The Leonardo da Vinci of Information Assurance
Posted by John Verry on Wed, Feb 04, 2009 @ 10:40 AM
On my flight back from Phoenix I had an interesting experience that reminded me that what we do is still as much an art as it is a science.
I was asked to review “Management's Response” to the findings and recommendations we provided during the Security Certification and Accreditation process for a very large, mission-critical application for a government client. In doing so, I often referred back to our original reports to ensure that the responses and schedule they proposed were reasonable, appropriate, and likely to achieve the security objectives that management had defined for the project.
During the review I suddenly felt a little queasy. Unfortunately, the blame was mine (not the gourmet airline cuisine): in reviewing our findings and recommendations it became apparent that we had failed to identify a (perhaps significant) risk. There’s still a little five-year-old left in me – the first thought that popped into my head was “If I don’t tell anyone …”.
As you might imagine, not missing security risks is pretty important for an Information Assurance firm. To that end we have formalized our processes wherever possible, including at least one Quality Assurance review by a second consultant. In this particular case I had provided the QA and had missed the same issue that the primary security consultant had.
Thoughts swirled …. Why did this issue suddenly become apparent on review? What can we do to reduce the likelihood that this happens again? More importantly, what can we do to prevent this from happening again? Even more importantly – what did we need to do to prevent this issue from delaying the deployment of business-significant changes to this critical application?
First the great news – after considerable angst on our part we determined that the “new risk” was fully mitigated by an existing technical control. The application rolled out to everyone’s satisfaction on schedule. The good news – we have made several subtle changes to our QA process to make this less likely to happen. We also sampled a number of our previous Certification projects to ensure that this was an isolated incident. The less than good news – the reminder that despite progress, Information Assurance is still as much an art as it is a science.
On both sides of the fence (build versus assess) there have been some significant Information Assurance advances over the last five years that have moved us more towards a “science”. Dozens of major universities are now offering excellent programs. OSSTMM is a very intriguing methodology for security testing whose elements we are increasingly leveraging. We utilize elements of the prevailing logical frameworks and/or good practices (ISO 27001 and 27002, COBIT, CIS, NIST, and OWASP), which allow us to take as consistent and methodical an approach as possible. Unfortunately, as new technologies emerge (e.g., Flash, Web Services/SOA) the frameworks remain largely applicable, but good practices often trail.
So for now, my goal will have to be more Leonardo da Vinci than Albert Einstein — as comfortable with a paint brush as I am with a telescope.