Sermon - TLIS - 1.1.7 - Security Frameworks
Proverbs 11:14
For lack of guidance a nation falls, but victory is won through many advisers.
1 Corinthians 12:28
And God has placed in the church first of all apostles, second prophets, third teachers, then miracles, then gifts of healing, of helping, of guidance, and of different kinds of tongues.
Psalm 25:5
Guide me in your truth and teach me, for you are God my Savior, and my hope is in you all day long.
Jeremiah 33:3
Call to me and I will answer you and tell you great and unsearchable things you do not know.
I know. I'm talking about security frameworks, and you are thinking that the only framework that we need in the Christian life is the Bible.
That just shows that you don't know what frameworks are.
First of all, I suppose I should talk about what policy is. Once again, you think you know what a policy is, and you don't. You think that the Bible is a policy guidebook. Well, no, the Bible is way too big to be a policy guide.
Yes, you have policy guides probably at your work, probably for any organization that you belong to, and probably your church even has one or two policy guides. They are great big thick fat documents, just like the Bible. You think that the Bible is a policy guide.
No, it's not.
First, there is the actual policy. The policy, for the Christian life, probably boils down to:
1. Love God
2. Love your neighbor
3. Spread the gospel
That's it. Policy is a lot shorter than most people think it is. The actual policy is more like what people tend to think of as a mission statement. The shorter you can make it, the more focused you can make your policy. So God wants us to love Him, and then to love our fellow man, and then to spread the good news. To everyone. Policy is the foundation. The barest fundamentals. It defines what the enterprise considers valuable, and the goals and objectives. But I did say "policy guide." That does tend to contain other documents like our standards, our baselines, our procedures, and some guidelines.
Guidelines are where frameworks come in.
COSO is an acronym that stands for Committee Of Sponsoring Organizations, which is itself an abbreviation of the Committee of Sponsoring Organizations of the Treadway Commission. The Treadway Commission was formed in response to the financial crisis of 1980, after financial institutions had been very busy selling junk bonds to people who then lost their life savings. That started a problem with the financial institutions not being able to sell anything to anyone because nobody trusted them and therefore they were losing money. So the Treadway Commission was formed in order to figure out how to convince people that financial institutions were safe people to deal with. In other words, they wanted to figure out a way to lie to people. This was an absolutely cynical project from start to finish. The entire intent was to get people to trust organizations which had demonstrably proven themselves to be untrustworthy. I very much doubt that anyone intended it to ever make any change in business management at all.
But the result was very good. This is one of the "breakdown" frameworks. Breakdown frameworks mean that instead of trying to improve your entire business all at once, or to protect your business all at once, you break it down into small sections, and then try to protect and improve each individual section. Later on you can try and address overall problems of the whole institution, which is probably going to be informed by the breakdown that you have done and the protections that you have put in place at lower levels.
We can use breakdown models in our own Christian life. Instead of trying to improve yourself all at once, which becomes a huge and impossible task, you instead take a section of your life and examine it carefully, looking for flaws or areas of improvement. For example, instead of trying to address everything in your life, first address your reading of the Bible. Find a time that works for you, and an amount of time that works for you, and figure out how many chapters of the Bible you could likely read in that time. Then set yourself a quota of reading two chapters of the Bible per day. If you keep this up every day, it will take you two years to read the entire Bible, cover to cover.
Then there are the checklist frameworks. Generally speaking, in security I call these the 135 checklists, because most of them have approximately 135 items on them. Possibly 133, or 138, but within a few numbers of 135. It is astounding how consistent this has been over time. These checklists have fallen out of favour and haven't been updated in about a decade, but recently GDPR set up the accountability standard, and they came up with a checklist. It had roughly 135 items on it.
In the Christian life, our checklists tend to be smaller. Generally speaking, we would go for the Ten Commandments. Ten items. So there's a checklist that you can go through and figure out whether or not you're doing well.
However, that's certainly not the only one. You will find books with a dozen steps to this, or twenty steps to that, or seventeen items to consider with regard to your faith. Use these checklist frameworks to address different areas of your Christian life and improve things.
One common category of frameworks in the security world is the maturity models. Maturity models usually have five or six steps to them, and assess how mature the organization is. This does not mean how long you have been in business, but rather how well you manage your systems and your overall performance on an ongoing basis. This is quite useful if you use it properly. The big mistake that people make is to say, "Okay, we are at the first step. We want to get right to the top level here." The big lesson with maturity models is that you have to take it one step at a time. There is no point in being at a chaotic level and trying to go to a fully managed level right away.
That lesson is directly applicable to our Christian lives. We cannot reach perfection immediately. We have to take each imperfection in our lives and try to address it separately. And we have to ensure that we do not expect, once we have addressed something, to never fail in that area again. Forgive yourself, in the same way that God forgives you. Try, but do not expect yourself to be perfect.
Certain types of security frameworks come from business management frameworks. There is one that I find particularly useful called the Balanced Scorecard. The point is to have you assess yourself in your business in four different business areas. The intent of doing so is to find out where your business is not the strongest, but the weakest. Then concentrate on improving that particular aspect of your business. That way, you improve the weakest link in the chain, as it were, and make a greater contribution to improving your business overall.
This is directly applicable to our Christian life. Look at your Christian life. Yes, take note of where you are strong, but pay particular attention to areas where you are weak. Do you fail to read the Bible regularly? Do you have inconsistent prayer time? Do you fall down in the areas of volunteer work, or contributing to charity, or the church itself, or to other charitable donations? Have a clear-eyed viewpoint and look at your Christian life. Where are you the weakest?
That is the area to concentrate on. Remember that our adversary is not going to attack us at our strongest. As I have said elsewhere, our adversary is not going to play fair with us. They are not going to attack the area where we expect it and have protected ourselves. They are going to attack us at our weakest. Attack an insufficient prayer life. Attack a weakness for alcohol or a wandering eye. We need to concentrate on the areas of our life that open us and make us vulnerable to attack.
Theological Lessons from Information Security
Sermon - TLIS - 0.2 / 47 - Integrity/Robert Slade is a world renowned speaker
Sermon - TLIS - 1.1.3 - Functional and Assurance Requirements
Sermon TLIS - 1.1.5 - "Footprints" and key performance indicators/metrics
Sermon - TLIS - 1.2.1 / 34 - Edit, Audit, Prophet
Sermon - TLIS - 1.5.1 - Manage Everything
Sermon - TLIS - 1.7.1 - Organizational Roles and Body Parts
Sermon - TLIS - 9.8.5 / 73 - Muster station, safe and secure
Sermon - TLIS - 10.3.1 - Intellectual Property
Sermon - TLIS - 10.5.1 - Privacy
Sermon TLIS - 10.6.1 / 54 - Liability and Negligence