Thursday, July 2, 2015

Freedom of Speech vs. Freedom of Action

Over the last few weeks, my country, the USA, has seen a number of issues rise to the surface of public view and opinion.  While this blog will attempt to stay neutral on the individual issues, it will not be silent when comparing a vital element found in the mainstream media.  This element is easy to see once it's pointed out, but it's obviously been overlooked by the general public.  I'm talking about a basic misinterpretation of the first amendment.  Yes, I'm talking about freedom of speech and its key difference from freedom of action.

You see, there is a difference, one that is painfully obvious, yet seems to be largely ignored by certain individuals who try to hide behind the first.  Let's start by stating the intent behind this amendment and follow the trail from there.  When the founders of this country proposed the amendments, one thing was painfully clear to them at the time, the matter of freedoms, given that they had been under the oppressive thumb of the British crown and were in the midst of a revolt.  I propose that their thoughts were to create a country without the possibility of an oppressive government and, at the same stroke, justify their revolutionary actions to the rest of the world.

After the revolution however, they realized that some of the actions they themselves took could not be condoned outside of the specific situation they found themselves in, and the drafting of the original documents that founded the nation reflect very careful thought along these lines.  Here are two specific examples: 

1. They gave the right to bear arms, but not to use them against others
2. They gave us the freedom of speech, but not action

These examples highlight a common element, that of a freedom of expression, but not the execution of the thought.  This is a huge difference when considering the recent events in the media.  We have a right to express ourselves, in other words, a peaceable demonstration.  We do not have the right to rioting and violence.  We have the right to express our thoughts publicly and openly, but we do not have the right to act on those thoughts, especially if there is a law against it.  Notice that given the absence of a law, we are still not automatically granted a "right" to act.  In these cases, we are left to our own moral judgement and have a choice to act, not the right.  If we choose to act, there may well be consequences as a result of our actions.

Monday, April 20, 2015

E-cigarette usage in Corporate Policy

A statement regarding the recent policy change on e-cigarettes:

I wish to proclaim a grievance with the policy, but not to totally dismiss its reasoning or importance.  In order to properly display the significance of the grievance, it is necessary to clarify my personal position (and perhaps the position of every e-cigarette user).  The choice to move to an e-cigarette was a willful, conscious and researched option stemming from my known addiction to nicotine and my fervent wish to continue to avoid the use of combustible nicotine products (regular cigarettes).  Furthermore, I have researched the field of medical knowledge on the topic and have purposefully chosen my suppliers to minimize the dangerous effects of ingesting harmful chemical solutions.

First, the pros regarding the policy:  Most e-cigarette juice (e-juice) is primarily made up of only four or five ingredients: distilled water, propylene glycol (PG), vegetable glycerin (VG), purified or synthetic nicotine, and flavorings.  In multiple studies on the individual ingredients, including air quality testing, only two of these ingredients have been shown to be any more harmful than the normal air we breathe.  The two that are of the highest concern are PG and nicotine.  PG has been shown to be an occasional irritant in a small number of the population, and nicotine is a vasoconstrictor.  From this explanation, I fully support the policy of removing e-cigarettes from the workplace environment and delegating them to restricted, designated areas on the basis that that small number of the population may be impacted by the PG directly, and the nicotine addiction qualities generally.

Now the con:  My concern is the choice of lumping the vaping crowd in with the designated combustible tobacco areas.  Use of the e-cigarette is termed "vaping" not "smoking" for a reason.  People who have completely stopped all use of combustible tobacco products are, in fact, non-smokers and physiologically have the same reaction when exposed to smoke from those products.  Since my choice has been a conscious one, and I wish to avoid the dangers of smoking, I must protest being forced to share the same designated space as the smoking community.  Therefore, I should be afforded the same rights as every other non-smoker in the workplace who wishes to be removed from the harmful effects of combustible tobacco smoke.

Possible solutions:  Since it is clear that vaping should rightfully be removed from the general work area, but should not share space with designated smoking areas, either a vaping area should be formally designated, or clear limits set on open area (inside or outside) use of e-cigarettes.

Tuesday, March 24, 2015

Information Security Control Mapping

As any Information Security Professional will tell you, there are a multitude of regulation and security control frameworks out there to choose from.  Very often, an individual organization is subject to multiple regulations and must show compliance with them regularly.  This mandate sets up a situation where they have a choice between duplication of effort for compliance's sake, or to compare and contrast the multiple regulations and implement a single, unified solution.  Given that duplication of effort is not cost efficient, and smart organizations always track the bottom line, then a security control map is absolutely necessary.

Mapping of security controls between differing standards is not a task to be taken lightly, nor is it the most speedy process.  At best, an odd-sized small team (5 or 7 individuals) takes months to come to an agreement between them.  Teams smaller than this run into a problem of less objectivity when faced with a herculean task.  Larger teams run into the opposite problem of more frequent disagreements in committee and too much input to be discussed in a timely fashion.  In the end, the map itself is always subject to the nuances of the group that created it.

This subjectivity is the result of two factors: the interpretation of the control measures combined with the methodology used to form the map.  While the interpretation is subject to each individual making up the group along with their expertise (which not only cannot be controlled, but is very often viewed with a contrasting opinion once the map is published), the methodology can at least be framed by a general consensus among the professional field.  This is accomplished by taking each control measure into consideration and finding one or more suitable equivalent controls from the other control set.

It is widely accepted that there are not one, but two maps to look at when comparing two sets of control measures, that of each set in the context of the other.  Adding more control sets makes the number of potential maps rise progressively using the formula <i>n * (n-1)</i> where <i>n</i> is equal to the number of control sets in play.  Therefore, 3 sets would produce 6 maps, 4 produces 12, and 5 produces 20 maps.

While a thorough exploration can be thought of to be complete by finishing all the maps, a simpler method presents itself, reducing the number of maps to just the number of control sets in play.  This methodology consists of choosing a primary control set among the multiples and only considering the maps to the other control sets in context of the prime.  Logically, this makes sense, but there is still something missing from this methodology, that of the usefulness of the "reverse" map.

Because differing control sets often have no equal between them, and many are far too focused in scope and content to be of any use to the other, holes in the map abound.  Compounding this is the fact that the regulations themselves are not enough for an effective security program, and an additional framework is necessary to achieve security effectiveness, increasing the number of maps by a proportional number.  Fortunately, there are several frameworks in the wild that are written from a far more general nature than the specific regulations.

When employing a framework into the mix of regulations, caution must be observed in the choice of framework.  Traditionally, individual regulations are married to particular frameworks (i.e. PCI-DSS to COBIT, SOX to COSO, HIPAA to ISO 27001, FISMA to NIST 800), but in reality, any framework could potentially contain any regulation depending on how flexibly its implementation is handled.  It stands to reason that not every pairing is a harmonious match, thus the traditional pairings have the most chance for success.  In the end, the framework dictates a common control set that will then have to be mapped to the applicable regulations.

This mapping, as discussed above, <i>could</i> be achieved in the context of the framework; however, a more saturated method is to only consider the <i>reverse</i> maps instead of the "forward" maps.  This method takes each control measure from the regulation and fits one or more controls from the framework to achieve compliance.  This last method is by far the most beneficial from a compliance standpoint, as every mandatory control measure is assured to be assessed and met, and any holes in the framework control set will be identified and rectified.  This last situation is actually very rare, as the framework used (as long as a harmonious "marriage" is observed) is most likely to be a super-set that envelops the regulation set.
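To make the map-count formula and the reverse-map hole check concrete, here is an added example (not code from the original post); the framework and regulation control sets, their ids and their wording are constructed placeholders, not clauses of any real standard.

```python
"""Control mapping helpers: pairwise map count and reverse-map hole detection."""


def map_count(n: int) -> int:
    """Number of maps when each of n control sets is mapped in the context of every other."""
    return n * (n - 1)


# Constructed framework control set (placeholder ids, not a real standard).
FRAMEWORK = {
    "FW-1": "Access is provisioned through a documented approval process",
    "FW-2": "Privileged access is reviewed at least quarterly",
    "FW-3": "Audit logs are retained and protected from modification",
    "FW-4": "Data at rest is encrypted",
}

# Constructed regulation control set (placeholder ids, not a real regulation).
REGULATION = {
    "REG-1": "Restrict access to sensitive data by business need to know",
    "REG-2": "Review access rights periodically",
    "REG-3": "Retain audit trail history",
    "REG-4": "Render stored sensitive data unreadable",
    "REG-5": "Perform quarterly external vulnerability scans",
}

# Reverse map: each regulation control lists the framework controls that satisfy it.
REVERSE_MAP = {
    "REG-1": ["FW-1"],
    "REG-2": ["FW-2"],
    "REG-3": ["FW-3"],
    "REG-4": ["FW-4"],
    "REG-5": [],  # nothing in the framework covers this mandatory control
}


def reverse_map_holes(regulation, framework, reverse_map):
    """Regulation controls with no valid framework equivalent (missing, empty, or unknown ids)."""
    holes = []
    for reg_id in regulation:
        targets = [t for t in reverse_map.get(reg_id, []) if t in framework]
        if not targets:
            holes.append(reg_id)
    return holes


def forward_map(reverse_map):
    """Invert the reverse map: framework control -> regulation controls it satisfies."""
    fwd = {}
    for reg_id, targets in reverse_map.items():
        for t in targets:
            fwd.setdefault(t, []).append(reg_id)
    return fwd
```

Walking the forward map alone never mentions REG-5, because no framework control points at it; only the reverse walk over the regulation surfaces it as a hole to rectify.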

So what happens when an organization needs to be compliant with multiple regulations?  Obviously the choice of framework becomes even more critical, requiring a much more general context to maximize the saturation and minimize the leftover controls from the individual regulations.  For this effort, two frameworks stand out, the NIST 800 series and the similar ISO 27001.  Both are formed by entities that produce common standards, one for the U.S. federal government and the other for an International community.  Which to choose depends upon the nature of the organization contemplating the adoption of either from the aspects of HQ location and global presence.