Skip navigation
All Places > Products > RSA Archer Suite > Blog > 2012 > November
2012

Late last week, the PCI Security Standards Council released its Risk Assessment Guidelines as a supplement to the PCI Data Security Standard (PCI-DSS).   Expanding on the requirements outlined in section 12.1.2 of the PCI-DSS, the new document provides further guidance on the techniques and methods organizations should consider when addressing this requirement of the standard.   As solid and prescriptive the PCI-DSS is, there are several areas – risk management being one – that are very hard to elaborate on beyond the basic requirements of having a risk management process without publishing an extensive treatise on risk management.   The Special Interest Group of the PCI Council has taken this opportunity to expand on its risk management expectations through this special publication.

 

The traits described in the supplement are common to many organizations’ goal of an enterprise risk management program.  Establishment of a Risk Assessment team, implementation of a common risk assessment framework, consistent risk identification methods and the evaluation, analysis and treatment of risks, as outlined in the publication, are core to the ERM strategies of many companies.   This underscores the value of the ERM initiatives that are driving though companies today and is an indicator of what we can expect from regulatory, industry and legislative standards.

 

Risk based approaches are becoming a fundamental component of Compliance activities across the board.  The inclusion of a risk management requirement is common in many industry standards.  The PCI Council has taken the next step to provide more guidance and thus raising the bar on what is expected to meet this requirement.   Those companies that are struggling with supporting or justifying their ERM efforts can look to this trend as another source of rationalization.   Risk management will be considered another key benchmark in a company’s compliance efforts.  Checking the box on “Do you have a risk management program?” will not be as simple as before.  The expectations are being raised as standards bodies are recognizing the benefits, and intricacies, of a strategic risk management program.

Captain’s log: Star date: 11.6.2012

Location: just on the edge of the Illinois galaxy in the Chicago quadrant

Subject: Information Security Forum Congress

 

I am not a Trekkie but I thought this was an apropos beginning for my blog coming out of the 2012 ISF Congress.  This is one of my favorite conferences in the industry and the conference again did not disappoint.  I start with the Star Trek-ish opening because Gene Kranz, of Apollo 13 fame, launched the conference with a fascinating presentation.  During the three days of the conference, I also witnessed Whitfield Diffie meander through Information Security past, present and future and Frank Abagnale, of “Catch Me If You Can” fame, deliver a stirring testimony based on his life.   It was the aura of these unique individuals that hurled me on this trajectory of philosophical thinking.

 

The images of the Apollo 13 mission conjured up by Gene Kranz’s speech, coupled with Whitfield Diffie’s conversation of the information security quandaries posed by technology over the past century and beyond, brought to mind the evolutionary nature of security.  A current security professional striving for ‘complete security’ is like Christopher Columbus worrying about traveling to the moon.  While the moon may be the ultimate new world to explore, Columbus needed to be concerned about staying afloat, keeping his sailors happy, bringing value to the king and queen to keep his head connected to his shoulders and basically surviving the voyage.  For him to be concerned about the supreme achievement in exploration was beyond his current technological, social and personal abilities.  It would have been a futile and hopeless dream for him to try to reach the moon.  But he focused on what was at hand, kept the boat afloat, his sailors pleased, his king and queen satisfied and survived his voyages.

 

And what came of this focus that centuries later seems to be just one small step for mankind?  New markets opened.  New technologies drove exploration across the globe.  Old philosophies collapsed.  Things people accepted as absolute truths fell apart and the world was transformed.  All because a guy did something new and tried to survive while doing it.  His achievement continued to push open the door cracked by Marco Polo and subsequently yanked open by a stream of adventurous explorers.  And thus, we come to the space program and the biggest ‘new world discovered’, as of today, the moon.

 

Security may seem small compared to the exploits of men who literally put their lives on the line for the dream of exploration but we can see a parallel path.   From the Egyptian codes to the Engima; from the bastions of the feudal lords to the mantraps of the bank vault, security has been a constant exploration.  Sometimes there is the discovery of new island; sometimes there is the discovery of a new galaxy.  We need not strive for the ultimate completeness of total security, we just need to keep the boat afloat, the sailors happy and the kings and queens satisfied.  As long as we continue that exploratory path, we will occasionally hit that 2.5 degree window of re-entry necessary to cross the threshold of the Earth’s atmosphere and survive the voyage from the Earth to the moon and back.  In that moment, we will protect our most valuable resource, stop a would-be data breach or catch a thief with his hand in the cookie jar.  And that moment, as Gene Kranz described the Apollo 13 mission, will be our finest hour.

 

If you have your own ‘finest hour’ of security exploration, please comment and tell me.  I believe, like Polo, Columbus and Armstrong, each of us in the security industry are continuing to open that door to new worlds.

49808

 

I'm fresh off the road from the 23rd annual Information Security Forum World Congress, held this year in Chicago! As many of you know already the ISF's Standard of Good Practice is a leading information security best practice framework that we're happy to feature as an authoritative source in Archer. The ISF is a member driven organization comprised of over 300 leading global companies including RSA. What you may not know about the ISF is they also host this fantastic annual event. Each year it's in a different city around the world and this year we were lucky to have it in the US, selfishly in my own time zone!

 

First and foremost, the keynotes this year were nothing short of awesome. Frank Abagnale gave an amazing account of his life and perhaps you'll see an upcoming blog about that too. But if you know anything about me by now you're undoubtedly aware of the soft spot I have for all things aerospace. So you can imagine how excited I was to see Gene Kranz, former NASA Flight Director give his amazing account of the early days of America's space program and the incredible story of Apollo 13. If you've ever seen Ron Howard's movie by the same name you'll remember Gene's character being portrayed by Ed Harris, complete with white vest and all.

 

Gene showed several pictures from that era as he illustrated key examples of the teamwork, leadership, and discipline the team demonstrated; and the goodwill from people around the world who pulled together to collectively will our astronauts back to safety. At one point he revealed a grainy picture of a simple procedure document which became one of the pivotal elements to crew survival. As if they didn't have enough to worry about, midway through their return in their battered spaceship, the crew encountered a major problem with their oxygen supply. Since their moonshot was scrubbed anyway, Mission Control had them utilize the Lunar Module as a temporary lifeboat to preserve the power needed for reentry to earth. As they solved one problem they unwittingly created another. All Apollo crews had three astronauts but only two landed on the moon. The third always remained behind in a lunar orbit to coordinate things when they reconnected. As such, the Lunar Module's life support system was designed to support two astronauts for a day and a half, not three astronauts for four days. This caused the CO2 levels to rise faster than the air filters could handle which posed a fatal risk to the crew. No problem, they'll just swap out a new filter from the other module, right? Nope. The filters were different shapes!

 

So the team on the ground quickly set about finding a workaround to solve the problem of literally fitting a square peg into a round hole. What resulted was a duct tape contraption that, to the uninitiated probably looked like a grade school science project.  But as the air started flowing and the CO2 levels dropped I assure you at that moment it was likely one of the most beautiful devices the crew had ever seen.

 

So there I am, jaw on the floor, as Gene Kranz is telling this story and displaying the actual written procedures for how to build this device. Remember, Mission Control couldn't just beam this new filter up to space, or even send them a picture! The crew had to listen to instructions for how to assemble it, under enormous stress, fatigue, and oxygen deprivation. So those instructions had to be clear and concise. Gene called our attention to the upper right corner of the page where they had incremented versions as they refined the document, scratching out the old version number and writing in a new one. Working round-the-clock on no sleep, the team on the ground and the crew went from major crisis to workable solution in a matter of hours and still produced versioned documentation by hand!

 

In that environment, documented procedures are just part of the deal. The process doesn't work without them so keeping the documentation squared away is baked into the protocol. It's not "extra work" they'll do if they have time left over. It's a core requirement, even in emergencies...especially in emergencies. It kind of puts things in perspective where today we have wonderful tools like Archer to help automate all of that; and leaves little excuse for not having a solid policy management program except that like most things, it ultimately comes down to leadership. After the Apollo 1 fire that killed Gus Grissom, Ed White, and Roger Chaffee, Gene Kranz held a staff meeting to address the issue. In what would come to be known as the "Kranz Dictum," Gene very clearly stated that the Apollo 1 disaster was their fault. By prioritizing schedules and perceptions solid solutions and procedures, they allowed themselves to be pressured into overlooking issues in the hopes it would work out rather than pushing back. In short, they didn't do their job. Gene issued an edict that from that point forward his Flight Control team would live and be defined by two words, "Tough" and "Competent." They would always be accountable, always be prepared, and would never again compromise their responsibilities.

 

Imagine if during the Apollo 13 mission the engineers on the ground just started hollering ideas for the crew to try, rather than methodically working the problem first? Or better yet, what if the higher order expectations set by Gene and others were not in place right from the beginning? Remember in the movie when Gene's character yells "We've never lost an American in space and we're sure not going to on my watch! Failure is not an option!" And later when responding to criticism that Apollo 13 would be regarded as a disaster for NASA, Gene's character challenged back to his boss (and everybody in earshot) his disagreement that it would instead be their "finest hour." Although creative liberties were taken with some of these exchanges for the sake of the screenplay, they were done to portray something difficult to articulate otherwise. The notion of failure not being an option was ingrained in everything they did. It was cultural, and still is.

 

Whether at NASA or anywhere, that kind of attitude and leadership truly makes a difference, especially against long odds. The integrity to take an unpopular stand because it's the right thing to do can dramatically inspire an organization towards excellence. Strong leadership calms fears and gives people focus and clarity in uncertain situations. In the case of Apollo 13, the refusal to waiver or even entertain the notion failure, and instead demanding and accepting nothing less than excellence meant the difference between life and death for astronauts Jim Lovell, Fred Haise, and Jack Swigert.

 

Fortunately the stakes aren't quite that high in our daily lives but the lessons are no less true. Company leaders have a responsibility to set clear direction and tone at the top to support effective policies and procedures as a matter of standard business practice. Frighteningly, many do not. Those who do rise and embrace that challenge and responsibility are much better positioned to ensure the next time their organization faces an incident, they too can look back on their preparedness and ability to manage through the crisis as one of their "finest hours".

 

Thank you Gene Kranz...for everything.

Filter Blog

By date: By tag: