Archive for May, 2009

Business Continuity – Your People & the H1N1 (Swine) Flu

Wednesday, May 20th, 2009

By Michael J. Corby, CCP, PMP, CISSP

Global Health Issues Require a Careful Response

Once again, we are being challenged by the potential for a serious outbreak of a highly contagious disease. This time, the threat appears to have emanated from Mexico and, by all recent accounts, has spread from person to person through the air. The number of cases appears to be mounting in the US, Canada and elsewhere. Without throwing our entire organization into convulsions, how can we best prepare to withstand this threat? Even if the influenza outbreak does not replicate the global pandemics of the past, we need to do what is proper to avoid a steep decline in our ability to maintain our profitable and viable position. Overreacting can result in a “boy who cried wolf” situation. Underreacting can result in extensive and prolonged employee absence or sharply decreased sales. How do we handle this latest challenge? In a word: carefully.

Communication is Crucial

A global issue such as an illness pandemic presents you with multiple challenges. If the threat materializes and many people are affected, you may lose a large percentage of key workers, your customers, clients and constituents will elect not to venture into crowded public places, and your vendors and suppliers may be required to substantially change their services.

On the other hand, if the threat remains only a potential, you risk causing a disruptive and possibly expensive response with no value. Obviously the best plan is one that has been tested over and over, but in the absence of this real experience, your best bet is frequent, factual communications.

Developing a well-orchestrated plan

Your response to pandemic threats should be well coordinated and specific. We recommend the following specific steps in developing your plan.

1. Provide factual information. You can win public relations points by monitoring credible sources and dispelling gossip and rumors. Look to reliable resources to maintain the latest facts, including:

a. Centers for Disease Control (CDC) http://www.cdc.gov/swineflu/

b. World Health Organization http://www.who.int/csr/disease/swineflu/en/index.html

c. The ASIS Swine Flu update http://www.asisonline.org/

Remember that as of the end of April 2009, relatively few cases had been identified in the United States; all had a connection with recent travel to Mexico and most were mild. There is presently no pandemic crisis. The Phase 5 alert level means sustained human-to-human transmission across countries. To an individual, this is only as dangerous as the “ordinary” flu. It is receiving attention because people have minimal immunity to it.

2. Conduct a brief risk assessment. Do you or your suppliers travel to and from Mexico? If the condition escalates, what will be the impact on your employees, your suppliers and your customers? Will the need for your products/services increase or decrease?

3. Review your policies. If you don’t have a pandemic response plan, now might be a good time to start getting one in place. If you do have a plan, review it and plan for needed supplies that have not yet been purchased, e.g. masks and hand sanitizers. How would you handle 30%-40% absenteeism for 1-2 weeks in the next 12 months? Consider family needs if schools and day care centers are suddenly closed for 1-2 weeks to prevent the spread of infection. Make sure employees are kept informed.

4. Educate employees and take precautionary measures. Make sure employees know the symptoms of flu, and encourage them to stay home if sick and to seek medical attention if symptoms are present. Provide extra cleaning and sanitizing supplies, especially for telephones and keyboards.

How can IT Security Help?

If you’ve done nothing to date to assure your organization can respond under the crisis conditions posed by a disease pandemic, your chances of a fully successful program are reduced. If you have already created a Business Continuity Plan that addresses the disruption of what we term the four key elements of business resiliency: People, Physical Plant, Process and Technology, this would now be an excellent time to issue a memo reminding everyone of the plan, the location of its latest version, and the names of the initial response leaders. You may even have the time and resources to conduct a “table-top” exercise of what will happen if the pandemic potential increases and the disease spreads as quickly as some may fear. We have worked with hundreds of organizations in the development of these plans and in monitoring and assessing the results of plan exercises. From our experience, we recommend the following minimum actions:

Appoint a Response Team Leader. This individual should be directly in control of all communication regarding the situation, from making the ultimate decision to invoke the response and recovery plan to approving all communication to the media, employees, suppliers, customers and civil authorities. This individual should be able to effectively coordinate web site and telephone system communications, advise on and approve technology relocation or deployment plans, and direct the flow of materials and supplies to the locations where they are best suited for a responsive, continuous operation. Our background in this area can be a valuable resource for you to select, appoint and commission this individual.

Deploy Technology Resources. In most situations where communicable disease is a threat, people will not want to go to work in a crowded, populated office. In addition, commuting via public transportation and even using elevators presents a risky and undesirable situation. Many of your key employees can be just as effective working from the safety of their homes if they have the required computer, network access and telephone resources. Although the technology to do this is readily available, you may be competing with thousands of other company employees to set up systems and provide access codes to company resources. This is not a good time to relax security and privacy standards. Criminals are literally salivating for the opportunity to exploit the situation and gain access to valuable, sensitive or protected data. You face the risk of losing the privacy of this data, and also the risk of a lawsuit initiated by those same individuals, who now have the facts to accuse you of failing in your data protection obligations. We know how to do this deployment quickly, effectively and securely.

Monitor the facts and your business. As with other disruptive events, things can change quickly and dramatically. The spread of the disease itself can change in the blink of an eye, and the need for you to provide a different response to your customers can change just as quickly. We have the knowledge and skills to help monitor the operating environment in time to effect change.

Over the past few weeks, I’ve spoken to many groups about their response to this flu outbreak or pandemic disease threats in general. The most common response is that management has delegated to a medical advisor, either through the Human Resources department or through the company’s preferred medical provider. This is a noble response to help people defend against the flu and help prevent it from spreading through the organization, but as we have seen in the business response to hurricanes, terrorism, snow and ice storms and other calamities, prevention alone doesn’t solve the problem. Business Continuity Planning (for Security purists, it’s the “Availability” in the C-I-A Security triad) provides a response that addresses resilience when, not if, the situation materializes.

Nearly all successful Business Continuity Plans have depended on a well-defined and tested process, known and followed by all employees under the guidance of a decisive leader. Is that you?



Ready – Set – Go!

A Primer on Risk

Tuesday, May 19th, 2009

By Pete Lindstrom, Research Director, Spire Security

The first and only necessary component of risk is likelihood. Likelihood is driven by the uncertainty of which outcome within a set of possible outcomes will occur for any single event. Some of those are wanted, and some unwanted by those involved in decision-making (I use the word “unwanted” instead of “negative” to cover a broader set of outcomes and to address the fact that there are varying opinions about what is unwanted). If the mix of unwanted outcomes is not random or equally distributed (e.g. 2 possible outcomes each happening half the time, or 3 outcomes each happening 1/3 of the time), we use past frequencies of outcomes to inform our beliefs about future risks. The portion of unwanted outcomes out of the total population of outcomes is our likelihood number, which corresponds to risk when dealing with potential losses.

The other component of risk involves consequences. I noted above that likelihood is the only necessary component of risk. That is because we often suggest that in order to quantify risk we must quantify our consequences as well, but this isn’t the case. Since we are identifying unwanted outcomes anyway, in many cases we implicitly understand the value or loss involved, even if we don’t quantify it in dollar (or other currency) terms. Not only that, but we can quantify consequences in other ways that are available in whatever circumstances are being evaluated. Whatever numbers we use, they constitute the total number of units in the population of outcomes. In IT security, that might be total endpoints or total number of records or total value of the assets, for example.

When we do have a number to express consequences, we use the risk (estimated using previous frequencies as a starting point) or likelihood expressed as a percentage of total outcomes to discount the total population. This is simply an expected value calculation.

Take for example a sales pipeline. The value of a sales pipeline for a company is the likelihood of closing a deal (making a sale) multiplied by the total possible amount of the deal itself. This likelihood number is a discount factor used to reduce the amount in question based on the risk involved. So a $100,000 deal with a 70% likelihood of closing is worth $70,000 in the pipeline. Risk is like the inverse of the pipeline numbers, since the pipeline measures positive outcomes and risk measures negative (unwanted) ones.

The final outcome of a risk calculation may be
a) the probability itself, qualified by what is meant in terms of consequences,
b) the portion of the population that is expected to be affected by the unwanted outcome (using the likelihood as a discount factor for the total population), or
c) the “value-at-risk” (VaR) expressed in monetary terms (our universal unit of costs or losses), which involves translating the number derived in (b) into currency units.

(comments to this article can be made at http://spiresecurity.typepad.com.)

Why Risk Assessments Fail

Tuesday, May 19th, 2009

By Thomas R. Peltier, Security Sage

A risk assessment is the backbone of any effective information security program. It is impossible to know where to implement controls until the risks, threats, concerns and issues have been identified. This process can only be completed if the risk assessment process is treated as any other properly run project. This document will examine some of the key areas that cause risk assessment processes to fail.

Scope Creep

Every successful project begins with a definition of what is to be accomplished. For risk assessment, this will involve describing what is to be examined. This could be a physical environment such as a data center; a specific system such as a network supporting research and development; a processing entity such as the corporate WAN or a subsection of the network such as the Payroll Administration LAN; or a specific application such as Accounts Payable.

In creating a statement of work or a scope statement, it is customary to begin with identifying the sponsor. This is normally the Owner of the application, system, data or process. The owner is typically described as the management person responsible for the protection of the asset in question. In most organizations, the sponsor is not an Information Systems (IS) person.

To limit the possibility of scope creep, it will be necessary to establish the boundaries on what is to be examined. An application that uses the corporate network to pass data is within the scope of a normal risk assessment. However, conducting a corporate analysis of the security of the Internet may be counterproductive. Keep the focus on those processes where the organization can effect change.

The scope statement should next address the overall objectives of the analysis. For information security, these objectives are normally the impact of threats on the integrity, confidentiality and availability of information being processed by specific applications or systems. Consider the types of information security challenges facing your organization, and use them to define the objectives.

Ineffective Project Team

Many information security professionals attempt to conduct the risk assessment either alone or just with other members of the security group. To be effective, the risk assessment process must have representatives from the following areas:

1) functional owners
2) system users
3) systems analysis
4) applications programming
5) database administration
6) auditing (if appropriate)
7) physical security
8) communication networks
9) legal (if necessary)
10) processing operations management
11) systems programming (operating systems)

The key members of this team are the owner and the users. Make certain that there is representation from every business unit affected by the new application or system. This will assist in the acceptance of the final results of the analysis. By ensuring proper representation, the controls agreed upon will come from the owners and users and not as an edict from security or audit.

Stating Concerns as How They Impact Security

When conducting a risk assessment, it will be necessary to state the concerns in terms of how they impact the business objectives or the mission of the organization, not how they impact security objectives. Proper controls are implemented because there is a strong business need, not so that the business unit will be in compliance with security requirements. Keep the business of the organization foremost in the discussions during the risk assessment process.

Every Threat is a Major Concern

Establish a method to prioritize the identified risks into categories of minor, moderate or major. No organization has sufficient resources to control every identified risk. An effective risk assessment gains support when it ensures that limited corporate resources are spent where they will do the most good. A possible ranking process might be as simple as the following:

Risk Assessment Graphs
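A worked version of the three outcome forms (a), (b) and (c) from the risk primer above, with the sales-pipeline mirror image, feeding a minor/moderate/major ranking of the kind this section calls for. This is an added example, not code from either author; the outcome history, population, per-unit value and the VaR cut-offs are constructed assumptions, since the page's own ranking graphic is not reproduced here.

```python
from dataclasses import dataclass

# Constructed outcome history: one entry per observed unit-period (here, an
# endpoint over one quarter); False marks an unwanted outcome (a compromise).
OUTCOME_HISTORY = [False] * 30 + [True] * 170

# Constructed ranking thresholds on value-at-risk (assumption, not the page's
# ranking): at or above MAJOR_VAR is "major", at or above MODERATE_VAR is "moderate".
MAJOR_VAR = 250_000.0
MODERATE_VAR = 50_000.0

@dataclass(frozen=True)
class RiskResult:
    likelihood: float         # (a) share of unwanted outcomes in the history
    expected_affected: float  # (b) population discounted by the likelihood
    value_at_risk: float      # (c) the figure in (b) translated into currency
    rank: str                 # minor / moderate / major, by the VaR cut-offs

def likelihood_from_history(outcomes):
    """Past frequency of unwanted outcomes, used as the likelihood estimate."""
    if not outcomes:
        raise ValueError("need at least one observed outcome")
    unwanted = sum(1 for wanted in outcomes if not wanted)
    return unwanted / len(outcomes)

def rank_by_var(value_at_risk):
    if value_at_risk >= MAJOR_VAR:
        return "major"
    if value_at_risk >= MODERATE_VAR:
        return "moderate"
    return "minor"

def assess(outcomes, population, unit_value):
    """Apply the likelihood as a discount factor to the population and its value."""
    likelihood = likelihood_from_history(outcomes)
    affected = likelihood * population          # (b) expected affected units
    var = affected * unit_value                 # (c) expected loss in currency
    return RiskResult(likelihood, affected, var, rank_by_var(var))

def pipeline_value(deal_value, close_likelihood):
    """The pipeline is the inverse view: the likelihood of a wanted outcome discounts the deal."""
    return deal_value * close_likelihood

if __name__ == "__main__":
    r = assess(OUTCOME_HISTORY, population=1200, unit_value=2_500.0)
    print(f"likelihood={r.likelihood:.2f} affected={r.expected_affected:.0f} VaR=${r.value_at_risk:,.0f} rank={r.rank}")
    print(f"pipeline value of a $100,000 deal at 70%: ${pipeline_value(100_000.0, 0.70):,.0f}")
```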

Conclusion

Risk assessment is a necessary and cost-effective part of an effective information security program. It will support management in fulfilling its mandate to exercise its fiduciary duty to protect the assets and resources of the enterprise. By understanding how a risk assessment can fail, the security professional can take appropriate steps to ensure success.