Tuesday, 24 September 2013

Why build in information security from the start?

Think of a project to build a bridge across a massive river. Right at the beginning, you decide what the height should be. At that stage, it's just a line on the drawing. Easy to change.

Now roll on a year; you have scheduled all the steel deliveries, hired the workers, and the planning permissions, legal work and contracts are done. The foundations have been laid, and the project is on schedule. Then you realise that a supertanker travels down that river every week. The design is too low to let it under. 

The cost of changing things now is horrendous. Many recriminations, emergency meetings, and discussions of temporary solutions ensue.

You have to pick a feasible option: the best is to make the bridge open and close. So when the supertanker goes through, the traffic on the bridge has to stop. The changes also result in the project being significantly over time and budget.

If you had known about the supertanker at the design stage, you could have made the bridge higher, to let it under without disrupting traffic.

This is exactly equivalent to the situation with information security. Designing it in from the start is cheaper, more feasible, and prevents infinite pain down the line. Requirements gathering needs to include information security.

Saturday, 14 September 2013

27002: the supermarket of controls
OK, welcome to what will hopefully be a vaguely interesting and not entirely infrequent series of posts on various aspects of information security. Your host for this set of trips into the slightly known is one Bridget Kenyon, information security enthusiast.

For my first foray, join me, gentle reader, as we peer under the hood of 27002, the "supermarket of controls", as a very wise friend of mine calls it.

It's the good buddy of 27001, the set of things which make up an Information Security Management System, or ISMS, for those who like their acronyms.

If 27001 is "what you should end up with", then 27002 is a whole catalogue of security measures (controls) you can use to get you there. Stuff like physical perimeters, cryptography, user training, passwords ("secret authentication data", don't ask) and so on. It's about 81 pages long, and a great bedtime read.

So why a supermarket? Well, in the ideal world, shopping for groceries is done by deciding what you need, writing a list, and then going to the supermarket and picking up what you need. While you're there, you may notice something you forgot to put on your list, and add it to your shopping cart. Good. 

In the real world, you either: a) turn up at the supermarket hungry, with no list, and go home with twenty doughnuts, a bar of chocolate, and a sieve; or b) turn up with a list, get sidetracked, and end up with twice as much as you needed, and missing something vital (like washing up liquid). Not so good. NB: I am Shopper Type a)...

It's the same for 27002. In the ideal world, you do a risk assessment, and decide what controls you need to apply to satisfy contractual obligations and the law, and to make it possible for you to sleep at night. Then you write them down (your shopping list), and visit 27002 to check them off. While you're there, you can add anything vital (like passwords) you should have included originally, but forgot.

In the real world, people tend to treat 27002 itself as a shopping list. No. Please don't! You wouldn't go into a supermarket and buy everything, would you? Nor should you go into it with a vague intent, and pick out everything which looks about right. You will end up getting home and finding you now have fifty eggs and no toilet paper (metaphorically speaking). 

To spend your money and time wisely, don't let 27002 cozen you into picking the wrong things, or more than you need. Remember your shopping list.