CHAPTER 5: DECEMBER: OH, FOR THE SAKE OF YET ANOTHER PROPOSAL …

Security improvement programme

In this particular instance, there was an initial budget to deliver a particular goal, then a realignment of expectations following the achievement of that goal. This was because in reality, what was put on the submissions that were required to be presented to external auditors was not the reality of what was actually going on inside the organisation. Not untypical. So a plan of action (in security terms, this is usually called a security improvement programme (SIP)) was put into place to address the compliance gaps. The gaps were way beyond just technological issues and spanned all three points of an imagined triangle of people, processes and technology.

By now, a couple of months down the line from the initial granting of compliance to an external connection requirement, the SIP was moving along apace. However, executive management required many more business proposals in order to explain why a quite significant amount of further funding was being sought to help with addressing these gaps.

In spite of the reality of being able to continue to deliver change on an incremental basis without it having a significant impact on anyone’s bottom line, senior management need constant evidence of how these improvements are making a difference and to whom. If the evidence is not compelling, it can become incumbent on the ISM to provide senior management with visually convincing reports or, worse still, you may find yourself having to write further proposals to hold on to the budget you have already secured, in order to ensure that you are allowed to continue to spend it on the security enhancements as planned.

In many ways, this approach is flawed and harks back to my opening gambit –as long as ‘doing security’ is seen as being a project, with a beginning, middle and, most importantly, a presumed end, then management find it hard to understand why there is a constant demand for further investment, resources, technology enhancements, etc. But this is the reality of the landscape within which we are operating. Our information assets are now more highly prized and more actively sought after than ever before, and so the role of the ISM needs to involve constant education and awareness raising, highlighting the latest trends, threats, vulnerabilities, risks and mitigation strategies.

Fax management

There are still many organisations where facsimile (fax) communications are the most reliable medium (and, in some cases, most secure). However, in order to ensure a consistent level of safety, fax handling procedures may be required as a mechanism for reminding people how to use the medium. The answers (solutions/controls) are simple once explained, i.e. there is no real rocket science involved; and this is the beauty of real information security laid bare for users in a way with which they can resonate – when the solutions are simple and easy to grasp.

Table 5: Faxing – what can go wrong

Image build again

As there were a number of key deliverables as part of the change programme, one of these – the delivery of a secure image on to all desktops – continued to be a challenge. The difficulties were very often not of our own making. For example, we ended up having to take off JavaScript™ because the software from a third-party supplier was not able to work with it as it was creating conflicts with other applications. As previously mentioned, this was part of a bigger issue, as it was a well-known industry third-party supplier who had clearly not upgraded their software with patches and software updates provided by other key providers to address known vulnerabilities. So you end up having to downgrade your security to operate some of the most fundamental services using key corporate systems.

This continues to be an unacceptable industry-based situation, which the third-party providers should be embarrassed into changing – and not at the great expense of, in particular, the public purse, which they have already plundered with hefty ongoing maintenance charges for many years.

With the reality of about 300 public sector organisations using the same software, the cost for upgrading should be on the vendor and not each individual public sector organisation separately. Central government procurement – and those involved in mandating centralised delivery of systems – should be making these kinds of pleas and ensuring these changes in the future, as part of the intended savings and improvements anticipated by the UK Conservative and Liberal Government coalition.

Equally, the public sector must get tougher in renegotiating contracts and demand better security for its citizens, whose data they are using, sharing, transferring and processing, all day, every day, and which is being stored and housed in these flaky systems across our land.

Physical security findings

There are many aspects of physical security that need to be within the bounds of understanding of the ISM and not just assumed to be within the control of facilities management (or whatever your equivalent is).

In many cases, you will find that not all of your sites (buildings, locations) have locked cabinets where cables are sited. So, these need to be physically visited and secured in order to maintain that outward display of ‘security in action’.

Figure 2: Unlocked cable cabinets

The kind of thing shown in Figure 2 was discovered by conducting physical security reviews of teams, sections or departments, usually at the request of their management, in the early evening, when the cleaners were around. Cleaners are usually very helpful. Part of their process may be to lock doors to all the rooms that they have keys to, but if there are no keys, this is obviously impossible. On many occasions, doing these physical walk-arounds, there were doors found open that should not have been. This exposed weaknesses in terms of the extra access they provided as a result of conjoined rooms and the internal doors that joined several offices together not being locked. I carry out these reviews in a pair, wherever possible, so that one person can make notes and the other can take pictures. The visual evidence is the most powerful tool you can imagine for showing users and management the error of their ways. It is the information security equivalent of holding up the mirror, so that they can see what’s wrong, and by implication work out what needs to be changed in order to effect a security improvement. This is tangible and gives you instant quick wins in terms of improved information asset protection, which cannot be underestimated. All the effort in the world at protecting network security – server scanning, etc. – cannot reduce the risk of someone leaving something they should not have done on their desk for someone else to see, photograph or steal.

With the availability of camera phones these days, anyone with their eye on making a ‘fast buck’ could easily penetrate your organisation through physical security vulnerability and then either sit down and have a good long read, or take photos and send them off to the local, or even national, press and make quite a splash in terms of a media storm in a teacup.

If people had to value the information assets they handled on a daily basis, like they do currency, then they might end up better protected. But the items are so easy to discard that it becomes more difficult to encourage consistent protective behaviour. Information labelling and handling can help in this area – ensuring that markings are given to the information assets being used, stored, handled, shared, processed, transferred, etc.

There are a great many files that should be marked as ‘restricted’ and kept permanently under lock and key – and the keys need to be registered and controlled, not left out on display. But this will take a significant culture change and effort of education.

So, we need to start with personal responsibility – people really need to take on board that they need to be actively participating in protecting and caring for these files. This means locking them away at night and then secreting the keys appropriately. It means keeping their rooms neat and tidy and not allowing stacks of cardboard to pile up, nor prioritising stacking newspapers over stacking files.

In the majority of cases, keys were left in most cupboards, drawers, etc. – and on one occasion it was even possible to locate the ‘stash’ of all the keys to all the doors in a drawer in a unit, and another stash on top of a cupboard in a corridor.

Why is it that there is always ‘kit’ left around? In any office you go into, rest assured you will find old equipment that is unused – perhaps a telephone or two that need to be decommissioned and a printer. There are proper recycling companies for electronic waste in operation these days that can make the task of kit removal so much easier that there is really no excuse for any clutter collection.

Consider, also, the age of the information that may be readily available. Papers are usually left lying around that are older than the ‘current year’. Given that most organisations should be operating a proper RM programme with a records retention schedule in place, having documents lying around that are outside their immediate period of use is inappropriate, as these should be in the archives or destroyed. The ISM needs to work closely with their records manager – if such a role exists. If it doesn’t exist, then the ISM needs to take this on as part of their functionality, in order to provide the appropriate breadth of protection to information assets for their organisation.

Part of your task is to try and get into the mind of your colleagues to help you explain why you think what they are doing is wrong. I have seen some interesting prioritisations in my time – a neat stack of newspapers on a shelf inside a cupboard near a door, and yet there were files out on both the desk and the shelves (all identifying individuals). People usually claim a lack of space, and yet the picture in Figure 3 shows just how much shelf space was available.

Figure 3: Virtually empty cupboard

Some people seem to think it is appropriate to leave their filing on the floor when they run out of space. Why would that ever be considered appropriate? Each office needs a dedicated person who does a ‘sweep’ every evening to watch out for these information traps.

As I say, getting into the mind-set is tricky. So, what’s wrong with the picture in Figure 4?

Figure 4: Confidential waste bin?

A confidential waste bin should be one that you cannot put your hand in to get papers out; it should be lockable, and the keys and access should be tightly controlled. This is like the best a kindergarten could come up with and is not what you would expect to find in a mature and professional organisation. But, until such issues are pointed out visually, the required change doesn’t occur, because the attitude becomes ‘it’s the way we’ve always done it’.

In one office I visited, there was a supermarket trolley being used for file storage! We’re into the second decade of the 21st century, and yet some offices appear to be still operating like something out of the 1950s. It is simply astonishing what people tolerate on a daily basis.

Expect the unexpected – there may still be floppy disks lurking in people’s desk drawers. There really is no point in keeping these if you have no mechanism for reading the data. If this is the case, they need to be securely destroyed – shredded, for example.

Any build-up of waste does not look good – overflowing waste-paper bins are definitely not to be encouraged. The first question has to be ‘why isn’t the paper being recycled?’ Then, you check the contents and consider whether, in fact, it should have been placed for shredding or confidential waste. Equally, any build-up of confidential waste is of concern, especially when it is not being stored behind locked doors. Again, it makes too easy a target for someone to simply steal a bag at random, not knowing what jewels of information might be contained therein – but you never know your luck, and that’s the point of calling it an ‘opportunist theft’.

Figure 5: Awaiting collection

Physical security solution suggestions

• Wherever possible, recommend some reorganisation of office filing to make best use of the available storage. There is rarely the space crisis as expressed to you, given the volume of Christmas decorations, tea bags and old (out of retention period/should be in the archives) papers you can find in cupboards!
• Seek to ensure that files in regular use are locked away, as a matter of course, when not in use, and ensure that no papers are left out on desks at the end of each day.
• Make it mandatory that any files that identify living individuals are locked away at the end of every day in a secure storage area.
• Move the files that are not required to the appropriate secure storage area, in conjunction with your records manager, if you have one – either external archive storage or onsite secure storage.
• Ensure that rooms that need to be locked at the end of the day are locked, with the keys being removed!
• Seek to increase staff awareness on the issue of information security and the importance of reporting issues to the correct person.
• Arrange for all redundant equipment (telephones, printers, chairs, desks – everything, do not be selective as it just becomes divisive) – to be removed in the appropriate manner. For example, electronic equipment should be removed in compliance with the Waste Electronics and Electrical Equipment Directive. (See http://en.wikipedia.org/wiki/Electronic_waste.)
• Ensure that exposed cabling and power supplies are secured. This means the blindingly obvious – i.e. make sure that no one could walk up to any cabinet or similar and unplug anything, just because they can, because the mischief in them thinks it might be funny to see what the end result would be … You may need to liaise with your equivalent of facilities management to put the right physical protection measures in place (lockable cabinets, cable boxing, ducting, etc.).
• As an overall physical security improvement measure, build the right kind of messaging into information security awareness briefings, so that all your employees know what to be looking out for, and understand and appreciate the importance of reporting even the smallest of issues to the right person, in a timely manner.
• Ensure that you have an appropriate information security incident handling process to support this. We will discuss this in the next chapter.

Other security tasks for this month

Environmental concerns

I have already mentioned the need to be aware of as many projects as possible, so that you can ensure that security is being weaved in. Most organisations are in the process of ensuring that their IT strategy meets a ‘green’ agenda – consolidating data centres, reducing carbon footprints and impact on the environment, etc. Some of the more useful technology to appear in this space is the kind that helps to put your desktops, etc. to sleep when not in use. For the users across your organisation, there are security implications with regard to leaving machines on overnight that need to be considered, particularly with regard to messaging and depending on what the machines are used for.

Information security awareness briefings

You need to be aware of the project and be aligned with it, so that you can assist with the right kind of communication, particularly as your information security awareness briefings may be giving out the wrong message.

By now, we were four months into the security improvement plan. Briefings had been delivered to thousands of employees on a one-time basis, face to face. Work was now required, in communicating with both personnel and IT training colleagues to ensure that the delivery commitment was picked up in a way that would ensure a repeat redelivery 12 months hence, with reminder notifications to all employees to undertake the supporting computer-based training (CBT) module that was available across the organisational intranet. This all needed to be made available to new starters as part of induction and a plan of delivery was required for contractors and agency staff, too. Also, for those workers who did not have access to the intranet, it was important to provide a ‘train the trainer’ function to ensure that local delivery of the security awareness briefings could be carried out, so that no one was left out.

The positive benefits of ensuring that the delivery had been done on a face-to-face basis, with one trainer providing a consistency of message and style, were beginning to be reaped. The users were starting to report more incidents, advising of concerns and asking questions. This highlights gaps in policy understanding or in security infrastructure implementation that you can seek to address.

‘Kit’ movement

Users have become much more tech savvy in their home environment, without a doubt, although the reality is actually that users are experiencing more up-to-date equipment being available to them, with faster speeds and lower prices, but with no more training or awareness of what it is that they are handling. This increased level of technological expectation in the home environment cannot easily translate to the corporate/organisation environment, as it is unrealistic. It also does not give them licence to move or disrupt existing installations in your organisational infrastructure and this must be explained to them, then enforced and monitored.

Central management systems that provide detailed logs of activity on all desktops, laptops, servers, etc. in your network provide invaluable information, once analysed, and the analysis needs to be used to inform policy reviews. You need to know if a desktop is moved or if a network cable is disconnected – for how long, by whom (if possible) and for what reason. You need to be able to explain to the users why this is important and what problems it creates at the technology end, as all they see is a cable that they can easily unplug. They don’t understand the ‘bits and bytes’ and data being exchanged through that cable.

Laptop users … again!

Laptop users still have a tendency to save a great deal of information to the hard drive of the machine and this can only be justified if the machine itself is being encrypted at boot-up. In the UK, this is particularly important, given the strength of focus that the Information Commissioner’s Office is putting on this area. It (full disk encryption) is also an expectation that is spreading more globally, too, given the scale of data breaches and information losses being experienced and their impact throughout the last few years.

New laptops are being produced all the time and some of the latest models are designed without CD/DVD drives. You need to consider this if you are buying in bulk and ensure that you order the right style of equipment to serve the needs of your users. This means their work needs, not their personal use needs, given that, of course, they should not be using the equipment for personal use, wherever possible. Certain functions in your organisation may require a CD read/write facility and you need to be able to keep track of the information being written, as the assumption is that it will be either shared or stored. In both cases, this needs to be done securely. So you need to establish whether you can enforce any kind of encryption on the transport and/or transfer of that data, and maintain some kind of register of CDs/DVDs burnt and shared, particularly if you are expecting them to be returned to the organisation. These kinds of things really arise when you meet the reality of having written a policy or procedure that requires this kind of action, but it can be hard to maintain so you need to be flexible enough to review, revisit and ultimately rewrite to meet the needs of both the users’ group and the organisation. As ever, as long as you are providing the best level of protection for the sensitivity of the information assets concerned, you won’t go far wrong.

Security awareness theme

This month’s information security theme should definitely pick up on Christmas – from the aspect of gift giving and not to cause any religious offence. Picking up on the well-used phrase ‘A dog is for life, not just for Christmas’ you could pick any element of best-practice information security and the same would apply. ‘Back-up is for life, not just for Christmas’ perhaps?

Chapter summary

This chapter has focused on the physical security issues that can cause you difficulties across your organisation and hopefully teased out some elements that you may not have previously considered. If you change your viewpoint, you can think further outside your own peripheral vision and box!

There is a real need to have a particular mind-set if you are going to be a successful ISM, and it seems to be something you need to have innately, rather than something that can be taught … although reading books is a good place to start to build a better arsenal of capabilities for yourself!

Being a security engineer gives you a certain skillset, as does being a security architect. Perhaps even being a ‘bouncer’ (a physical security person) would help. You need to be able to think ‘like an attacker’, be it a technological one or a physical one. In property law, the terms ingress, egress and regress are used to denote the rights of an individual to enter, leave and return to a property, respectively. These terms are also used in the IT world with regard to system access. You need to consider what points of egress and ingress, in particular, could be compromised (and in what way), so that you can be prepared with some solutions. Wherever possible, apply proactive, rather than reactive, security safeguards.

In becoming an ISM, you may not have started out through any kind of standard route, but if you are of a more open and flexible mind-set, you are likely to flourish. Your responses need to be relatively ‘fleet of foot’ in order to address the multitude of different aspects of challenges that may meet you on any given day, usually from the sublime to the ridiculous, but most often not based in technology itself, but rather in people and processes.