In discussions with various personnel it is quite striking to see each one come up with their own way of interpreting controls and of deciding to what depth each control needs to be implemented. I would like to illustrate this with a discussion I had recently. The standard itself does not address this; it is left to the person who implements the control and to the auditor to decide how they want to assess the effectiveness of the implementation.
Up until now, some of the aspects we look into while implementing a control are listed below:
- Is the cost of implementing the control less than or equal to the loss that the damage from a threat could cause the organization?
- Does the control implementation enable process improvements?
- Is the control implementation required as part of legal, regulatory or contractual requirements?
The effectiveness of each control we implement should ensure that the risk is mitigated; risks for which a control is not available or cannot be implemented (for various reasons) are considered residual risk. How does an organization determine the depth to which a control is implemented?
Let me give you an example from the recent discussion. One organization was planning to roll out its teleworking process and hence wanted to know which security controls could be implemented. After a long discussion all of them agreed on controls such as encryption of the disks and a requirement that users store their data in a particular folder which would automatically be backed up when they connect to the organization's network; biometric authentication is in the pipeline, and that closed the discussion.
The trigger for a debate came when one of the stakeholders raised the point of having a physical lock for the laptop, which would ensure that the laptop cannot be stolen, or would at least delay or deter a malicious person intending to steal it. The other members said that the physical lock was not required and that the laptop user should take care of his/her laptop.
This brings us to the question of the depth to which that control should be implemented. I look at the following points, which explain why we should implement the physical lock for the computer.
- Where the data is stored on the laptop is up to the user. He/She can store it either in the folder that gets backed up automatically or elsewhere, where it will not get backed up. This is user-driven.
- The data stored in other locations could be critical to the organization, and that storage cannot be monitored all the time.
- The drive is encrypted, so the data cannot be exposed. But the intent of certain malicious persons is not only data theft; it is destruction of data or destruction of service.
- So if the laptop is stolen, how much time does the user need to get back to his/her normal work with all of the data restored?
- Will all the data be restored?
- Of course, the cost of the laptop needs to be considered.
I would recommend that depending on a user to ensure security should only be done in the following two cases:
- If the cost of the control is more than the loss that the damage from a threat could cause.
- If there are no further controls that can be implemented after that particular point.
The first point is clear, as everyone is aware of it. Let us relate the second point to the example above. When we implement the physical lock, we are not transferring the responsibility for securing the laptop against theft to the user; we have implemented a control to take care of that. But it is still the user's choice to either lock the laptop or leave it unlocked. Now we can transfer the responsibility to the user, because I cannot see any other control that can be implemented after the physical lock.
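To make the reasoning above concrete, here is an added illustration (not part of the original post) that walks the laptop example through the two tests discussed: the cost-versus-loss criterion from the list at the top, and the rule on when it is acceptable to leave security to the user. All cost, loss and risk-reduction figures are constructed for the example, since the post gives no numbers, and the control chain order (encryption, backup folder, biometric authentication, physical lock) is an assumption about which control sits "after" which.

```python
"""Control-depth walk for the teleworking laptop example (added illustration).

All cost, loss and reduction figures below are constructed for the example;
the original post gives no numbers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float      # constructed: yearly cost of running the control
    reduction: float        # constructed: fraction of the remaining expected loss it removes
    user_dependent: bool    # effectiveness relies on the user doing the right thing


# Constructed expected annual loss from laptop theft before any control:
# replacement, restore time and unrecoverable data rolled into one figure.
EXPECTED_ANNUAL_LOSS = 4000.0

# Assumed chain order: each control sits between the threat and the residual risk,
# and the physical lock is the last point at which anything can still be done.
LAPTOP_CONTROLS = [
    Control("full-disk encryption", 300.0, 0.50, user_dependent=False),
    Control("auto-backed-up folder", 200.0, 0.30, user_dependent=True),   # user picks the location
    Control("biometric authentication", 400.0, 0.10, user_dependent=False),
    Control("physical laptop lock", 50.0, 0.40, user_dependent=True),      # user must actually lock it
]


def should_implement(control, loss_prevented):
    """First criterion on the page: implement when cost <= the loss the control prevents."""
    return control.annual_cost <= loss_prevented


def evaluate_chain(initial_loss, controls):
    """Walk the chain, deciding each control in turn.

    Returns (decisions, residual): decisions is a list of
    (name, loss_prevented, implemented); residual is the expected loss left
    after every implemented control, i.e. the residual risk.
    """
    remaining = initial_loss
    decisions = []
    for control in controls:
        loss_prevented = remaining * control.reduction
        implemented = should_implement(control, loss_prevented)
        decisions.append((control.name, loss_prevented, implemented))
        if implemented:
            remaining -= loss_prevented
    return decisions, remaining


def user_reliance_acceptable(controls, index, loss_prevented):
    """The post's two cases in which leaving security to the user is acceptable
    at a given point: the control there costs more than the loss it prevents,
    or no further control can be implemented after it."""
    control = controls[index]
    is_last = index == len(controls) - 1
    return control.annual_cost > loss_prevented or is_last


def review(initial_loss, controls):
    """Combine both checks into a per-control report."""
    decisions, residual = evaluate_chain(initial_loss, controls)
    report = []
    for index, (name, loss_prevented, implemented) in enumerate(decisions):
        control = controls[index]
        rely_ok = user_reliance_acceptable(controls, index, loss_prevented)
        report.append({
            "control": name,
            "loss_prevented": round(loss_prevented, 2),
            "implement": implemented,
            "user_dependent": control.user_dependent,
            # a user-dependent control that is not the last line needs something after it
            "needs_further_control": control.user_dependent and not rely_ok,
        })
    return report, residual


if __name__ == "__main__":
    report, residual = review(EXPECTED_ANNUAL_LOSS, LAPTOP_CONTROLS)
    for row in report:
        print(row)
    print("residual expected annual loss:", residual)
```

With these constructed figures the backup folder comes out as user-dependent with a control still available after it, so the report flags it as needing a further control; the physical lock, being the last point in the chain, is where reliance on the user becomes acceptable, which is the conclusion the discussion reached.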
Looking forward to your responses.