Friday, 28 January 2011
Data Governance Anyone?

I recently had a scary experience with Amazon.  I regularly order items on this site and have not had significant problems.  However, yesterday was different.  I was ordering an emergency flashlight and a four-way travel power strip and was about to complete my order when I noticed that the shipping charges totalled $1055.44.  See the screen shot to see what I saw.  Fortunately I caught this and didn't click "Place your order".  Amazon explained to me that the seller, not Amazon, had incorrectly provided this shipping cost.  Was it fraud, a computer error or a simple human error?  I don't know.  Did anyone else order the flashlight before me?  Here is an example of a data governance problem: Amazon is importing erroneous seller-supplied data without checking it.  It is Amazon's reputation that will suffer if someone really does order the $1000 flashlight.  I believe there is an opportunity for security professionals to get more involved with these types of problems.  It doesn't really matter whether the data "glitch" is fraud, a data import error or human error; the effect on the customer relationship is the same.  As an entry point into this field, check out
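The gap described above, seller-supplied data reaching the storefront unchecked, is the kind of thing a plausibility gate on import catches before a customer ever sees it.  What follows is an added example written for this post, not Amazon's code or anything from the original page; the field names, the threshold values, the seller history and the sample listings (including a $1055.44 shipping charge on a flashlight, mirroring the post) are all constructed assumptions.

```python
"""Plausibility gate for seller-supplied shipping data on import.

Added example for this post; not Amazon's code.  Field names, thresholds,
vendor history and sample listings are all constructed assumptions.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Listing:
    vendor: str
    sku: str
    item_price: float   # seller-supplied item price, in dollars
    shipping: float     # seller-supplied shipping charge, in dollars


# Hypothetical policy limits (assumed values, not from any real marketplace).
MAX_ABS_SHIPPING = 200.00       # above this a listing is held for review regardless
MAX_SHIP_TO_PRICE_RATIO = 3.0   # shipping more than 3x the item price is implausible
MAX_HISTORY_MULTIPLIER = 5.0    # vs. the seller's own median shipping on past listings


def check_listing(listing, vendor_history):
    """Return a list of findings for one listing; an empty list means it passes."""
    findings = []
    if listing.item_price <= 0:
        findings.append("item_price must be positive")
    if listing.shipping < 0:
        findings.append("shipping must not be negative")
    if listing.shipping > MAX_ABS_SHIPPING:
        findings.append(
            f"shipping {listing.shipping:.2f} exceeds absolute cap {MAX_ABS_SHIPPING:.2f}"
        )
    if listing.item_price > 0 and listing.shipping > MAX_SHIP_TO_PRICE_RATIO * listing.item_price:
        findings.append(
            f"shipping {listing.shipping:.2f} is more than {MAX_SHIP_TO_PRICE_RATIO:g}x "
            f"the item price {listing.item_price:.2f}"
        )
    # Compare against what this seller has charged before; a sudden jump is a
    # classic sign of a mis-keyed or mis-mapped feed field.
    past = vendor_history.get(listing.vendor, [])
    if past:
        baseline = median(past)
        if baseline > 0 and listing.shipping > MAX_HISTORY_MULTIPLIER * baseline:
            findings.append(
                f"shipping {listing.shipping:.2f} is more than {MAX_HISTORY_MULTIPLIER:g}x "
                f"this seller's median of {baseline:.2f}"
            )
    return findings


def gate_import(listings, vendor_history):
    """Split a batch into accepted listings and (listing, findings) pairs held for review."""
    accepted, held = [], []
    for listing in listings:
        findings = check_listing(listing, vendor_history)
        if findings:
            held.append((listing, findings))
        else:
            accepted.append(listing)
    return accepted, held


# Constructed seller history: shipping charges on each seller's past accepted listings.
VENDOR_HISTORY = {
    "seller-123": [4.99, 5.49, 6.99, 5.99],   # median 5.74
}

# Constructed import batch; the first listing mirrors the post's $1055.44 shipping charge.
SAMPLE_BATCH = [
    Listing("seller-123", "FLASHLIGHT-EMERG", item_price=24.99, shipping=1055.44),
    Listing("seller-123", "PSTRIP-4W", item_price=19.95, shipping=5.99),
    Listing("seller-456", "USB-CABLE", item_price=9.99, shipping=-1.00),
]

if __name__ == "__main__":
    accepted, held = gate_import(SAMPLE_BATCH, VENDOR_HISTORY)
    for listing in accepted:
        print(f"ACCEPT {listing.sku}")
    for listing, findings in held:
        print(f"HOLD   {listing.sku}: " + "; ".join(findings))
```

Run as-is, the flashlight is held on three separate findings (absolute cap, ratio to item price, and deviation from the seller's own history), the power strip is accepted, and the negative-shipping listing is held on the basic range check.  Holding for review rather than silently rejecting keeps the decision, and the evidence, visible to whoever owns the seller relationship, which is where the fraud-or-error question in the post actually gets answered.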

Posted on 01/28/2011 9:40 AM by Frederick Scholl
Wednesday, 12 January 2011
Learning from the oil spill disaster

I believe that information security professionals can learn from disasters reported in other areas.  After all, the basic security mission of prevent, detect and respond is the same whether the assets being protected are bytes of data or barrels of oil.

Yesterday the National Oil Spill Commission released its final report on the Deepwater disaster of April 20, 2010.  The section on root causes was especially interesting.  It is not often that we get a real analysis of the root cause of a security incident.  In this case the identified root causes were failures in management and communications, both of which directly apply to information security management.

Here are the causes identified by the Commission and the corresponding actions that should be taken by security managers to help avoid a security disaster:

1.  There was no process to evaluate the risks associated with last-minute changes in well design or procedures.  This highlights the necessity of security representation on the Change Advisory Board as well as a strong change management process overall.

2.  There was inadequate testing of well processes before they were put into use.  Again, this highlights the need for a strong change management process and QA function.

3.  There were inadequate communications between BP, Transocean and Halliburton.  Most security operations today are at least partly outsourced to one or more vendors.  In the case of Deepwater there were numerous communications failures between vendors and between well management and operational personnel.  This highlights the need to include vendors in the security incident process and to expand that process to cover security events that may be leading up to a larger incident.

4.  A previous near-disaster was inadequately communicated.  Another rig operated by Transocean had experienced a similar blowout four months prior to the Deepwater disaster.  Transocean had prepared an advisory regarding this event, but it was not communicated to the Deepwater team.  This highlights the need for regular review of security incidents by security management and continuous improvement of security controls.

The Commission report states that this accident was the result of mistakes and was avoidable.  Implementing the above procedures will help eliminate similar types of avoidable information security disasters.

Posted on 01/12/2011 11:03 AM by Frederick Scholl
Friday, 7 January 2011
Down the Rabbit-Hole...Again?

The New York Times ran an interesting story on January 5 about a House Republican inviting input from business on which regulations were impeding economic recovery.  I am sure the House will get at least a few comments on this topic.  Since I had just finished reading Professor Tim Wu's new book--The Master Switch--I had the distinct feeling I had seen this process before.

All security professionals operate in a highly regulated environment and more information security regulations can be expected in 2011.  The Internet is a commons and needs regulation, but it is not clear if this should be government regulation, private industry self-regulation or a combination of both.  Government regulation recently has seemed inept and unable to prevent either disastrous financial meltdowns or near disastrous oil spills.

Professor Wu's interesting book documents the interplay of industry and government control in the telecom and media business over the past 100 years.  One theme of this book is the attempt by industry to control the regulatory process for the benefit of specific industry players.  It is neither a pretty picture nor an optimistic one.  The author does offer the idea that all of us need to be involved in the regulatory process at some level.  Ultimately regulations, or the lack of them, are just a reflection of the political trends of the times.  Security professionals need to be heard in this process just as much as industry lobbyists.  Professional group activities are one way to participate.

You might think there is no way you can have any influence.  However, a friend recently forwarded me a success story about government regulation.  This is the story, by another professor, Herbert Needleman, of the successful regulation and control of lead in the environment.  While this took 30 years, the level of lead in the air decreased by 30X from the days of lead-containing gasoline.  Most interesting is the description of lead industry research purporting to show that rats with lead-containing diets were healthier than rats with no lead!  The other interesting point in the lead story is the almost heroic work of a few people, who ultimately were proved right.  One individual can make a big difference, even in Washington.

Posted on 01/07/2011 10:48 AM by Frederick Scholl
Monday, 3 January 2011
Don't forget basic physical security risks

It is easy to forget the information security risks associated with physical security.  Sophisticated hacks are more interesting than plain theft of computers or paper records.  In truth, electronic thefts are often responsible for the largest numbers of breached records.  However, plain old physical theft or loss shows up all the time on breach statistics web sites.  For example, searching the breach database for 2010 shows that 47% of the 590 reported breaches were attributed to loss or theft of electronic or paper records.

Geographic Information Systems (GIS) software is making it easier to evaluate these risks.  Sites like provide a great visual representation of local crime statistics.  Depending on the type of crimes reported, you may want to provide more physical security controls around your data (and your personnel, for that matter).

As an example, I looked at the crime statistics over a two-month period for a major US city within a one-mile radius of downtown.  The high incidence of theft and robbery might make this a poor location for a call center.  A picture definitely communicates the risks better than any formal risk assessment!



Posted on 01/03/2011 12:55 PM by Frederick Scholl