The late late edition.

Well folks, I’m finally checking in at the end of a week which shall go down in history as a craptacular festival of Executive Idiocy.

Before I go off the deep end and plunge into a classic infosec-guy’s weekend full of alcoholic anesthesia, I thought I’d relate to you a new-ish concept in my arsenal of Information Assurance.

“Risk Reduction through Executive Education”

In this week’s episode, we find your humble scribe sitting in a Status Meeting.

The room is abuzz with the high energy that comes to every Friday’s status meeting – that energy that somehow causes meetings to be dragged onwards and outwards to a somewhat terrifying FULL HOUR. (Note: want to increase the productivity of your team? Set the default meeting length in your calendaring system to 30 minutes.) As we slowly (agonizingly) work our way through the issues raised, we find ourselves in the midst of a really tough one for most Infosec departments.

You see, there’s this senior executive and he’s found a flaw in the basic authorizations in one of the major data management systems. He’s been describing the flaw to anyone who’ll sit through him telling the tale in a “Look what I did – stupid IT people don’t have a clue” fashion that just sets my teeth on edge.

I ask how we found out about it.

The.
Grapevine.

Yes folks, we’ve got ourselves a genuine Security Incident. And at this point exactly ZERO of the CSIRT processes have been followed.

We have no idea what the real problem is (no first hand account).
We have no knowledge of whether or not the problem is still contained.
We have done zero analysis.

I look around with (what I hope was) a benevolent paternalistic gaze and ask who is thinking about whether or not they’ll be continuing to enjoy employment.

After several people gibber and kvetch, we settle down into the groove and attempt to process events as if we were actually involved.

I give the executive noted in the story a call and ask if it would be ok to come over and have a little chat.

(Cut to exec’s office)

I sit down and we exchange pleasantries.

I ask him point-blank if there is anything that he thinks we need to discuss.

He looks at me with the same look that my son has on his face when I catch him covered in chocolate with a bag of chipits spread all over the floor.

“Maybe we should talk about the thing I found in the $big_system.”

Yes, that does sound like an excellent idea.

He leads me down the path that he discovered and I finally get a handle on the issue.

Good news #1: We’re contained. Other than a half dozen other executives and some IT staff, no one knows about this.

Good news #2: There is a (weak) compensatory control in place. Auditors would still freak out, but it’s “Management Letter” freaking out, not “Qualified Audit” level freaking out. (Insert mental image of yours truly doing the Hampster Dance.)

Good news #3: He’s actually suddenly contrite.

I explain to him that if I find out that he repeatedly accessed the information he did, we’re going to have to involve HR.

Because I’m not completely evil, I go on and explain to him that for most kinds of confidential data access, we’ve got a one-liner built into the annual ethics sign-off that he’s required to not access information which is not directly related to his job and that he’s required to inform Information Security when he accidentally accesses information for which he does not have a legitimate need.

The trouble is that he’s probably off the hook – you see, despite an incredible amount of case law to the contrary, most organizations still do not apply policy equally to all ranks of employees. If the employee involved were a junior-level clerk, HR would likely throw the book at him and declare him an object lesson for other employees. Since he’s a senior guy, that’s not going to happen – he’s too valuable; we’ve spent too much time and effort to acquire and maintain him in the position that he’s in.

And I’ve just neatly had my knees cut out from under me.

So while I’ve got some good news, I’ve also got some bad news.

Bad News #1: The grapevine that got this information to me is also going to carry the information that for execs, there are no consequences. And if there are no consequences for execs, the lawyer wannabes are going to be able to argue effectively that there is inconsistent application of policy and therefore they are likely exempt from the provisions of the policy just like our executive.

Bad News #2: Despite knowing better, the exec got caught up in the thrill rather than doing the right thing. He knew the right thing. He actually showed up to the training session and asked cogent questions. Is the training flawed? Is the training now an ineffective control? Will I have to revamp my controls assessment to determine whether or not I’m adequately covered when I remove training from the list of controls?

Bad News #3: I’ve lost the effective support of HR.

What’s a CISO to do?

Strategy.
Action.
Monitor.
Apply Learning.

I’ve just finished monitoring – and as you know – Apply Learning leads me right back to Strategy.

I think I know what I’m going to do.

I’ll get a start on it Monday.

For now, I’ve got a bottle of beer calling my name.

Anyone have thoughts on what they might do if they were me?

Consider it a table-top exercise. I look forward to your thoughts.

Until next week when I update you on my actual plan and what happened.

[tags]internal controls, CSIRT, CISO, ranting[/tags]
