Information Security Assessment: Comprehensive and Holistic

Comprehensive vs. Holistic: Not the same

A comprehensive approach to an information security assessment sounds like a good thing, correct? After all, comprehensive means “complete; including all or nearly all elements or aspects of something”. Having focused exclusively on conducting information security assessments for the last ten years, I have often tried to communicate the difference between comprehensive and holistic effectively. A recent electrical utilities project we worked on perfectly illustrates the problem with a “comprehensive” approach and why a “holistic” approach is required for critical systems.

There is a tremendous amount of energy and focus in and around Smart Grid security. It is well deserved, as the challenges are numerous: rapidly evolving technology, even more rapidly evolving standards and guidelines, and the sheer number of moving parts (e.g., in-home equipment, smart meters, demand response applications, customer-facing applications, utility and service provider transit networks, Distribution Management Systems, IP-enabled SCADA devices, etc.). The client recognized these challenges and developed a comprehensive approach to assessing the security of their Demand Response initiative. (Demand Response (DR) is a mechanism for managing customer consumption of electricity in response to supply conditions, for example by having electricity customers reduce their consumption at critical times or in response to market prices.)

Their comprehensive approach included:

  1. A design review and penetration test of the In Home Device (IHD) and smart thermostat (connecting the customer to the meter)
  2. A design review and penetration test of the smart meter (connecting the meter to the transit network)
  3. A design review and penetration test of the smart grid wireless network (connecting the meters to the demand response application and management networks)
  4. An application penetration test of the DR application and a network penetration test of systems supporting it
  5. A design review of the communication between the utility and the Demand Response application

In order to meet a very aggressive project deadline, two different vendors were engaged in this assessment. Another vendor performed the smart meter testing (#2). Their testing focused on ensuring that the communications between the smart meter and the smart grid were secured appropriately (which they were). Where things jumped the track a bit is when we identified vulnerabilities in the IHD (#1) that may allow it to communicate upstream in an unintended manner. Unfortunately, the vendor assessing the smart meter had not tested whether the meter did, or could, “block” unexpected (malicious) upstream communication from the IHD. In fairness to the vendor, it wasn’t part of the utility’s “defined” assessment scope.

Holistic means “emphasizing the importance of the whole and the interdependence of its parts”. Interdependence is critical when evaluating complex systems. Identifying and understanding the interdependence between the various technical solution elements, and the key processes that are necessary to effectively “operationalize” them, demands a holistic approach.
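The scoping gap described above is easy to model: treat every link in the DR chain as two directed flows and ask, for each direction, which scope item actually verified how the receiving component handles it. The script below is an added example written for this post, not code from the author or the engagement; the component names, the links between them, and the flows each of the five scope items is taken to have verified are constructed assumptions built from the narrative (item #2 secured meter-to-grid traffic in both directions, and nobody checked how the meter handles traffic arriving from the IHD).

```python
"""Check an assessment scope for interface directions that no scoped item exercises.

Added example, not the post's or the engagement's code. The components, links and
the flows each scope item verified are constructed assumptions based on the post's
narrative, not a record of the actual assessment.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Flow:
    """One direction of communication across a link: src sends, dst receives."""
    src: str
    dst: str


@dataclass(frozen=True)
class ScopeItem:
    number: int
    component: str          # the element this item puts under test
    description: str
    verified: frozenset     # Flows whose handling this item actually exercised


# Constructed system model: each link in the Demand Response chain.
LINKS = [
    ("In Home Device", "Smart Meter"),
    ("Smart Meter", "Smart Grid Network"),
    ("Smart Grid Network", "DR Application"),
    ("DR Application", "Utility"),
]

# Constructed scope mirroring the post's five items. Which flows each item verified
# is an assumption for this example: item 2 secured meter<->grid, but nobody checked
# how the meter handles traffic arriving from the In Home Device.
SCOPE = [
    ScopeItem(1, "In Home Device", "IHD / thermostat design review and pentest",
              frozenset({Flow("Smart Meter", "In Home Device")})),
    ScopeItem(2, "Smart Meter", "Smart meter design review and pentest",
              frozenset({Flow("Smart Meter", "Smart Grid Network"),
                         Flow("Smart Grid Network", "Smart Meter")})),
    ScopeItem(3, "Smart Grid Network", "Wireless network design review and pentest",
              frozenset({Flow("Smart Grid Network", "DR Application"),
                         Flow("DR Application", "Smart Grid Network")})),
    ScopeItem(4, "DR Application", "DR application and supporting network pentest",
              frozenset({Flow("Smart Grid Network", "DR Application"),
                         Flow("Utility", "DR Application")})),
    ScopeItem(5, "DR Application", "Utility <-> DR communication design review",
              frozenset({Flow("DR Application", "Utility"),
                         Flow("Utility", "DR Application")})),
]


def all_flows(links):
    """Every link is two directed flows; interdependence runs both ways."""
    flows = set()
    for a, b in links:
        flows.add(Flow(a, b))
        flows.add(Flow(b, a))
    return flows


def uncovered_flows(links, scope):
    """Directed flows in the model that no scope item verified, sorted for stable output."""
    covered = set()
    for item in scope:
        covered |= item.verified
    return sorted(all_flows(links) - covered)


def receiving_items(flow, scope):
    """Scope items whose component under test is the receiver of the flow.

    These are the natural owners of a gap: the question "does the receiver reject
    unexpected traffic on this link?" belongs to whoever is testing the receiver.
    """
    return [item.number for item in scope if item.component == flow.dst]


def coverage_report(links, scope):
    """One line per gap, naming the scope item(s) that should absorb it."""
    lines = []
    for flow in uncovered_flows(links, scope):
        owners = receiving_items(flow, scope) or ["none in scope"]
        lines.append(
            f"GAP {flow.src} -> {flow.dst}: receiver-side handling not verified; "
            f"add to item(s) {owners} ({flow.dst} under test)"
        )
    return lines


if __name__ == "__main__":
    for line in coverage_report(LINKS, SCOPE):
        print(line)
```

Run as written, the report contains a single line: the In Home Device to Smart Meter direction is verified by nobody, and the item that should absorb it is #2, because the smart meter is the component under test there. The point of modeling flows rather than components is that a scope built per component (a "comprehensive" list) looks complete while still leaving the seams between components, and the vendor boundaries that usually coincide with them, unexamined.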

A holistic approach is challenging:

It requires “due diligence” at the project outset to really think through the requirements of the assessment. A risk-centric approach is the only way to effectively scope a holistic security assessment. We favor an ISO 27005 aligned approach that treats information and processes as the assets, which focuses the assessment on information- and process-centric risks.

My takeaway was a better way to communicate the difference between a comprehensive and holistic information security assessment. Hopefully, yours will be the recognition that critical, complex systems with a high degree of interdependence require a holistic approach to risk assessment, risk management, and the information security assessments that support these efforts.



Is ISO 27001 Right for (Y)our Organization?

Thinking about ISO 27001 Certification? View our free On-Demand ISO 27001 Webinar

  • How to deal with increasing threats
  • How to manage multiple regulatory requirements
  • How to handle client requests for attestation
  • To validate that significant changes did not have unanticipated results

Download: Information Security Attestation Guide

A Best-Practices Guide to Information Security Attestation

Download our proven Information Security Guide to simplify the process of protecting your data, proving you’re secure and growing your business.

Free Whitepaper: Stop Wasting Money on Penetration Testing

Penetration Testing is most frequently performed to:

  • Substantiate the net effectiveness of a mature control environment
  • Prove to a third party that an environment is secure/trustworthy
  • Quickly assess the security of a less mature control environment (in a sense a technical risk assessment)
  • To validate that significant changes did not have unanticipated results

Free Download: ISO 27001 Implementation Roadmap

Have no fear – our “roadmap” will guide you, step by step, through the entire ISO 27001 process.

Getting to ISO 27001 certification is a process made up of things you already know – and things you may already be doing!

Free Download: A Best Practices Guide to Database Security

Because data is only as secure as the systems & processes it relies on – a holistic approach to data security is essential. This roadmap is not meant to be exhaustive but rather to stimulate the necessary thought process to put you on the path to good data security.

Best Practices for Firing A Network Security Administrator

Want to know how to fire a Network Admin? Need to know what precautions to take? Firing any employee can be a stressful event. Firing one who has significant knowledge of and privileged access to your Information Technology/Security infrastructure is even more stressful, as the risks are so notable.

Free Whitepaper: Five Best Practices for SIEM

The promise of SIEM is the consolidation of all relevant Security Event Logs from disparate sources into a single unified and normalized data store.

About the Author:

John Verry, CISA, 27001 Certified Lead Auditor, CCSE, CRISC - "Security Sherpa" - Information Security Auditor
