Wednesday, May 11, 2005

The Five Most Shocking Things About the ChoicePoint Debacle

A senior editor at CSO Online, Sarah Scalet, shreds ChoicePoint in impressive fashion, highlighting some of the concerns I mentioned in several earlier blog missives.

One of the most amazing aspects of the aftermath of the incident was a statement made by ChoicePoint's CISO, Rich Baich, who claimed that it really wasn't his concern:

"Look, I'm the chief information security officer. Fraud doesn't relate to me."


So, Rich, who would this sort of incident relate to, if not the CISO? Wouldn't some CISOs have established processes for analyzing access to the crown jewels? Say, detecting anomalous activity, or creatively discerning whether customer activities match up with their claimed size and role in the market? Or is the data held in the various repositories really not that crucial to ChoicePoint's business?
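One concrete shape the "processes for analyzing access to the crown jewels" could take is a routine check of each customer's record-pull volume against the business profile that customer claimed at onboarding, and against the customer's own history. The block below is an added example written for this post, not anything ChoicePoint ran; the customer profiles, tier baselines and access log are all constructed, and the `flag_anomalies` function, its `factor` multiplier and the `TIER_BASELINE` numbers are hypothetical choices made for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed customer profiles (hypothetical): the tier each customer claimed at onboarding.
CUSTOMERS = {
    "C001": {"tier": "small", "claimed_role": "one-person insurance agency"},
    "C002": {"tier": "large", "claimed_role": "national background-check firm"},
    "C003": {"tier": "small", "claimed_role": "local debt-collection office"},
}

# Assumed daily record-pull baseline per claimed tier (illustrative numbers, not a real policy).
TIER_BASELINE = {"small": 50, "medium": 500, "large": 5000}

# Constructed access log: (customer_id, day, records_pulled), ordered by day.
ACCESS_LOG = [
    ("C001", "2005-02-01", 20),
    ("C002", "2005-02-01", 3000),
    ("C003", "2005-02-01", 10),
    ("C001", "2005-02-02", 25),
    ("C002", "2005-02-02", 2800),
    ("C003", "2005-02-02", 12),
    ("C001", "2005-02-03", 30),
    ("C002", "2005-02-03", 12000),
    ("C003", "2005-02-03", 900),
]


def flag_anomalies(customers, log, factor=3.0):
    """Return one finding per (customer, day) whose pull volume looks anomalous.

    Two independent checks, each contributing its own reason string:
      tier - pulled more than `factor` x the baseline for the tier the customer claimed
      self - pulled more than `factor` x the median of that customer's own earlier days
    A customer can trip either check alone or both at once.
    """
    history = defaultdict(list)  # customer_id -> volumes seen on earlier days
    findings = []
    for cust, day, pulled in log:
        reasons = []
        tier = customers[cust]["tier"]
        tier_cap = factor * TIER_BASELINE[tier]
        if pulled > tier_cap:
            reasons.append(f"tier:{tier} cap {tier_cap:.0f}")
        prior = history[cust]
        if prior:  # self-baseline only once the customer has some history
            self_cap = factor * median(prior)
            if pulled > self_cap:
                reasons.append(f"self:median {median(prior):.0f} cap {self_cap:.0f}")
        history[cust].append(pulled)
        if reasons:
            findings.append({"customer": cust, "day": day, "pulled": pulled, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_anomalies(CUSTOMERS, ACCESS_LOG):
        print(finding["customer"], finding["day"], finding["pulled"], "; ".join(finding["reasons"]))
```

On the constructed log this flags two days: the "large" customer C002 stays under its tier cap but quadruples its own usual volume, and the "small" customer C003 blows through both its claimed-tier cap and its own history. The two checks are deliberately separate, because a fraudulent account that lied about its size at onboarding defeats the tier check alone, while the self-baseline check alone never fires for an account that pulls heavily from day one.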

...The security community seems skeptical of Baich's argument too. CISOs have long asserted that their responsibilities ought to encompass all aspects of information protection, whether a vulnerability stems from insider misuse, an outside hack or (in ChoicePoint's case) a social engineering scam. It seemed an especially convenient moment for Baich to argue, uncharacteristically, that his job description is actually narrower than one would assume...

It all really does translate back to process. You could have orchestrated a series of stellar vulnerability assessments, indicating that you'd closed all the holes known to exist... and then, only a week later, be utterly exposed to a catastrophic crime through a zero-day exploit. Good processes, creative and committed people, and -- least of all -- technologies together need alignment under the management of a CISO willing to take responsibility for all of IT. Not just firewalls and network monitoring - but application development, databases and other repositories, remote access, the gamut of offerings that make up today's IT world.

...It would also behoove companies to review their use and/or implementation of IT security best practices, such as the ISO 17799:2000 framework, as well as the NIST 800 series practices for sound IT security management. It's one thing to have the "CISO of the year in the State of Georgia" at the helm of your security function, but it's far better to have "state of the art" security best practice processes integrated into your business. Which would you prefer? I prefer the latter...

An "award-winning" CISO unwilling to tackle the tough problems of information security is like a brand new Mercedes convertible... without an engine. On paper, it looks great. It just won't get you from point A to point B.

CSO Online: The Five Most Shocking Things About the ChoicePoint Debacle
