A discussion got started on Twitter two weeks ago about whether or not complying with standards and regulations such as PCI, HIPAA, FISMA, ISO 27001, etc worked when it comes to securing data.  A good friend of mine, Mike Smith of the Guerilla CISO Blog, offered the point of view that compliance works, it is just that we don’t have the right requirements.  It was my point of view that compliance doesn’t work and thus the point/counterpoint began.

 

Let me say that Mike and I are very good friends and we respect each other’s opinion and point of view.  That was good because we were able to focus on attacking each other’s arguments and the conversation didn’t degrade into the usual “you don’t get it and you should just listen to me because I’ve been doing this for x number of years and know what I’m talking about” that we regrettably so often see now a days.   Let me also say that Mike and I often like to play devil’s advocate in order to explore both sides of an argument.  I can say that what I’m about to relay, I honestly believe but I make no assertion with Mike’s point of view.  You’ll have to ask him if he holds that position or if he was playing devil’s advocate with me.  In the end it really doesn’t matter all that much. 

 

We took the discussion off Twitter and onto email because it is hard to develop and present arguments in the 140 character sound bites that are Twitter.   What I’m about to summarize is an email that I send laying out what I believe to be the salient points and my contention that compliance doesn’t work.  Once this is over please feel free to join the discussion – dissenting points of view are welcome. 

 

Point:

Compliance does work it is just that we haven’t done a good enough job in setting the requirements (the required elements of standards and regulations such as PCI, FISMA, ISO 27001, COBIT, etc).  Since these requirements are not directly translatable into buildable/testable requirements then they are not adequate and that is why compliance fails.  If our requirements were buildable and testable then achieving compliance would work. 

 

Counter Point:

Compliance doesn’t work because it is based on the assumption that achieving a given set of requirements will result in a secure system (or environment).  For example, installing a web application firewall or intrusion detection system will not necessarily help to secure your environment if they are not configured properly.  Standards and Regulations are often written to address the widest audience possible.  As a result many, if not all, of the requirements need to be tailored for each specific environment.   By refining the requirements you effectively reduce the applicable audience and by extension increase the number of variances that need to occur in order to widely apply the standard or regulation.  As a result you’ll still be struggling with the same issues just from a different direction.

 

In order for something to be considered a standard it must meet the balance between being applicable to a majority of its audience and be actionable.  If it is too broad then it can’t be a standard because it doesn’t provide value, if it is too narrow then it can’t be a standard because its audience is too small (i.e. it is not widely applicable).   So is it really a problem with standards?  I don’t think so. 

 

The main problem with the compliance mentality is that it has you striving to achieve a requirement which, while related to the goal, is not the actual goal of what you are trying to accomplish.  The goal that you are trying to secure information with a reasonable level of security controls.  A reasonable level of security involves much more than achieving a set of requirements within a standard.  It involves fully understanding the information lifecycle and choosing controls which correspond to how information is used and how critical it is to your organization.  By definition, standards don’t offer that. 

 

Now don’t get me wrong, I’m not advocating that we throw out standards such as PCI, FISMA, HIPAA, ISO, etc.  What I am saying is that we need to view them in the proper perspective and for what they are as opposed to what they have been portrayed as.  Standards and regulations can and do provide focus and some of the necessary elements to achieve a reasonable level of security but they do not make an organization secure in and of themselves. 

 

Is the answer to create more refined standards and regulations?  I don’t think so.  By doing so you would only make them less applicable.  What we do need to do is make sure that our approach to security not only incorporates the existing standards and regulations but goes beyond them is search of a reasonable level of security control.  (Whether a truly secure system is even possible is another topic that we can debate.)  Information Security is a journey, it isn’t a destination.  We need to foster an approach that values responsibility and reasonableness over blind compliance.  

 

Tags: Compliance, FISMA, Guerilla CISO, HIPAA, ISO 27001, Mike Smith, PCI, regulation, requirements, twitter

For those of you who are either working for or supporting the U.S. Federal Government, I wanted to let you know that I’m teaching a seminar/workshop on the FISMA Certification and Accreditation process at the end of this month (30-31 March).  This is an overview of the entire process with a lot of lessons learned.  Anyone can read the NIST documents so what we teach is an approach to the process that will make it relevant in your environment as opposed to some checklist/massive documentation approach.    What it is not is a typical vendor seminar – you won’t get any sales pitch and we don’t push any products.   

We are delighted to have several government speakers at this two day event as well.  Marianne Swanson from the Computer Security Division of NIST will be our keynote speaker on the morning of the first day.  We will also have a panel of government experts to share their experience in making C&A relevant.  They will be Tim Ruland – CISO of the U.S. Census Bureau, Porter Davis – Information Security Officer with the Department of Housing and Urban Development (HUD), and Paul Rickets – Senior Information Security Officer, Nuclear Regulatory Commission (NRC). 

All of this will be taking place as I said on the 30^th and 31^st of March 2009 at the beautiful Willard InterContinental Hotel in Washington DC.  The event is being put on by the Potomac Forum, Ltd. a non-profit educational organization founded in 1982.   The team of individuals who put this on with me has a pretty wide base of experience and we try to instill the lessons we’ve learned over the years in what we teach.  This is very much a team event where everyone contributes material and instruction.  We have been honored to keep getting asked back to teach this seminar.  It’s been over 5 years now. 

Anyway if it is something you’re interested in, you can find out more at the Potomac Forum website. 

Tags: Accreditation, C&A, Certification, FISMA, HUD, Marianne Swanson, NIST, NRC, Paul Rickets, Porter Davis, Potomac Forum, Tim Ruland, U.S. Census Bureau

The following is a piece that was originally written for Network World’s Security Newsletter and published in March of 2006.  It was a collaborative effort between Joe Faraone, a close friend, and I.  The issue we touched on really hasn’t gone away so I thought that I’d dust it off and update it a bit. 

Sometimes we hear senior managers and executives expressing frustration with government regulation by saying that the issue has come down to a choice of either being secure or being compliant.  In fact Compliance remains the number one driver of information security as reported in the 10^th Annual Global Information Security Survey conducted by Ernst & Young. 

This is consistent with the article that sparked the original version of this post.  That was an Information Security Magazine article from October 2005 in which security managers were asked to respond to the question, “What is your biggest obstacle to implementing and managing security related government regulations?” Responses reveal that the top two obstacles faced were unclear compliance related responsibilities and interpreting regulatory language. This point of view appears to be more prevalent in the private sector than the public sector.

One of the reasons for this discrepancy is that the public sector must follow a specific framework for measuring the maturity and effectiveness of its information security programs: certification and accreditation (C&A). The Federal Information Security Management Act of 2002 (FISMA) was intended to provide for the development of and maintenance of minimum controls required to protect information systems and to provide for a framework for ensuring the effectiveness of these controls. While many of the overriding principles followed in C&A are contained within the law, nowhere are the words “certification” or “accreditation” found.

FISMA points to the Office of Management and Budget (OMB) as well as the National Institute of Standards and Technology (NIST) to obtain guidance. OMB has issued its Circular A130, which requires that all federal information systems to be certified and accredited following guidelines developed by NIST.

Now the C&A process has gotten a lot of bad press, some of it well deserved but coming from someone who has worked with the process in one form or another for the past ten years I’d say that it comes down to a matter of implementation rather than issues with the process itself.  If the process is viewed as just another paper exercise intended to satisfy auditors then it is a waste of time but it is also missing the forest for the trees. 

NIST has done a laudable job of developing and revising this guidance. It provides a methodology to fully document, measure, assess, track and report on the health of information systems from the aspect of security. These guidelines show how to integrate an information security program with the systems development lifecycle as well as how to test the implemented controls.

Those in the private sector are probably wondering why this should be important to them.  Many argue that the control sets mandated by the process are too much for a private sector environment.  Implementing the full set of baseline controls would be too costly and provide little ROI others say.  Again, my response is that you’re missing the forest for the trees.  The process itself is what is valuable here and is flexible enough to allow any set of requirements to be utilized not just the set of baseline controls provided by NIST. 

NIST publications and the methodology for conducting certification and accreditation are freely available and constitute an untapped publicly available security resource. Inputting the government regulations (Sarbanes Oxley, Health Insurance Portability and Accountability Act, etc.) into this framework allows the private sector to document, measure, assess, track and report upon the security posture of their information systems and how well government regulations are adhered to. The private sector can assess the maturity of their information security programs and determine how well these programs integrate into their overall business processes.

What is key for the private sector is that the process must be tailored to your environment and needs.  Herein lies the problem that has plagued C&A from its beginning – it is often applied improperly. 

When the emphasis is placed on being compliant, people go through the motions and focus on technology and checking boxes rather than leveraging the power of the framework to assess the effectiveness of their programs.

The two most basic elements of any system are often overlooked or underemphasized: the information being protected and the people who use the information. You can put in all the high security devices you want in a system, but if you do not account for the people who need to use the information system and the criticality of the information within the system, you still will not be secure.

If the C&A process is improperly applied then it does result in a lot of wasted time and paperwork. If it is properly applied then it becomes a wonderful tool to assess the effectiveness of your security controls – everything from policy and procedure down to control functionality and configuration.  It provides a holistic view of the network and security with the emphasis on being secure. Compliance is simply a milestone on that journey.

The beauty of this is that the information that you need to implement this framework is _free_ and fully available at the NIST Web site. Do you need to hire high priced consultants to come and set this up for you? No, you don’t. Although consultants can save you some time on the learning curve, the guidance available through NIST will allow you to begin the process on your own. You can then use consultants to give you an independent review of your program or to bolster areas where you might feel less comfortable. But remember that you must tailor this framework to fit your environment – use what works and make sense and discard that which does not.  (Sorry government readers – this doesn’t apply to you.  You don’t have the same latitude to do that as does the private sector.)

The CIO implementing this approach can concentrate on the details of how information is protected and used rather than scurrying about wondering how to bring order to the new herd of cats that legislation has unleashed.

Take the framework that NIST has so diligently given us, plug in the requirements that you are subject to, and then sit down with your network architects, your user representatives and your key project managers and find a way to work efficiently but securely. With the NIST framework, you will be able to assess, measure, track, and deliver a more secure and user friendly network and in the process, achieve compliance.  I have done this with amazing results so I know for a fact that it works. 

Alternatively, keep enjoying your view of the forest.

Tags: C&A, Compliance, Ernst & Young, FISMA, Information Security Magazine, Joe Faraone, Network World, NIST, OMB, Published