Posts

Showing posts from July, 2016

Security awareness lessons from Pokemon

August's security awareness topic is "pocket ICT security", referring to the information risks associated with portable Information and Communications Technology devices: the smartphones, laptops, tablets, USB sticks, wearables and other high-tech stuff we carry about our person. Risks such as walking into the road and being hit by a car. Yes, seriously. It is both on-topic and highly topical in the case of Pokemon Go players, young and old, being so focused on the virtual world on the smartphone screen that they neglect the real-world hazards around them. The lucky ones are spotted and avoided by alert drivers. The unlucky ones are injured, perhaps even mown down by a vehicle driven by a similarly distracted driver. Distraction is the more general information risk, a modern-day affliction. The more portable ICT we use, the more distracted we become. Wearables are the latest trend, long predicted but curiously slow to take off, perhaps because of the distraction factor? ...

ISO27k standards status update

I spent my weekend catching up with a backlog of ISO/IEC JTC 1/SC 27 emails, updating ISO27001security.com to reflect my personal understanding of the current status of all the ISO27k standards. A few items of note: Terminology continues to be a problem for the committee. ISO/IEC 27000 isn’t working out very well. Although there are obvious advantages in everyone agreeing on the terms and definitions, it causes dependencies between standards projects. There are lingering disagreements over the meanings of terms such as ‘information asset’ and ‘cyber’ (currently undefined), and bureaucratic delays in publishing the free version of the standard. The standard might become an online glossary but whether that will help or hinder is uncertain. [The current online glossaries are not exactly paragons of web design and functionality – take a look at the ISO Online Browsing Platform (OBP) and/or the IEC’s equivalent International Electrotechnical Vocabulary (IEV, a.k.a. Elect...

Micro vs. macro metrics

Whereas "micro metrics" focus in on detailed parts, components or elements of something, "macro metrics" pan out to give a broad perspective on the entirety. Both types of metric have their uses. Micro metrics support low-level operational management decisions. Time-sheets, for example, are micro metrics recording the time spent on various activities, generating reports that break down the hours or days spent on different tasks during the period. This information can be used to account for or reallocate resources within a team or department or identify. Normally, though, its true purpose is to remind employees that they are being paid for the hours they work, or as a basis on which to charge clients. Macro metrics, in contrast, support strategic big-picture management decisions. They enable management to "see how things are going", make course-corrections and change speed where appropriate. The metric "security maturity", for example, has impli...

In the full glare

Here's a neat illustration of the challenges facing those protecting critical national infrastructures. Take a look at this map of the UK's fuel pipelines - a massive mesh of pipes criss-crossing the country, linking refineries and fuel stores with power stations and airports. Many of the pipes are buried, carrying large volumes of volatile and energetic fuel under substantial pressure for hundreds of miles across open country, along roads, over canals and under cities, hence the need for the map, the website and the organization behind it: trust me, you don't want people accidentally digging them up, or driving piles through them. For health and safety reasons, let alone the risk of serious economic and physical fallout, people driving big yellow mechanical diggers and pile-drivers need to know if they are within striking range of the pipes. Planners, architects and builders need to know where they lie, plus the operators who use and maintain them, oh and the emergency se...

ISO/IEC 27000:2016 available for FREE download

Like its predecessors, the 2016 fourth edition of ISO/IEC 27000 has been released for FREE. It can be downloaded in both English and French. Whereas I regret to say that ISO/IEC charges heavily for almost all of the ISO27k standards, ISO/IEC 27000 is FREE in order both to spread a common understanding of information security terms, and to outline the whole family of ISO27k standards. This is not some ripped-off, pirated version but a legitimate publication by ISO/IEC. The definitions in ISO/IEC 27000 apply throughout the ISO27k standards except where terms are explicitly redefined in the individual standards: generally those explicit redefinitions are refinements in the specific context of a single standard, or variations required to align with ISO standards outside the ISO27k family. A few of the official definitions are rather curious and narrow - for instance I believe the definition of 'integrity' as 'property of accuracy and completeness' is ...

What is an ISO 27001 gap analysis?

In the context of ISO/IEC 27001, I've often heard people planning to commission or conduct a ‘gap analysis’ or 'readiness assessment' or 'pre-certification audit' or 'ISMS project review', but what do they mean? What exactly is going to take place? Good question! There is no formal definition. It is essentially just a consultancy assignment specified by the client and agreed with the consultant/s doing the work. Given the context, its main purpose is generally to review the organization's state of readiness, addressing the question "Is the organization ready to be certified compliant with the ISO standard?" Another way of putting that is to ask "If the certification auditors turned up next week, would they: Turn around and walk away during the very first morning, shaking their heads in sheer disbelief at the near total clue deficiency and leaving site with another war-story; Get stuck in to the audit fieldwork, quickly digging up plenty ...

IP Intellectual Poverty

A thought-provoking piece in Forbes about the commercial value of intellectual property contains a stack (a set? A pile? A jumble? An assortment?) of remarkable statistics ... and I feel inspired to comment on one graph in particular: Neither the Forbes piece nor the Ocean Tomo source explain how the numbers on that graph were calculated. Intangible assets are not normally reported/disclosed, and in fact are notoriously difficult to value. Various approaches could have been used to estimate the asset values but we don't know how it was done. The valuation appears to have been based, in part, on the 'market value' or capitalization - essentially the product of the number of issued shares and the share price - of some or all of the Standard & Poor's Top 500 companies. The difference between capitalization and reported tangible asset values would estimate the value of intangibles ... but both values are somewhat uncertain. Share prices, for instance, tend to be far ...