Posts

Showing posts from March, 2014

Resistance is futile: new compliance awareness module

We have just delivered April's awareness module on information security and privacy compliance, a perennial topic that remains stubbornly on management's agenda. This time around, we had the 'benefit' of an excellent ready-made compliance case study in the shape of Target's recent breach. Reviewing the news on Target revealed plenty of lessons on compliance, security, privacy, governance, risk management, incident response, press relations and accountability - a rich vein indeed! Something else that came out of our research was the value of encouraging compliance in a positive sense, as much as hammering non-compliance through enforcement and penalties, the more conventional approach (typified by this poster image - one of six new designs in the module). Compliance benefits the organization, management, the authorities, customers, business partners, owners, stakeholders and society, as well as individual workers. The module talks about good practices, maturity and ...

Rejected ISO/IEC 27002 controls for BCM (L O N G)

Continuing the series of bloggings on new/changed controls proposed to SC 27 in 2011 for incorporation into the 2013 version of ISO/IEC 27002, we come next to the thorny issue of business continuity. Let me set the scene for this by reminding you what ISO/IEC 27002:2005 had to say about business continuity management in its section 14 (italicized) along with my comments (not italicized). 14.1 INFORMATION SECURITY ASPECTS OF BUSINESS CONTINUITY MANAGEMENT Objective: To counteract interruptions to business activities and to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption. Mmm. OK, well I note that it mentions 'information systems', primarily meaning IT systems - at least, that is how the vast majority of readers will interpret it. The mention of resumption also hints at IT Disaster Recovery (DR) which in practice was the main emphasis of business continui...

Avoiding metrics myopia

Things being measured are patently being observed in a very specific, focused manner. Things that are observed so closely tend to be presumed by others to be of concern to the measurer/observer, at least. Things under the measurement ruler therefore assume a certain significance simply by dint of their being closely observed, regardless of any other factors. We see this 'fascination bias' being actively exploited by cynical promoters, marketers and advertisers on a daily basis through an endless stream of largely banal and unscientific online polls and infographics, their true purpose made all the more obvious by the use of bright primary-color eye-catching graphics. They are manipulating readers to believe that since something has been measured, it must be important. How many of us take the trouble to think about the quality of the metrics, or about all the other aspects that haven't been measured? Like bunnies in the headlights, we stare at the numbers. In PRAGMATIC Secu...

Refreshing transparency or naivete?

In the course of researching for next month's awareness module on security compliance, I came across a surprisingly honest security and compliance statement by UserVoice - a cloud-based customer service provider. I suspect, like all those website privacy policies, very few visitors are concerned or knowledgeable enough to read the compliance statement word-for-word. A quick scan of the headlines tells us they comply with Safe Harbor, PCI-DSS and others. It mentions SSAE16 certification. Sounds OK at this point - all very positive. They are making the right noises. Most of the more technical security-related statements are similarly inspiring. I am impressed to read, for instance: "Development and test environments do not use customer data. We use fake customer data in those environments." I wish that approach was universal - in fact as I said just last week here on the blog, I tried (and failed!) to get advice along those very lines inserted...

Rejected ISO/IEC 27002 control for the computer suite

I proposed the following text to update the ISO/IEC 27002:2005 advice on physical security. Unusually for me, it specifically relates to protecting IT rather than information assets of all kinds. Various changes were made in that section, but virtually all that remains of my suggested control is 11.1.4's "Physical protection against natural disasters, malicious attacks or accidents should be designed and applied" so obtain specialist advice.

------------------------------

Protecting the IT environment and services

Control

IT facilities should provide a suitable environment to protect the IT equipment and other information assets, and to maintain essential supplies and services.

Implementation guidance

IT facilities such as computer rooms, computer suites and computer centres commonly house significant quantities of highly valuable and somewhat fragile IT equipment and other information assets (including data storage media). Where possible, IT facilities should be locat...