cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rslade
Influencer II

Functional and assurance requirements and CoVID

With the recent surges in CoVID-19 cases (pretty much everywhere), parents have become (understandably) concerned about the welfare and safety of their children, particularly at school. There have been widespread calls for school closures, or, at the very least, mandatory mask wearing for all staff and students. However, looking at the situation in terms of both functional and assurance requirements demonstrates that these concerns are unnecessary, or, at least, misplaced.

 

First lets look at the functional requirements. For the most part, controls against the pandemic are still basic and widely known. But they are problematic in regard to schools. Isolation is the most effective. However, classrooms are too few, and too small, for completely effective isolation. Desktop and other barrier systems are possibly expensive and time-consuming to construct and install in many places, and, in any case, are limited at best. Distance learning carries its own set of problems. Handwashing is good, and, particularly in the younger grades, you can really get students to buy into it. But it's not complete. (And forget trying to get teenagers to do it regularly.) And any teacher knows that telling kids, especially in the primary grades, to keep physically distant from each other is just not going to work. (Actually, if you tell students in the primary grades that it's a game, that their friends are radioactive, and that if they get close enough for their outstretched hand to touch their friends' outstretched hands they'll both explode, it'd probably work. It's the teenagers who seem to think that social distancing means six inches.) And I've written elsewhere about masks, but it is difficult to get kids, particularly younger kids, to wear them consistently and properly.

 

However, when we look at assurance requirements, we find a much different picture. One of the assurance requirements is detailed contact tracing, looking at where, how, and in what situations the infection actually (as opposed to theoretically) does spread. Part of this, of course, gives us information about which controls actually do work. But often it just gives us information about risk levels. And, even in these "resurgent" times, schools are not dangerous places.

 

Detailed contact tracing has demonstrated that the number of actual transmissions of the infection in schools is startlingly small, given the problems we have just looked at with functional requirements and controls. In British Columbia, while general case numbers jumped from 5,000 to over 20,000, there were only three outbreaks in schools, and, in those outbreaks, it seems to be impossible to prove that any infections actually took place at school. Schools do seem to reflect the prevalence of the case numbers, and, during this surge, exposure events at schools have increased, but cases of actual transmission seem to be vanishingly small.

 

Unfortunately, we do not yet have enough data to know exactly why this is the case. It may be that children, particularly young children, have differences in their immune systems that make them less susceptible to the coronavirus, but that would not explain why there are almost no cases of student to teacher transmission. It may be that, despite the problematic nature of the functional controls, the fact that children are better at "sticking to the rules" means that the layered defence works better than in adults (who often seem to think that wearing a mask means you can neglect all the other safeguards). At this point we still don't know enough to explain it.

 

There are other things that the assurance requirement of detailed contact tracing can demonstrate, but not explain. We have seen that transmission in restaurants is low, but transmission in bars is very much higher. Why is that the case? The two situations are very similar. Bars do the same level of cleaning as restaurants, and often have the same capacity limitations. Alcohol is served at restaurants as well as bars. But bars have higher transmission rates. In fact, the data even shows that transmission rates, in both bars and restaurants, is higher after 10 pm than before. Why? Is it just because patrons are drunker (and drunk people make worse decisions about sticking to the rules)? We can't yet explain why, but we do know that it is the case.

 

In security, we often pursue functional requirements and neglect assurance. After all, it is functional requirements that direct us to technologies and systems and processes that keep us safe. But it is assurance requirements that tell us whether the technologies and systems and processes actually do keep us safe, or whether we are wasting resources on controls that don't actually do anything for us. We need that assurance.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
0 Replies