Showing posts with label ISO27001. Show all posts

Friday, May 14, 2010

Advice to Govt. of India after the decision to develop their own version of OS & Software

Note: This advice is offered free with no obligations

The Indian government has set in motion an ambitious plan to develop its own software and operating systems after the spurt in cyber attacks on Indian establishments. I think this is a bad idea, and, being an Indian, I thought I would contribute.

The problem is not with the OS or the software; it is with the way IT is managed.

The Indian government should look at addressing the management of IT; developing an OS (or software) is not the solution. I am sure the existing players can do a better job, because they have matured their processes over time, and it is really a mammoth task.

If I were to address this problem, I would start with this to-do list:

  • Do a risk assessment and then develop a risk management system
  • Develop a security management system, or adopt an existing one such as an ISMS
  • Create a security plan and include specific plans for departments/units
  • Develop security evangelists in government departments
  • Implement technical controls such as a standard hardening baseline like the US federal government's, or have a special government build

Posted via email from Ramki's posterous

Wednesday, December 9, 2009

Automated tool assisted vulnerability assessments

ISO 27001 requirement 15.2.2, Technical compliance checking, states: "Information systems shall be regularly checked for compliance with security implementation standards."

The code of practice, ISO 27002, states: "Technical compliance checking should be performed either manually (supported by appropriate software tools, if necessary) by an experienced system engineer, and/or with the assistance of automated tools, which generate a technical report for subsequent interpretation by a technical specialist."

ISO 27k certified companies need to conduct periodic vulnerability assessments and hence employ consultants for this. Mostly the scope is to run a series of predominantly automated tests using vulnerability scanners and provide a report and recommendations.
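To make the control above concrete, here is an added example (not code from the original post) of the simplest form of "technical compliance checking with the assistance of automated tools": a script that parses a collected host configuration, compares it with a hardening baseline, and emits a report for a specialist to interpret. The sample sshd_config and the baseline values are constructed for illustration and are not any organisation's real standard; the rule set and keyword names are assumptions.

```python
"""Automated technical compliance check against a hardening baseline.

Constructed example: the sample sshd_config and the baseline below are
illustrative, not a real organisation's standard. The output is a technical
report that still needs interpretation by a technical specialist.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample of an sshd_config as collected from a host.
SAMPLE_SSHD_CONFIG = """
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding no
"""


@dataclass
class Rule:
    key: str                                  # configuration keyword
    expected: str                             # expectation shown in the report
    check: Callable[[Optional[str]], bool]    # returns True when compliant
    rationale: str                            # why the baseline requires it


def _int_in_range(lo: int, hi: int) -> Callable[[Optional[str]], bool]:
    """Build a check that accepts an integer value within [lo, hi]."""
    return lambda v: v is not None and v.isdigit() and lo <= int(v) <= hi


# Constructed baseline in the spirit of a government-wide hardening build.
BASELINE: List[Rule] = [
    Rule("Protocol", "2", lambda v: v == "2", "SSH protocol 1 is obsolete"),
    Rule("PermitRootLogin", "no", lambda v: v == "no", "use named accounts, then escalate"),
    Rule("PasswordAuthentication", "no", lambda v: v == "no", "key-based auth resists guessing"),
    Rule("MaxAuthTries", "<= 4", _int_in_range(1, 4), "limit attempts per connection"),
    Rule("X11Forwarding", "no", lambda v: v == "no", "reduce attack surface"),
    Rule("ClientAliveInterval", "1-300", _int_in_range(1, 300), "drop idle sessions"),
]


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines, skipping blanks and comments.

    sshd honours the first occurrence of a keyword, so the first value wins.
    Keys are lower-cased because sshd keywords are case-insensitive.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # a keyword with no value is not a usable setting
        key, value = parts
        settings.setdefault(key.lower(), value.strip())
    return settings


def check_compliance(config_text: str, baseline: List[Rule] = BASELINE) -> List[dict]:
    """Evaluate every baseline rule and return one finding per rule."""
    settings = parse_config(config_text)
    findings = []
    for rule in baseline:
        actual = settings.get(rule.key.lower())
        if rule.check(actual):
            status = "PASS"
        elif actual is None:
            status = "MISSING"   # absent: the daemon default applies
        else:
            status = "FAIL"
        findings.append({"key": rule.key, "expected": rule.expected,
                         "actual": actual, "status": status,
                         "rationale": rule.rationale})
    return findings


def non_compliant_keys(config_text: str) -> List[str]:
    """Keys that did not pass, in baseline order (handy for ticketing)."""
    return [f["key"] for f in check_compliance(config_text) if f["status"] != "PASS"]


def render_report(findings: List[dict]) -> str:
    """Plain-text technical report for subsequent specialist interpretation."""
    lines = ["TECHNICAL COMPLIANCE REPORT (automated; requires specialist review)", ""]
    lines.append(f"{'Setting':<24}{'Expected':<10}{'Actual':<8}Status")
    for f in findings:
        lines.append(f"{f['key']:<24}{f['expected']:<10}{str(f['actual']):<8}{f['status']}")
    failed = sum(1 for f in findings if f["status"] != "PASS")
    lines += ["", f"{failed} of {len(findings)} checks need attention.",
              "A PASS only means the text matches the baseline; it does not prove the",
              "control is effective (another config file or PAM may override it)."]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(check_compliance(SAMPLE_SSHD_CONFIG)))
```

The closing note in the report is the point of the post: an automated check tells you which settings deviate from the written standard, but deciding whether a deviation matters, whether the control is really enforced, and what was not checked at all is the specialist's job, not the tool's.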

This makes them compliant, but is it enough? No.

This post was triggered by thoughts after:

> Reading Information Escapology, part five – Careful with That Proxy, Eugene... Will a standard vulnerability assessment address this? I guess no. It depends on who is doing it, the depth, the methodology, etc.

> Hearing this from a consultant (someone I trust): it seems that after a capability presentation session to a large company, the company's CISO asked him whether they were the Authorized Scanning Vendor for the scanning tools and whether the consulting company was PCI DSS compliant... these were the only questions he had on the vulnerability assessment service process; nothing on things like the typical approach, methodology, depth, etc. Is it enough if your consultant is an ASV for a tool? Do you need to be PCI DSS compliant to do a vulnerability scan?

Conclusion: for most of them it looks like only compliance matters, or they want a testing service that is so cookie-cutter that the scope will automatically be limited to the basic scan-and-patch kind of findings.


Sunday, December 6, 2009

CISO and/with IT roles; few thoughts...

The article CISO reporting to board of directors: Myth or for real? has some quite interesting views on the role of the CISO; it is certainly worth reading and discussing.

“… four aspects to be kept in mind, while deciding a CISO's reporting pattern:
(a) The CISO should be seen as a strategic role.
(b) He must be at a leadership level.
(c) The CISO should be independent of IT
(d) He should report to a very senior person in the organization, who has strong hold within the organization”

While the points above are good in general, I believe point (c) is too idealistic; it actually depends on the organization's dynamics. The IT and CISO roles can conflict in certain scenarios, but this is certainly not impossible to manage.

“When a CISO becomes independent of IT, he comes out of his shell. According to the CISO of a leading Indian BPO, this widens the CISO's ability to think about security from an organizational perspective than just IT.”

One cannot presume that IT roles (I am talking about leadership roles) will constrain a person's views so severely that they can be considered to be in a shell; any experienced IT professional will have the capability to avoid this state.

“if a CISO is expected to limit himself only to day-to-day operational tasks, instead of assuming a larger responsibility for enterprise-wide coordination of security and risk management, he will not be able to usher in improvement”

I disagree with this; an organization that has a CISO role on the org chart will have a reasonably mature management system in which roles are clearly defined. If a person there is doubling up in the CISO role, he or she will be at a level where their involvement in the execution of day-to-day operational tasks and transactions is nil or at most minimal. Of course, I agree that the CISO should be responsible for risk management and improvements.

I play multiple roles: project management, service delivery, information security, and so on. Though I regularly face tough conflicting situations, they are being managed effectively.

Finally, it all depends on the organization's dynamics; no standardization can be applied.

Well, though it is off-topic, the article Let a Hundred Flowers Blossom has made me rethink standardization. Right now I am thinking about the various standardizations present in our management systems.


Saturday, November 28, 2009

Do certification audits also suck?

The post why do pen-tests suck? triggered my thoughts, and I started thinking about certification audits.

I have personal experience of dealing with ISO 27001 auditors from certifying companies who have very limited knowledge of IT infrastructure and technical areas, and some of them are even from non-IT backgrounds (I have seen audit findings written in ALL CAPS :-) ). Without this crucial knowledge they will not be able to find any gaps, hence the audit will be ineffective. I am also aware of the option/process of having a domain expert present during an audit; perhaps this is not practiced because it might uncover too many gaps that would be expensive to fix.

If the certifying companies' auditors did a comprehensive job, I am sure things would change...
