Tag Archives: IT Controls

The Enterprise Compliance and Security Game board

A question that the COO and CIO of every business must manage is how to allocate finite resources across the company. The products and services sold by the business are developed and delivered to market as rapidly as possible in a race to be competitive. In the startup realm, building in security, compliance, and privacy elements is a very low priority. In most cases startups (and skunkworks within larger enterprises) depend upon the security of their libraries (Ruby on Rails, Java libraries, etc.) and product components (UL certified parts) to deliver security. Unfortunately, depending upon the security and safety of the individual pieces is insufficient once the elements (from here forward meaning both technology code and physical product components) are brought together in a new and non-obvious way. The new product or service introduces dependencies, communication channels, new operating environments, and custom elements that reduce or eliminate the security, compliance, and privacy properties that each element had on its own.

Leadership must then prioritize, as early as possible, introducing security, compliance, and privacy. Companies certainly benefit by building these natively into products and services at the Design & Build stage, as it is cheaper to build once than to re-design / re-code later to meet the market's expectation of security, compliance, and privacy. The case where the organization must review its existing portfolio and decide what should be done is the focus of this article. An analysis is necessary to evaluate the landscape of necessary and appropriate security, compliance, and privacy requirements, and to decide which products or services should be updated.

Or stated another way …

Where on the game board do the services and products of our company get prioritized to receive compliance, security, and privacy ‘attention’?

Such an analysis should at least include:

  1. Listing of all required regulations and business best practices
  2. Listing of all legal and contractual obligations
  3. Discovery of similar products / services in the market, listing any requirements that resulted from litigation or government agency enforcement actions against them
  4. Strategic roadmap review – identify any likely near term requirements
  5. Listing of all requirements the individual products & services will be subject to from the customer’s perspective

At this point a robust listing exists of what the products and services should support. A cross-map of these requirements (showing where different sources demand the same safeguard) should then be produced for optimized adoption and sustained operation. The cross-map will also provide the design specifications that feed the use cases and the product development life cycle. An example is below:

[Figure: example requirements cross-map (screenshot not reproduced)]
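The cross-map and the game board can be built mechanically once the requirement lists exist. The following is an added example, not the author's own process or tooling: it takes a constructed, hypothetical list of requirements (tagged with the five sources above), inverts it into a control-to-requirements cross-map, and then scores each product by the weighted obligations it does not yet satisfy. All requirement IDs, control names, weights and products are assumptions made for illustration.

```python
"""Requirements cross-map and product prioritization.

Added example, not the author's own tooling: it builds the cross-map the post
describes from a constructed requirement list, then scores each product by the
weighted obligations it does not yet satisfy so products can be placed on the
prioritization "game board". Every requirement, control, weight and product
below is hypothetical.
"""
from collections import defaultdict

# Constructed sample requirements. "source" is one of the five inputs listed in
# the post, "weight" is an assumed relative cost of not meeting the requirement
# (used only for ranking) and "controls" are the controls that must ALL be in
# place before the requirement counts as satisfied.
REQUIREMENTS = {
    "REG-1":  {"source": "regulation",  "weight": 5, "controls": {"encrypt-at-rest", "access-logging"}},
    "REG-2":  {"source": "regulation",  "weight": 4, "controls": {"access-logging", "user-access-review"}},
    "CON-1":  {"source": "contract",    "weight": 3, "controls": {"encrypt-in-transit"}},
    "ENF-1":  {"source": "enforcement", "weight": 4, "controls": {"breach-notification", "access-logging"}},
    "ROAD-1": {"source": "roadmap",     "weight": 2, "controls": {"data-retention"}},
    "CUST-1": {"source": "customer",    "weight": 3, "controls": {"encrypt-in-transit", "user-access-review"}},
}

# Constructed sample inventory: the controls each product implements today.
PRODUCTS = {
    "payments-api":     {"encrypt-at-rest", "encrypt-in-transit", "access-logging", "user-access-review"},
    "reporting-portal": {"encrypt-in-transit"},
    "mobile-app":       {"encrypt-in-transit", "data-retention"},
}


def build_cross_map(requirements):
    """Invert requirement -> controls into control -> requirements.

    A control shared by many requirements is the cheapest one to adopt first
    and the one whose failure has the widest compliance blast radius."""
    cross_map = defaultdict(set)
    for req_id, req in requirements.items():
        for control in req["controls"]:
            cross_map[control].add(req_id)
    return dict(cross_map)


def control_leverage(cross_map):
    """Controls ordered by how many requirements each one helps satisfy."""
    return sorted(cross_map, key=lambda c: (-len(cross_map[c]), c))


def unmet_requirements(implemented, requirements):
    """Requirement IDs whose full control set is not yet implemented."""
    return {rid for rid, req in requirements.items() if not req["controls"] <= implemented}


def gap_score(implemented, requirements):
    """Weighted sum of the obligations a product currently fails to meet."""
    return sum(requirements[r]["weight"] for r in unmet_requirements(implemented, requirements))


def missing_controls(implemented, requirements):
    """Design specification: the controls to add so every requirement is met."""
    needed = set()
    for rid in unmet_requirements(implemented, requirements):
        needed |= requirements[rid]["controls"]
    return needed - implemented


def prioritize(products, requirements):
    """The game board: products ordered by weighted unmet obligations, worst first."""
    board = []
    for name, implemented in products.items():
        board.append({
            "product": name,
            "score": gap_score(implemented, requirements),
            "unmet": sorted(unmet_requirements(implemented, requirements)),
            "add": sorted(missing_controls(implemented, requirements)),
        })
    return sorted(board, key=lambda row: (-row["score"], row["product"]))


if __name__ == "__main__":
    cross_map = build_cross_map(REQUIREMENTS)
    print("Controls by leverage:", control_leverage(cross_map))
    for row in prioritize(PRODUCTS, REQUIREMENTS):
        print(f'{row["product"]:17} gap={row["score"]:2}  unmet={row["unmet"]}  add={row["add"]}')
```

Running the block prints the controls with the widest coverage (the ones whose adoption satisfies the most obligations at once) and a table of products, worst gap first, with the controls each would need to add. The weights are the tunable part: they are where the legal, contractual and enforcement inputs get turned into a single ranking.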

The outputs above (in sequence 1 to 5) are then placed on your product / services game board, and prioritization and risk management become possible. This is a process I designed in 2008 and have enhanced based on experience and client feedback building global security and compliance programs. Your program may need to consider additional facts and realities. I would love to hear your thoughts to enhance and challenge this method.

Best,

James DeLuccia

Latest report shows top attacking countries, 60x increase in attack intensity..

The latest report shows significant changes in the scale and type of attacks being executed, as recorded by one of the largest internet infrastructure companies and supplemented with additional data sources. Akamai published their quarterly report today (January 23, 2013) and I am nearly through it … a few striking details shift how I will recommend clients identify, consider, and mitigate risks. The top two items that are significant (one obvious) and important include:

  • China held its spot as the #1 source of observed attack traffic at 33%, with the United States at #2 at 13% (Not a huge surprise but an affirmation for many)
  • The amount of attack traffic seen during the activist (Operation Ababil) DDoS attacks was ~60x larger than the greatest amount of traffic Akamai had seen before for similar activist-related attacks (The volume, intensity, and strategy of the attacks are important, as most risk mitigation calculations do not consider a sixty-fold factor)

About the Akamai State of the Internet report 
Each quarter, Akamai publishes a “State of the Internet” report. This report includes data gathered from across the Akamai Intelligent Platform about attack traffic, broadband adoption, mobile connectivity and other relevant topics concerning the Internet and its usage, as well as trends seen in this data over time. Please visit www.akamai.com/stateoftheinternet

You can request access to the report (registration required) here, and the individual images from the report are available here. There is also a great set of write-ups coming out here and here.

Senior leadership (board of directors, audit committee members, CIO, COO) must ensure these realities are absorbed into the organization's business processes. The leadership and strategy shifts required to tackle these evolutions remain an executive responsibility.

Best,

James DeLuccia IV

*See me speak at RSA 2013 in February on – The Death of Passwords

Social Media guidance from FFIEC and governed agencies .. up for comments!

The FFIEC released today (January 22, 2013) the “Social Media: Consumer Compliance Risk Management Guidance”, which is available online here. The release is seeking comments and is a great opportunity to see where the enforcement agencies are leaning: what concerns they are seeing on a macro scale, and their intended path to mitigating these unique areas.

“The 31-page proposal addresses how social media impacts compliance and legal risk, operational risk, reputational risk, and an increased risk of harm to consumers. While the agencies note that no additional regulations apply to social media, the relatively casual communication channels are not exempt from the rules, either.

According to the proposal, social media risk management programs should include a governance structure that includes how social media contributes to strategic goals, policies and procedures, third party due diligence, employee training, oversight, audit and compliance functions, and a reporting process.” – reference

Considering the velocity of the risks in this area and the lag in legislation, it is fair to say that even those OUTSIDE the purview of the FFIEC should strongly consider these as inputs to their compliance and security programs.

“The FFIEC invites comments on any aspect of the proposed guidance. It is specifically seeking comments on the following questions:

  1. Are there other types of social media, or ways in which financial institutions are using social media, that are not included in the proposed guidance but that should be included?
  2. Are there other consumer protection laws, regulations, policies or concerns that may be implicated by financial institutions’ use of social media that are not discussed in the proposed guidance but that should be discussed?
  3. Are there any technological or other impediments to financial institutions’ compliance with applicable laws, regulations, and policies when using social media of which the Agencies should be aware?”

Participate in the comment process for this guidance here.

The guidance itself is again available here. (pdf)

Best,

James DeLuccia

*See me speak at the RSA 2013 Conference – Passwords are Dead (I’ll also be posting research elements on this site for the communities input)

Implications of BYOD .. cultural implications & Chief Executive considerations

BYOD ..

What is it?  Commonly referred to as Bring Your Own Device, it refers to the unstoppable trend of end-users within enterprises using consumer devices in the workplace.  This is a simplification, but it captures the essence of how boards of directors came to use iPads, and how Facebook became a permitted service inside organizations.  (The Facebook example is a poor one, as that is an application, but that will be raised in a future discussion.)

The challenge for enterprises is how to enable end-users with these technologies.  How to gain efficiencies and advantage?  How to let end-users be happy with their ability to self-select their devices?  Ultimately, the end-users within corporations are quite happy with their iPhones and similar devices; it is only corporate IT that needs to streamline the integration.

Here is where things become interesting …

BYOD in most regions of the world means “Bring” your own device, while in certain regions it means “Buy” your own device.  Ownership of the device matters legally, for how someone uses that device, and for what controls are generally accepted.

In the United States, for instance, end-users generally both bring and buy their own devices.  This means that corporate IT must wrestle with ownership, MDM, and a diverse device / OS ecosystem.  Such challenges center on the ability to fully wipe a device in case of a policy violation, and on the capability to fully monitor and restrict the permitted applications via policy.  There is also the question of using the full breadth of technology on the device, e.g., combining GPS proximity with multifactor authentication to increase confidence in user credentials when the user is within corporate offices (a generally uneasy concept with personal devices, but something magically simple when the whole device is owned and part of the operations and security ecosystem).

In other regions, such as in Europe, the devices are purchased by the business and provided to the end-users.

So is it really “BYOD” or not?  For all intents and purposes the end-user drive, the customization applied to these devices, the personalization, and so on are identical to U.S. BYOD.  The difference is in HOW the user interfaces with the device and WHAT can be done to safeguard it.

  • How is your organization managing these cross cultural perspectives?
  • How have you considered the cost and operational expenses of each BYOD?
  • What are the implications for security, compliance, and long term competitiveness? (It is ultimately being competitive that ensures security and compliance will continue to matter.)

Electing and incorporating mobile / BYOD technology into business operations is obviously a decision that most organizations have already made, either through a rebelling user base or through sanctioned programs.  The next field of play is to focus on the cultural aspects and embrace a forward looking vision of the emerging legislation related to such protections and the expectations of consumers.

Culture eats strategy for lunch … so BYOD, please meet Culture.

Best,

James DeLuccia IV

Level setting your compliance security program

What is a good security compliance program? How do you measure its performance? How do you communicate and work with the senior leadership of your company on the current state of operations and the future? One approach is to compare yourself against your peers. (Defining your peers depends upon each individual product and service. Too often businesses classify their industry based on the business as a whole and lose sensitivity to the context of the individual service and product line.) More specifically, when analyzing the security compliance program, specific areas and metrics can be considered (the specific competitiveness and leading indicators of your security compliance program must cover additional areas).

To consider the state of your security compliance program compared to your peers, the following points should be considered and tracked at the executive leadership level:

  1. How do you compare to your competitors? This question alone requires that the leadership team of the security compliance program has its competitors defined explicitly
  2. In the market place what deals have you won or lost, to whom, and what product / services were involved?
  3. What is the customer attrition – by customer type; rationale?
  4. What is the amount of queries being submitted to sales, engineers, customer support, and executives regarding security compliance to the business?

An analysis of these four points within the context of security compliance will clarify the areas where the program is negatively and positively affecting the market strength of the business's products and services.

Thoughts and expansions?

James DeLuccia

An attribute of a mature security compliance program

The security compliance program of an enterprise is a core function in achieving sales, maintaining regulatory and contractual obligations, meeting the security challenges of a connected world, and balancing consistent operations with returning a profit for the business. A challenge within these programs, and especially for businesses that do not have a consolidated, mature program operating at the executive level, is the transparency of cost and the improvement of margins within operations.

Transparency of cost relates to the cost of supporting compliance, security, and privacy requirements within products and services. The lack of transparency can exist in many areas, but this article focuses on the specific costs of reporting to third parties on the state of the compliance and security program. Such cost can arise in any of the following scenarios:

  1. A sales person seeking to close a sale brings in an engineer and product manager to speak to / commit on security and regulatory safeguards. Initiating a new agreement may require a 250+ question questionnaire to be completed by that engineer, who typically needs additional parties to respond (roughly 30-50 hours of engineer time x the percentage of new deals signed annually that require one)
  2. The help desk pulling in engineers to respond to security / compliance questions submitted online (roughly 1-3 hours of engineer time x the number of customer requests)
  3. Annual queries directed at engineers, leadership, product managers, and sales teams to demonstrate that security and compliance programs exist or that controls specific to a customer request are satisfied. Such annual queries may involve questionnaires as mentioned above (approximately 30 hours to address), on-site audits, and 3rd party audit reports.

The end result of this single area of cost is time taken from valuable engineers who should be developing and improving product, and executives focused on tactical activities. In addition, a non-optimized security compliance program gains no leverage from the above activities, so each activity repeats past work. Zero scale is achieved.

Reflecting on your organization, improvements can be gained. An attribute that has proven beneficial is to consider the following, which are easily measurable and can be tracked:

  1. What is the unique number of security and compliance controls deployed within the products & services?
  2. What is the number of queries for each period?
  3. What is the number of FTE hours to address these queries? (the figures above are averages that I have seen, but the analysis is worth refreshing for your organization)
  4. What is the number of interactions the individuals have with the customers?
  5. What is the current central approach to meeting the needs and responding to such queries?

The last question leads to the idea that the program should be centralized so that these questions are managed in one place. This provides scale, lessons learned, and coordination across the business. A program designed and tracked in this manner becomes part of the sales process, account maintenance, and a regular touch point for the customer. Establishing the proper executive leadership and integrating this program is critical to every direct to consumer business, and more so for the rapidly growing technology services sector.

Thoughts?

James DeLuccia

Is your security compliance program sustainable?

As a greater number of enterprises transform their products and services for direct delivery to clients, the increased dependency creates obligations for both parties. Specifically, as technology services are adopted by enterprises and greater dependency is placed upon the relationship, regulations and customer requirements will be pushed down to these service providers. This typically does not occur immediately, but only after the delivered services become more integrated and reach a material state within the enterprise. (An example would be using a cloud service provider to host specific servers that then become the financial reporting servers, which introduces SEC, IRS, and SOX requirements.)

Establishing a developed security compliance program is paramount to meeting customer requirements in a timely manner, actually having appropriate security and compliance safeguards, and ensuring the business maintains a profitable service.

I have discussed the maturity, responsiveness, and adequacy of security and compliance controls before, so they will not be the focus of this article. Instead I want to highlight the third requirement, which the business may consider MORE important: profitability.

The common program experiences the following scenario:

[Figure: level of effort / FTE cost growing 1:1 with customers under the common program (screenshot not reproduced)]

The growth is great, and responding to customer requirements is expected. The surprise for most businesses is the direct 1:1 relationship between customers won and effort spent, and the lack of scalability without some program in place. As the business sells more and the clients become more dependent, the need and requirement to keep the customer increases. Such inquiries begin with simple SOC / certification confirmations and evolve to questionnaires and, in some cases, detailed on-site audits. These activities also generally impact the engineers doing product and service development directly.

[Figure: staggered growth of effort and FTE cost with a centralized program (screenshot not reproduced)]

Instead, establishing a centralized program changes the picture to the one above: a more staggered growth rate in the level of effort and FTE cost associated with the security program, and therefore better margin and sustainability through scale and coordination.
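The questionnaire cost scenarios from the previous post and the two curves above can be made concrete with a small simulation. This is an added example, not the author's data, figures or tooling: it contrasts an ad hoc program, where engineers answer every questionnaire from scratch, with a centralized program that banks each answer the first time it is written and reuses it afterwards. The minutes per answer, the size of the question pool, and the deal counts are all assumptions chosen for illustration, and the questionnaires are generated at random.

```python
"""Effort model for answering customer security questionnaires.

Added example, not the author's figures or tooling. Compares the two curves
in the post: an ad hoc program in which engineers answer every questionnaire
from scratch, and a centralized program that keeps a shared answer bank so
only questions never seen before cost full engineering time. All numbers
below are assumptions chosen for illustration.
"""
import random

MINUTES_PER_NEW_ANSWER = 30        # assumed: research, write and review one answer
MINUTES_PER_REUSED_ANSWER = 3      # assumed: confirm a banked answer still applies
QUESTION_POOL = 400                # assumed: distinct questions customers ask overall
QUESTIONS_PER_QUESTIONNAIRE = 250  # the post's "250+" questionnaire


def questionnaires(count, seed=1, pool=QUESTION_POOL, size=QUESTIONS_PER_QUESTIONNAIRE):
    """Constructed input: `count` questionnaires, each a set of distinct question IDs."""
    rng = random.Random(seed)
    return [set(rng.sample(range(pool), size)) for _ in range(count)]


def ad_hoc_minutes(qs):
    """No program: every answer is written fresh, so cost is 1:1 with questionnaires."""
    return [len(q) * MINUTES_PER_NEW_ANSWER for q in qs]


def centralized_minutes(qs):
    """Central program: an answer is written once, banked, and reused from then on."""
    bank = set()
    cost = []
    for q in qs:
        new, reused = q - bank, q & bank
        cost.append(len(new) * MINUTES_PER_NEW_ANSWER + len(reused) * MINUTES_PER_REUSED_ANSWER)
        bank |= new
    return cost


def yearly_effort(deals_per_year, seed=1):
    """Engineer hours per year under both models as the deal count grows.

    Returns (deals, ad_hoc_hours, centralized_hours) rows, one per year."""
    qs = questionnaires(sum(deals_per_year), seed)
    ad_hoc, central = ad_hoc_minutes(qs), centralized_minutes(qs)
    rows, start = [], 0
    for deals in deals_per_year:
        stop = start + deals
        rows.append((deals, sum(ad_hoc[start:stop]) / 60, sum(central[start:stop]) / 60))
        start = stop
    return rows


if __name__ == "__main__":
    print(f"{'deals':>5} {'ad hoc hrs':>11} {'central hrs':>12}")
    for deals, a, c in yearly_effort([5, 10, 20, 40, 80]):
        print(f"{deals:5d} {a:11.1f} {c:12.1f}")
```

The ad hoc column grows exactly in step with deals, which is the 1:1 relationship the post describes. The centralized column grows far more slowly because the answer bank fills up: once most of the pool has been answered once, each new questionnaire costs only the confirmation time. The same mechanism is what makes the help-desk and annual-audit scenarios cheap, since they draw on the same bank.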

This is a single example of the value of a developed security compliance program. What other attributes exist?

Kind regards,

James DeLuccia