The Infonomics Letter on Governance of IT


Information Security Bulletin

The Infonomics Letter, March 2011 Edition
Plain Language about Leadership and (Corporate) Governance of Information Technology

Staying Safe

Welcome to the Infonomics Letter for March 2011.

Some time in 1978, I attended a conference where several companies were demonstrating software on one of the workhorse computers of the time – a DEC PDP-11. Out of curiosity, I went to one system console and logged on. I didn’t need to ask anybody the password – most PDP-11s running that operating system used the password originally set at the factory and nobody at the factory saw any need for different passwords. When the first PC was released, it didn’t even have the means to identify different users – let alone keep them separate with different passwords.

In 1987, newly arrived in London, I picked up my ATM card and proceeded to an ATM to reset the PIN. I was horrified that, having entered my old and new PINs, the ATM then checked that I had entered my new PIN correctly – by displaying it back in big digits on the screen. Thankfully nobody was watching. Of course banks have learned a lot since then, and they would never show a customer PIN today.

But while banks have learned a few things about information security, one wonders about the greater community. In a previous edition of this Letter I’ve commented on operators that, having demanded we set up an individual account with a secure password, then kindly send us a clear text email putting all that identity information out where it can be seen by any errant teenager with the most primitive hacking tools. One mailing list I use very nicely reminds me every month of my user id and password. You can bet that I keep that one quarantined with a fake name!

Recently I wrote about the appalling lack of access control in mobile phone shops run by Vodafone Hutchison Australia (January edition, More red faces). Now I find that another phone company demands a strong password for access to customer accounts online, and then requires the customer to quote part of that password when accessing the call centre – with the whole password visible to the call centre operator. Don’t they understand information security?

Public disquiet about information security breaches and weak safeguards used by many organisations is now driving strong regulatory and legislative action. The probable high cost of information security in the future may be in part a consequence of organisations failing to take early and decisive steps to direct and control their information security. But while legislation may oblige organisations to pay attention to information security, it can’t define how to do the job. So, this month’s key topic explores how those who govern organisations can direct and control their information security arrangements. Enjoy!

Mark Toomey
31 March 2011

Governance of Information Security

Press reports of information security breaches are nowadays an almost daily occurrence. If we take a global view, there would be dozens, if not hundreds of breaches reported and discussed every day of the week. Among the headlines noted by Infonomics during March 2011 we saw:

  • Stolen BP data a warning for Australian companies
  • Aussie ATMs a laughing stock
  • Hacker takes off with TripAdvisors customer email database
  • Hundreds to be briefed on hacked security firms technology
  • warns of customer e-mail security breach
  • Warning over Skype security weakness
  • High-tech criminals outsmarting the law
  • French government hit by spectacular cyber attack
  • Hackers hit Gillard, ministers computers

The above are but a small sample of many cases around the world where criminals are directly, actively and in many cases aggressively seeking to profit by obtaining access to, using or changing sensitive personal, business and financial

But guarding against the actions of criminals is only one dimension of information security. Another, increasingly relevant dimension is that of keeping information available and safe from accidental loss or destruction. These headlines illustrate the point:

  • Gmail messages vanish for about 150,000
  • CIOs warned to prioritise governance and business continuity
  • Telstra power fault takes out Australia Post contact centre phones

Governments, businesses and individuals today depend on their information being available to them at any time and from, in many cases, any location. Loss of access, even for short periods, at best causes frustration and inconvenience, and at worst can result in serious consequences for individuals and organisations.

Information Security Risk is not confined to external and technical issues. There are just as many cases where the privacy and integrity of information are at risk due to what might at first be dismissed as benign factors. In Australia recently, a mobile telephone provider was forced to act after being extensively castigated in the press for failing to ensure a proper level of control over staff access to customer records. In Britain, the new Information Commissioner’s Office is issuing substantial fines to organisations that are found to have lax data security arrangements.

The message is clear

As our world moves rapidly into the full realisation of the information age, it has become abundantly clear that security of information is a critical matter for every individual, organization and government.

The consequences of failure in information security range from relatively benign and trivial, to extraordinary. The trouble is – what may be benign in one case may be devastating in another case. What may be a nuisance at one level, can create an immense impact at another. Breach of a teenager’s may expose juicy gossip. Breach of email systems used by a nation’s top executive may result in draconian international consequences. Exposure of a customer’s password on internal systems may enable an errant employee to steal the customer’s identity and subsequently access that same customer’s information held by other organisations – including banks!

Every individual and every organisation has a duty to protect their own information, in their own interests. Now, every individual and especially every organisation has a duty to protect the information that they hold about others. To neglect this duty puts those others at risk of consequences over which they have no control. Increasingly, governments and other regulatory agencies are recognising the extent of these risks and, in the face of market failure to act appropriately, are embedding the obligations in legislation and enforcing the legislation aggressively.

Oversight of risk is a fundamental element of governance for all types of organisation. Information Security is no longer merely an emerging field of risk – it is well established as a critical and highly active field of risk that must be high on the agenda for every organisation’s governing body. The governing body must ensure that the organisation has a sound understanding of the information security risk it faces, on an ongoing basis, that it has appropriate and effective treatment in place for that risk, and that there is an oversight regime that both keeps the information security regime effective, while also ensuring that incidents which do occur are effectively and efficiently resolved.

These obligations of the governing body with respect to information risk map directly to the tasks for governance of information technology described in ISO 38500, the international standard for governance of information technology. As the vast majority of the world’s information is stored and communicated using information technology, it is not unreasonable to view the tasks for governance of information security as a subset of the tasks for governance of the use of information technology. Indeed, as one can readily argue that stone tablets, paper, film and so on are merely early forms of information technology (technologies for the capture, storage, processing and dissemination of information), the recommendations for governance of IT in ISO 38500 should guide governance of information security regardless of the medium on which the information is stored.

A model for governance of Information Security

The model for governance of IT presented in ISO 38500 is equally applicable to specific aspects of IT use, as it is to the overall use of IT. Thus it provides an ideal frame of reference for discussing the governance of information security, and can be made quite specific merely by refinement of

* Adapted from ISO 38500

The model shows that:

  • The governing body, through management, should evaluate the organisation’s current information security situation and options for ensuring that it has an appropriate level of information security
  • The governing body should direct management with regard to goals for information security, together with policies that condition decisions management makes about information security
  • Management should, as directed by the governing body, put in place the necessary capability and arrangements required to realise the organisation’s goals for information security
  • Management should fully integrate the organisation’s information security capabilities into the organisation’s ongoing business operations and should ensure that its chosen information security arrangements are part of the fabric of the way the organisation conducts its business
  • The governing body should monitor the organisation’s ongoing activities for conformance to the established policies for information security, and should monitor the information security arrangements for efficacy in the context of the established goals and evolving market conditions.

Evaluate Information Security

ISO 38500 says that the governing body for any organisation should evaluate, direct and monitor its use of information technology. It follows logically that the governing body should also evaluate, direct and monitor the information security situation.

As is explained in Waltzing with the Elephant, evaluating information security does not necessarily require that the governing body itself undertake a comprehensive assessment of threats and treatments. Rather, it means that the governing body should ensure that management has undertaken such an assessment, and that the assessment is repeated at prudent intervals. The assessment process should ensure that management has a clear and sufficient understanding of the risks and treatment options, and should result in recommendations to the governing body regarding the acceptance of tolerable risk, the treatment of intolerable risk, and any residual risk that cannot be controlled in a cost-effective or practical manner.

Through the work of management to evaluate risk, the governing body should itself be well-informed of the risk to information security. To obtain further comfort and assurance that management’s evaluation is appropriate, the governing body should from time to time obtain independent external advice on the organisation’s situation. Prudent members of governing bodies, as well as their managers, should also maintain general awareness of the prevailing climate in information security risk, covering both the rise and decline of specific risk categories and sources, and the efficacy of treatment options.

The information and recommendations prepared by management will form the basis of direction provided by the governing body. To assure itself that the direction provided is appropriate, the governing body should rigorously test management’s clarity and depth of understanding of the assessment, as well as its confidence in and commitment to the recommended treatments. For example, as information is invariably part of the fabric of the business and is gathered and used in many different parts of the business, it would seem insufficient for all aspects of information security assessment and treatment to be channelled through a sole manager, unless there is obvious and absolute consistency of view across the entire management team. On the other hand, the governing body might be concerned about an assessment of information security and treatment that is distributed across the management team without obvious cohesion on significant risks and treatments.

Direct Information Security

Based on its assessment of information provided by management and, if considered appropriate, from alternative sources, and weighed in the context of market awareness, the governing body should provide clear direction to management regarding the information security goals of the organisation, and the arrangements for achieving these goals. In many cases, the specific direction should be proposed by management as part of facilitating the governing body’s evaluation, enabling the governing body to make the key decisions, but avoiding the requirement for the governing body to hold specific skills in information security.

Direction on information security should address a range of matters, including:

  • Conformance to applicable laws regarding any and all aspects of information security
  • The organisation’s risk appetite regarding information security
  • Investment in necessary capability to safeguard information security
  • Allocation of resources to enable development and ongoing operation of information security arrangements
  • Assurance regarding efficacy of the arrangements for information security
  • Recording, tracking and reporting of incidents pertaining to information security risk
  • Behaviour of the organisation, its personnel and agents with regard to information security
  • Behaviour of the organisation and its senior management in the event of a major information security incident.

Monitor Information Security

Criminals and other subversive agents work tirelessly to devise new ways of breaching safeguards that organisations use to fulfil their information security safeguards. It is far from sufficient to simply invest once in an information security capability and treat the issue as resolved. Rather, organisations should maintain awareness of the changing information security landscape and take action as necessary to maintain the desired level of protection as directed by the governing body.

While the capability and impact of criminal behaviour continues to grow, research and many anecdotal events have demonstrated that many of the main threats to information security come from within the organisation (including through outsourcing arrangements). Internal controls and other arrangements for maintaining information security can become degraded over time as a natural consequence of other aspects of organisational change and staff turnover. Thus, organisations should incorporate into their monitoring regime specific elements that will highlight an unacceptable loss of rigour in information security arrangements well in advance of any possible consequential breach.

The precise means by which any particular organisation monitors its information security will vary depending on its circumstances. Regardless, the
monitoring arrangements should provide for demonstrating the efficacy or otherwise of the information security arrangements in place, as well as highlighting any significant change in the information security landscape.

Considering that information security incidents can occur with no warning and can rapidly escalate from what initially appears to be a minor infraction to what ultimately may have far-reaching consequences, it is essential that the monitoring arrangements not only provide the governing body with timely awareness of serious situations, but that there is an effective path for escalation so that serious information security incidents receive prompt and comprehensive attention from the most appropriate levels of management.

Principles for governance of information security

As with the model for governance of IT, the principles for good governance of IT expressed in ISO 38500 are highly relevant in the context of information security. When considered in the light of information security, the principles help organisations define the behaviour they intend to exhibit as a whole, and the behaviour that they require of their personnel in respect of information security. In this context, the principles provide a powerful basis for the development of policy, and through policy, a guide to decisions that will be made regarding identification and treatment of information security risk.

Responsibility

Throughout the organisation, there should be clearly understood assignment, acceptance and discharge of responsibility for security of information. From an overarching perspective, the entire organisation must accept that it has operational, legal, ethical and moral responsibilities to maintain adequate security of the information it holds. Within that broad understanding, it is necessary to establish the more specific assignments of responsibility for information security to individuals throughout the organisation.

The mere fact of information being predominantly stored using information technology does not automatically mean that IT specialists are solely responsible for the security of the information. There are many ways in which information security can be breached by personnel far removed from the IT environment, such as careless disposal of printed material, or even making computer screens visible to unauthorised personnel or outsiders.

An effective approach to information security requires a comprehensive approach to responsibility. In most cases, every individual in the organisation will carry some responsibility for information security, while a more limited number of personnel will have very specific and sometimes onerous responsibilities. To avoid overlap and redundancy, it is important that all necessary aspects of responsibility for information security are properly identified, clearly communicated and regularly reinforced. Individuals must understand their responsibility, have the training, capacity and other means of discharging it, and be given appropriate incentives to do so diligently.

Strategy / Planning

Goals set in respect of information security must be achievable and should clearly match the exposure, context and aspirations of the organisation as a whole. The arrangements for maintaining information security must be aligned to the goals, and be both effective and efficient. The resources allocated to achieving and maintaining the desired level of information security performance and conformance must be adequate to the task, not just in normal circumstances, but also when an actual serious information security incident is occurring.

While already a perhaps daunting set of requirements, the above points are often taken only in the context of an information security veneer over an intrinsically insecure information storage environment. But just as multigrain bread is not made by dipping a ready-baked loaf in a sack of seed, achieving truly effective arrangements for information security typically requires a more fundamental attention as an integral part of planning, building and operating the organisation’s actual business information systems. Thus, in addition to ensuring that there is appropriate alignment and resourcing to the external manifestations of information security, the strategy principle should cause organisations to think about how they make information security an integral element of their entire information systems and business systems environment.

Clearly, considering the frequency and severity of “security updates” for much of the software that we use today, there is a dual challenge of first establishing a culture and the necessary resourcing for making information systems intrinsically secure in the first place, and then for overcoming the deficiencies that exist in established technology that may stay in place for significant periods of time (noting that some code in banking systems, for example, is nearing fifty years of age).

Balance is essential in planning and allocating resources to information security. It is very easy, and entirely inappropriate, to over-allocate to high impact, low probability risks because they are “scary”, while under-investing in the more mundane, but highly probable risks that can nonetheless cause significant operational, reputational and financial damage.

Acquisition

Decisions to invest in information security capability and arrangements should be made for the right reasons, and in a proper manner.

Fundamentally, this principle focuses on the importance of investing in information security only when it is clearly warranted, and in a manner that delivers the optimum treatment for the risk through the lifespan of the investment. It also provides a different context for the business case where, in a bizarre hangover from the desire to invest only in profitable IT projects, investments in information security are also required to demonstrate a positive financial outcome. Rather, a proposed investment in information security should be inalienably linked to clearly identified risk and be, demonstrably, the most appropriate option for treatment of the risk.

This does not mean that literally every risk and every individual purchase need be linked through a business case. There is a well-established understanding of the basic elements of information security risk which is matched by well-established, though continuously evolving best-practice in configuring infrastructure and systems to provide the first line of protection. Nonetheless, existence of such knowledge should not be taken as carte blanche for over-spending on technology for the sake of information security – the investment decisions should still carry a clear, if brief, confirmation of risk exposure and fitness for purpose.

Decisions to invest in IT-enabled business systems, whether custom developed or through acquisition of packaged software, should include appropriate consideration of the information security risks for that system and the underpinning technology as an integral part of making the acquisition decision. Given the extent of information security risk faced by a majority of organisations, it should be regarded as unacceptable for consideration of information security to be deferred until after the acquisition is made or construction and integration is complete, as otherwise retrofitting information security arrangements is likely to be at least complex and expensive, and may be impractical and unachievable.

This does not mean that the only allowed investments in new capability should be those that incorporate a high level of information security. Rather, it means that the acquisition decision should weigh an unambiguous understanding of information security risk and protection as well as other factors in favour of and against the decision.

Infrastructure decisions today also require specific consideration of information security risk and treatment. The advent of infrastructure and operational outsourcing, software-as-a-service and so-called cloud computing may obviate the need for an organisation to retain skills and provide environments for infrastructure, but they do not absolve the organisation from assuring itself that information security risk at the infrastructure level is properly treated, in the context of its own business activities.

Performance

In ISO 38500, the Performance Principle essentially says that information systems performance should meet the reasonable needs of the organisation – IT should perform well, whenever required.

This should also be the rule for information security. The arrangements for information security should perform well, whenever required.

It might be too easy to consider this point just in terms of the efficacy of the information security arrangements in preventing, detecting and resolving information security incidents. Of course, these matters should be given appropriate and ongoing attention. However, there should also be consideration of how the information security arrangements interact with the complete system of the business, to ensure that there is an adequate balance between the cost of the necessary controls and the efficiency and effectiveness of the business overall. Where there is an unacceptable reduction in business performance or the performance of individuals, there is also often a temptation to circumvent the information security protocols, improving business throughput and performance, but often at significant risk of information security breaches.

The constant nature of some kinds of information security “hacking” means that some of the more basic controls in organisations are effectively under constant test and their effectiveness and performance can be readily measured. However, the more exotic and sophisticated efforts of criminals and other hostile entities are rarely continuous – they are more likely to be sudden, intense and unique. These techniques are also under constant and intensive development, with a significant undercurrent of collaboration by independent groups enabling rapid development and lightning-fast deployment of new forms of attack. Organisations which assess themselves as being a high probability target for such attacks should use an appropriate ongoing testing regime to give assurance that the information security arrangements are fit for current and foreseeable conditions.

This does not mean however that only organisations with substantial risk should be testing their information security regimes. The reality in today’s market is that most organisations have significant risk and thus should all conduct appropriate routine tests.

Conformance

Increasingly, and probably as a consequence of organisations failing to ensure appropriate information security and related behaviour, governments are
legislating minimum and sometimes stringent and onerous obligations for information security. With some jurisdictions imposing substantial penalties for confirmed breaches of information security, it is vitally important that organisations are well informed of the relevant laws when considering their information security risk and treatment, and that they remain informed as the legal situation evolves.

Some industries are also acting to direct and control the behaviour of their members, in an effort to ensure adequate information security. In some cases, such as the payment card industry data security standard (PCI DSS), there are significant conformance obligations being imposed on organisations that previously enjoyed almost complete freedom with little, if any, recognition of the risk they were taking.

Historically, many organisations approached information security as if the risk lay predominantly with the activity and behaviour of front-line personnel. Internal controls and policies tended to focus on control and use of passwords and restrictions on the use of removable media. While still important, these tools for management of information security risk should nowadays be complemented by a broader range of clearly articulated, well-communicated and enforced policy to govern the full spectrum of decisions and other behaviours involved in information

It is not the purpose of this paper to deliver an exhaustive treatment of the policies that may be required. However, it is strongly suggested that the principles for governance of IT, and now demonstrated as being also relevant in governance of information security, should form a basis for an overarching set of six policy statements that clearly define the expected behaviour in the organisation’s information security risk and treatment, with regard to responsibility, planning, acquisition, performance, conformance and human behaviour.

Human Behaviour

Today’s information security risks and challenges are clearly a problem of human behaviour. On the one hand, mainstream human beings are inclined to be trusting and see that in a perfect world, there would be no requirement for information security other than to guard against the possibility of mechanical loss. On the other hand, our communities host individuals and groups who, for a variety of reasons, behave in an unethical manner, seeking to obtain access to, disrupt, damage and otherwise interfere with information held by individuals, organisations and governments.

No assessment of information security risk, and no plans for treatment of such risk can be considered complete unless the relevant aspects of human behaviour are considered and accommodated. In most cases, it is important to identify a variety of human communities on whom the analysis and treatment of risk is focused. These communities often need to be subdivided so that the diverse behaviours can be properly understood.

One of many challenges in contemporary use of information technology is that the people on whom we depend for appropriate behaviour in respect of information security are beyond our immediate control and authority. Where once the enforcement of password security could be enforced by, for example, the consequence of disciplinary action, how does one now enforce password security when most password users are not our employees, but our customers? One can hardly sack a customer, after all.

Effort to properly understand the human communities and their various behaviours is an essential part of establishing an effective information security environment in any organisation. Different communities can and will create quite different exposures in what is otherwise the same business context. Moreover, the response of these different communities to the treatments we may choose could also vary markedly, to the extent that what is a benign demand on one community may be an intolerable imposition on another. One size may not fit all, and important decisions may be required about which subgroup interests are accommodated, and which are

In conclusion

This article has discussed information security from a top level governance perspective. It stresses that information security is indeed an important and ongoing topic for governance oversight. It demonstrates however, that governance oversight depends on management doing a great deal of the leg-work, and provides a context in which governing bodies can direct and control their organisation’s arrangements for information security without needing in-depth technology skills. It positions information security as a topic that should be addressed in conjunction with oversight of the use of information technology, as the latter is both the principal repository for, and the primary channel for risk realisation in personal, corporate and government information. However, it emphasises that information security is not merely another duty of the information technology specialists, but is in reality a core duty for every member of

Tariq’s View

Infonomics has an important new friend. We’ll tell you more about him in the next few weeks. For now, it is sufficient to say that Tariq participated vigorously in the last ISO 38500 Foundation Class in Kuala Lumpur, and has moved very strongly to adopt ISO 38500 and the vision it presents of effective, efficient and acceptable use of information technology.

A couple of weeks ago, Tariq read Gartner’s Top Predictions for IT Organizations and Users, 2011 and Beyond: IT’s Growing Transparency. Here he comments on some of its messages.

Gartner says:
By 2015, a G20 nation’s critical infrastructure will be disrupted and damaged by online sabotage. Depending on the target, one can expect various responses. Governments will pass legislation and launch security-related initiatives, as the U.S. did after Sept. 11. This will boost the sector of the security industry that can provide protection against these attacks, similar to how revamped airport security measures led to the emergence and growth of an industry sector around transportation and airport security.

Tariq responds:
In the UAE for example, there is ADSIC (Abu Dhabi Systems & Information Centre). They have turned on the heat on local Abu Dhabi based organizations. We’ve seen a tremendous increase in organizations achieving the ISO 27000 certifications in this year alone than we’ve seen in the last 5 years.

Gartner says:
By 2015, new revenue generated each year by IT will determine the annual compensation of most new Global 2000 CIOs. Executive and board-level expectations for realizing revenue from those and other IT initiatives will become so common that, in 2015, the amount of new revenue generated from IT initiatives will become the primary factor determining the incentive portion of new Global 2000 CIOs’ annual compensation.

Tariq responds:
Hence, Corporate Governance of IT! This explains the worldwide growing interest in the ISO38500 Guidance. Top Executives in organizations are feeling the heat. They have obligations towards their shareholders. They are starting to realize that they can no longer leave decisions around IT to IT. They also realize that they can no longer say, nor will it be acceptable to say, that they were not involved in the decisions.

Gartner says:
By 2015, information-smart businesses will increase recognized IT spending per head by 60%. Due to the recession, IT investment contribution to business success must now be proven. As IT spending per employee organically increases in these market conditions, enterprise leaders and stakeholders must change their way of thinking that “lower is better” for this metric. Unrecognized enterprise goals will create or promote “value destruction” where the viability of the enterprise will be at risk.

Tariq responds:
This has long been a problem. ISO38500 refers to this in the Principles.

Infonomics Education Program

Last month we introduced a comprehensive, integrated package of education to serve the burgeoning global market demand for knowledge about governance of IT and ISO 38500. Now we’ve finalised the education program for the coming few weeks. It’s BUSY!

Two day ISO 38500 Foundation Class
  • Melbourne (Australia) April 6/7
  • Abu Dhabi (UAE) April 13/14
  • Muscat (Oman) April 19/20
  • Brisbane (Australia) May 3/4
  • Sydney (Australia) May 9/10
  • Kuala Lumpur (Malaysia) June 6/7

One day ISO 38500 Immersion Class
  • San Salvador (El Salvador) May 24
  • Buenos Aires (Argentina) May 27

ISO 38500 Introductory Briefing
  • Dubai (UAE) April 11*
  • Abu Dhabi (UAE) April 12*
  • Muscat (Oman) April 17*
  • Bahrain April 18*
  • San Salvador (El Salvador) May 23
  • Buenos Aires (Argentina) May 26

* These events are fully booked.

Foreign Elephants

As announced last month, Waltzing with the Elephant is now available in PDF form through IT Governance Limited.

We’re still accepting requests for the first-run print copy of the Spanish Edition of Waltzing with the Elephant.

Beating the Drum

Following last month’s Infonomics Letter on getting value from Australia’s National Broadband Network, we had the opportunity to emphasise the message in The Rust Report.