A few days ago, an article was posted on the (ISC)2 blog about the idea of a new CBK to cover “human factors” in security.
(ISC)2 means (take a deep breath) “International Information Systems Security Certification Consortium”. This is a not-for-profit organization which maintains, amongst others, the CISSP certification. The current certification program is based on ten “Common Body of Knowledge” (CBK) domains, ranging from cryptography to risk management and covering all the security aspects of information technology (more info on Wikipedia).
The article proposed to include a specific CBK dedicated to “human factors”. Of course, people are often the weakest link in the chain and we need to take care of them. Still, I don’t think that a new CBK is required now. Why? Even if computers were originally developed to automate as many boring or recurring tasks as possible, they are always controlled by humans (let’s hope that the WarGames scenario will never happen). Computers perform tasks only if a programmer or a user requests it. For me, that’s why computers cannot be separated from their users. There is always somebody behind the keyboard. Let’s review some topics covered by the current CBKs:
The CBK about “Access Control” covers topics like logical and physical security. Access control can be performed by a human (a security guard, a receptionist) or by mechanical means (locks, badges). Your access control procedure must already take care of the human factor: what about the corruption of your guard? Best practices say that access control must be provided by multi-factor authentication means. One of those factors is “something you are” (a fingerprint, your voice print). That is directly related to humans, or am I wrong?
The CBK which covers business continuity and disaster recovery states that the golden rule when you need to launch your DRP is “people first”! When you define a business continuity plan, you have to take care of your team members (example: relocate them to another building). Communication channels must be properly defined to reach all the team members and guide them in the right way. When you start a DRP/BCP project, representatives from all the departments are required (management, human resources, helpdesk, sales, …). The first goal is to set priorities on all the existing business processes in your organization. For sure, you’ll have to take the “human factor” into account: everybody will try to push his own process to the top of the list as the “most-critical-process-ever”!
Also in software development, human factors are part of the game from the beginning of the development process. User interfaces must be designed to avoid mistakes. Here is an interesting paper about human interface/human errors.
A last example: risk management. When performing a risk analysis, your study may come to the conclusion that some specific risks could be reduced with stronger procedures. You’ll have to present your conclusions to the management (which needs to endorse you) and to the people involved with the risk. Good communication skills are required to defend your results.
Finally, human errors are the source of most security issues. A good example is the recent Cisco network outage. The article posted on the (ISC)2 blog is right about human factors. They must be covered, but that is already the case in all the CBKs. Any comments from other CISSPs?