CHAPTER 10: MAY: POLITICS AND MANAGEMENT

Situational political awareness

Wikipedia describes ‘situational awareness’ as:

The perception of environmental elements with respect to time and/or space, the comprehension of their meaning, and the projection of their status after some variable has changed, such as time. It is also a field of study concerned with perception of the environment critical to decision-makers in complex, dynamic areas.

In many ways, the construction of this book is one of pulling together a lot of elements that are important to the ISM role as part of maintaining your situational awareness. An understanding of the impact of politics is part of that jigsaw.

This was the month of a change of government in the UK, which had a profound impact on the whole of the public sector ICT infrastructure and strategy planning for quite some time. Whilst the arrival of the new government (the Conservative–Liberal Democrat coalition) should have heralded momentum, it did not transpire that way, largely because of the deep recession and economic turmoil that was having a lasting impact.

The new government of the day planned to scrap some £15bn of controversial IT projects, including the identity (ID) card scheme and the national identity register (£4bn), the next generation of biometric passports and the contact point database (£224m). This was to have a significant impact on a number of working plans at the time related to authentication of users on systems and information sharing out of some of those systems.

A great deal of the intended focus was on transparency and the ‘right to government data’ which turned into the UK’s effort at ‘big data’ and ‘raw data’, as well as the publication of all local government spending over £500 and the publishing online of all government tender documents, etc. All of this had huge implications for the engine room of organisations involved in such work, as well as for the InfoSec-related controls and safeguards that had been building up over time. As the intention was to publish a large swathe of information that had hitherto been under wraps, risk assessments would be needed to judge the impact and to address issues of data quality, integrity, accuracy and presentation. This was the start of a mammoth undertaking for all concerned. Whilst entirely worthy in the public sector, it was not without its overheads nor its level of significant distraction from what was already a full workload with depleting resources.

Language and management challenges

It can often be the case that managers appear not to be paying attention because their perception is that security is getting in the way. Information security is accused of stifling innovation. This is an unfair representation of the reality when looked at through a different lens.

Failure to account for the time and motion costs of stopping projects, clawing back money and then reigniting the work at a later stage is costing organisations (the public sector, in particular) dearly. Capitalising the funding for projects is also the wrong view, as ICT can then find itself running out of funding for its own department. This is a risky strategy, given the need for ICT to be the firm and secure bedrock upon which the organisation is founded.

There are obviously time and cost considerations when implementing the latest technologies. Just because one lone, powerful enthusiast in your ICT department is allowed to do so – without engaging the business, without fully understanding the business processes the technologies were meant to support, and without risk-assessing the impacts, threats and vulnerabilities – does not make it right or wise. It needs to be watched out for.

‘I don’t understand what’s involved in hardening a server’, said the individual ultimately responsible for the relevant ICT function. On one hand, this was a very honest admission, but on the other was an appalling reality. But it is probably very likely the case, many times over in many organisations, as security continues to be so little understood by the ICT profession. However, as none of the staff underneath the individual had the skills to ‘manage upwards’, nor were they motivated to go away and find out more about the challenges, this key issue was left constantly floundering.

Several staff attended a security certification course and thereafter understood that a key phrase to use was ‘does the business accept the risk?’ But whilst they were happy ‘throwing it out there’, there was no mechanism to follow up whether or not the business did or did not accept the risk – or even understand it.

‘Why am I doing licensing?’ asked the person whose responsibility it was, even though they knew they were the only one with the appropriate software licensing qualification (FAST). You need to check your licences, as you could be spending money on licences for products that the users either have no training for and, thus, will never use, or will simply never need. Either way, there are cost implications.

A senior director left in a hurry and those underneath were then left with little or no faith in the continuity of the change programme, its sustainability or financial support. Consultants were being brought in at director level and were blocking progress because they were new and frequently needed to find out everything from scratch (the Groundhog Day approach). This is a constant and classic organisational problem, where skills and knowledge disappear out of the organisation and someone is always left needing to play catch up. It is a costly and foolhardy practice, ultimately. The everyday worker bees end up stuck and unable to progress, whilst experiencing director-level departures on ‘fat cat bonuses and pensions’. It is very destabilising and creates depressed employees.

Also, as part of the language and management challenges, people end up not making decisions, so that they do not get blamed for others making mistakes and more paralysis ensues.

Other security tasks for this month

Inventory management (yet again)

Users are now coming forward with all sorts of technology options that they use on a daily basis, and querying the security of these. So what about the use of headphones and privacy filter screens? Who should use these and what, if any, are the disability and accessibility issues versus the security issues they seek to resolve? The answers are whatever you decide they need to be for your organisation, your users and the nature of the information being used.

What about mobile devices with unencrypted onboard memory? In this case the mobile workers carrying out surveys had devices on which only the SD cards were encrypted; anything the survey application cached in the device’s internal memory sat there in the clear. They needed to be advised to close out of the survey using the cross on the box, or to hit the refresh button, to clear the contents – a procedural control that depends entirely on the user remembering to do it, so the residual risk should be recorded against the asset until full-device encryption is available. For each asset item, you can see the need to have it listed on the inventory, and to have some level of reference column identifying the security control chosen to protect the information that the asset will be used to process, transfer or store.

As an aside on inventory management – watch out for the wily user … One most interesting help-desk call we received was a claim using the ‘excuse’ that the PAT testing had failed on machine cables in order to get a whole new PC, rather than just replacing the cables!

Ongoing laptop management issues

As a result of a decentralised purchasing process, it was not possible to control the laptops that were out in the various departments, sections and teams. There was also a stockpile of laptops too old to put back into the estate. This was unfortunate, but proved to be a ‘lessons-learnt’ point in itself, particularly given the increasing attention being paid to laptop control by regulators and the media.

Homeworkers need to appreciate that if they have a laptop in their own home, no matter what they use it for, it will still be identifiable as belonging to a particular organisation if it has an asset tag, and it is that organisation that will end up in the news – even if the device is encrypted.

Port control

The background to the requirement to manage ports is well known by now. Under UK data protection legislation, data controllers have a responsibility to ensure that all reasonable steps are taken to mitigate the potential for data loss or breach of security. The seventh principle of the UK Data Protection Act 1998 requires an organisation, as data controller, to implement appropriate ‘technical and organisational’ measures to keep personal data safe. Failure to do so exposes the organisation to the risk of monetary penalties from the Information Commissioner, which can be up to £500,000. People constantly plug personal storage devices into their work PCs to upload music and wallpaper images, or to transfer digital photos. Their intent may be innocent. The same USB port, however, can be used to siphon corporate data off an endpoint on to a portable storage device, and to bring malicious files in, placing your organisation at considerable risk of undetected data leaks and infection. In this particular case, following the outbreak across the network of Conficker, the most virulent worm at the time, the infection vector was judged to be unencrypted USB devices, so significant focus was needed on addressing this organisational vulnerability. Two caveats are worth stating: Conficker spread via the MS08-067 vulnerability and via Autorun on removable media, so encryption of the stick on its own would not have stopped it; patching, disabling Autorun and controlling which devices may be mounted are the controls that actually close that path.

A standard corporate desktop PC may have up to eight USB ports. Some are required for peripherals, such as a keyboard or security token reader, but there are usually one or more unused ports. In the case of the organisation running throughout the dialogue in this book, by default, USB ports are ‘always on’, ready to serve any USB-enabled device that is plugged into the endpoint computer.

Your organisation may choose to disable USB access via Windows® Group Policy using an Administrative Template (.adm) file, but the older templates in circulation at the time did not give administrators granular control. They were all or nothing: either every USB port on an endpoint was available, or none was. Since most endpoints require USB for mandatory peripherals such as keyboards and token readers, that form of the control is practically useless. (On Windows Vista and later, the ‘Removable Storage Access’ and ‘Device Installation Restrictions’ policies allow removable disks to be denied by device class while keyboards, mice and token readers keep working, which removes the all-or-nothing objection, but not the need for an accurate exception list.) Solving this difficulty can require project team resources to investigate the best approach to port control. However, cost may often dictate that a cheaper solution be deployed, even if it provides less security overall – and increases administrative overheads. This is just another of the many conundrums your role will involve you in, seeking to provide guidance and steering, and the best overall solution to meet all needs. It’s a tall order and a difficult ask.
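The following is an added example, not code from the book or from the organisation it describes, showing the granular form of the control described above: removable disks are denied by device class, the USB mass-storage driver is disabled, and Autorun (Conficker’s removable-media route) is turned off, while keyboards, mice and token readers are untouched. The registry paths are the ones the corresponding Group Policy settings write to; running this directly on a test machine lets you see the effect before the same settings are pushed out in a GPO, with the exception list handled by security-filtering that GPO to a group.

```powershell
# Added example (not from the book). Run elevated on a test workstation.
# In production these values are delivered by GPO:
#   Computer Configuration > Policies > Administrative Templates > System >
#   Removable Storage Access, and > Windows Components > AutoPlay Policies.

# 1. Removable Storage Access: deny read/write/execute on the "Removable Disks"
#    class only. The GUID is the policy's built-in class ID for removable disks;
#    HID devices (keyboards, mice) and smart-card readers are other classes.
$removableDisks = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
New-Item -Path $removableDisks -Force | Out-Null
Set-ItemProperty -Path $removableDisks -Name 'Deny_Read'    -Value 1 -Type DWord
Set-ItemProperty -Path $removableDisks -Name 'Deny_Write'   -Value 1 -Type DWord
Set-ItemProperty -Path $removableDisks -Name 'Deny_Execute' -Value 1 -Type DWord

# 2. Belt and braces: stop the USB mass-storage driver (USBSTOR) starting at all.
#    Start = 4 is "disabled"; machines on the risk-assessed exception list
#    get Start = 3 (manual) instead.
$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $usbstor -Name 'Start' -Value 4 -Type DWord

# 3. Autorun off for every drive type (bitmask 0xFF), so an infected stick
#    that does get mounted cannot launch anything by itself.
$explorerPolicies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
New-Item -Path $explorerPolicies -Force | Out-Null
Set-ItemProperty -Path $explorerPolicies -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

# 4. Read the settings back, so the state of each endpoint can be evidenced
#    during an audit rather than assumed.
function Test-UsbLockdown {
    $rsa     = Get-ItemProperty -Path $removableDisks   -ErrorAction SilentlyContinue
    $start   = (Get-ItemProperty -Path $usbstor).Start
    $autorun = (Get-ItemProperty -Path $explorerPolicies -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        RemovableDisksDenied = ($rsa.Deny_Read -eq 1 -and $rsa.Deny_Write -eq 1 -and $rsa.Deny_Execute -eq 1)
        UsbStorDisabled      = ($start -eq 4)
        AutorunDisabled      = ($autorun -eq 0xFF)
    }
}

Test-UsbLockdown
```

Step 2 is the one that bites exception-list users: with USBSTOR disabled no mass-storage device mounts at all, so apply it through a GPO that is security-filtered to exclude the exception group, and keep step 3 applied to everyone, exceptions included.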

Nonetheless, following a change in the political landscape and the resultant pull-back on spend, the intended port control project was stalled, so the control of removable media devices was not progressing as planned. A less expensive interim solution was being put in place using Active Directory Group Policy to control ports. This highlighted an interesting difficulty with regard to tactics and approach. The accuracy of the data held within Active Directory is always a vital starting point. The Global Address List (GAL) is likewise a fundamentally important element of your organisation’s configuration, and it is vital that the information contained in it is accurate and up to date. When it comes to users, this harks back to our earlier references to the need for an up-to-date user listing, so that you know who your user base is – and that can only be achieved and maintained with the assistance of the various teams that manage people in and out of the organisation. You also need to know who might require being on the ‘exception’ list, for whatever justified and risk-assessed reason, so that they can be excluded from any ‘apply all’ setting fixed in Active Directory in order to roll out a policy setting for all users.
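As an added example (not code from the book), the three checks below are the ones worth running before an ‘apply all’ policy goes out: which enabled accounts have not logged on for months, which HR-reported leavers still have enabled accounts, and who is actually sitting in the exception group and why. They assume the RSAT ActiveDirectory module, a hypothetical group name ‘GPO-USB-Exceptions’, and a leavers CSV from HR with a SamAccountName column.

```powershell
# Added example (not from the book). Requires the RSAT ActiveDirectory module.
# Group name and CSV layout are assumptions for illustration.
Import-Module ActiveDirectory

# Enabled accounts with no logon in $Days days: stale entries that an
# "apply all" policy would still be applied to, and that an attacker could use.
function Get-StaleEnabledUsers {
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate |
        Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
        Select-Object SamAccountName, LastLogonDate |
        Sort-Object LastLogonDate
}

# Cross-check HR's leavers list against the directory: anyone in the CSV who
# is still enabled is a gap between the people process and the user listing.
function Find-LeaversStillEnabled {
    param([Parameter(Mandatory)][string]$HrLeaversCsv)
    Import-Csv -Path $HrLeaversCsv | ForEach-Object {
        $account = Get-ADUser -Filter "SamAccountName -eq '$($_.SamAccountName)'" -ErrorAction SilentlyContinue
        if ($account -and $account.Enabled) {
            [pscustomobject]@{ SamAccountName = $account.SamAccountName; StillEnabled = $true }
        }
    }
}

# Who is on the exception list, whether the account is live, and whether a
# justification was recorded (here assumed to be kept in the Description field).
function Get-ExceptionGroupReview {
    param([string]$GroupName = 'GPO-USB-Exceptions')
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties LastLogonDate, Description } |
        Select-Object SamAccountName, Enabled, LastLogonDate,
                      @{ Name = 'JustificationRecorded'; Expression = { -not [string]::IsNullOrWhiteSpace($_.Description) } }
}

Get-StaleEnabledUsers -Days 90
Find-LeaversStillEnabled -HrLeaversCsv 'C:\reports\hr-leavers.csv'
Get-ExceptionGroupReview
```

Anyone the third report shows as disabled, stale or without a recorded justification should come off the exception group before the policy is enforced; otherwise the exception list silently becomes the weakest part of the control.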

In reality, so many of your tasks and challenges as an ISM will come back to this kind of conundrum – you cannot do anything effectively without quality information and a solid foundation upon which to move forward.

Outsourcing functions

When your staff are moving from your organisation to an umbrella third-party agency, can they really take their e-mail .pst files with them? If so, what level of review of these should take place, to ensure that your organisational information assets are not leaving inadvertently – particularly if the owner of the .pst was using it as a file repository system (records management store), as is mostly the reality. Just another of the myriad of conundrums you may face and which require answers appropriate for your organisation. If only it was possible to wave a magic wand and say that one answer fits all. The principles and the approach are the same, though. Consider the information assets at risk, the threat, the likelihood, the impact (on whom), etc. – and apply appropriate controls accordingly.

Security incident

An individual received 50 payslips in a brown envelope at their home address. They were on a short-term contract before going back to college and their own payslip was posted to their home, but obviously they were not expecting to receive the other 50 as well. It was obviously necessary to safely and securely get the payslips returned and appropriately distributed, and then reassure the individual that something like this would not happen again.

Security awareness theme

Being a Eurovision lover myself, my May theme usually builds up to something related to this European song festival! Given the multicultural world in which we live and the level of diversity we see all around us, this might work in your organisation, too. You could provide a country identity (League of Nations style) for each department/team/directorate and build in some level of competition between them in terms of the best clear-desk policy adherence group; the most secure (fewest incidents experienced) team at the end of the month; or the least frequent users of the help desk. Then remember to present some kind of ‘award’ at the end. A box of chocolates usually goes a long way!

Chapter summary

Another brief month, to reflect that there will be a level of ongoing day-to-day activities that arise with a level of repetitiveness, because your journey towards the kind of optimised information security-aware culture, embedded in the DNA of your organisation, may be a long and potentially tortuous one. I’m just being honest!

You need to be a relentless beast to ‘Prove all things; hold fast that which is good’ (1 Thessalonians 5:21).
