Rethinking Risk

Now it’s no secret to those of you who know me that I’m a big believer in using risk management in the security space. Iang, over at Financial Cryptography, thinks it is “a dead duck”:

The only business that does risk management as a core or essence is banking and insurance (and, banking is debatable these days). For all others, risk management is just an ancillary aspect, a nice-to-have, something that others say is critical to you, but you ignore because you’ve got too much to do. So we have a choice: is security like finance, or is it like “the rest of business?”

I disagree. While it’s true that financials and insurance have done a much better job than anyone else of formalizing their risk management practices, every business does risk management to some degree; it’s part of the job of the C-Suite. Arguing that we don’t have data, so trying to do it in security is pointless, is taking the lazy way out. It’s true we don’t have as much data as we’d like, but as Hubbard said (more or less), “You don’t need as much data as you think, and you have more data than you think.” In other words, we have to start somewhere.

On a related note, The Economist ran an article at the beginning of this year, from which I took the title of this post, “Rethinking Risk.”

What makes the current situation so dire is the way in which so many major risks are converging all at once: a credit crisis, volatile commodity prices, soaring government debt, rising unemployment and its attendant impact on consumer spending — the list goes on.
None of those risks are lost on CFOs, of course, who now have an additional impetus to address them: more pressure from boards. Corporate directors in most industries have gotten risk religion, says Henry Ristuccia, U.S. leader of Deloitte’s governance and risk-management practice in the Northeast. “More external directors are asking senior management: What are the company’s major risk issues? What are the dimensions of governance and risk management? What levers and tools does the company have in place for risk management?”

Now, The Economist doesn’t explicitly talk about security but as several companies including Hannaford and TJ Maxx learned, just because you’re not in the finance industry doesn’t mean you don’t face significant financial or security risk. A shame neither of them had real risk management in place.

Canadian Privacy and Private Action

In reading Arthur’s post on “Canadian PM FAIL,” I was thinking of the odds that this would be investigated and dealt with under Canadian privacy law. Now, I’m not an expert on that, but my recollection is that the main private sector law, PIPEDA, complements a Federal Privacy Act which would likely be the relevant law for the office of the Prime Minister. I also recall that neither law contains any sort of right of private action.

So, will the Privacy Commissioner investigate? She has limited resources, and perhaps she doesn’t see this the way that Arthur does, “there are few groups who care less for this sort of tracking than Jews.” Perhaps she has other priorities. (Does anyone know if a formal complaint has been filed?)

Regardless of if the Commissioner investigates, I think there’s value to society in allowing citizens to balance government, rather than having to act as supplicants, asking one department to investigate another. The ability to act as a party in a case can be a powerful balancing factor.

Regulations, Risk and the Meltdown

There are obviously a large set of political questions around the 700+ billion dollars of distressed assets Uncle Sam plans to hold. If you care about the politics, you’re already following in more detail than I’m going to bother providing. I do think that we need to act to stem the crisis, and that we should bang out the best deal we can before the rest of the banks in the US come falling like dominoes. As Bagehot said, no bank can withstand a crisis of confidence in its ability to settle. I think that knowing how distasteful and expensive it is, and with far better things to do with the $5,000 or so it will personally cost me as a taxpayer. (That $2,300 figure is per person.) I also think that knowing how poorly this administration has done in handling crises from 9/11 to Katrina, and how poorly it does when forced to act in a moment of crisis. (Sandy Levinson has some interesting comments at “A further Schmittian (and constitutional?) moment.”) Finally, we are not bailing out the banks at the cost of a free market in banking. We gave up on a free market in banking in 1913 or so, after J.P. Morgan (not his eponymous bank) intervened to fix the crises of 1895 and 1907.

What I did want to look at was the phrase “more regulation,” and relate it a little to information security and risk management.


US banks are already intensely regulated under an alphabet soup of laws like SOX, GLB, USA PATRIOT and BSA. They’re subject to a slew of additional contractual obligations under things like PCI-DSS and the Basel rules on capital. And that’s leaving out the operational sand which goes by the name AML.

In fact, the alphabet soup has gotten so thick that there’s an acronym for the acronyms: GRC, or Governance, Risk and Compliance. Note that two of those three aren’t about security at all: they’re about process and laws. In the executive suite, it makes perfect sense to start security with those governance and compliance risks which put the firm or its leaders at risk.


There’s only so much budget for such things. After all, every dollar you spend on GRC and security is one that you don’t return to your shareholders or take home as a bonus. And measuring the value of that spending is notoriously hard, because we don’t share data about what happens.

Just saying that measurement is hard is easy. It’s a cop out. I have (macro-scale) evidence as to how well it all works:

  • Bear Stearns
  • Fannie Mae
  • Freddie Mac
  • Lehman Brothers
  • AIG
  • Washington Mutual
  • Wachovia
  • (Reserved)

I have a theory: in competition for budget within GRC, Governance and Compliance won. They had better micro-scale evidence as to their value, and that budget was funded before Risk was allowed to think deeply about risks.

There’s obviously immediate staunching to be done, but as we come out of that phase and start thinking about what regulatory framework to build, we need to think about how to align the interests of bankers and society.

If you’d like more on these aspects, I enjoyed Bob Blakley’s “Wall Street’s Governance and Risk Management Crisis” and Nick Leeson, “The Escape of the Bankrupt” (via Not Bad for a Cubicle. Thurston points out the irony of being lectured by Nick “Wanna buy Barings?” Leeson.)

I’m not representing my co-author Andrew in any of this, but at least as I write this, his institution remains solvent.

Supreme Court Narrows “Money Laundering”

The Supreme Court narrowed the application of the federal money-laundering statute on Monday, ruling for criminal defendants in two cases in which prosecutors had employed broad definitions of two of the law’s major provisions.

The two rulings are likely to crimp the government’s ability to bring money-laundering cases, although not necessarily to the degree that an initial reading of either might suggest. (“Justices Narrow Money-Laundering Law,” New York Times.)

The money laundering laws are a great example of bad law, and I’m glad to see them narrowed. They’re bad law because they include tremendous prosecutorial discretion, because they’re exceptionally expensive to enforce, and they infringe on the privacy and liberty of normal people.

Recently, I talked about “The Costs of Security and Algorithms” and the link between these silly laws and how banks had shifted their risk-management dollars from looking for bad loans to looking for money launderers. Sometimes this goes to a ridiculous extent.


When I was moving to Montreal, I didn’t have enough ID to purchase a Canadian dollar cashiers check to reserve my apartment and satisfy Bank of Boston’s AML regulations. The check was for some nominal sum, like $1000. Fortunately, Zero-Knowledge was willing to loan me the money, and cut my landlord a cheque that day.

I’m glad they’ve narrowed the law, and I hope this will be the first of many chips that bring down the edifice.

The Costs of Security and Algorithms

I was struck by this quote in the Economist special report on international banking:

There were navigational aids to help investors but they often gave false comfort. FICO scores, the most widely used credit score in America, were designed to assess the creditworthiness of individual borrowers, not the quality of pools of mortgages. “’Know your customer’ is a staple of banking that has largely been forgotten because of the disaggregation of the supply chain,” says Mark Greene, the chief executive of Fair Isaac, the company behind FICO scores. (“Ruptured credit”)

“Know your customer” actually hasn’t been forgotten; it’s been co-opted. It’s been co-opted by the “AML” (Anti-Money Laundering) crowd. (The Google search is also fascinating. Look at all those ads!) In other words, “know your customer” has been co-opted by the surveillance state: the people who want to know where your money is going in case they need to investigate you.

Bruce Schneier has a five-step process for evaluating security:

  1. What problem does it solve?
  2. How well does it solve the problem?
  3. What new problems does it add?
  4. What are the economic and social costs?
  5. Given the above, is it worth the costs?

To be clear, the whole idea of AML doesn’t pass this test. But let’s set that aside, and test the re-definition of knowing your customer. We can then look at steps 2 and 3, and ask “is re-defining a known element of good advice worthwhile?” I don’t think it is. I think it’s an example of how we let process and algorithms replace clear thinking.

It used to be that part of getting a mortgage was talking to a banker. You talked to an officer of the bank who was going to be collecting money from you for twenty years. And he made a call. That’s been replaced by the FICO algorithms and checking your ID. There’s now a process and an audit trail. And there’s no common sense. There’s no senior person who can see trends. To be fair, along with common sense it’s become harder to impose racist lending standards. But that senior person can’t imagine trends, either.

Back to the topic at hand, we’ve moved from “know your customer” as sage advice to trite bits of checklist faux diligence. We’ve lost something important.

Really, what we’ve done is substituted knowing a person’s data shadow for knowing the person. That’s not the only problem, but it’s one of a set of synergistic changes that will cost us hundreds of billions to clean up.

(Data shadows is a great term, defined by Alan Westin. Bruce Schneier used it recently in his excellent essay “Our Data, Ourselves,” which I hope to shadow shortly.)

Image: “Sinister,” by Adactio.

HSPD-12 Does Not Require JPL Background Checks

Adam writes about the brouhaha at NASA over HSPD-12 background checks.

A friend of a friend who is in the business of implementing HSPD-12 sent me a tidbit about it, along with a link so that you can read the primary source — something always needed when you get emails from FOAFs.

In paragraph 3, there is the interesting statement:

The Standard will include graduated criteria, from least secure to most secure, to ensure flexibility in selecting the appropriate level of security for each application.

The FOAF was incredulous at the report, because there it is in paragraph three that it’s okay to have different levels of security, and that which was good enough to defend us against the Godless Commies oughta be good enough to defend us against the Godful Beard-Dyers.

Let’s look down a little further. HSPD-12 is short, it’s only eight paragraphs. What’s that in paragraph 6?

(6) This directive shall be implemented in a manner consistent with the Constitution and applicable laws, including the Privacy Act (5 U.S.C. 552a) and other statutes protecting the rights of Americans.

Which gives the protesters a lot of ammo right there. But wait, there’s more. The HSPD-12 FOAFs say that the hardware JPL has ordered can only support a low-security ID system anyway, not a high-security one, so even if it were reasonable, they can’t implement the high-value security checks anyway. The FOAF gives this site as a reference.

So there you have it, not only abuse at JPL, but waste, too.

Wretched Term of the Week: Best Practice


This is a peeve I learned from the great Donn Parker. The term “Best Practice” should be avoided. It is inaccurate, misleading, and self-defeating. Here’s why:

  1. Best is a superlative. By using it, one implies that there is a single choice that surpasses all others. Rarely is this the case in real life. Security gurus are known for asking probing questions like “What’s your threat model?” or “What goal do you wish to achieve?” Different goals yield different practices.

    Shortly after 9/11, some physical security people I know put some physical security plans in place that many people, including me, sneered at. Harumph, harumph, it doesn’t actually improve security. It’s there just to look like you’re doing something. Some time later, one of them took me quietly aside and told me that the reason they did it was to lower insurance costs. If you’re faced with your insurance bills going up by a million bucks and you can avert that with fifty grand of security theatre, out comes the greasepaint and tap shoes followed shortly by an amateur production of songs from Chicago.

  2. Something that is best doesn’t actually have to be good. If you’re faced with having to choose between a number of bad alternatives, you still look for the best. But best implies good. Admittedly, using best allows you to weasel out of the fact that the decision sucks. In such a dilemma, least bad is better than best because it’s honest.
  3. A superlative implies that it cannot be surpassed. That makes it hard to replace a best practice with one even better. Smart people know that best is always within context and often the life of it being superlative is shorter than the implementation time. But that word works in favor of the clichpoop with the budget. Why set yourself up to be on the defensive?

What do you say, then? Parker recommended “Good Practices,” but noted that many best practices need improvement before they can get to good. This is the problem: we’re always having to do things that may not be quite so good. Grading on the curve is an old technique, and the same budget holder who will question improving a best practice may not appreciate honesty. Some organizations use “Best Current Practices,” which manages to keep from tacitly chiseling them in stone, but still keeps the superlative, and I believe that the superlative is a problem. I think I can count practices that are truly best on one hand once they get more complex than “look both ways before crossing the street” or “cook the popcorn for only two minutes.”

I recently heard Stephen R. Katz, another pioneer of computer security and the world’s first CISO, mention the same peeve and suggest the term “Standard Acceptable Practice.” The great thing about a term like “Standard Acceptable Practice” is that no one is going to disagree with either “We have to get this organization to follow Standard Acceptable Practices,” or “We need to improve our Standard Acceptable Practices.”

Photo by andai.

U.S. versus E.U. Audits

Speaking of the differences between how security gets managed in the U.S. versus the E.U., CSO magazine has a light-hearted and somewhat irreverent article on the differing goals and priorities of audits on either side of the Atlantic. In spite of its tone, it does highlight some important issues to keep in mind. In particular:

But it also illustrated a fundamental difference in the way audits are conducted on both continents. In the United States, audits are about ensuring that sufficient controls are in place to mitigate risks. Thus, the audit findings tend to emphasize lapses in application and network security. In Europe, audits tend to focus on following a predefined process, being transparent in the actions taken, precisely defining policies and procedures, and adhering to international standards.

I’d love to see a much deeper analysis of managing compliance in the U.S. versus the E.U. from someone who has a lot of experience working in both domains. Does this already exist? Or are folks interested in collaborating on writing something like this?