Information Security and Starcraft II

Posted in /opt/risk_management, /root/IT Management, /var/rant on October 4th, 2010 by Rick Zhong

For the past month I have probably spent half of my free time playing Starcraft II on Battlenet. While I am trying to pull back a bit and get back to the usual IS research I do, I find the two (Information Security and Starcraft II) amazingly similar in multiple aspects.

In the Information Security world we always look at People, Process and Technology, while in Starcraft the threesome needed to win a game is Resources, Troops and Technology. In both cases an optimal balance of these three factors is the key to managing enterprise information security successfully or defeating your opponent in a Starcraft 1v1 game. An objective and adaptive strategy is also fundamental in both. As IS professionals we need to keep a close eye on the current threat landscape and on emerging threats, and allocate resources (your budget) accordingly. In Starcraft, scouting and intelligence about your enemy’s strategy are what decide how you spend your minerals and gas.

At the tactical level, a complementary mix of troops is the most basic micro technique in Starcraft. Similarly, in Information Security I am a strong believer in multi-layer/multi-tier implementation and in the diminishing returns of investing in a single type of security control. A single type of control can only reduce the overall risk by a certain percentage; each subsequent investment in the same type of control returns less and eventually reaches a plateau. In one of the recent talks I attended, Dr Peter Tippett from Verizon Business illustrated this with the example of safety belts among car safety controls: a nylon safety belt reduces the probability of a fatal car accident by 50%, while a high-cost titanium safety belt reduces it by only another 3%. An airbag, at a fraction of the cost of a titanium belt, reduces the risk far more significantly.
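
The diminishing-returns argument above can be put into numbers. The following is an added example, not code from the original post: it models each control as an independent filter and compares the risk reduction bought per unit of spend by upgrading the same control type against adding a different layer. The 50% and 3% belt figures come from the post; the airbag effectiveness and all cost figures are constructed assumptions.

```python
"""Residual-risk model for layered controls (added example, not from the post)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Control:
    name: str
    effectiveness: float  # fraction of incidents this control stops, 0..1
    cost: float           # relative cost units; constructed placeholder


# Belt figures follow the post: nylon stops 50%, titanium only 3 points more.
# Airbag effectiveness and every cost figure are constructed assumptions.
NYLON_BELT = Control("nylon belt", 0.50, 1.0)
TITANIUM_BELT = Control("titanium belt", 0.53, 10.0)
AIRBAG = Control("airbag", 0.30, 3.0)


def residual_risk(controls: Sequence[Control], baseline: float = 1.0) -> float:
    """Fraction of incidents that get past every layer.

    Layers are modelled as independent filters, so residual risk is the product
    of each layer's pass-through rate. Independence is the key assumption: two
    controls of the same type are usually correlated, which is why stacking
    them plateaus instead of compounding.
    """
    risk = baseline
    for c in controls:
        risk *= 1.0 - c.effectiveness
    return risk


def reduction_per_cost(current: Sequence[Control], proposed: Sequence[Control]) -> float:
    """Risk reduction bought per unit of additional spend over `current`."""
    extra_cost = sum(c.cost for c in proposed) - sum(c.cost for c in current)
    if extra_cost <= 0:
        raise ValueError("proposed option must cost more than the current one")
    return (residual_risk(current) - residual_risk(proposed)) / extra_cost


def compare_options() -> Dict[str, float]:
    """Upgrade the existing control type vs. add a different kind of layer."""
    current: List[Control] = [NYLON_BELT]
    options = {"upgrade belt": [TITANIUM_BELT], "add airbag": [NYLON_BELT, AIRBAG]}
    return {name: reduction_per_cost(current, opt) for name, opt in options.items()}


if __name__ == "__main__":
    for name, value in compare_options().items():
        print(f"{name:13s} risk reduction per cost unit: {value:.4f}")
```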

Just like Starcraft’s micro (unit control in battles) and macro (resource planning, map control etc.) management, there are also micro and macro in Information Security. At the macro level we need a risk framework, governance, strategy, measurements and metrics; at the micro level we need vulnerability research, code analysis, log monitoring, intrusion signature development and reverse engineering. Lacking either one will neither win you a Starcraft game nor protect your enterprise information effectively.

Business Process Security - The Layer-8 of Information Security Model

Posted in /home/research, /opt/risk_management, /root/IT Management on August 14th, 2009 by Rick Zhong

I can’t believe this is the first entry in my blog in the past 6 months, and we are more than halfway through 2009. It has been … ‘busy’ … (err.. I tend not to use this word, because everyone is busy and it is not really justifiable given the very diverse scales of measurement ..) Anyway, I have been travelling around the Asia Pacific region, meeting people from very different cultural backgrounds, professions, ways of thinking and lifestyles. It is fun, although there is frustration, boredom and stress. That’s part and parcel of life anyway.

The only thing that triggered me to sit down and write this post is the inspiration from reading a couple of articles in one of the backlog ISACA Journals. In the “HelpSource Q&A” section there is a question on how to fight phishing attacks against online banking applications. Although I have been dealing with process-level controls for the past year, the words “attacks”, “applications” and “phishing” immediately trigger the technical, geeky style of problem-solving in me, and ideas such as strong 2-factor authentication, SPF (Sender Policy Framework) and gateway spam filtering come straight into the picture.

However, the very first key control suggested is to have a properly defined e-mail communication policy for both sending and receiving e-mails to and from customers. The advice then goes on to a number of very good business process improvements which take fighting spam and phishing e-mails into consideration. A few small changes to a business process can easily mitigate a bunch of security issues which technology alone finds difficult to tackle. It reminds me of the days when great amounts of effort and resources were spent on network-level controls in order to fight application-level security issues. Are we in the same situation nowadays, spending too much effort creating application-level or even information security process-level controls in order to tackle business process-level security issues?

I believe it’s time to introduce business process security into the information security model and make it a layer-8 practice. Just like building security into the SDLC, we should build security into a business process from the very beginning. The thought of having a whole new paradigm in the information security model is really exciting. I am sure this will bring drastic changes to the infosec industry; probably soon we will see business process-level security penetration testing, business process hardening, etc.

IT Governance, ITIL and ValIT - Three musketeers in IT Management World

Posted in /home/research, /opt/risk_management, /root/IT Management on April 28th, 2008 by Rick Zhong

I can’t believe I am writing this post to talk about “IT Governance”, “ITIL” and “ValIT”. For technical folks like me, terms like “IT governance”, “Value IT” and “ITIL” were always vague, abstract and a lot of “bxxxxxxt”. However, after working in a consulting environment for 2 years and now in a regional role at a huge financial institution, I have started to see the type of problems which IT Governance, ITIL and “ValIT” were created to address. It’s impossible to cover everything about these three musketeers within a few blog posts, so I will keep this as a continuous effort to share my understanding, especially for geeks out there who face the same challenge as me.

IT Governance comes from corporate governance, and the definition by the IT Governance Institute is: “The leadership and organisational structures and processes that ensure that the organisation’s IT sustains and extends the organisation’s strategies and objectives.” It is a concept that usually includes 2 parts: IT decision making and execution. Firstly, it aims to put the right person in the right position to make the relevant IT decisions, and to establish accountability for those decisions as well. Secondly, it requires controls and measures to make sure the decision is properly and effectively executed, while the risk is controlled during delivery.

Based on ITGI’s definition, there are 5 focus areas of IT governance: value delivery, strategic alignment, performance management, resource management and risk management. Val IT is the framework and set of best practices for achieving the value creation part of IT governance. Val IT is derived from Control Objectives for Information and related Technology (COBIT). It’s no surprise that Val IT is one of ISACA’s “products”.

ITIL (Information Technology Infrastructure Library) currently comes as v3. It is supposed to cover 5 key volumes: service strategy, service design, service transition, service operation and continual service improvement. ITIL is purely a collection of best practices. It aims to be a practical guide for IT governance implementation, but the word “Infrastructure” indicates a pretty limited scope, although I seriously doubt the accuracy of these namings. Also, the volumes are only available to commercial users.

Information Security Risk Categories

Posted in /opt/risk_management on March 21st, 2008 by Rick Zhong

Recently I have been doing some work on risk management, mainly information security risk and its impact on medium to large companies in the financial sector. Commonly used risk categories include, but are not limited to, the following types:

1. Monetary loss (such as reduced revenue, inflated expenses etc.)

  • High Risk: Potential for a significant impact on revenue or expense plan (greater than $xxxx per day)
  • Medium Risk: Potential for a moderate impact on revenue or expense plan (between $xxxx - $xxxx per day)
  • Low Risk: Potential for little/no impact on revenue or expense plan

2. Legal and Regulatory Risk

  • High Risk: Risk of potential regulatory intervention and supervisory action or fines (greater than $xxxk per day)
  • Medium Risk: Significant compliance gaps with potential serious impact or fines (between $xxxx - $xxxx per day)
  • Low Risk: Common compliance findings without serious impact (less than $xxxx per day)

3. Reputation

  • High Risk: National or international news segment (Print, TV, Blog or Radio). Repeated news mentions.
  • Medium Risk: Makes local news with potential for national coverage
  • Low Risk: No external exposure. If leaked externally, unlikely or negligible impact

4. Competitive Ability (for example, leakage of new product information etc.)

  • High Risk: Potential for a significant impact on potential new enterprise-wide customers or incremental fees
  • Medium Risk: Potential for a moderate impact on potential new customers in isolated markets or incremental fees
  • Low Risk: Potential for little/no impact on potential new customers or incremental fees

5. Customer/internal Staff

  • High Risk: Potential for significant loss of existing customers enterprise-wide or significant impact on employees enterprise-wide
  • Medium Risk: Potential for a moderate loss of existing customers in isolated markets or moderate impact on employees in certain geographies
  • Low Risk: No loss/negligible loss of existing customers or impact on employees