Monday, September 21, 2009

ERM-BC-COOP: Security 1, Business Continuity 0

A funny thing happened on the way to increased security.

My current employer, a major contractor to Uncle Sam, changed its computer security tool from a key fob to a smart card.

That makes Uncle happy, but as an enterprise risk manager I am left shaking my head muttering "Too bad no one asked us first."

There are a number of "got'chas" to the change.

The key fob the card replaced wasn't perfect and the cost to maintain the synching service may be more than that charged by the card provider; I am not privy to the bills.

Key fobs could get lost, but since they were always apart from the computer, a lost key fob wasn't a security disaster. The computer is loaded with a unique program that works in conjunction with the key fob - or the smart card.

Smart cards also can get lost, but as long as the computer is not "lost" with the smart card, there is no major disaster; again, the smart card and the computer go together.

But, got'cha #1: Most of us stick the smart card into our computers when we get the card.

Those of us using desktop machines can walk off and leave the card in the machine. This is a double whammy.

First, the installed smart card compromises the machine. A miscreant still would have to know the computer user's network ID - ANY computer user's network ID; there is no machine/user relationship.

Second, when Joe Q. Employee shows up for work tomorrow, Joe Q. won't be able to get inside the building (at least without some hassle and some explanation to the guards); the smart card also is the entry swipe card.

For those of us with notebooks - née laptops - the temptation is to stick the card into the box and leave it there. When the office is abandoned for the day, the computer is stuffed into its carrying case and off Jane goes. But if Jane forgets the computer or elects not to take it with her, she'll have to explain herself to the guards in the morning.

But it gets worse.

Let's say Jane has to fly to a customer site with her computer. As she sits in the airport something distracts her and she looks away just long enough for someone to walk away with her computer . . . with the smart card safely stuck in the computer's smart card slot.

Not only is the machine generally compromised, the person who "borrowed" the machine will easily find out who "owns" the machine (Jane) and the company that employs the owner (Secret Projects, Inc.). Even if our airport ganov (thief) lacks any computer skills, the value of the stolen box suddenly increases . . . maybe the hard drive houses sensitive information that can fetch a nice price from a competitor or someone who has another country's best interest at heart.

A lesser got'cha is that now neither Jane nor Joe can use their personal computers to access even a limited number of places on the corporate intranet.

If the company machine dies - as it will - Joe and Jane are out of luck until a new machine can be provided, imaged, and the files that hopefully were saved to the network recovered and restored. How long will that take? Depends on Jane and Joe's rank within the company; for a rank-and-filer, maybe a week or three; for a C*O, probably less time.

In the "old days" of the key fob, Jane and Joe could access a number of things, including corporate email, from their personal computers. If the company machine failed, they could "make do" by using their own equipment. True, they could not access everything that they could with the company machine, and "sensitive" material should never be put on a personal machine, but life could go on, albeit less efficiently.

Once again, keeping risk management people out of the loop has presented the organization with several probably avoidable "got'chas." I'm not sure the organization had much choice but to implement the smart card system, Uncle Sam being the 800-pound gorilla customer that it is. Maybe Uncle should have talked to COOP experts - COOP being government speak for risk management - before insisting that vendors implement something with so many points of failure.

What do I mean by "once again"? How many companies include risk managers when they consider a new building - tornado and earthquake proof, shelter-in-place, wide exits for handicapped - with paved paths away from the facility; full capacity stairwells, and much more; even something as simple as checking the flood history?

"Once again" to consider the risks all vendors pose, even money lenders. Does the vendor have a plan to assure product (including money) or service delivery?

"Once again" to consider the neighbors and the environment - are the neighbors high profile? Is the facility near an airport, major highway, railway, sea port?

"Once again" to consider both insurance coverage and carriers; is there enough of the "right" insurance and can the carrier(s) cover the loss, either individually or as a consortium?

Enterprise risk management is best practiced from the business concept and is a continual process.

Enterprise risk management is a process that requires - if properly done - input from everyone, both within the organization and the organization's vendors - including architects and CPAs, lenders and regulators. No one should be expected to be an expert in everything, but an experienced, inquisitive enterprise risk management practitioner can play a major role in discovering the "what if's" that each individual SME knows lie in wait.

John Glenn, MBCI
Enterprise Risk Management practitioner
Hollywood/Fort Lauderdale Florida
