Posts

Showing posts from April, 2017

Email and messaging security awareness materials published

May's awareness materials have been delivered to customers, a ~50Mb zip file of awareness content on email and messaging security. If you have been following this blog over the past month, you'll have a good idea about what's in the new module. I make no bones about it: this is an extremely important topic for all security awareness programs. Given the prevalence and impact of issues such as phishing, malware and privacy breaches, any organization that foolishly ignores the risks and leaves its employees to flounder in the dark deserves what it gets!

Home straight

As today is the last day of April, we've been running flat out in top gear all week to complete May's awareness materials on email and messaging security before our self-imposed delivery deadline. There is just one more paper to prepare today while the proofreading is in progress, then we'll package and deliver the materials before taking a breather. The final paper to cross the line this month will be a management-level awareness piece about security metrics for email and messaging. It should take two or three hours to prepare, on the basis that I write at about one A4 page per hour on average. If that sounds slow, my excuse is that a lot of thinking and creative effort goes into each piece: I'm not just typing frantically - far from it. The shortest, most succinct and high level awareness items often seem to take the longest to prepare, especially the ones with diagrams and figures. The starting point for all our materials is a template, an MS Word template in this c...

Awareness posters

Yesterday we almost completed the general employee materials aimed at workers in general. Six fantastic new awareness posters are in from the art department. Despite having come up with the brief so we had more than just an inkling of what to expect, I laughed out loud at the artists' creative interpretations of the concepts. Once again they have brought a spark of life, humor and visual impact to our dull words. Having developed a strong working relationship with our graphics people over several years, it's still getting better month-by-month. It's a pleasure to collaborate, each of us contributing our respective expertise and complementary skills to generate high quality products. Thanks to effective teamwork, the total is greater than the sum of the parts. That said, I've mentioned before that posters and the dreaded infographics are only part of the awareness collateral. About 20+ years ago, to a lot of organizations, awareness programs were posters and vice v...

The security awareness cascade

Awareness and training in general are successful if they change people's attitudes and decisions sufficiently to change their behaviours. Getting them to do things differently (not just 'be aware' in some vague sense) is the aim, the bit that pays off. In the case of information security awareness, if successful it leads to people behaving more securely - stopping or avoiding insecure things, and starting or doing more secure things. Not falling for phishing attacks is a topical example, just one of many. Knowing how to spot, avoid and minimize incidents is only part of it. Actually doing so is what generates benefits, as phishing incidents fall in number and severity. Workers diligently reporting incidents and especially near misses is a strong indication of a mature level of awareness, with still more benefits for the organization. We think of security awareness as a process - a cascade or logical sequence of several discrete stages rather than a single nebulous whole:...

The security awareness plate-spinning extravaganza

The awareness module on 'email and messaging security' is coming along nicely, with just 4 days until our usual end-of-month delivery deadline. We could easily consume at least another month refining the materials, getting further into some of the technical issues and digging up more news, security controls and related issues to discuss ... but in the end we'd still only have a single awareness module on a particular topic, focusing on a small part of the information risk landscape. It's better to complete and deliver what we have, then turn the awareness spotlight to illuminate a different part of the landscape next month. Yesterday I read "Be Compromise Ready: Go Back to the Basics - 2017 Data Security Incident Response Report", a glossy survey report by BakerHostetler that started out strongly by acknowledging the value of employees as part of an organization's cyberdefense: "Employees are often cited as a company's greatest asset. In the cyberse...

Catering for multiple audiences

We've used the professionals' seminar as a donor to kick-start the staff and management seminars. Copying seminar slides into new templates and fiddling around with the layout and formatting is the easy bit: adapting the presentations to suit the different audiences takes a bit more thought. Most managers are unlikely to have an interest in the technical details of email encryption, for instance, but they ought to appreciate that there are options in that regard, each having pros and cons for the organization. We need to give them just enough context and background to be able to take this up with their IT, risk and information security professionals - some questions to pose, perhaps, as well as a basic grounding in the concepts and terminology to facilitate meaningful communications. The awareness module will also contain management briefings, a sample policy and a paper on email and messaging security metrics, encouraging managers to contemplate the strategic, governance, compl...

Getting back on track

After a busy week away at the ISO27k meeting, I'm catching up with the day-job, working flat out to complete the email security awareness module by the end of this month. Yesterday, the professionals' seminar slide deck came together nicely: it's not quite finished yet but the 'story' behind/linking the slides is taking shape. We've incorporated a mixture of graphic images, diagrams and recent press clippings to illustrate and enhance the content. Notice the near absence of bullet points, avoiding 'death by PowerPoint'. There are a few paragraphs of text quoted in the press clippings (which, we believe, are relevant, topical, interesting and worth it) but most slides use striking visual imagery and strong colors. The idea is for a seminar leader, presenter or facilitator to explain and talk about each slide, conversing and interacting with the audience, where appropriate expanding on the literal content of the slides, interpreting things in the particul...

ISO27k meeting report

A plenary concluded the main business of the ISO/IEC JTC 1/SC 27 WG1 meeting in Hamilton, NZ. This was a formal session to vote on and record decisions and progress made during the week, including deadlines for the next tranche of work. The next SC 27 meeting will be in Berlin at the end of October 2017, then Wuhan in China in April 2018. The main resolutions from this meeting were:

- A minor revision will update ISO/IEC 27000:2016 to reflect the recent publication of 27002, 27004 and 27011.
- Governmental/regulatory use of 27001 will become Standing Document 7 and will be maintained for internal committee use.
- 27002 revision project will generate two versions of the standard demonstrating alternative structures for commenting at the next stage.
- 27005 will produce a revised design specification for the revision work, plus a corrigendum for the current standard.
- 27007 will produce revised text for FDIS, requesting a project extension to complete this.
- 27008 will prod...

ISO/IEC 27003 ISMS implementation guide published

ISO/IEC 27003:2017 has been published. This is a fully revised version of the Information Security Management System (ISMS) implementation guide, originally published in 2010. The new version is a significant improvement on the 2010 version. It follows the structure of ISO/IEC 27001, providing pragmatic advice section-by-section on how to satisfy the requirements. I'm happy to recommend it. The following core ISO27k standards are a sound basis on which to design and implement a management system to manage information risks (for historical reasons, termed "information security risks" or "cybersecurity risks" in the standards):

- ISO/IEC 27000:2016 - the overview and glossary (FREE download!)
- ISO/IEC 27001:2013 - formalized ISMS specifications
- ISO/IEC 27002:2013 - information security controls
- ISO/IEC 27003:2017 - the new implementation guideline
- ISO/IEC 27004:2016 - security metrics

Unfortunately, ISO/IEC 27005 on information risk management is out-of...

ISO27k meeting progress report

ISO/IEC TR 27019 concerns Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry. 27019 identifies information security controls that are either specific to the energy utilities, or are critical in that domain and perhaps need to be bolstered. The 2013 standard is currently being revised and will be published as a full International Standard, possibly later this year. There are some formatting issues to resolve with ITTF but the content is stable enough to move forward to FDIS. The SC27 project on cybersecurity insurance is developing a standard explaining cyberinsurance concepts to information security professionals, and cybersecurity concepts to insurance professionals, forming a common basis for specifying, discussing and adopting cyberinsurance. The Study Period has developed a solid donor document with plenty of meaty content. The SC27 Study Period on Risk Handling Library (RHL) resolved to deve...

ISO/IEC 27005 and 27014 revisions

The study period researching the possibility of revising ISO/IEC 27005 on 'information security risk' has resolved to limit the scope of the revised standard primarily to supporting and expanding on sections 6 and 8 of ISO/IEC 27001:2013, with some consideration of other standards including ISO 31000. An outline/skeleton document structure has been developed as part of the design specification, although it is hard even to assess it without the corresponding content. It is likely to change as the project proceeds. It was agreed to request a further 6 months to prepare a more complete draft standard before proposing a new work item. The study period considering the revision of ISO/IEC 27014 is proposing various improvements to make the standard more generally applicable and useful.

SC27 interim sit-rep

- 27001 ISMS for government use - comments agreed, Standing Document to be produced.
- 27001 ISMS defect concerning 'risks and opportunities' should have covered risks to the ISMS not to information security. Issue was slopey-shouldered to 27005 revision project (then promptly rejected by them!). Decision to defer this to next planned revision of this standard.
- 27002 security controls revision SP - challenging meeting. Plan to develop 2 versions of a template standard: (1) with the controls laid out in the front part in 4 categories with various 'views' of the controls appended according to the attributes; (2) with the views up front and the controls laid out in a catalogue as an annex. SP to be extended another 6 months, giving time for expert comments. [Meeting ongoing]
- 27005 information security risks - challenging meeting and robust discussion. 27005 scope changed again to support 27001 clauses on 'Risks and opportunities' plus 'risk assessment and treatme...

ISO/IEC 27002 revision

It should be obvious from my previous comments here on this blog, on www.ISO27001security.com and on the ISO27k Forum, that the last revision of ISO/IEC 27002 was less than satisfactory in my jaundiced opinion. When released in 2013, the standard was already out of date (e.g. it pretty much ignores cloud computing, BYOD and IoT - all topical issues that were emerging at the time the standard was being revised) and had some serious flaws (e.g. in the garbled continuity section). What may not be quite so clear is that the team responsible for the revision is a top-rate international group of experts in the field - experienced, intelligent, committed professionals. It wasn't the team that let it down so much as the tortuous revision process we had to follow. The next revision of 27002 could easily go down the same muddy path but there's hope, now, for a different approach. A major stumbling block, to date, has been the structure of 27002, derived from the original donor se...

ISO27k meeting

The ISO/IEC JTC 1/SC 27 meeting is under way in Hamilton. After a stormy couple of weeks in NZ, the weather is fine and sunny so hopefully delegates will have some time to see the country after the meeting. Work on the ISO/IEC 27000-series information security management standards ("ISO27k") this week includes:

- 27000 (glossary & intro) - terminology working group to review process for maintaining terms
- 27001 - its use in governments and regulators is going well, may become a SD as it demonstrates the value of 27001
- 27002 - structure & future to be discussed in depth this week, particularly the ~5-10 themes (chapters or sections of the standard, the logical sequence, classes of control) and control attributes (tags, categories) that may form the basis of a revised, smaller, more usable 27002
- 27005 - reported defect to be discussed and resolved; revision project to be discussed too
- 27007 - comments to be discussed and resolved this week: should go to DIS ...

ISO/IEC JTC 1/SC 27 meeting

Today I'm off to the University of Waikato in Hamilton for the SC 27 meeting. I'm planning to catch up with developments on most if not all of the ISO27k standards, in particular:

- ISO/IEC 27000 - is this going to be dropped in favour of an online glossary? What happened to the definitions for 'information asset', 'information risk' and 'cyber'?
- ISO/IEC 27001 - how did the boilerplate section on 'risk & opportunity' get hijacked as information risk?
- ISO/IEC 27002 - how is the idea of tagging the controls going to work out? Is that just another recipe for interminable
- ISO/IEC 27003 - new version due soon, all done?
- ISO/IEC 27005 - any chance of this being updated and published soon/ever? And if it is fast-tracked, where next - 'information risk management' maybe?
- ISO/IEC 27007 - new version due soon, all done?
- ISO/IEC TR 27008 - new version nearing completion, ready to finalise?
- ISO/IEC 27017, 27018, 27036 and others - wher...

CERT insider threat guide

The fifth edition of the Common Sense Guide to Mitigating Insider Threats was published at the end of 2016 by the CERT Insider Threat Center. As we've come to expect from CMU/SEI & CERT, it's an impressive, well-written piece of work. In short, these are the 20 best practices they recommend:

- Know and protect your critical assets.
- Develop a formalized insider threat program.
- Clearly document and consistently enforce policies and controls.
- Beginning with the hiring process, monitor and respond to suspicious or disruptive behavior.
- Anticipate and manage negative issues in the work environment.
- Consider threats from insiders and business partners in enterprise-wide risk assessments.
- Be especially vigilant regarding social media.
- Structure management and tasks to minimize unintentional insider stress and mistakes.
- Incorporate malicious and unintentional insider threat awareness into periodic security training for all employees.
- Implement ...