

{"id":611,"date":"2011-06-29T14:45:38","date_gmt":"2011-06-29T19:45:38","guid":{"rendered":"http:\/\/rud.is\/b\/?p=611"},"modified":"2018-03-10T08:01:38","modified_gmt":"2018-03-10T13:01:38","slug":"your-new-mega-security-program","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/","title":{"rendered":"Your New Mega Security Program"},"content":{"rendered":"<p>Everyone who can read this blog should remember the Deepwater Horizon spill that occurred in the Spring of 2010; huge loss of life (any loss is huge from my perspective) and still-unknown impact on the environment. This event was a wake-up call to BP execs and other companies in that industry sector.<\/p>\n<p>You should all also remember the &#8220;Sonage&#8221; of this Spring, where Sony lost millions of records across 12+ web site breaches; it should have been a wake-up call to almost every sector.<\/p>\n<p>BP committed to developing and implementing a new Safety &amp; Operational Risk (S&amp;OR) program (which is now <a href=\"https:\/\/www.propertycasualty360.com\/2011\/06\/29\/bps-mega-safety-program-operational\/?t=loss-control&amp;slreturn=20180210075550\">active<\/a>). Sony is planning on hiring a CISO and has started hiring security folk, but they really need to develop a comprehensive Security &amp; Operational Information Risk Program (and I suspect your org does as well).<\/p>\n<p>What can we in the info risk world glean (steal) from BP&#8217;s plan and new S&amp;OR Organization? 
Well, to adapt their charter, a new S&amp;OIR program charter might be:<\/p>\n<ul>\n<li>Strengthen &amp; clarify requirements for secure, compliant and reliable computing &amp; networking operations<\/li>\n<li>Have an appropriately staffed department of specialists that are <i>integrated<\/i> with the business<\/li>\n<li>Provide deep technical expertise to the company&#8217;s operating business<\/li>\n<li>Intervene where needed to stop operations and bring about corrective actions<\/li>\n<li>Provide checks &amp; balances independent of business &amp; IT<\/li>\n<li>Strengthen mandatory security &amp; compliance standards &amp; processes (including operational risk management)<\/li>\n<li>Provide an independent view of operational risk<\/li>\n<li>Assess and enhance the competency of its workforce in matters related to information security<\/li>\n<\/ul>\n<p>BP claims success from their current program (the link above has examples), and imagine &#8211; just imagine &#8211; if your org required &#8211; yes, required &#8211; that new systems &amp; applications conform to core, reasonable standards.<\/p>\n<p>In their annual report, BP fully acknowledged that <em>risks inherent in its operations include a number of hazards that, &#8220;<strong>although many may have a low probability of occurrence, they can have extremely serious consequences<\/strong> if they do occur, such as the Gulf of Mexico incident.&#8221;<\/em> Imagine &#8211; just imagine &#8211; if you could get your org to think the same way about information risk (you have plenty of examples to work from).<\/p>\n<p>BP did not remove responsibility for managing operational risk and operational delivery from the business lines, but they integrated risk analysts into those teams and gave them the authority to intervene when necessary. It took a disaster to forge this new plan. 
You don&#8217;t need to wait for a disaster in your org to begin socializing this type of change.<\/p>\n<p>Imagine&#8230;just imagine&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Everyone who can read this blog should remember the Deepwater Horizon spill that occurred in the Spring of 2010; huge loss of life (any loss is huge from my perspective) and still-unknown impact on the environment. This event was a wake-up call to BP execs and other companies in that industry sector. You should [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":true,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"activitypub_content_warning":"","activitypub_content_visibility":"","activitypub_max_image_attachments":3,"activitypub_interaction_policy_quote":"anyone","activitypub_status":"","footnotes":""},"categories":[3,4],"tags":[339,501,502,199,505,368,507,504,735,506,738,500,503],"class_list":["post-611","post","type-post","status-publish","format-standard","hentry","category-information-security","category-risk","tag-actuarial-science","tag-bp","tag-compliant-and-reliable-computing","tag-computer-security","tag-gulf-of-mexico","tag-information-security-2","tag-operational-risk","tag-operational-risk-management","tag-risk","tag-sor-organization","tag-security","tag-sony","tag-web-site-breaches"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Your New Mega Security Program - rud.is<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Your New Mega Security Program - rud.is\" \/>\n<meta property=\"og:description\" content=\"Everyone who can read this blog should remember the Deepwater Horizon spill that occurred in the Spring of 2010; huge loss of life (any loss is huge from my perspective) and still-unknown impact on the environment. This event was a wake-up call to BP execs and other companies in that industry sector. You should [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/\" \/>\n<meta property=\"og:site_name\" content=\"rud.is\" \/>\n<meta property=\"article:published_time\" content=\"2011-06-29T19:45:38+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2018-03-10T13:01:38+00:00\" \/>\n<meta name=\"author\" content=\"hrbrmstr\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"hrbrmstr\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/\"},\"author\":{\"name\":\"hrbrmstr\",\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\"},\"headline\":\"Your New Mega Security Program\",\"datePublished\":\"2011-06-29T19:45:38+00:00\",\"dateModified\":\"2018-03-10T13:01:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/\"},\"wordCount\":426,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\"},\"keywords\":[\"Actuarial science\",\"BP\",\"compliant and reliable computing\",\"Computer security\",\"Gulf of Mexico\",\"Information security\",\"Operational risk\",\"operational risk management\",\"Risk\",\"S&amp;OR Organization\",\"Security\",\"Sony\",\"web site breaches\"],\"articleSection\":[\"Information Security\",\"Risk\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/\",\"url\":\"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/\",\"name\":\"Your New Mega Security Program - 
rud.is\",\"isPartOf\":{\"@id\":\"https:\/\/rud.is\/b\/#website\"},\"datePublished\":\"2011-06-29T19:45:38+00:00\",\"dateModified\":\"2018-03-10T13:01:38+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/rud.is\/b\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Your New Mega Security Program\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/rud.is\/b\/#website\",\"url\":\"https:\/\/rud.is\/b\/\",\"name\":\"rud.is\",\"description\":\"&quot;In God we trust. All others must bring data&quot;\",\"publisher\":{\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/rud.is\/b\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886\",\"name\":\"hrbrmstr\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\",\"url\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\",\"contentUrl\":\"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\",\"width\":460,\"height\":460,\"caption\":\"hrbrmstr\"},\"logo\":{\"@id\":\"https:\/\/i0.wp.com\/rud.is\/b\/w
p-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1\"},\"description\":\"Don't look at me\u2026I do what he does \u2014 just slower. #rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7\",\"sameAs\":[\"http:\/\/rud.is\"],\"url\":\"https:\/\/rud.is\/b\/author\/hrbrmstr\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Your New Mega Security Program - rud.is","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/","og_locale":"en_US","og_type":"article","og_title":"Your New Mega Security Program - rud.is","og_description":"Everyone who can read this blog should remember the Deepwater Horizon spill that occurred in the Spring of 2010; huge loss of life (any loss is huge from my perspective) and still-unknown impact on the environment. This event was a wake-up call to BP execs and other companies in that industry sector. You should [&hellip;]","og_url":"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/","og_site_name":"rud.is","article_published_time":"2011-06-29T19:45:38+00:00","article_modified_time":"2018-03-10T13:01:38+00:00","author":"hrbrmstr","twitter_card":"summary_large_image","twitter_misc":{"Written by":"hrbrmstr","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/#article","isPartOf":{"@id":"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/"},"author":{"name":"hrbrmstr","@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"headline":"Your New Mega Security Program","datePublished":"2011-06-29T19:45:38+00:00","dateModified":"2018-03-10T13:01:38+00:00","mainEntityOfPage":{"@id":"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/"},"wordCount":426,"commentCount":0,"publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"keywords":["Actuarial science","BP","compliant and reliable computing","Computer security","Gulf of Mexico","Information security","Operational risk","operational risk management","Risk","S&amp;OR Organization","Security","Sony","web site breaches"],"articleSection":["Information Security","Risk"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/","url":"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/","name":"Your New Mega Security Program - 
rud.is","isPartOf":{"@id":"https:\/\/rud.is\/b\/#website"},"datePublished":"2011-06-29T19:45:38+00:00","dateModified":"2018-03-10T13:01:38+00:00","breadcrumb":{"@id":"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/rud.is\/b\/2011\/06\/29\/your-new-mega-security-program\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/rud.is\/b\/"},{"@type":"ListItem","position":2,"name":"Your New Mega Security Program"}]},{"@type":"WebSite","@id":"https:\/\/rud.is\/b\/#website","url":"https:\/\/rud.is\/b\/","name":"rud.is","description":"&quot;In God we trust. All others must bring data&quot;","publisher":{"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/rud.is\/b\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/rud.is\/b\/#\/schema\/person\/d7cb7487ab0527447f7fda5c423ff886","name":"hrbrmstr","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","url":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","contentUrl":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1","width":460,"height":460,"caption":"hrbrmstr"},"logo":{"@id":"https:\/\/i0.wp.com\/rud.is\/b\/wp-content\/uploads\/2023\/10\/ukr-shield.png?fit=460%2C460&ssl=1"},"description":"Don't look at me\u2026I do what he does \u2014 just slower. 
#rstats avuncular \u2022 ?Resistance Fighter \u2022 Cook \u2022 Christian \u2022 [Master] Chef des Donn\u00e9es de S\u00e9curit\u00e9 @ @rapid7","sameAs":["http:\/\/rud.is"],"url":"https:\/\/rud.is\/b\/author\/hrbrmstr\/"}]}},"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p23idr-9R","jetpack_likes_enabled":true,"jetpack-related-posts":[{"id":1376,"url":"https:\/\/rud.is\/b\/2012\/06\/23\/breach-reach-google-insights\/","url_meta":{"origin":611,"position":0},"title":"Breach Reach : Google Insights","author":"hrbrmstr","date":"2012-06-23","format":false,"excerpt":"UPDATE: I had to remove the Google Insight widgets and replace them with static images. There was inconsistent loading far too often in non-Chrome browsers. Click on the graphs to go to the Google Insights detail pages for more interaction with the data. Information security breaches have been the \"new\u2026","rel":"","context":"In &quot;Breach&quot;","block_context":{"text":"Breach","link":"https:\/\/rud.is\/b\/category\/breach\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":512,"url":"https:\/\/rud.is\/b\/2011\/04\/17\/a-fully-operational-os-x-dbclone\/","url_meta":{"origin":611,"position":1},"title":"A Fully Operational OS X dbClone","author":"hrbrmstr","date":"2011-04-17","format":false,"excerpt":"Spent some time today updating the missing bits of the OS X version of the Dropbox cloner I uploaded last night. You can just grab the executable or grab the whole project from the github repository. 
The app can now backup\/restore of local config, clone dropbox configs to a URL\/file\u2026","rel":"","context":"In &quot;Development&quot;","block_context":{"text":"Development","link":"https:\/\/rud.is\/b\/category\/development\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":629,"url":"https:\/\/rud.is\/b\/2011\/09\/23\/why-didnt-they-just%e2%80%a6\/","url_meta":{"origin":611,"position":2},"title":"Why Didn&#8217;t They Just\u2026?","author":"hrbrmstr","date":"2011-09-23","format":false,"excerpt":"A while back I was engaged in a conversation on Twitter with @diami03 & @chriseng regarding (what I felt was) the need for someone to provide the perspective from within a medium-to-large enterprise, especially when there are so many folks in infosec who are fond of saying \"why didn't they\u2026","rel":"","context":"In &quot;Information Security&quot;","block_context":{"text":"Information Security","link":"https:\/\/rud.is\/b\/category\/information-security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":658,"url":"https:\/\/rud.is\/b\/2011\/12\/10\/predictions-humbug-resolve-is-where-its-at\/","url_meta":{"origin":611,"position":3},"title":"Predictions? Humbug! Resolve Is Where It&#8217;s At","author":"hrbrmstr","date":"2011-12-10","format":false,"excerpt":"This is the time of year when pundits and armchair\/amateur analysts make predictions for the coming year. 
Given that only a tiny fraction of them predicted the Sonage of 2011 (not Sony specifically or the level of pwnage) or the RSA\/Lockeed [\u2191, \u2191, \u2193, \u2193, \u2190, \u2192, \u2190, \u2192, B,\u2026","rel":"","context":"In &quot;Information Security&quot;","block_context":{"text":"Information Security","link":"https:\/\/rud.is\/b\/category\/information-security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":298,"url":"https:\/\/rud.is\/b\/2011\/03\/07\/behind-the-mask-supporting-the-new-cio-personas\/","url_meta":{"origin":611,"position":4},"title":"Behind The Mask : Supporting The New CIO Personas","author":"hrbrmstr","date":"2011-03-07","format":false,"excerpt":"This morning, @joshcorman linked to an article in the Harvard Business Review \"The Conversation\" blog that put forth the author's view of The Four Personas of the Next-Genereation CIO. The term persona is very Jungian and literally refers to \"masks worn by a mime\". According to Jung, the persona \"enables\u2026","rel":"","context":"In &quot;Compliance&quot;","block_context":{"text":"Compliance","link":"https:\/\/rud.is\/b\/category\/compliance\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":133,"url":"https:\/\/rud.is\/b\/2011\/02\/14\/metricon-measuring-metrics-programs-why-arent-we\/","url_meta":{"origin":611,"position":5},"title":"Metricon: Measuring Metrics Programs (Why Aren&#8217;t We?)","author":"hrbrmstr","date":"2011-02-14","format":false,"excerpt":"Speaker: Jared Pfost (@JaredPfost) Framing: IT Security Metrics in an Enterprise \u00a0 If metrics are valuable, why aren't we measuring them. Virtually no research on them. 
\u00a0 The Chase Measuring metric program maturity would be easy, but not valuable Metric programs aren't a priority for enough CISOs for a benchmark\u2026","rel":"","context":"In &quot;Information Security&quot;","block_context":{"text":"Information Security","link":"https:\/\/rud.is\/b\/category\/information-security\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/611","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/comments?post=611"}],"version-history":[{"count":0,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/posts\/611\/revisions"}],"wp:attachment":[{"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/media?parent=611"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/categories?post=611"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rud.is\/b\/wp-json\/wp\/v2\/tags?post=611"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}