In a mad dash toward security compliance or to plug known vulnerabilities, IT professionals have a tendency to implement security controls without thinking through what could go wrong with them.
They mean to do well. They really, really do. But sometimes we create new risks when our intention is to reduce them.
Take my favorite humbling story from early in my information security career. I was auditing a company whose information analysts were paid by the hour to crunch financial databases. If a batch of data analysis took 6 hours to run, then that was 6 hours billed. If they had enough demand and two data analysis systems, then they could bill for 12 hours in that 6-hour period. After seeing that they ran billable analysis all week long when demand was high, I asked during the audit how the analysts kept their information processing going over the weekend. “Well,” they said, “We’ve got computers at home, too. We log on through the VPN, download data to our home computers and crunch numbers there at the same time.” Knowing that some of that data could potentially be personal, sensitive data, I reacted strongly: “You’ve got to prevent data from being sent to home computers over the VPN, NOW!”
And the IT team agreed, as did their CIO, and they shut down data transfers over the VPN to personal computers. It would be tough on billable work, unless some powerhouse laptops that the company controlled and encrypted could be used for the same purpose.
I stopped by the analyst team the next week and asked whether they had got their new laptops, or whether they were coming in to work after hours to manage their weekend-long analysis. “Oh, no problem at all,” they said, “We’re able to continue billing through the weekend and overnight still.” “Good,” I said. “And how are you doing that?” “Well, when we’re in the office, we just copy the databases onto these USB thumb drives . . .”
What had I done? By blocking the analysts’ normal business activities without thinking through the consequences, I had prompted them to increase their risk. What if they dropped those USB sticks?
There are two complementary lessons here that we need to keep in mind as we design information security controls:
- When information security controls interfere with incentivized activities, the incentivized activities will win . . .
- . . . and when they do, there will be new risks created.
So how do you implement these controls without adding new risks?
Whether you are applying the ISO 27001 standard, working toward PCI DSS compliance, or complying with laws and regulations, new information security controls should be designed in cooperation with the end-users who will have to live with them. If the planned control is feasible from a process, business, technology and physical standpoint, then try it out. Test it. Observe how people behave during the testing. Interview the end-users and the administrators who are responsible for working with the new controls. Are there unnecessary impediments to business? Are the controls sustainable? Are these controls interfering with other controls?
If your test of the new controls reveals any of these shortcomings, then tweak them, again with the cooperation and ideas of the end-users, and test your revised controls. In short: reduce their need to work around security controls so they can get their work done!
Your information security controls must support the business: they must reduce risk while allowing business processes to succeed. Working with end-users to design security controls that meet both requirements is a sure way to achieve both goals.