Posts

Showing posts from August, 2017

Strengthening Information Security’s social network

Some security awareness programs simply broadcast messages at the organization. Messages flow from the Information Security function to the audience - specifically an audience dubbed "end users" in many cases, a disparaging term implying low-level staff who use computers (neglecting all others). A more effective approach, however, is to emphasize social networking and socialization of security as a primary driver of cultural change, with bidirectional communications increasing the chances that the awareness program reflects and responds to the business. Establishing a strong social network of friends and supporters of information security throughout the organization takes commitment and sustained effort on the part of the entire Information Security function. The payback over the medium to long-term, however, makes it an approach well worth considering. An actively engaged and supportive social network will keep the awareness program, and in fact the information securit...

Information risk assessment (reprise)

On ISO27k Forum this morning, an FAQ made yet another appearance. SR asked: "I am planning to do risk assessment based on Process/Business based. Kindly share if you have any templates and also suggest me how it can be done." Bhushan Kaluvakolan responded first by proposing a risk assessment method based on threats and vulnerabilities (and impacts, I guess), a classical information-security-centric approach that I've used many times. Fair enough. I followed up by proposing an alternative (and perhaps complementary) business-centric approach that I've brought up previously both on the Forum and here on the blog: Consider the kinds of incidents and scenarios that might affect the process, both directly and indirectly. Especially if the process is already operating, check for any incident reports, review/audit comments, known issues, management concerns, expert opinions etc., and/or run a risk workshop with a range of business people and special...

Thanks a million

According to Google's Blogger stats, over the weekend this blog topped 1 million page views so I guess we must be doing something right! It would be hard to come up with something new to say every day, if it weren't for the fact that we are all bombarded by stuff from other blogs and groups, from advisories and committees, and from several billion Websites. There's lots of stuff going on in the world of infosec which keeps me interested and hopefully you too. My main concern is the human as opposed to technological aspects, hence my overriding interest in promoting good practices in information risk and security governance and management (especially ISO27k and security metrics), security awareness, policies, procedures etc. to keep a lid on social engineering scams, frauds, hacks and malware attacks, ineptitude, thievery, spying, piracy and so forth. Having said that, managing technology requires understanding it (IT especially) so I try my best to keep an eye on that to...

Awareness boosters

The Information Security 101 awareness module update is going well. We might even finish slightly ahead of the deadline, provided I can resist the temptation to keep polishing and adding to the content! One of the deliverables is a 'menu' of rewards for workers who uphold the information risk and security practices, controls and behaviors we wish to encourage. The rewards are divided into bronze, silver and gold categories. Bronze rewards are generally free or cheap, and yet welcome - a nice way to thank workers for simply participating in awareness seminars, case study/workshop session or quiz maybe. Here are just a few examples:
- A phone call, personal thank-you note and/or email
- Letter of participation or commendation to be placed in the employee’s personnel file (whatever that means!)
- Relaxed dress code for the recipient – for a defined period such as a day or a week
- Generic certificate acknowledging a level of competence (e.g. on completion of security induction...

Hot potato or mash?

I'm currently working on a couple of interrelated matters concerning ISO/IEC JTC 1/SC 27 business. One is the possibility of renaming and perhaps re-scoping the committee's work. The other is a study period exploring cybersecurity. They are related because cyber is a hot potato - a bandwagon no less. Some on the committee are raring to disable the brakes and jump aboard. When asked to describe what cybersecurity is, one expert replied "Budget!". That's more than just a cynical retort. Cyber risk, cyber security, cyber threats, cyber attacks, cyber incidents and cyberinsurance are all over the headlines. Several countries have invested in cyber strategies and units. There is money in cyber, so that's a good thing, right? As I've said before, the focus on cyber is problematic for several reasons, not least distinctly different interpretations of the very term, a gaping chasm separating two distinct domains of understanding: In informal use (including most jo...

Information Security outreach

Further to yesterday's ISO27k Forum thread and blog piece, I've been contemplating the idea of extending the security awareness program into an "outreach" initiative for Information Security, or at least viewing it in that way. I have in mind a planned, systematic, proactive approach not just to spread the information risk and security gospel, but to forge stronger more productive working relationships throughout the organization, perhaps even beyond. Virtually every interaction between anyone from Information Security and The Business is a relationship-enhancing opportunity, a chance to inform, communicate/exchange information in both directions, assist, guide, and generally build the credibility and Information Security's brand. Doing so has the potential to: Drive or enhance the corporate security culture through Information Security becoming increasingly respected, trusted, approachable, consulted, informed and most of all used, rather than being ignored,...

What to ask in a gap assessment

A disarmingly simple question on the ISO27k Forum this morning set me thinking. "RP" asked: "Does anybody have a generic [set of] high level questions for business departments other than IT, that can be asked during gap assessment?" As is so often the way with newcomers to the Forum, RP evidently hasn't caught up with past Forum threads (e.g. we recently chatted about various forms of gap analysis, and the markedly different ways that people [including dentists!] use and interpret the term), paid scant attention to forum etiquette (e.g. he/she didn't tell us his/her name), and provided little to no context in which to address the question (e.g. what size and kind of organization is it? What industry/sector? Does it have a functional, certified and mature ISO27k ISMS already, is it working towards one, or is RP just idly thinking about it over coffee?). Despite that, a couple of us responded as best we could, making assumptions about the context, th...

Internal Control Questionnaires

Further to yesterday's blogging, I normally prepare Internal Controls Questionnaires to structure and record my audit fieldwork. As the illustrative extract above shows, these work nicely as landscape tables in MS Word with the following 4 columns:
- Check: these are the audit tests, written before the audit fieldwork starts. As well as the classic audit 'show me' and 'tell me about ...', I much prefer open-ended questions and general prompts such as 'check', 'review' and 'evaluate'. ICQs are intended to be used by reasonably competent and experienced auditors, not spouted verbatim by novices.
- SWOT: these record the auditor's first impressions - an initial evaluation of the findings. Is this area a Strength (the findings are good, risks well under control), a Weakness (there are some issues but nothing too desperate), an Opportunity (generally meaning an ‘opportunity for improvement’ i.e. a change that will bene...

Security culture through awareness

That sums up our approach to using security awareness as a mechanism to foster a 'culture of security'. In the spirit of yesterday's blog, rather than wax lyrical, I'll let the diagram speak for itself. 'Nuff said.

InfoSec 101 for management

Today I've revised the management seminar for Information Security 101. Given our deliberately wide brief, there's quite a lot to say even at the relatively superficial 101/introductory level, so we're using thought-provoking pictures (mind maps, process diagrams and conceptual imagery) in place of reams of text and tedious bullet points. The whole seminar works out at just 12 slides ... at least that's the management seminar slide deck we'll be providing to subscribers. They can adapt the content, perhaps incorporating extras or indeed cutting back on the supplied content - and that's fine by us. In fact, more than that, we actively recommend it! Much as we would like to offer awareness materials tailored for each customer, we simply don't have the resources. For starters, we would need to spend time getting to know and then keeping abreast of each customer's specific circumstances and needs ... and being information security related, there are confi...

NIST SP800-53 draft v5

A public draft of NIST SP800-53 revision 5 is worth checking out. Major changes in this draft:
"- Making the security and privacy controls more outcome-based by changing the structure of the controls;
- Fully integrating the privacy controls into the security control catalog creating a consolidated and unified set of controls for information systems and organizations, while providing summary and mapping tables for privacy-related controls;
- Separating the control selection process from the actual controls, thus allowing the controls to be used by different communities of interest including systems engineers, software developers, enterprise architects; and mission/business owners;
- Promoting integration with different risk management and cybersecurity approaches and lexicons, including the Cybersecurity Framework;
- Clarifying the relationship between security and privacy to improve the selection of controls necessary to address ...

Work goes on

We've updated more stuff for the Information Security 101 module today:
- 8 two-page case studies based on commonplace incidents;
- 13 one-page scam alerts on common scams (yes, 13);
- Generic job descriptions for an Information Security Awareness Manager, plus an Awareness Officer, and Awareness Contacts (part timers, distributed throughout the organization).
Ticks are appearing and darkening on the contents listing at a reasonable rate. Meanwhile, over on the ISO27k Forum, we've been discussing terminology and the pros and cons of various information security frameworks, and CISSP Forum has been yakkin' about quantum crypto key exchange and fake news. Oh and we've arranged for the tractor repair man to come over tomorrow to fix a broken valve and solenoid, and I popped down to the vet for antibiotics for 3 sick animals. Quite a varied and productive day, all in all.

Why infosec?

Today I'm revising the Information Security 101 presentation for general employees, starting with a brief introductory slide addressing questions along the lines of "What's the point of information security?" and "Why are you even telling me about it?". It's not as easy as you might think to answer such fundamental questions, simply, for someone who may have no background or interest in the topic. So I went Googling for inspiration, and came across this neat list of infosec benefits from a company called Global Strategic:
- Demonstrates a clear commitment to data security - including confidentiality and strict accessibility rules;
- Provides procedures to manage risk;
- Keeps confidential information secure;
- Provides a significant competitive advantage;
- Ensures a secure exchange of information;
- Creates consistency in the delivery of our services;
- Allows for inter-operability between organizations or groups within an organization;
- Builds a culture of security;
- P...

Updating

Another basic information security practice is updating things, e.g.:
- Patch promptly (update software)
- Lock-n-load (physical security)
- Counter cons (social engineering)
- Nuke nasties (update antivirus)
- Read rules (security policies)
Those short alliterative phrases are memory-joggers to catch people's imagination and remind them about the things they ought to be doing regularly. Conspicuously missing from the list is changing passwords: once upon a time, it was generally accepted practice to force people to change their passwords every few weeks or months. I have never quite understood the rationale for this. It takes effort to think up and commit to memory yet another strong password, and there are security costs when people forget their passwords, so what's the benefit? I suppose it might frustrate someone who has been surreptitiously watching a colleague enter their password every day, trying to figure out what they are typing ... but really? Arguably it would reduce the s...

Passwords, again

A survey of password security on 48 popular websites [by a company selling a password vault system] 'reveals' that several don't enforce password parameters [that pretty much any password vault system would fulfill]. It also reveals an issue for online organizations whose users may or may not use password vaults. With a click or two, users with password vaults can easily generate and regurgitate very long, complex, unique passwords, no problem. Sensible vault users don't particularly care what password parameters websites define, just so long as the sites don't unduly constrain their choice of long, complex, unique passwords. From my perspective, sites that prevent me choosing passwords longer than, say, 16 characters, or passwords with spaces, punctuation and other "special" characters, are intensely annoying, and also very revealing: such organizations are evidently not clued-up on user authentication. They are inadvertently whispering "Hack us!...

Password awareness

Passwords qualify as a basic cybersecurity control, so what should we be saying about passwords? Two key messages, for sure:
- Choose strong yet memorable passwords: easier said than done given the number of systems we are using these days. Longer pass phrases are better, and we have some useful tips on those.
- Keep passwords secret. Aside from the obvious 'don't disclose or share your passwords with anyone', phishing is definitely a concern in this area ... but it's tricky to explain succinctly.
We'd like to recommend password managers or vaults - and we may do so, in the hope that our customers either supply a 'company sanctioned' one, or permit/encourage their people to use them: that's something to bring up in the management awareness stream, along with accountability. We could also discuss bad passwords, password cracking/brute force attacks, poorly thought-out system designs that unduly limit password choice, hashing and salting and other controls ...

Back to basics

September's awareness content will take a back-to-basics look at information risk and security, with an update to the Information Security 101 module. So what are the basics? We probably ought to, at some point, introduce the fundamental concepts, principles and approaches such as:
- Risk and control, both in general and in the context of information;
- Governance, management and compliance;
- The process of identifying, assessing and treating information risks;
- CIA (confidentiality, integrity and availability) requirements; and
- Various types or categories of security control (e.g. preventive, technical).
Then there are basic security controls, such as:
- Access controls;
- Assurance and trust;
- Backups, resilience and business continuity;
- Firewalls and network security;
- Malware controls;
- Monitoring and oversight;
- Passwords, identification and authentication;
- Patching and system security;
- Policies and compliance;
- Physical security; and
- Awareness (naturally).
Hey, the modul...