Part 1, Part 2, Part 3 (this post is Part 3 of the series; Parts 1 and 2 are linked in the original).
Mike Rothman chimed in on the 100% compliance piece and did a far neater and faster summary of what I was trying to say.
This part brings me full circle to the original conversation on Risk Units and some of the differences between risk management and best practices.
Essentially, best practices are a bunch of (hopefully) smart people at Gartner, Forrester, D&T, PwC, E&Y, SANS, and other groups coming to a consensus on which controls come closest to 100% coverage for a given threat they are looking at, and which controls are the best ones to put in place.
(yes yes I know this is going to be an avalanche of what about this or that group)
This is great. It gives us an outside look at how various actions and tools compare to each other in preventing problems, but it doesn't factor in all of the variables that each company and organization has.
It establishes a solid baseline and goals.
Coming up with best practices by definition means dealing with the vendor marketing apparatus and all the fluff therein. It is also heavily based on current trends, hype cycles, and opinions of what is really at issue.
In some companies a given best practice is simply not possible for political, environmental, architectural, economic or any number of other reasons. This is why it is more important to focus on what the real risk of an issue is.
There are a number of questions I like to keep in mind when looking at the effectiveness and appropriateness of the controls being considered:
What threats does a control provide protection from and how?
Are there overlaps with other controls and for which threats/vulnerabilities?
In a perfect environment how much protection from any given threat does a control provide?
How much coverage can I afford to get with the given control?
How much does the control interfere with existing work?
How much does the control interfere with changes and limit future flexibility?
I would love to hear others.
This is why I am so interested in the “Units” and math that might be associated with it. I picture a type of finite element analysis that can be applied to Information Security controls.
(and before any structural engineers start laughing at me yes I know it is not the same. I am using it as an example not as a literal mathematical equivalency)
Even if we could come up with detailed equations for this stuff, I realize most of the time they wouldn't be used. I wouldn't expect them to be. When I was a Reactor Operator I didn't work through the full equations for every variable for every shim or pump switch. I did, however, have a thorough understanding of them, and because of that I knew exactly what would happen before I did it.
A different series of questions might be: what are the disparate pieces that make up a control? How do they interrelate? How do they fit into the bigger picture of impact times likelihood?
What I really want to know is if Batting Avg. or On base % is going to get me more scores in the end.
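As an added illustration (this is not code from the original post, and it is not the "Units" math the post is asking for), here is a small model of impact times likelihood with controls that overlap, are only partly deployed, and cost money. Everything in it is an assumption: the threat names and numbers, the control names, the effectiveness and coverage figures, and the "independent layers" rule for combining overlapping controls are all constructed for the example. The point is to make the questions above concrete: what a control protects against (the `effectiveness` map), how much it gives in a perfect environment (effectiveness at full coverage), how much coverage you can afford (`coverage`), and where controls overlap.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    likelihood: float  # assumed annual probability of occurrence, 0..1
    impact: float      # assumed loss if it occurs, in whatever unit you budget in


@dataclass
class Control:
    name: str
    cost: float
    # Fraction of a threat's likelihood the control removes when fully deployed
    # ("in a perfect environment"); threats not listed get no protection.
    effectiveness: dict
    coverage: float = 1.0  # fraction of the estate it is actually deployed to


def residual_likelihood(threat: Threat, controls: list) -> float:
    """Likelihood left after every control takes its bite.

    Assumption: controls act as independent layers, so each one removes its
    share of whatever the previous layers left. Two 50% controls therefore
    give 75%, not 100%, which is the overlap question made explicit.
    """
    remaining = 1.0
    for c in controls:
        remaining *= 1.0 - c.effectiveness.get(threat.name, 0.0) * c.coverage
    return threat.likelihood * remaining


def annualized_risk(threats: list, controls: list) -> float:
    """Sum of impact x residual likelihood over all threats."""
    return sum(t.impact * residual_likelihood(t, controls) for t in threats)


def overlaps(controls: list) -> dict:
    """Which threats are covered by more than one control, and by which."""
    by_threat = {}
    for c in controls:
        for threat_name in c.effectiveness:
            by_threat.setdefault(threat_name, []).append(c.name)
    return {k: v for k, v in by_threat.items() if len(v) > 1}


def marginal_value(threats: list, deployed: list, candidate: Control) -> tuple:
    """Risk removed by adding `candidate` on top of what is already deployed, and its cost."""
    before = annualized_risk(threats, deployed)
    after = annualized_risk(threats, deployed + [candidate])
    return before - after, candidate.cost


# Constructed sample data; none of these numbers come from the post.
THREATS = [
    Threat("phishing", likelihood=0.9, impact=50_000),
    Threat("ransomware", likelihood=0.3, impact=500_000),
    Threat("insider", likelihood=0.1, impact=200_000),
]
MFA = Control("mfa", cost=30_000,
              effectiveness={"phishing": 0.8, "ransomware": 0.3}, coverage=0.75)
MAIL_FILTER = Control("mail_filter", cost=10_000, effectiveness={"phishing": 0.5})
EDR = Control("edr", cost=60_000,
              effectiveness={"ransomware": 0.6, "insider": 0.2}, coverage=0.5)


if __name__ == "__main__":
    deployed = [MFA, MAIL_FILTER]
    print("baseline annual risk:", annualized_risk(THREATS, []))
    print("with MFA + mail filter:", annualized_risk(THREATS, deployed))
    print("overlaps:", overlaps(deployed + [EDR]))
    reduction, cost = marginal_value(THREATS, deployed, EDR)
    print(f"adding EDR removes {reduction:.0f} of annual risk for a cost of {cost:.0f}")
```

With the constructed numbers, adding EDR on top of MFA and mail filtering removes less annual risk than it costs, which is the kind of answer the "how much coverage can I afford" question is really after. The independent-layers rule is the weakest assumption here: real controls are often correlated (the same phishing email defeats both the filter and the user), so treat the overlap output as a prompt to think, not as a number to bank.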
Securosis does a better job of describing the "Best Practices" process.
I love this quote from it.
"Analyst best practices will make you really fracking secure, but probably cost more than a CEO's parachute and aren't always politically correct."
I am very aware of how the processes work, so my hopes aren't dashed. His points are valid and more descriptive, but that level of detail wasn't essential for my point.
Still, more detail (and more accuracy as well) is better, so thanks for the critique.