Yet another contents list

For the past decade the real enemy of security practitioners has not been the hackers and malware that threaten our systems but the numerous best practices, compliance demands and audit actions that take up all of the time and resources of the security function.

Security standards and frameworks add to the burden of security managers by insisting that evidence of governance, assessments and controls are presented according to a structure laid down by standards authorities, many of whom might have little sharp-end experience.

And so we have the latest distraction: a “Framework for Improving Critical Infrastructure Cybersecurity published by the National Institute of Standards and Technology, which appears to contain not a single new control, technique or technology, but one that merely restructures existing controls and guidance according to a new contents list.

Anyone who truly understands the rare art of designing models and architecture will appreciate that the top levels of any model are shaped purely for political or cosmetic purposes. They add little real value to the purpose or content of the guidance.

And of course there is an unlimited number of ways of structuring a set of controls. It can be done by lifecycle, process, technology, organisation, etc. Ideally the structure should be based on the purpose of the framework, as it is primarily a means to an end, not an end in itself. Unfortunately this rarely happens.  

The original set of baseline controls designed by Donn Parker in the 1980s contained several different contents lists, reflecting different needs. When drafting the original BS7799 we decided to have a single structure. Having presented over a dozen different structures to the BS7799 team, we all agreed unanimously to base in on “natural subject areas”, i.e. the structure most of us had already adopted for our own security manuals.

There’s nothing wrong of course in experimenting with new structures. But these should only be a accepted when there is clear, added value. Otherwise it’s a case of, as Eric Morecambe might say, of using all the right words but not necessary in the right order.  

Enhanced by Zemanta