Posts

Showing posts from September, 2013

Security architecture and design awareness module

Hey, wouldn't it be cool if, instead of constantly having to patch our systems or put up with security bugs and flaws, they were secure-by-design? Suppose security was the default, not an obscure option that is difficult to find, let alone turn on. Imagine if vendors and business partners took our information security seriously enough to want to discuss mutually satisfactory security arrangements when drawing up contracts and agreements. You can either dream on or do something about it. We chose the latter, hence this month's brand new awareness module covers security architecture and design - not something most security awareness programs get into, but we've never been a company that follows the herd. One of the ideas we bring up is to make use of design principles used in contexts other than information security. The engineers' approach to 'safety, security and survivability', for instance, is easy to transfer, while health and safety's hazard analysis ...

ISO/IEC 27001 and 27002:2013 versions published

The new, thoroughly updated and largely rewritten 2013 versions of ISO/IEC 27001 and 27002 are out! It may take a while for them to filter through to the national standards bodies for translation and branding, but if you are desperate to get your hands on them meanwhile, they are on sale directly from the ISO web store. ISO/IEC 27001:2013 costs 108 Swiss francs. ISO/IEC 27002:2013 costs 184 Swiss francs. I will be updating the standards' pages on ISO27001security.com shortly, and in due course we will revise our ISO27k-based information security policies too. It will take a while though, due to the extent of the changes, including a load more topic-based policies to add to the set.

SMotW #74: security governance maturity

Security Metric of the Week #74: information security governance maturity. We've covered a number of so-called maturity metrics previously on this blog. They usually score highly on the PRAGMATIC scale, meaning that (according to the fictional managers of ACME Enterprises Inc., at least) they are valuable metrics. This week's example security metric specifically concerns the governance of information security. Imagine that, for some business reason, your management was interested in or concerned about the way the organization governs information security, whether for their own purposes or perhaps at the behest of the regulators or auditors. How would you go about addressing that issue? Think about what you would do. A sensible first step would be to clarify the requirement: what does management need to know, when, and why? Exploring what they actually mean by "governance" is a good way to tease out what they are on about. Don't be surprised if individual managers ha...

SMotW #73: Psychometrics

Security Metric of the Week #73: Psychometrics. We've cheated a bit with this week's example metric: 'psychometrics' such as OCAI, MBTI and MSCEIT are actually an entire class of metrics rather than one in particular. The discussion that follows concerns psychometrics in a general sense. Many of us will have been invited to take psychometric tests during the job application and interview process. Psychometric testing is based on the science of psychology. The tests provide an additional source of information about candidates' psychological makeup - personalities, attitudes, aptitudes and so on - the 'soft stuff' that is important for almost all positions but which is hard to gauge from résumés or (unskilled/untrained) interviewers. Given that a substantial part of information security revolves around human behaviors and attitudes (such as ethics or compliance with policies), ACME's CISO wondered if psychometrics might have potential as security metrics...

Draw your own conclusions

There's as much an art to interpreting metrics and statistics as there is to designing and presenting them. Take this exploded pie for instance: I plucked the pie chart image from a survey by Forrester on behalf of Blue Coat - in other words, Blue Coat paid them for the survey (we have discussed vendor-sponsored surveys before on this blog). The survey "Key Drivers, Why CIOs Believe Empowered Users Set The Agenda for Enterprise Security" was promoted on email via IDG Connect. Before we continue, what conclusions do you draw from the figure above? I appreciate I have taken it out of the context of the report, but take another look at the graphic. Imagine you are a busy business manager briefly pondering a graphic similar to this, whether in a commercial survey, an in-flight magazine, or an internal corporate report from Information Security. What does it say to you? What's your impression? I spy with my beady eye that the largest slice was for the response 'some of t...

SMotW #72: % of privileged/trusted users

Security Metric of the Week #72: Proportion of highly privileged/trusted users or functions. This metric is indicative of the organization's control over access to IT systems, networks and perhaps other information assets. The metric is measured by someone suitable (such as an IT auditor) systematically reviewing access permissions assigned to user IDs on (a suitable sample of) the organization's IT systems in order to determine the proportion that are privileged or have enhanced access rights. The metric's PRAGMATIC ratings are not bad: P 86, R 80, A 51, G 40, M 65, A 39, T 55, I 95, C 60; overall score 63%. "Not bad" however needs to be taken in context, since there is a wide choice of metrics relating to access rights/permissions. Of the 17 examples classified as "IT security metrics" in the book, ACME managers scored this one in seventh place. It has merit bu...

Mexican book review

Thanks to Aztec-History.com for the Mexican flag! Elia Fernandez has enthused about PRAGMATIC Security Metrics in Spanish on her blog (part 1 and part 2), concluding: "It is important to determine how the organization can identify the security metrics that are worth using, and how the merits of a metric can be evaluated. To date, the common approach has been informal and subjective. By contrast, the pragmatic method makes it possible to measure and evaluate a metric in a structured way; it forces one to analyze the metric in detail." Thanks Elia - and sorry for using the wrong flag!

Biological metrics

Biological metrics - commonly shortened to "biometrics" - comprise an interesting class of information security metrics that, unfortunately, we didn't have space to explore in our book. Biometrics are commonly used for strong authentication in situations where there is a genuine need to authenticate and distinguish legitimate people from impostors. Take for example your heart rhythm. According to the blurb on the Bionym website, "Bionym has developed the first wearable authentication device that utilizes a user's Electrocardiogram (ECG) to validate a person's identity." Before reading that, I didn't even appreciate that heart rhythm was a reliable biometric. I presume the Nymi can cope with heart rate changes caused by stress, exercise, rest, drugs such as caffeine, and some medical conditions - it does at least have the advantage of collecting biometric data over a sustained period, but as with any biometric, there must surely be some important tolera...

SMotW #71: QA in infosec processes

Security Metric of the Week #71: Extent to which quality assurance (QA) is incorporated in information security processes. This week's metric, randomly selected from the 150-odd examples discussed in chapter 7 of PRAGMATIC Security Metrics, doesn't appear very promising, with mediocre PRAGMATIC ratings as far as ACME management is concerned and an overall score of 58%: P 75, R 70, A 66, G 61, M 80, A 50, T 35, I 36, C 50; overall score 58%. The premise - the rationale behind the metric - is that the quality of various information security products (such as risk assessments, functional and technical specifications for security controls and security functions, architectures/designs, test plans, test scenarios, test results etc. in relation to application development projects, plus many other products in relation to other security activities) significantly influences (but does not entirely determine) the security achieved by the corres...