David Berkelmans, Executive Director
Recently the report titled ‘Review of the Events Surrounding the 2016 eCensus’ prepared by Alastair MacGibbon, Special Adviser to the Prime Minister On Cyber Security, was made public. The report goes into great detail of the events leading up to, and after, the Census website was shut down on Census night.
Shortly after the events of Census, I wrote a blog about the possible risk management practices that may have occurred. I was very interested to see what the report said about risk management.
There is some great analysis of the risk management practices, and reading through the report, one line on page 60 jumped out at me:
“In hindsight, we know that the identified controls were not adequately implemented for DDoS.”
For me, this is the most telling line in the whole report. The report provides details about how Distributed Denial of Service (DDoS) attacks were included in the risk register. It also provides details on what controls were listed to prevent DDoS attacks affecting the Census and elsewhere it describes why those controls weren’t effective, including both technical and non-technical factors
There are some great lessons to be learned from the details in this report, but for me, the biggest one is to make sure your controls exist and are effective. This doesn’t just go for this type of project, but goes for anything you are applying risk management practices too.
So often in our profession we see well-constructed risk management registers – normally inside an excel spreadsheet with fantastic use of formatting. Significant work has been done to identify all the relevant risks. Good analysis has been done of these risks and the risk ratings are generally spot on. Then we get to the controls column. Controls are listed, some make sense, some don’t and generally there is no analysis of the effectiveness of the controls. This somehow gets the risk rating down to an acceptable level.
A quote on page 61 states:
“Risk processes ‘ticked the box’, but didn’t drive security implementation.”
The fundamentals of risk management were done but this did not actually effectively mitigate the DDoS risk from occurring. So often I see this, risk management templates are filled in and all the required documentation is completed with a nice package presented to the board for sign off.
More needs to be done, further verification of controls needs to be done. Listing controls in a risk register and crossing your fingers and hoping they will work doesn’t cut it.