Posts

Showing posts from January, 2016

Information risk and security in business relationships

As the full title for February's security awareness module became unwieldy, we adopted the working title "Securing business relationships". The ambiguity in that shortened version led me to ask myself: "What are we actually concerned about: securing relationships, securing business, or securing information?" Answering that rhetorical question turned out to be an interesting diversion from the slog of writing the materials. For what it's worth, I've done my best to recall the train of thought sparked by my little poser ... 1) Ours is an information security awareness service, so naturally information security is our primary interest - our key concern. 2) Information security, in turn, comprises a suite of controls to mitigate unacceptable risks to information, hence we find ourselves increasingly referring to 'information risk and security' in the same breath.* 3) While the nature of the information content varies according to the type of relatio...

Privacy wars: US v The World

Fundamentally different approaches to privacy in the US compared to most of the rest of the world, the EU in particular, are causing headaches for organizations, governments and regulators on both sides. For a while, the Safe Harbor arrangement was deemed adequate by the EU, enabling data on EU citizens to be passed to and processed by US organizations that pinky-promised to take care of it. Surprise surprise it didn't last. Self regulation - well not even that, simply asserting compliance - was a joke. Snowden's recent revelations concerning mass surveillance by the NSA have opened a bigger can of worms: it seems the US gummt can bully its way past even its own legislative controls, and gag the companies it forces to disclose whatever information it demands. Ostensibly, the EU does not permit that kind of thing - although since EU countries face the same threats of terrorism, anarchy and chaos, I would not be aghast to discover that surveillance is simply more discreet in the ...

Metrics thought for the day

Where relevant, using current business metrics (also) for information risk and security purposes can be cost-effective if suitable raw data are already being gathered: the additional analysis, reporting and use incur relatively little incremental cost, especially if largely automated. Corollary: when searching for metrics in any area of information risk and security, don't forget to check through existing business metrics already in use for anything suitable, either as-is or with minor changes. It would be easier to identify such metrics if the organization maintained a metrics inventory or database ...