You are posting a comment about...
Learning from the oil spill disaster
I believe that information security professionals can learn from disasters reported in other areas. After all, the basic security mission of prevent, detect and respond is the same whether the assets being protected are bytes of data or barrels of oil.
Yesterday the National Oil Spill Commision released its final report on the Deepwater disaster of April 20, 2010. The section on root causes was especially interesting. It is not often that we get a real analysis of the root cause of a security incident. In this case the identified root causes were failures in management and communications, both of which directly apply to information security management.
Here are the causes identified by the Commission and the corresponding actions that should be taken by security managers to help avoid a security disaster:
1. There was no process to evaluate the risks associated with last minute changes in well design or procedures. This highlights the necessity of security representation on the Change Advisory Board as well as a strong change management process overall.
2. Inadequate testing of well processes before utilization. Again, this highlights the need for a strong change management process and QA function.
3. Inadequate communications between BP, Transocean and Halliburton. Most security operations today are at least partly outsourced to one or more vendors. In the case of Deepwater there were numerous communications failures between vendors and between well management and operational personnel. This highlights the need for including vendors in the security incident process and for expanding this process to include security events that may be leading to a larger incident.
4. Inadequate communication of previous near disaster. Another rig operated by Transocean had experienced a similar blowout four months prior to the Deepwater disaster. Transocean had prepared an advisory regarding this event, but it was not communicated to the Deepwater team. This highlights the need for regular review of security incidents by security management and continuous improvement of security controls.
The Commission report states that this accident was the result of mistakes and was avoidable. Implementing the above procedures will help eliminate similar types of avoidable information security disasters.