Governance – The SECOND Advisories Limited

Policy #13

21st April 202621st April 2026 By cliangNo Comments

Writing a policy appears easy. Behind the scene, you have to think twice how practically it can be enforced for compliance. Does enforcement also heavily impact operation without material purpose? Not-to-mention there should be communication with the target audience why we are doing this, what is the consequence of not setting up such directive, and consequence of non-conformance or non-compliance. So, this is not simply copied from text-book. You have to understand what works and what doesn't, how to get buy-in and essentially is the intended purpose rightfully fulfilled. A very bad example is to establish a register what system will use USB thumb drive. It does not serve any protection purpose but just informative at cost of mainteance overhead, auditing the register effort. ...

Misalignment

27th March 202627th March 2026 By cliangNo Comments

Image is generated by CoPilot This happens all the time, not just in cybersecurity domain. A common example is new system development based on business requirements but the delivered system is not usable practically or need many human intervention in the process. There are many contributors: Business requirement is generically spelt out, it is hard to indicate UI/UX in a formal specification precisely The business requirements are not well understood by the system developers, they think from the computer perspectives rather than the process perspectives Business representatives participate in the development do not fully understand current process Test cases lack of real life cases to validate the list goes on … Similarly in cybersecurity, policy maker and execution of the policy will be misaligned if the policy maker does not understand exactly the floor operation. Don't just copy/paste text book knowledge to lay down as policies. If you do, it would be disaster. ...

Protection

11th February 202611th February 2026 By cliangNo Comments

Image is generated by CoPilot In business world, resources are limited and must be best utilized for purpose. How much protection is sufficient, especially in the cyber world? It depends on the severity of the consequence driven from social impact and regulatory compliance. Take network firewall as example. Its purpose is to regulate network traffic to filter unwanted connections. Itis deployed to connect different systems because systems are now no longer standalone. Communications are needed for information exchange while denying unwanted network traffic. The use of protection measure will require considering the TCO (Total Cost of Ownership) in optimizing the resources. This is not just money but also the human efforts to sustain. To name a few of the maintenance overheads: Plan ahead before the component(s) enters into End of Support (EoS) state from OEM Execute procurement to refresh component(s) entering into EoS Coordinate with operation team with outage window for component(s) refresh Manage access credential to the components Perform backup and recovery test of the component configuration Conduct vulnerability...

Remote Control

15th January 2026 By cliangNo Comments

This facility is common in our daily life for convenience with digital function components. Examples that we are familiar with are TV, air conditioners and ceiling lights. Sometimes, the features in the remote are even much more than those in local device. Given that digitalization dominates the consumer market, it is common to see digital devices have remote control counter-part. In industry use cases, OT systems are established for controlling and monitoring the physical plants. OEM will make the life of operation easier by equipping remote control as option to help operators, support staff in managing devices over a diverse geographical area. The intention is good for cost-effectiveness, better throughput. I come across a cybersecurity practitioner that this remote control capability hits the nerve. His immediate response is to demand such remote control should be disabled. What are the key lessons here? First, the terminology must be precise. Typically, plants are installed in equipment room where they will be monitored and controlled from a different...

Anomaly

19th December 2025 By cliangNo Comments

Observations are basis in any informed-assessment to understand if operations are compliance to rules & regulations meeting the expected standards. Observations are used to support the finding in the report. They can be in the form of screenshots, photo, configuration files in plain text. When you find anomalies, what is your first respond? You have to double check if it is a false positive first. If it is valid, then check if exception process has been granted with valid reason and appropriate level of approval. That is not yet the end. A more responsible cybersecurity practitioner or auditor shall also look at the effectiveness of the written directive - if they are reasonable and practically achievable. This is the hard part because it might outside the scope of assessment, or the assessor solely bases on the book. In any cases, policy maker should look at the report and rethink if the written directives are too tight, too rigid in killing the business. Bear in...

Obsolescence

26th November 202526th November 2025 By cliangNo Comments

One of the biggest challenges in OT (Operation Technology) system is the technology obsolescence. Here, we are not talking about the machinery part but the controller part. A typical machine (or plant) have 2 major portions: machinery (e.g. motor, valve) and C&I. Nowadays the traditional C&I are replaced by commodity hardware/software because they are readily available from the market. The pain point exists. Technology product lifecycle is shorter than the machinery. Most often, those micro-processor controller enters into end of support state because the OEM of the embedded OS platform, applications will not fix any public known vulnerabilities as they do have support policy to entertain only the latest few versions. From system reliability perspective, support is important but from cyber security perspective, end of support is not the end of the world. As long as the "system" is still running, there is no means to upgrade because of the fear of hypothetical cyber attack. The plant room in the illustration shall host those...

Access Path

5th October 2025 By cliangNo Comments

A path is required at the barrier or perimeter for a number of reasons: reachability to/from destination with legitimate needs such as logistics, transport etc. In cyber world, network perimeter device protects the inside zone from outside but "holes" are still required. A common example is the access to the web site from outside. How do we stay secure? It requires orchestration from different aspects: configuration hardening, access control to resources, incident respond, resilience, regular security updates, situation awareness and most important an achievable cyber security policy to mandate all these are in place. ...

In The Cloud

31st August 2025 By cliangNo Comments

We always hear people telling everything is now in the Cloud. Precisely, this is somehow incorrect. Even though there are IaaS, PaaS, SaaS etc., there are physical equipment on SOMEBODY's premise to serve the client. It is just the client has only a very slim footprint - likely a physical device with web browser connecting to the Internet for all the services (infrastructure, platform, software) required in the Cloud. When we develop written directives, don't be influenced by jargons. We need to have a holistic view to stipulate precise generic while certain situation precise specific rather than putting a case-by-case assessment. This will end up no policy at all. ...

Perimeter #3

13th August 202513th August 2025 By cliangNo Comments

One of the key controls in cyber world is the ingress/egress points to the network. Without sufficient control, threat actors are able to penetrate inside causing system or service disruption anywhere anytime. On top of network aspect, controlling of physical access to the equipment is also important. In physical world, establishing physical perimeter is far more challenging than that in the cyber world. Three are "proper" means to reach a region and multiple "improper" means to do the same. Effective control is proper policy for "illegal" entry. ...

Shared Responsibility

26th July 202526th July 2025 By cliangNo Comments

Source AWS Security Day 2025 I saw some awareness posters that cyber security is a shared responsibility. No doubt each of us plays a different and important roles to protect the cyber space. But putting a slogan like this without any elaboration will be unwise. We never know who to do what and eventually no one takes accountability. The shared responsibility must be well defined somewhere with easy access from audience. Examples are: Senior Management supports and sponsors necessary cybersecurity resources Technical Teams secure the digital assets throughout their life cycle General Users follow the good practices published by reputable internal subject matter expert The AWS model is a good example. [ [Disclaimer: Not recommendation, critique, nor having association, affiliation with AWS.] ...