ZenGRC

Simply Powerful GRC

Technology

OMG IoT: Information Security and The Internet of Things

· ·

On December 6, 2016, the IoT “Internet of Things” Security Foundation announced a new Security Compliance Framework. Below is an intro to IoT and an executive summary of how the Framework will impact information security teams.

What Is The Internet of Things?

Generally speaking, the Internet of Things (“IoT”) applies to objects with internet capabilities whether they be smartphones, tablets, or smart house systems like Hue. However, as Jose Tabuena at Compliance Week notes, “the definition of the IoT has evolved over time. TechTarget describes IoT as “a scenario in which objects, animals, or people are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.” Forbes provides a nice simple description of the concept as one of “connecting any device with an on and off switch to the Internet (and/or to each other).” These devices which are used for work, school, and entertainment provide enormous connectivity capacities. However, that is precisely what makes them a security risk.

Slow down you move too fast…

IoT risks are enhanced by speed of implementation and lack of consumer knowledge. The subcommittee of Commerce, Manufacturing and Trade and the subcommittee Communications and Technology held a hearing on November 16, 2016 to discuss these risks. The hearing started by discussing the October denial-of-service attack which was caused by “weaponizing unsecured network connected devices like cameras and DVRs. Once these devices were under the control of bad actors, they were used to send a flood of DoS requests that ultimately rendered the DoS servers ineffective.” Estimates indicate the existence of 3.4 billion connected devices as potential entry points for 2017 alone. With connected medical devices and connected, self-driving cars increasingly being manufactured or researched, this means that protecting the increasing number of entry points will only get more cumbersome.

Who Is the IoT Security Foundation?

To the extent that a business offers cloud services that are connectible using wireless networks, this push to ensure greater safety will be important. The Internet of Things Security Foundation is a “collaborative, non-profit, international response to the complex challenges posed by security in the expansive hyper-connected world.” In short, IoTSF acts as a self-regulating body to help enhance information security for IoT while still allowing for innovation. As such, the standards it set up could be viewed similarly to those by the International Standards Organization. The importance of IoTSF lies in its ability to have security professionals who work in various areas of InfoSec to help innovators and customers continue to create devices in ways that keep them safe.

What Do the IoT Frameworks Look Like?

IoTSF is not the only one submitting a framework. CISCO has also proposed an IoT framework.  Both take a different approach in the information provided publicly. IoTSF provides a checklist to help get companies started. CISCO focuses more on giving definitions and information to help understand the security issues surrounding IoT. Putting the two together can help create the basis of an effective program.

The IoTSF checklist creates a risk-based approach that looks similar to other compliance programs. This risk assessment involves looking at the products as well as the business practices currently in place. The proposed framework lists 12 areas to be reviewed:  

  1.  Business Security Processes and Responsibility
  2. Device Hardware & Physical Security
  3. Device Application
  4. Device Operating System
  5. Device Wired and Wireless Interfaces
  6. Authentication and Authorization
  7. Encryption and Key Management for Hardware
  8. Web User Interface
  9. Privacy
  10. Cloud and Network Elements
  11. Secure Supply Chain and Production
  12. Configuration

For each of these areas, the framework provides questions and gives a place to link to evidence. For companies trying to stay ahead of the compliance curve, beginning the process of reviewing IoT security may make 2017 easier.

With the growing number of IoT devices, there is a need for business, manufacturers, and customers to work together to keep information, software, and hardware safe. Ultimately, however, it will be industry experts who guide these standards because they can triage the important concerns.  Your business would be well placed to begin reviewing its IoT related risk to determine the best way to implement the Security Compliance framework.

Cleanin’ Out My Closet: Software Not Shared Spreadsheets

· ·

Compliance theme with businessman holding a tablet computer

The devil of compliance is in the details meaning that implementing GRC software might be the perfect way to clean out those proverbial compliance closets. Many of businesses are turning towards automated systems because compliance focused spreadsheets are like the closet that has been accumulating out dated clothing since high school.

For Information Security teams, this kind of disorganization means a lack of audit trail and security. The comfort of spreadsheets, like a good bowl of chili during football Sunday, is an old tradition that can go by the wayside.

Michael Rasmussen, a self-proclaimed GRC Pundit, notes that page 124 of the report on JP Morgan’s London Whale incident was related to problems arising out of spreadsheet error, “the model operated through a series of Excel spreadsheets, which had to be completed manually, by a process of copying and pasting data from one spreadsheet to another.” In other words, the messy Excel spreadsheet process did do anyone any good. If JP Morgan’s troubles didn’t convince you, then maybe these other reasons might.

Shared Spreadsheets Are Not A GRC Platform

Many people believe that spreadsheets in shared corporate drives make it easier to coauthor documents thus eliminating the need for GRC software. Even though cloud storage services are becoming more prevalent, many companies still have that senior executive who has a hard time working in the cloud, and instead choose to download and upload from their desktop instead. This means that even though there may be a shared spreadsheet, version control is still an issue.

A GRC platform eliminates this inconsistency since edits and changes are automatically saved. GRC software also removes the ability for people to download and upload without incorporating the changes to what is documented on the system.

Lack Of History Is Lack of Audit Trail

Spreadsheets fail to provide an audit trail. Again, Google Sheets and other web-based servers seem to solve this by providing the option to view the “history” of the document. While this seems like a decent solution, all the view provides is a notification that someone made an edit. These views do not track the types or content of the edits reliably. GRC software continuously updates and archives documentation with no hassle.

Shared Spreadsheets Share Security Issues

Moreover, continued issues regarding access and security come with shared drive permissions. Shared drive folders have three settings. A person can view, comment, or edit. These options limit the ability to individualize employee permissions to match job and need. For example, not all individuals involved in a company’s information security protocol creation need to have editing rights. For some employees, viewing alone suffices.

You’re probably thinking, “This sounds like a Google Sheet might work.” However, what if a process impacts multiple departments. Determining who in that department should edit, view, or comment may become burdensome since it needs to be done on an individual employee basis. Adding new employees or removing employees can become a full-time job. GRC software permissions allow for individualization of permissions based on job type and employee need for access, on a per-user basis, and at scale.

Finally, when it comes to cloud-based servers such as Google Drives, the freedom to add them to private devices incorporates a new level of risk. With employees constantly working at home or on the go, many may connect their personal accounts to their work accounts to work efficiently. Viewed as harmless by the employee, company information may be compromised without their knowledge or intent. GRC software places greater security over the information with a hosted or on-premise servers.

Shared drive spreadsheets seem to be an innovation to help employees collaborate and keep records. Unfortunately, compliance and audit-related work requires a level of documentation and security that spreadsheets cannot provide. To meet the continued challenges facing the information security community, a GRC tool is the most effective solution.

Better Than Yoda: CIOs, GRC Tools, Principled Performance

· ·

A Jedi uses the Force for knowledge and defense, never for attack. – Yoda
To be a true GRC Yoda, an organization must enact a principled performance based program using knowledge as a defense. However, any good Star Wars fan knows that learning how to use The Force is more important than The Force itself. Yoda, the knowledge-based expert, guided his Padawans to defending the galaxy through knowledge. In the same way, an organization’s CIO can protect a company using the GRC Principled Performance approach.


What is Principled Performance?
Principled performance is defined as “reliable achievement of objectives while addressing uncertainty and acting with integrity.” This means that for an organization to succeed, it must find ways of consistently evaluating unknowns. These evaluations must also be supported and documented to be trustworthy. As an organization’s Yoda, the CIO’s goal is to look to the future and make sure that unknowns are appropriately considered.


Why Principled Performance?
In a webinar on GRC Fundamentals, OCEG Chair, Scott Mitchell discusses how to incorporate GRC into the standards of principled performance. As transparency gains greater social traction, customers seek to know not just what a business does but how it follows through. Customers want proof that a business not only acts ethically but that a business has reviewed all possible interrelated risks that could cause harm.

The first step involves defining objectives and understanding boundaries. Audit focused programs often look at risk-based program management revolving around external standards such as industry standards or regulatory requirements. However, a company’s internal standards, such as policies and processes, are even more important. The integrity portion of the Principled Performance approach means more than simply making promises, it means making sure that the whole organization keeps promises. CIOs must ensure all that their Padawans stay on the Light path rather than veering to the Dark Side due to audit result fears or company policy ignorance.  

In the past, the lack of sharing within a company created silos. Carole Switzer of OCEG noted that the GRC Capability Model can act as an all connecting Force for compliance. One missed risk in a single siloed area can lead to an organizational wide butterfly effect. By bringing together all areas using the same language, these wings can be quelled. Being Yoda means ensuring that all members of the organization from Padawan employees to Jedi Council Senior Management are connected through a shared sense of responsibility.


Why Prove Principled Performance?
Proof requires knowledge and data. The reliability prong of the Principled Performance definition requires having evidence coming from standardized best practices. This is where having a GRC tool can help most. ZenGRC allows users to review evidence and create reports that identify gaps or overlaps in programs. Using a GRC tool can make a CIO better than Yoda when it comes to creating a continuously successful program with consistent outcomes.

If you’re a CIO and you’re reading this right now, don’t worry; CIOs are Yoda in many ways.  Yoda established internal boundaries much the way CIOs establish internal boundaries. Yoda had to teach and reinforce the rules of The Force much the way that CIOs need to teach and reinforce information security policies and processes. However, Yoda had only his memory to ensure ongoing compliance with the ways of the Jedi. CIOs can use software like ZenGRC to establish documentation to ensure ongoing compliance. Using these tools, CIOs can convince their Senior Management, or their own Jedi Council, of their methods. If CIOs want to be better than Yoda, they need to use a GRC software to help incorporate Principled Performance strategies.

I LOVE YOU Not H1N1: InfoSec as Business Continuity

· ·

binary circuit

Information security and business continuity increasingly commingle. Traditionally, business continuity planning focused on natural occurrences such hurricanes, H1N1, and freak ice storms. However, corporations utilizing information technology or cloud services recognize that internet threats constitute a greater danger to their current business operations than nature.
With this in mind, business continuity plans need to change to reflect this. The SANS Institute noted in its 2002 whitepaper that there were five alternative options for business continuity:

Mutual Backup: Two organizations with similar system configuration agreeing to serve as a backup site to each other.

Hot Site: A site with hardware, software and network installed and compatible to production site.

Remote Journaling: Online transmission of transaction data to backup system periodically (normally a few hours) to minimize loss of data and reduce recovery time

Cold Site: An empty facility located offsite with necessary infrastructure ready for installation in the event of a disaster.

Mirrored Site: A site equips with a system identical to the production system with mirroring facility. Data is mirrored to a backup system immediately. Recovery is transparent to users.

Two of the five options, remote journaling and mirrored site, are also the most expensive but provide the shortest response time. For companies looking to use efficient business, recovery plans to maintain customer confidence, the information technology policies and processes, as well as the information gleaned from those audits, will serve a double duty.

Information security controls help mitigate the risks associated with the use of technology. When IT audits review an institution’s controls, they are effectively reviewing the knowledge that top management has regarding the information and communication technologies used within a company. John Gatto President of JAG Associates in Florida lists the following components of effective internal controls:
Information and Communication

  • Systems supporting the exchange of information
  • Forms and time frames enabling people to carry out their responsibilities
  • Regular reporting, policies and procedures, intranet sites

Control Activities

  • Ensure management directives are carried out
  • Approvals, authorizations, reconciliations, security, segregation of duties

Monitoring

  • Feedback on strengths and weaknesses in system of internal control.
  • Performance measurements to detect problems early
  • Effect and efficient Management reviews of internal controls

(Gatto 45)
These controls that act as standards to create effective IT policy strategies dovetail with the current trends in business continuity planning.  
What does all this mean to an organization trying to create a business continuity plan that matches its information security plan?

  1. Both require management of information and communication. As companies look to incorporate electronic remote locations into their business continuity programs, greater attention needs to be paid to the manner through which the information is exchanged. In addition, this means that business continuity planning may also incorporate ongoing reporting and review of any information technology vendors.
  2. Both require controls. Whenever a new information system is incorporated, segregation of duties, security, authorizations, and approvals are necessary. For those organizations relying on cloud services for business continuity programs, these controls and authorities may mirror the ones already in existence or may need to be expanded to other individuals. In this sense, the traditional methods of designating a backup person changes to be less about physical proximity to the backup site and more about security permissions when handling information.

Both require ongoing monitoring. Despite signing contracts with remote business continuity services, things change. This means that even though the ongoing monitoring may not be about internal controls, the organization needs to review the manner through which the vendor controls its systems and how it detects weaknesses proactively.

When to Implement a GRC Tool? – An Excerpt from ZenGRC’s GRC Software Buyer’s Guide

· ·

While the benefits of an all-in-one GRC software solution are clear, a lot of businesses get hung up on timing, asking when is the right time to implement a GRC tool?

Below are three common reasons why businesses put off implementing GRC tools, and responses to why these scenarios are actually the perfect time to get started.

“We’re doing just fine using spreadsheets.”

Research shows that almost 90% of all spreadsheets have errors. When you talk about the data in your compliance program, a 90% error rate, in most industries, is going to be completely unacceptable. The underlying cause is due to the lack of structure around collaboration and version control. If you’re using spreadsheets to manage multiple compliance programs, it’s imperative that you move to a system of record that provides you with a single source of truth that’s more reliable.

“I have an audit coming up”

An audit is a great opportunity to mature from your spreadsheets to a more robust tool. Part of the audit preparation involves getting your compliance data properly documented and collated for the auditor. Taking the additional step to migrate that content into a GRC tool where you can keep it up to date and use it as the basis for ongoing reporting helps you to leverage that work, getting more value out of your audit prep investment. Once you get results back from your audit, you can track your compliance posture and use the GRC tool to aid in remediation, rather than being forced to create and maintain new spreadsheets.

“Budgets are tight right now”

No compliance team is ever over-resourced. However, paying high earning professionals to manage inefficient spreadsheet-based programs is not the best use of your limited budget. Your team’s time would be better spent implementing and ensuring controls are operating effectively, rather than trying to reconcile a handful of spreadsheets or babysitting colleagues via email. A GRC tool that can send automated reminders for compliance tasks is a better investment than having a member of your staff sending out reminder emails and tracking completion status manually!

Be proactive and make managing GRC less of a hassle and more productive!