A recent posting on Bruce Schneier’s blog drew my attention to a revealing confession by Los Alamos that they had failed to address cyber security issues regarding stolen laptops because such losses had been treated as a “property management issue”. This might sound unforgivably careless, but they’re certainly not alone.
A few years ago you would have had to look hard to find any organization that carried out a security assessment for a missing laptop. It’s only in recent years that highly-publicized thefts have drawn attention to the problem. And many enterprises still don’t realize they have a major exposure.
The root cause of this lies in the backward-looking nature of our control design process, as well as a widespread failure to check the actual implementation of security policy. Twenty years ago, when we were assembling the original base material for BS7799, mobile computing and helpdesks were in their infancy. We didn’t address laptops or the need to build security into helpdesk processes for managing reports of lost assets. Two decades later, we’re still not covering these areas as well as we should. Security standards rarely cater for current or emerging problems.
Critics can slam Los Alamos for their failings, but it’s not intuitively obvious for a call centre or asset manager to carry out a risk assessment for a lost or stolen asset. The need for this won’t come to light until a security review highlights the issue or, more likely, a major incident occurs.
And, be warned, it takes time to plug this gap. New processes have to be designed. Call centre software has to be upgraded. The helpdesk operators have to be trained to ask the right questions. Security expertise must be available to guide the risk assessment. The process will also take a few iterations to reach an acceptable level of reliability.
Asset management itself is a far-from-perfect process in many organizations. So don’t expect operational managers to implement appropriate controls without prompting. They’re busy enough struggling to stay abreast of a sprawling IT estate in a constantly changing environment.