Bright Stove

Reflecting information risk journey

Archive for April 2011

Taipei – 9th RAISE Forum Meeting


April 1st marked the successful completion of the 9th RAISE Forum meeting hosted by the Information and Communication Security Technology (ICST) Institute in Taipei city. The two-day meetings, as in all previous RAISE Forum meetings, covered a slice of the top-of-mind information security issues, concerns, and thoughts amongst the participants across the region. A new participant reflected that it was “rich in information and contents”, and I’m glad that it has been that way since its inception.

The logistical support for this meeting was extended with two new capabilities. One was the addition of an online conferencing service, using Cisco WebEx, in response to members’ requests from the past two meetings. The WebEx session was set up by the host, which allowed a few members to participate in the two days’ meetings online via the Internet. This setup also allowed the meeting to be recorded for replay by interested members at a future date, which should help in preparing the publication of the meeting proceedings. I should say that this capability was very much a pilot this round, which proved very useful, and we should look into its use in future meetings for a wider audience (in the Asia Pacific region).

As part of our efforts to improve communications and information sharing amongst RAISE Forum members and participants, a @raiseforum.org account was created on Twitter.com recently, and during this meeting the proceedings were updated via short tweets from that account. This new capability allowed “followers” of @raiseforum.org on Twitter to get instant updates on what’s happening at the meeting even when they are not at the physical venue. The series of tweets (about 150 in total) provided a summary of the contents discussed in the Forum meeting. With that, I can save a few more paragraphs here 🙂

As you might have noticed from the @raiseforum.org updates of the meeting proceedings, at times there were long breaks between updates, or only very brief updates, in those sessions when I was held up either facilitating a discussion, presenting a topic, or asking/answering questions from the floor (online and on-site). A learning from this is that I need a backup person in the meeting to continue with the simultaneous Twitter updates when I’m presenting or facilitating the discussion. I would also expect that, with increased familiarity with the Twitter tool, some online “followers” may also RT specific updates to place a comment or ask a question. Again, we would need to look at how to handle that incoming traffic, either simultaneously or after the event.
Amongst the topics discussed, Cloud computing security and privacy took the bulk of the agenda on both days. The concerns from various groups, including ITU-T SG17, economies’ representatives, and the Cloud Security Alliance (CSA), were shared and deliberated. The ISO/IEC JTC 1/SC 27 WG 1/4/5 joint study period on this topic was also shared to invite input/feedback on standardization needs in Cloud security and privacy. Managed security services, or Security as a Service, was identified as an important area to look into, in addition to the current focus on PaaS, IaaS, and SaaS. Perhaps, instead of creating another name for SaaS, this may be named “Assurance as a Service” (AaaS).

Another interesting discussion was in the area of Social Media Security, which included concerns over related enterprise policy, users’ privacy, as well as cyber-bullying. Prof Pauline Reich shared her research and ongoing study in this area.

In the deep-dive sessions, the challenges of information security professional certifications were presented and discussed. The differences in practice between different economies in the region raised concerns amongst the participants. On a positive note, the (ISC)2 Certified Information Systems Security Professional (CISSP) credential remained the most recognized as the common baseline that all could leverage, at least for the time being.

The two-day dialogues and discussion reaffirmed the importance of information sharing amongst the participating economies at the RAISE Forum. The meeting concluded with a dinner hosted by ICST on the 88th floor of the Taipei 101 tower (the world’s second tallest tower), and a plan to meet again towards the end of the year or early next year in Seoul, South Korea.

Written by mengchow

April 30, 2011 at 3:14 pm

Posted in Security Standards

Berlin Walls – Reflecting the 9th WG 4 meeting


It has been six months since the Berlin meeting in October 2010. It was my first trip to Berlin then, brought about by the SC 27/WG 4 convenorship. The trip was a memorable one, not just because of the rich historical and scenic settings of the city and nearby towns, the beautiful atmosphere of autumn with colorful leaves along the streets in the city, or the juicy pork knuckles (a special German dish), but also because of the events that took place through the nine days of meetings.

The progress for a number of projects wasn’t smooth this round. One of the projects that was held back was ISO/IEC 27034 Part 1 – Application Security: Overview and Concepts. At 2nd Final Committee Draft (FCD), which is very near to its completion, some National Bodies (NBs) and the SC 7 liaison officer raised concerns over its relationship with related life-cycle standards published in SC 7, and language-related (syntax) issues. So it remained at 2nd FCD (which means second final committee draft) for another round of NB review. One may think that final means done, but in our case we often have a second, and sometimes a third and fourth, final.

Another was ISO/IEC 27033 Network Security Part 2 – Guidelines for the design and implementation of network security, which should also have progressed to FDIS, but didn’t make it. Instead, the project editor proposed that it revert back to working draft (WD) stage, which was supported by the majority of NBs during the WG plenary. The decision was subsequently overturned at the SC 27 plenary to keep the project at FCD status for another six months of review. While there is provision in the SC 27 directive for “backward progress” to happen, the WG Plenary decision to do this seemed to be the first time in the history of SC 27, and that first time was erased from history at the SC 27 Plenary.

Slow progress was also experienced in ISO/IEC 27032 – Guidelines for Cybersecurity, in which a new member of an NB who had just started participating in this project wanted its scope to be revised to align with her government’s Cybersecurity policy, instead of accepting that the document had been developing with a scope that was already agreed and supported by the project members early in the process. When nationalism or personal desire kicks in, it is always painful to make progress in such multinational projects that need collaboration and cooperation to succeed.

The Berlin Wall, famous for separating East and West Germany, came down in 1989. With its destruction, Germany has since become a unified whole for the people from both sides. Ironically, the meeting held in Berlin during the autumn was challenged by various virtual walls erected between the project editors and between some NBs’ experts. They went beyond just the WG meeting, extending into the Plenary. The outcomes were simply less than satisfactory. According to Taoist principles, this may not necessarily be a bad thing, as it provides new learning, experience, and understanding.

On another note, progress and changes were made for a number of other projects in WG 4 at the same time. ISO/IEC 27036 was re-structured into a four-part standard following the recommendation of the Study Period on ICT Supply Chain Security, combining the scope of ICT supply chain security, managed services, and outsourcing (and potentially Cloud-sourcing in the near future) into a single (four-part) project. The Study Period on Storage Security was successfully completed with a new work item proposal of the same title, and ISO/IEC 18043 (Selection and Deployment of Intrusion Detection Systems) was approved for revision, and would be re-numbered as ISO/IEC 27039. ISO/IEC 27037 – Guidelines for Identification, Collection, Acquisition, and Preservation of Digital Evidence attained consensus to elevate to 1st Committee Draft (CD) status, and ISO/IEC 27035 – Information Security Incident Management attained consensus to become Final Draft International Standard (FDIS) status, which means it is ready for publication soon.

A number of new Study Periods (SPs) were also initiated during the meeting: two SPs relating to Digital Evidence, one joint SP with WG 1, 3, and 5 on Cloud Security and Privacy, one SP on Terminology and Vocabulary, and one SP on incident response operations and management. These SPs line up a whole new set of projects over the next six months to three or four years, depending on their viability.

That week in Berlin, SC 27 also celebrated its 20-year anniversary, along with the publication of the Platinum Book, and each participant was also given a T-shirt with the list of SC 27 meeting locations printed on the back. Germany’s standards body, DIN, hosted a reception for the participants on one of the evenings as well.

Next week, the group shall reconvene in Singapore. Its multi-racial, multi-religious, and multi-cultural environment, and its vibrancy as a city at the center of Asia, very much mirror the make-up and complexity of the SC 27 social grouping. Looking forward, as always.

Written by mengchow

April 7, 2011 at 8:16 pm

Keep left, walk right


I have been jogging outdoors whenever I’m in Singapore, due mainly to the warmer weather and cleaner environment there. During my jogs, I have observed the drainage covers that are lined up along the pavement of various walkways or footpaths just next to the roads. Most cemented walkways have the drainage covers placed on one side of the walkway. So if you are walking or jogging from one direction, the drainage covers would occupy the left-hand side of the pavement, leaving a slightly less than one foot wide cleared path on the right. With that, you would tend to walk or jog on the right-hand side of the path to avoid stepping on the drainage covers, in case the covers are not properly secured and you get your leg trapped or drop into the drain below accidentally. If you are walking or jogging from the opposite direction on that same walkway, however, you would see the drainage covers now occupying the right-hand side, which leaves the left-hand side cleared. In this case, you would tend to walk on the left-hand side of the walkway. This is actually a more natural side for folks in Singapore (and perhaps in the Commonwealth countries as well), given that the road system here is to keep left by default and therefore people tend to walk on the left-hand side of the road. In the former case, as a result of the placement of drainage covers, you are unconsciously influenced by design to walk on the right side of the walkway, which is actually quite awkward since we are “trained” to walk on the left-hand side by default. When there are pedestrians on both sides of the walkway, people tend to try to stick to their side of the walkway and avoid shifting to step on the drainage cover area. When they do that, you get a feeling that they are giving way to you. It is the same feeling when you do the same for others. Such is how design decisions made on everyday things around us can influence our behavioral responses, whether you feel it or not.

I also noticed that some walkways have drainage covers that are as wide as the walkway itself. In those cases, pedestrians are kind of forced to step on every cover as they walk or jog forward, inevitably required to take a risk every few steps. I wonder whether the public works authority realizes such an implication of their design decision and the ultimate responsibility they have in the maintenance of so many drainage covers across the country. Newer walkways, nevertheless, seem to have taken this into consideration, and their drainage covers are placed at the center of the pathways, leaving the two edges cleared and creating two small walkways for the pedestrians in both directions. The total width of the walkway, however, remains narrower than the width of the drainage cover itself. So it seems that the design is to cater for the workers getting in and out of the drain underneath the walkway through any of the openings, rather than for the pedestrians walking on top along the walkway.

Coincidentally, I picked up a new book entitled “The Shallows: What the Internet is doing to our Brains” a few days ago. The book stresses the idea that “the medium is the message”, that technology frequently has a more influential role than the contents that it carries. More often than not, our habits and behaviors are influenced by the design of our environment, and the technology that we use.

Written by mengchow

April 6, 2011 at 10:27 pm
