Combining thought models for better understanding

We look at combining two well-known thought models to better understand security and data protection outcomes from a whole-business perspective, and focus thinking on what's important rather than what's easy (or fun, or cheap, or...)

The Managing Successful Programmes (MSP) framework talks about POTI when describing what might need to be considered to deliver an outcome:

  • Processes – The cogs of the machine controlling the flow of information through an organisation
  • Organisation – People, skills and culture within the organisation
  • Technology – Not just IT but also other resources people need
  • Information – The data and higher order information that an organisation consumes and produces

Often thought of as a four-legged stool, you can’t produce a functional seat without considering all four. The analogy fails given three-legged stools are inherently stable, but anyway…

CIA is… of course you know what this is! I’ll recap anyway:

  • Confidentiality – Ensuring only those entitled to access an asset are permitted to do so
  • Integrity – Ensuring an asset is accurate and remains unchanged
  • Availability – Ensuring an asset is accessible when it’s required

You may have heard this described as “the right data for the right people at the right time”.

Combining the models

We can view this as a table quite easily, and here I’ve added some arbitrary scores in as an example:

Confidentiality Integrity Availability
Processes 2 3 3
Organisation 2 3 4
Technology 4 5 5
Information 2 2 4

I’ve found this table a great teaching aid, but limits the information that can be effectively conveyed. It is a great way to present a gap analysis across the twelve areas! Some audiences may respond better to other presentation, focussing on either the traditional programme/business change or information security perspective.

Building an example

Let’s look at this from a more conventional business perspective, and you can consider how you might create the view for your own organisation. We need to think for each of the twelve combinations how the intersection of the two concepts impact the intended audience.

Processes

  • Confidentiality - Lots of companies have developed processes that give them a competitive edge, whether that’s a specific optimisation allowing an assembly line to achieve higher throughput to an underwriting method that allows an insurer to better estimate their customers’ risk profiles.

  • Integrity - Consistency and repeatability of process is a whole field in itself, with ISO9000 being a family of standards most will recognise. I don’t know about you, but when I drive a car I want all four tyres to be manufactured to the same high standard.

  • Availability - “I’m sorry, the office is closed. Our opening hours are…” is never what you want to hear, but there’s a world of difference between intentionally allowing your staff to go home at night and trying to deal with a major business-impacting incident. The surge in popularity of cyber-resilience is indicative of the shift in thinking in this area – it’s more important to keep running than to avoid incidents at all costs.

Organisation

  • Confidentiality - “The name’s Bob – just Bob. Unlicensed to tell my mates about my work down the pub.” With the (somewhat anecdotal) figure that two thirds of security incidents are caused by an individual’s (in)action, it’s clear to see that confidentiality is dependent on the people and culture within the organisation. If staff aren’t trained to treat information and resources with care, they’ll contribute to that figure above.
  • Integrity - We’ve all heard of people described as ‘pillars of the community’ with great integrity. Being able to trust staff is vital when securing information, and we can manage risks here by employing techniques such as vetting potential employees, building trust over time, as well as our stalwarts of the ‘need to know’ principle and the separation of duties.
  • Availability - To make processes work, to transform information, to use the tools, we need people. Not often a concern of information security, ensuring there’s skilled people to make things happen is an easily overlooked task. Succession planning, forecasting demand on staff and multi-skilling are potential options.

Technology

  • Confidentiality - The InfoSec specialist’s comfort zone. All sorts of tools and techniques exist to provide confidentiality in a multitude of areas. Encryption, authentication, authorisation, SIEM, IDS, IPS and a plethora of other buzzwords abound in the IT space. In physical security safes, alarms, security guards and other techniques can be employed to ensure the safety of the organisation’s assets.
  • Integrity - There’s a vast number of products to assure integrity, whether it’s via hashing to ensure files aren’t modified in storage or in transit, or maybe multiple sets of alarms on a building. Even a quality sensor on a water supply is an example of ensuring integrity of a (very valuable) asset.
  • Availability - Organisations are becoming experts at understanding system availability. In recent years, air traffic control IT systems have failed, leaving planes and passengers stranded at airports around the globe. It’s not rare to build high-availability systems, only to find an incident causes an outage via an unexpected or untested failure mode. Practice difficult and novel failure scenarios!

Information

  • Confidentiality - Data loss and high-profile breaches are sadly becoming the norm rather than the exception. Legislation and regulation on the storage of information assets abound (in the UK, the DPA1998 is the obvious one) and provide for financial penalties for losing data. Knowing what assets are held, their owners and their value helps to identify the level of controls needed to secure that data.
  • Integrity - It’s a pleasant surprise when an organisation makes a mistake in your favour. But what would you do with a €11.7 quadrillion phone bill? Exam marks mis-recorded, turning an ‘A’ into a ‘B’ and losing a place at that Top-5 university? And as for incorrect medical notes… 500g of a drug instead of 500μg won’t make a difference, will it? Again, legislation and regulation require organisations to address integrity of information assets with the potential for hefty fines and legal action.
  • Availability - Organisations need their information assets to operate. A car factory needs to know what models to build, what colours to paint them and what options to add as they pass down the line. It needs to order stock from its suppliers and organise transport for the finished cars. It can’t do that without its order systems, stock management and shipping systems having that information visible in a timely manner.

And then what?

Adapt the concept to fit your environment. Some organisations will identify more readily with the 4 Ps: People, Process, Products and Partners. Some will already be using Balanced Scorecard to measure their business. The important point is that if it helps explain data protection and security needs to business change practitioners, or vice versa, then it’s served its purpose.

You might consider a heatmap of strengths and weaknesses to inform your continuous improvement activities. You could add other dimensions, perhaps showing improvement over time. Representing the inside of the cube would pose an interesting visualisation problem!

What do you think? Let us know your thoughts at hello@hamptondell.co.uk.

essential