Recently I have been traveling in parts of Europe, both in EU and non-EU countries, and certainly noticed the different security controls and variations at airports and entries.
This makes me wonder, in the practices of information security, do we really know the actual effectiveness of various types of controls, be it access, physical, logical, layered, etc., etc.? Are some of the security controls deployed just to meet the regulatory requirements, to make us feel secure, or to have a job security / CYA, or what?
Just curious ...
I presently work at a University, and I've noticed that physical security is treated lightly at most levels --- from entering the campus main gates, where the security guards won't bother to check if you're an employee / student, to entering the IT office, which doesn't even have a physical Access Control system! (I've conveyed the risk of this to management multiple times.)
On the other hand, the regulatory authority is more concerned about the cyber-security threats, and provides us with the controls to apply for this. The last time they did this was in May, and just last week they asked us to update them on our compliance status. (I provided the requirements to our team)
In this situation, management asked me about the Cyber-security controls --- rather than the physical controls.
In this scenario, we see CYA followed at multiple levels.
(This is a government-funded educational institution; of course, things may differ at private organizations)
@Chuxing wrote:... This makes me wonder, in the practices of information security, do we really know the actual effectiveness of various types of controls, be it access, physical, logical, layered, etc., etc.? ...
For some controls, yes, for others, maybe not. The whole reason the CIS Top 20 exists is to advise folks on prioritizing their security controls implementation (translation: budgeting for) based on getting the highest level of effectiveness for the investment.
@Chuxing wrote: ... Are some of the security controls deployed just to meet the regulatory requirements ...
Yes, most definitely. See the entire range of efforts in the U.S. government to meet the requirements of FISMA by implementing the NIST Risk Management Framework.
@Chuxing wrote:... Are some of the security controls deployed just ... to make us feel secure, ...?
Absolutely! Bruce Schneier has for years been warning us about the dangers of relying on security theater to protect us.
@Chuxing wrote:... Are some of the security controls deployed just ... to have a job security / CYA, or what?
Without a doubt. Especially in large bureaucracies, being able to point to having done something, even if not at all effective, may save the job of more than one employee.
Still curious?