Posts

Showing posts from January, 2015

Management awareness paper on security compliance metrics

Compliance with information security related obligations, privacy laws in particular, was already a major issue for management when this paper was written back in 2007. Over the succeeding years, it has grown even bigger and yet we still often hear people discussing compliance in simplistic, black-and-white or binary terms in the sense of "You either comply or you don't". In reality, compliance is usually a matter of interpreting and weighing up the evidence concerning the extent to which the obligations have or have not been fulfilled, and their relative importance. Compliance may not be glorious Technicolor but there are definitely shades of grey! This metrics briefing proposed a few simple measures of the extent and speed of compliance, as well as the costs relating to or arising from compliance. In addition to legislation, it mentioned compliance with and enforcement of corporate policies and other requirements (such as good security practices and contractual oblig...

Time to drop regular password changes

A mediocre bit of journalism in Forbes notes a security breach at NVIDIA, the video card company, that was notified to employees by an email from their Privacy Office last month. The email is light on details about the breach, apparently, but it appears employee usernames and passwords may have been compromised in some manner.  For some reason, the journalist latched on to particular parts of the security awareness advice included in the email concerning being alert to phishing and care over passwords: maybe he has additional information about the incident ... or perhaps he simply doesn't understand what he's reporting. According to the Forbes piece, NVIDIA's email includes the recommendation "Regularly change your passwords on both company and personal accounts. Avoid using the same password for more than one account". From the information security perspective, I agree with not re-using passwords (although that has significant implications given the number of ac...

Management awareness paper on physical security metrics

In the context of information security, physical security is about protecting tangible assets holding, communicating or processing valuable information - primarily ICT systems and data storage media - from physical incidents such as theft, criminal or accidental damage, loss, sabotage, fire, flood, mechanical breakdown, electrical surges, dips and power cuts, static discharge, magnetic or electrical interference etc. that would damage the information content or the services provided. Strictly speaking, it includes physical protection for people, workers particularly, since we also constitute physical information assets - well most of us anyway (some are liabilities!). 'Health and safety' is, in a sense, part of information security, along with substantial parts of HR. This very brief metrics discussion paper, written seven years ago, does not explore the entire scope of physical security but mentions just a few considerations around physical security targets and measurements...