Posts

Showing posts from August, 2014

New awareness module on change and security

The intersection between information security and change management is our awareness topic for September, covering issues such as: many corporate changes deliver new or modified IT systems and business processes, and most of those have information security requirements - therefore information security risk analysis and security design should be a routine part of project management; new and updated laws, regulations and compliance obligations (some of which are relevant to information security, risk, privacy and business continuity) push the organization into changing, as do changes in the information security threats, vulnerabilities and impacts affecting the corporation - in other words, apart from changes driven by the business, it needs to respond to changes in the external environment, including some that affect information security; change control and system security in general are all but impossible without adequate IT security controls preventing unauthorized changes - so I...

Online auction scam

A seller offering a top-of-the-line radio at a knock-down price through an online auction/swap-meet site seems too good to be true ... as indeed it was. He'd already scammed others, so the website's admin was prepared to string him along when he published another ad, playing the part of his next willing victim. The story line is all too familiar, although it is unusual to see anyone brazenly trying to pass off such cheesy fake documents. The naivete of people who are being scammed in this manner, as well as the scammer's cynical attempts at coercion and fakery, sing out from the write-up and, I must say, some of the comments that follow. A number of warning signs about this scam are noted in the piece, along with generic advice about reducing your risk of being scammed in this manner. I should mention, though, that this particular website is not a dedicated auction site. Auction sites such as eBay and (here in NZ) Trademe have full-time anti-fraud teams and clos...

Hot crazy matrix

The universal hot crazy matrix is an amusing demonstration of the power of presenting numeric data in graphical form, extracting meaningful information from the data in order to lift the discussion off the page. We shall have to include it in our security metrics course. Non-PC sexist humour aside, the presenter's knowledge and passion for the subject are undeniable. Contrast that enthusiastic, lively presentation with the dull, ponderous, matter-of-fact way we normally present information security and other business metrics. 'Nuff said. For more, come on the course!

Information security roadshow

For something a bit different, have you thought about running a roadshow, tradeshow or conference-style display/event as part of your security awareness program? "All it takes" is: the creative ideas and enthusiasm to intrigue and garner management support. Don't underestimate this element! The 'man cave' is but one random example of a style/design theme you might adopt. For a significant event, it's worth drafting a proposal and project plan detailing the resources, timing, location/s and most of all the purpose of the roadshow, e.g. which information security awareness topic/s will be covered and why? What are the learning objectives and/or key messages you want to put across?; a few mobile display panels (perhaps borrowed from Sales and Marketing) for your posters and other materials ...; some posters and other display materials. We find that mind maps and metrics, for example, tend to intrigue and draw people in to the stand; the awareness briefings, cas...

Cloud security awareness update

We have just updated the security awareness module on cloud computing - well, I say "updated" but it was practically rewritten from scratch - new PowerPoint slide decks, new briefings, new posters, new cloud security metrics and so on. Things have moved on some way in cloud computing since we first wrote the module in 2011. Cloud security is still evolving. It wasn't hard to find a handful of novel cloud security challenges that have literally come to light within the past month or so to illustrate the module, making it highly topical. The relationship management aspects of cloud computing caught our attention this time. One of the items in the module is a due diligence checklist for management to assess the information security aspects of potential cloud service providers before jumping into bed with them.