Bright Stove

This is not about Windows 7 or Microsoft, but to have a tail to the head that I started while at Redmond in early November 2009, about the progress of the 7th meeting of WG 4 and what lies ahead for the 8th meeting in less than six months time.

From a progress standpoint, let’s say if someone is tracking WG 4’s performance by the speed of it’s standard development, then I think we are on track. Two projects have moved to FCD balloting (27031 and 27033-3), two have moved from WD to CD balloting (27032, and 27033-2), and two new items have started work in good progress into their first working draft (27034-2 and 27033-4). If we track also the number of national bodies’ comments, there were substantial number of contributions as well. A quick sampling revealed that project 27031 received 148 comments, 27032 has 248, 27035 has 171, and 27036 has 128. Overall (counting all projects’ comments), there were more than a thousand comments resolved within the week.

 

While we may use some logics between the number of comments and the rate of progress from one stage to another to gain certain assurance on whether the standard is on the right path, those numbers however do not necessary translate into quality standards. For example, after going through the many rounds of editing on WG 4 Standing Document 1 (SD1) on WG 4 Roadmap, I noticed that majority of the comments received over the three years period, broken down by their types, i.e., editorial versus technical, we see a very low percentage of technical contributions. Much efforts were invested in the document just to keep the status of various projects updated, and then they become obsolete shortly after. So for the next revision, I’ll be removing all status details from the roadmap and basically organize the list of projects by three broad categories: Published standards, Standards in development stages, and potential and future work items. This also addresses a consistency issue between SD1 status updates and SC 27 SD 4, which is a document that has a consolidation of all project status across the entire sub-committee. With this change, perhaps the NB has less things to review in SD1 and could have a better focus on the roadmap proper. Would this help in improvement of the roadmap henceforth? I think it is a small step forward, and we shall see.  

With regards to other projects in WG 4, perhaps one of the things that we could do going forward is to pay more attentions on the breakdown between the technical and editorial comments, and also how often structure get changed and contents get removed and placed back later. By driving for more focus on technical contributions, at least at the early stage of the development, perhaps we could get better quality standard (technical-wise). Again, such metrics would probably indicate the proportion of attentions into the meat of the standards in development rather than the dressing and presentation. 

On the first day of the meeting, I had the rare opportunity to sit in and observed two WG 1 project meetings on the revision of the ISMS standards, i.e., 27001 and 27002. At both meetings were two groups of NBs debating on what to revise, in particular, the extent of changes to make in the revision. A few NBs proposed that the structure of the documents should be changed, and the focus of the standard should be specifically on the information security domains, reducing or eliminating sections from 27002 that are not directly parts of information security management. Speaking to some delegates, I gathered that these changes were introduced as a results of learning and experience from certain implementations of the standards. However, other NBs were strongly against this approach for several reasons relating to the current growing population of certified companies involved. For one, major changes to structure and contents would invalidate the current base of certified companies, which require them to go through a complete recertification. While this could mean good business to the ISMS consultants and auditors, it also raises questions on the maturity of the certification scheme as a whole. Not many companies may one to go through a complete recertification and if that’s the outcome, then many consultants and auditors’ jobs may actually be at stake. If major change of this nature can proceed just after a few years of the standards publication, what is there to stop another major overhaul in another few years? Many companies would not welcome such disruption introduced by a certification that they have embarked upon. For those who were not so concerned about the certification itself, the issue they have was about the holistic nature of the standard. Would the revision make the standard so narrowly focused that it becomes applicable only to enterprise or organization of certain size or characteristics? Can, for example, 27002 continue to be used as a reference guide for quick assessment purposes? I could not see an easy resolution to these concerns. Someone will have to lose, it seems. Unfortunately, I didn’t have the capacity to look more closely into this development during the week due to the busy schedule that WG 4 is already engaged with. I will have to read the meeting report to find out the conclusion. 

The irony that’s perhaps worth highlighting here is the influence of these externalities to the development of the standards, in both it’s evolution process and it’s contents and structure. What is a good quality standard given these influences and constraints? Interestingly, we are often taught that standards are an important tool for achieving quality. Yet, in developing standards, we are faced with the challenges of ensuring quality in standards, which is not an easy undertaking given the externalities involved.

Unlike many things that undergo standardization, security has a peculiar characteristic that perhaps makes it challenging to be standardized. Security does not stay still. It changes as it’s environment change. What we can capture from an environment is only a snapshot of a given time, which is likely to have changed when we are reviewing that snapshot. Projects 27031 (ICT Readiness), 27032 (Cybersecurity), and 27037 (Digital Evidence) are attempts to establish suitable frameworks and provide guidance to help organizations prepare for undesirable changes to occur (failure events, emerging risks, incidents-to-be-happened, etc). The success of these standards, when available, however, still depends very much on how the practitioners adaptation to their respective operating environment.

 

At the Redmond meeting, the study period on Digital Redaction has also been closed successfully, in which a new work item proposal for “Guidelines for Digital Redaction” will be put up for NB ballot in the next few weeks. In addition, two new study periods have also been initiated in the WG, on Storage Security, and Supply Chain Security Controls, respectively. The next meeting will be hosted by the Malaysian NB at Malacca in April 2010. Between now and then, the editors and NB experts have a lot to update, review, comment, and contribute. I’m certainly looking forward to all of these to come.