowdjustice

Perhaps established interests (again wrongly… DNB's petty-mindedness, probably out of mortal fear born of incomprehension (although that d… justified, and desirable?) vs the State of California…) will start issuing warnings before the comparison with the current actual situation has been made fundamentally and objectively enough, but this is of course an interesting novelty: crowdsourcing justice. And those who find jury trials somewhat scary, something unfamiliar and therefore distrusted, should read, no, study this work.
Suddenly so much comes together… Joy all round at so much cultural progress.

[Edited to add: See the post of 25 August 2014…]

And so, a cheerful:
[Might be a duplicate, bro]

COPE a Nope

Hm, this piece seems to miss the point entirely…

Because the move to BYOD had/has (sic) nothing to do with operability. But everything with power. And speed. COPE will be much more of the same, but with an even more inexplicable, awkward speed/flexibility/functionality trade-off. With nothing of (e.g., the current and forthcoming European Regulations' and practices') privacy in mind, just pipe dreams of regained totalitarian control. Heh, if that floats your boat: every boat, yours included or excepted, has left the harbour, because ships are safe there but that isn't what ships are for. If you can't see the analogy… you'll be sunk.

And then, there’s a pic:
[Great for learning gaff rigging, but for serious yachting…?]

Proof of legitimate identity

By way of a question to @iusmetis / @ictrecht…:
In everyday Dutch usage we still (…) know the difference between legitimatie and identiteit, as in legitimatiebewijs (proof of legitimation) and identiteitsbewijs (proof of identity) respectively. The latter is also seen as equivalent to 'ID'.
Which raises the questions:

  • Does a legal difference between the two (still) exist..? Where does that difference, if any, come from, and how is it (still) applied?
  • How does this 'map' onto (identification,) authentication and authorisation as those terms are used in today's ICT..?

The latter in particular seems worth studying, because a. the legal terms have had a long time to be chewed over and 'thus' may still bring out relevant differences compared with the only very recently developed ideas about access to systems/data.
And the confusion of the function of an 'electronic' ID with true identity, and the double role of, e.g., a 'user ID', is also worth some consideration.

Anyway, first let's get the definitions clearly lined up side by side.

And of course the picture of the day:
[Hey, look at that, they had Starbucks in Lucca really early on…?]

Postdictions 2014-II

A progress report on the Predictions 2014 I made in several posts here, at the end of Q2.

First, of course, a picture:
[New then, outdated now, La Défense]

So, there they are, the items collected from several posts and already updated once before in this series:

Trust Bitcoin may be in this corner, covering a lot of this subject [edited to add: it’s now legal in California ..!]. Also, Heartbleed pointed out our dependency on ‘anyone but us’ in actually checking/testing open source software like OpenSSL, and the trust placed in the great many low-level bits and pieces that make up ‘the’ Internet (connections).
[After publishing, I’ll cross-post my ISSA Journal column on this, as a post] —> [Here it is]
Identity Facebook allowing anonymous (fake) identities. Users deleting posts from socmed, and switching to ephemeral messaging (Snapchat et al.). The European Court ordering Google to delete histories at request. (The semantics of) identity proceeds to being manageable…
Things Moving into a focus, vanguard of Sensors. And the Glass successors are surfacing. Earables here …
Social Movement all around; with a focus on privacy as in my May 30th post.
Mobile See Things.
Analytics Wow, this one's moving into the Trough of Disillusionment quickly! Now get it to jump out at the other end, as quickly.
Cloud Mehhh, indeed. Still. The focus shifts towards actual security implementations, and control over that. On the Slope of Enlightenment, I’d say.
Demise of ERP, the Dude, these platforms aren't even audited other than by the most boring of boring routines – anyone interested in things other than pure dry deadwood is working on other things.
InfoSec on the steep rise Even if we haven’t seen enough on this!

On APTs: We’ve seen Heartbleed come. And not go. This being just a mere incident, incidental symptom…
On certification vulnerabilities: See the previous. Check.
On crypto-failures, in the implementations: Some minor Bitcoin stuff, not too much else.
On quantum computing: – still not too much –
On methodological renewal; as it was: I blogged about this (re Rebooting CIA and OSSTMM). Some progress here and there, but no ✓ yet.
Deflation of TLD Really out of sight even in the most dull accountant’s circles.
Subtotal Already clearly over 80% as we speak, when discounting for some fall-back here and there.

The faint of heart wouldn’t necessarily want to speak the bold characters out loud.
See you at the end of Q3 ..!

[In repeat, to add:]
Missed in the predictions ahead of time, but still worthwhile to watch: Google’s move towards banking via Gmail … as per this story, as commented ‘ere.

Maverisk / Étoiles du Nord