The British government had their Defence Manual of Security (2001) leaked to the internet on October 4, 2009. The press and WikiLeaks provide a good breakdown of the information within it, and it is fairly accessible to those interested. What strikes me as interesting is not that it is now in the public space, but the concern some organizations have with exposing their security protocols. The thinking is as follows:
How does this relate to your practices as an organization within information safeguards, PCI DSS, and GRC?
Security requires a good plan and a properly executed set of operations. The reality is that security is good because it is well designed and well run, not because it is unknown. In other words, security through obscurity is a flawed practice, as has been proven time and again. Consider open source versus the many broken "proprietary / secret" protocols and methodologies. The point is this: good security should withstand the glaring spotlight and make the difficulty of breaching it plain, rather than harbour weaknesses that are protected only by blind luck.
In short, organizations should not be afraid to share their security realities and compliance safeguards with their teams and partners. Obscurity is not the answer; security comes only through prudent review, regular enhancements, and an agile response to shifts in the business and the risk landscape.
The combination of good self-assessments, transparent and open audits with partners and firms providing attestation services, and open dialogue between the business and the owners of information assets is key.
The document leaked is 2,389 pages, so you may want to get a venti coffee.
Other thoughts? Any lessons for moving forward found in the document?