(NOTE: content may be light this week as I’m performing an audit based on BITS Agreed Upon Procedures.)
I was thinking of another reason why checklist-based approaches fail, and I came up with yet another lame security analogy. I thought I’d force it on you. In thinking about this audit, I realized that data is to an organization (especially a financial institution) what syrup is to my 3-year-old eating pancakes.
(not my kid, but flickr user Big DC’s)
Without adult supervision, my boy puts an enormous amount of syrup on his pancakes. You might as well take the little flow-limiting mechanism off the top of the squeeze bottle and let half a bottle of maple goodness douse the plate. Now the consequences of this much syrup are twofold:
- It tends to make the child hyper. The sugar high must be enormous. The child is bouncing off furniture like a pinball, chattering away at about 10,000 words per minute, reciting the Wiggles and Tolkien with equal ease, giggling uncontrollably one minute, screaming at the top of his lungs the next. On top of it all, his tactile senses are in overload. He’s touching everything in sight — which complicates the next part:
- He’s sticky. Very, very sticky (see the young lady, above). And thus everything he touches is sticky. A week later I’m wondering why there’s this patch of rug fuzz on the TV remote, why the “T” key on the boy’s iMac is stuck in the down position, why there are sticky brown patches on my stupidly expensive camel’s hair overcoat, why the cat hasn’t moved from one spot in about seven days…
Data, for financial institutions, is the same way. The abundance of data, and the new, cheap and easy access to it, makes business development ecstatic. They’re offering access to this, they’re crunching those numbers, they’re doing new, wonderful and creative things with your and my personally identifiable information. They’re bouncing off the cubicle walls.
But while we security professionals are stuck managing the child on the sugar high, everything is becoming sticky. Sticky with data. It’s on servers and desktops. It’s over wireless and wires. It’s near and far: on crackberries and laptops, off to business partners and into test environments. Reams of the stuff are being printed, tons of it is being talked about, and, like my furniture, toothbrush and wife’s hairbrush, we find out at inopportune times that the sticky stuff is definitely where it shouldn’t be.
How does this pertain to checklist approaches like BITS Agreed Upon Procedures (AUP) (or ISO, or whatever)? Easy. Checklists don’t take into account the “stickiness” of data. Specifically picking on AUP, there’s nothing about not using live data in test environments, or about figuring out how and when data touches “portable electronic devices” and how those should be locked down. Maybe those things will be covered in a future version, but for now they’re missing. It’s not like laptop theft issues aren’t well known.
Not to mention that there’s no “risk driver” for AUP. It’s binary: a control such as a “vibration alarm sensor in the Secure Perimeter” is either there or it isn’t. It doesn’t matter whether risk analysis says it’s effective or not: if you aren’t protecting your Minnesota bank from earthquakes, you’ve got a frowny-face sticker on your AUP audit, and that goes off to whoever the audience of the resulting document is.
The bottom line is that as long as checklists and risk assessments focus on assets and best practices and not business processes and data, we’re going to have these problems. We’ll clean the kitchen floor, only to find sticky syrup in places we least expect.