Posts

Showing posts from 2018

Awareness case study

The drone incident at Gatwick airport makes a good backdrop for a security awareness case study discussion around resilience. It's a big story globally, all over the news, so most participants will have heard something about it. Even if a few haven't, the situation is simple enough for them to pick up and engage in the conversation. The awareness objective is for participants to draw out, consider, discuss and learn about the information risk, information security or cybersecurity aspects, in particular the resilience angle ... but actually, that's just part of it. It would be better if participants were able to generalize from the Gatwick drone incident, seeing parallels in their own lives (at work and at home) and ultimately responding appropriately. The response we're after involves workers changing their attitudes, decisions and behaviors, e.g.: considering society's dependence on various activities, services, facilities, technologies etc., as well as the organizat...

US Dept of Commerce shutdown

Earlier this year I heard about the threatened shutdown of WWV and WWVH, NIST's standard time and frequency services, due to the withdrawal of government funding - an outrageous proposal for those of us around the world who routinely use NIST's scientific services to calibrate our clocks and radios. Today, while hunting for a NIST security standard that appears to no longer be online, I was shocked to learn that it's not just WWV that is closing down: it turns out all of NIST is under threat, in fact the entire US Department of Commerce. Naturally, as a large bureaucratic government organization, the DoC has a detailed plan for the shutdown, with details of certain 'exempt' government services that must be maintained according to US law, although how those services and people are to be paid is unclear to me. After the funding ceases, DoC employees are required (or is that requested?) to turn up for work for a few more hours to set their out-of-office notifications (on...

Gamifying awareness

We've come up with an idea for our next awareness challenge. January's topic is 'resilience', a concept that means different things to different people. So what does it mean to workers? What is 'resilience' about? What does it imply? What are the key aspects, the things that everyone ought to know about? The concept we have in mind for the awareness challenge is simple enough: under guidance from our security awareness materials, groups of workers discussing and exploring their understanding of the term 'resilience' will occupy the bulk of the challenge. Turning that into a practical and engaging awareness activity takes a bit more work though. Our approach involves prompting and supporting someone - ideally an information security awareness professional - to deliver an effective session. Short of actually leading the session in person, we provide the materials and the inspiration to make the event fly: awareness by proxy, you could say. Despite ou...

Building a resilient workforce

A resilient workforce is well-prepared to cope with whatever stuff is thrown at it, all manner of challenges and incidents ... like this for instance: Security-aware workers are an extremely important defensive control: we really ought to recognize this email for what it is - an obvious social engineering attack, a crude attempt to dupe us into opening the attachment ... but awareness is not the only control, which is just as well since we are only human. A truly resilient organization has a comprehensive suite of information security controls that come into effect before, during and after the email is delivered, even if a hapless worker receives and falls for the con, opening that attachment. In information security, resilience is largely achieved through layered, overlapping and complementary controls. Individually none of them can totally eliminate the risks, but collectively the risks are reduced to the point that we can handle the remaining issues - at least tha...

Choosing ISO27k products

On the ISO27k Forum today, a new member asked for advice on whether a 'complete package' would help the organization achieve ISO/IEC 27001 certification. It's hard to answer without knowing more about the organization and its people (especially the management and specialists), their experience and maturity in respect of information risk and security and ISO management systems, and the business context. For example: A small engineering company is in a different position to, say, a large charity, a government department or a multinational: its complexity, information risks, information security controls and other factors vary; A company in a heavily-regulated industry such as healthcare, finance or defense is probably more compliance-driven, its management and workforce more comfortable with structured and systematic ways of working than, say, a retailer or farmers' cooperative; An organization that is 'surrounded' or owned by ISO27k-certified organizations may b...

Bashing tick-n-bash

Auditing compliance or conformity with rules defined in policies, standards, laws and regulations is just one audit approach, commonly and disparagingly known as tick-n-bash auditing. The rule says X but you do Y ... BASH! It is like being rapped over the knuckles as a kid, or zapping a trainee sheep dog through its radio-controlled shock collar. It's a technique that may work in the short term but it is crude and simplistic. The trainee/auditee is hurt and ends up resentful. Strong negative emotions persist long after the tears have dried and the bruising has gone down, making it counterproductive. It's best reserved as a last resort, in my considered opinion.* Certification audits are ultimately compliance audits, but even they can be performed in a more sympathetic manner. The trick is to combine bashing (where justified) with explaining the requirements and encouraging compliance. It means motivating people, not just dragging them, and a lot ...

Who owns the silos?

Michael Rasmussen published an interesting, thought-provoking piece about the common ground linking specialist areas such as risk, security and compliance, breaking down the silos. "Achieving operational resiliency requires a connected view of risk to see the big picture of how risk interconnects and impacts the organization and its processes. A key aspect of this is the close relationship between operational risk management (ORM) and business continuity management (BCM). It baffles me how these two functions operate independently in most organizations when they have so much synergy." While Michael's perspective makes sense, connecting, integrating or simply seeking alignment between diverse specialist functions is, let's say, challenging. Nevertheless, I personally would much rather collaborate with colleagues across the organization to find and jointly achieve shared goals that benefit the business than perpetuate today's blinkered silos and turf wars. At the very least, I...

Acceptable Use Policies

A question came up on the ISO27k Forum about an Acceptable Use Policy. I'll take this opportunity to dispense a few Hinson Tips (free, and worth every penny!). AUP isn't a generally-defined and globally-agreed term. Even "policy" has a spectrum of meanings. So, regardless of what any of us might think or claim it means, what matters is the organization that's using it - the organizational context. What does your management expect an AUP to be? To achieve? To look like? You should get some useful clues from similar materials in other areas such as IT, HR and Finance, functions that to some extent formally express directives. They may or may not be called AUPs, so take a look around the policy-related guidance materials, and preferably talk to the original authors about their work. You will probably pick up some useful tips, maybe even some help to knock your materials into shape. Some organizations use AUPs formally, stating employees' obligations for l...

Security awareness on oversight

We bring the year to a close with an awareness and training module on a universal control that is applicable and valuable in virtually all situations in some form or other. Oversight blends monitoring and watching-over with directing, supervising and guiding, a uniquely powerful combination. The diversity and flexibility of the risk and control principles behind oversight are applied naturally by default, and can be substantially strengthened where appropriate. Understanding the fundamentals is the first step towards making oversight more effective, hence this is a cracker of an awareness topic with broad relevance to information risk and security, compliance, governance, safety and all that jazz. It's hard to conceive of a security awareness and training program that would not cover oversight, but for most it is implicit, lurking quietly in the background. We have drawn it out, putting it front and center. In the most general sense...

P-day

My lack of blogging lately is due to working flat-out to complete December's security awareness module on oversight. Today, Friday the 30th of November, it's P-day here in the IsecT office:

Posters - two more poster designs are due in from the art department today. This close to the deadline I'd be worried except that, over the years, we have developed a close relationship and understanding with the supplier. I'm confident we'll get the stuff on time, and that it will be good. Generally, it's right-first-time, which is nice. Our contingency plan involves crayons and a scanner - not pretty but, um, distinctive!

Proofreading - checking through the materials for errors and omissions, opportunities for improvement, loose ends to be tied off and so on. This is oversight in action.

Polishing - tying off those loose ends and finalizing the materials. Often I find that having prepared the content for the first stream, working on the second stream reminds me about s...

Elaborating on information risk

High-level corporate, project and personal objectives are often very vague - "A trusted partner", "A safe pair of hands" or "The best!". Same thing with corporate mission statements ("Don't be evil"), marketing/branding ("Just do it"), politics ("Vive la revolution!") and more. To act on and hopefully achieve them in a rational, directed or controlled manner involves understanding what they really mean, peeling back the layers, exploring the meanings and interpretations in more detail - a process that is inherently uncertain, i.e. risky. The upside risk (opportunity) arises from the understanding, insight, specificity and consensus generated as they are discussed, amplified and clarified, while the downside risk includes the opposites, e.g. misunderstandings, hand-waving generalities and fragmentation of objectives. ISO/IEC 27001 tries to persuade organizations to think through their corporate or business objectives, elaborating on the information risk a...

SEC begets better BEC sec

According to an article on CFO.com by Howard Scheck, a former chief accountant of the US Securities and Exchange Commission's Division of Enforcement: "Public companies must assess and calibrate internal accounting controls for the risk of cyber frauds. Companies are now on notice that they must consider cyber threats when devising and maintaining a system of internal accounting controls." A series of Business Email Compromise frauds (successful social engineering attacks) against US companies evidently prompted the SEC to act. Specifically, according to Howard: "The commission made it clear that public companies subject to Section 13(b)(2)(B) of the Securities Exchange Act — the federal securities law provision covering internal controls — have an obligation to assess and calibrate internal accounting controls for the risk of cyber frauds and adjust policies and procedures accordingly." I wonder how the lawyers will interpret that obligation to 'assess...

Getting the Board on-board

"Engaging with the board: Five ways for Chief Information Security Officers to stand out" was an excellent advisory from PwC that stimulated me to think of supplementary advice, a set of corollaries for PwC's advice.

PwC tip #1: "Invest in your relationships."

Hinson tip #1: "Don't focus and rely entirely on individual Board meetings." Board members may usefully be contacted and briefed or lobbied outside the meetings, ideally in person over an extended period. You might be introduced through a well-connected senior manager who understands and is sympathetic to the information risk and security objectives (implying they need to be on-board first). Failing that, friendly emails, text messages and phone calls work. Better still is to establish a long-term, business-like social relationship with the Directors and executives based on mutual respect and trust ... which means finding out about their concerns as much as expressing yours. An...

Go ahead, make my day

What can be done about the semi-literate reprobates spewing forth this sort of technobabble nonsense via email? "hello, my prey. I write you since I attached a trojan on the web site with porn which you have visited. My malware captured all your private data and switched on your camera which recorded the act of your wank. Just after that the malware saved your contact list. I will erase the compromising video records and data if you pay me 350 EURO in bitcoin. This is wallet address for payment : [string redacted] I give you 30h after you view my message for making the transaction. As soon as you read the message I'll know it immediately. It is not necessary to tell me that you have paid to me. This wallet address is connected to you, my system will delete everything automatically after transfer confirmation. If you need 48h just Open the calculator on your desktop and press +++ If you don't pay, I'll send dirt to all your contacts. Let me remin...
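One practical answer, beyond awareness, is a mail-filter rule that catches this family of sextortion spam on its tell-tale structure rather than on any particular wording. The Python below is an added example written for this page, not code from the original post or its author. It scores a message body on two things: a syntactically valid Bitcoin payment address (full Base58Check checksum verification for legacy addresses; bech32 addresses are matched on prefix and character set only, an assumed simplification, no checksum), plus three vocabulary indicators (a threat, a payment demand, a deadline). Requiring a checksum-valid address is what keeps ordinary mail that merely mentions "wallet" or "48 hours" from being flagged. The two sample emails and the wallet address are constructed for illustration; the address is derived from a fixed string and belongs to nobody.

```python
"""Heuristic detector for sextortion-style spam (added example, not from the original post)."""
import hashlib
import re
from typing import Optional

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58check_encode(payload: bytes) -> str:
    """Base58Check: append 4-byte double-SHA256 checksum, encode, one '1' per leading zero byte."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    data = payload + checksum
    n = int.from_bytes(data, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))
    return "1" * pad + out


def b58check_decode(s: str) -> Optional[bytes]:
    """Return the payload (version byte + hash) if the checksum verifies, else None."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    data = b"\x00" * pad + raw
    if len(data) < 5:
        return None
    payload, checksum = data[:-4], data[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def is_btc_address(token: str) -> bool:
    """Mainnet P2PKH/P2SH (version 0x00/0x05, 20-byte hash, valid checksum) or bech32 'bc1' prefix.
    Assumption for brevity: bech32 is checked on prefix, length and charset only, not its checksum."""
    low = token.lower()
    if low.startswith("bc1"):
        return 14 <= len(low) <= 74 and re.fullmatch(r"bc1[02-9ac-hj-np-z]+", low) is not None
    if not 26 <= len(token) <= 35:
        return False
    payload = b58check_decode(token)
    return payload is not None and len(payload) == 21 and payload[0] in (0x00, 0x05)


# Candidate tokens: Base58 legacy addresses (no 0, O, I, l) or bech32
ADDRESS_TOKEN = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-zA-Z0-9]{11,71})\b")

# Extortion vocabulary; each group counts once regardless of how many words match
INDICATORS = {
    "threat": re.compile(r"\b(malware|trojan|camera|webcam|recorded|video|contact list|contacts)\b", re.I),
    "payment": re.compile(r"\b(bitcoin|btc|wallet|pay me|transfer)\b", re.I),
    "deadline": re.compile(r"\b\d{1,3}\s*(h|hours?|days?)\b", re.I),
}


def score_email(body: str) -> dict:
    """Valid address scores 2, each indicator group 1; flag at 4+, so an address is always required."""
    addresses = [t for t in ADDRESS_TOKEN.findall(body) if is_btc_address(t)]
    hits = {name: bool(rx.search(body)) for name, rx in INDICATORS.items()}
    score = (2 if addresses else 0) + sum(hits.values())
    return {"addresses": addresses, "indicators": hits, "score": score, "flag": score >= 4}


def sample_address() -> str:
    """Constructed P2PKH address: version 0x00 plus a 20-byte hash of a fixed string (not a real wallet)."""
    h160 = hashlib.sha256(b"constructed example, not a real wallet").digest()[:20]
    return b58check_encode(b"\x00" + h160)


# Constructed samples in the style of the message quoted above; not real mail
SCAM_SAMPLE = (
    "hello, my prey. I attached a trojan on the porn web site you visited. "
    "My malware switched on your camera and saved your contact list. "
    f"Pay me 350 EURO in bitcoin to this wallet address: {sample_address()} "
    "I give you 30h after you view my message."
)
BENIGN_SAMPLE = "Hi team, the wallet project design review is in 2 hours; slides attached."

if __name__ == "__main__":
    for label, body in (("scam", SCAM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_email(body))
```

The checksum check matters because the spammers' Base58 strings are the one part of the message they cannot mangle or vary: a gateway rule keyed on "valid Bitcoin address + threat + deadline" survives the rewording that defeats keyword blocklists, and the extracted address is also what you would feed to a blockchain explorer when investigating whether anyone in the organization actually paid.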

Implementing a security awareness strategy

A strategic goal to become the person, team, function or department to whom people turn for advice on information risk, security and related matters is laudable, but what does that actually mean in practice? What would you need to do to achieve it? What would it require to put it into effect? How would you know whether it was working? Thinking through the implications and questions of that nature will suggest a number of avenues to work on, for instance: Becoming known as a source of advice means people need your contact details, the means to get in touch. Furthermore, the advisory services you offer need to be sound and strong, beneficial both to the business and to the individuals seeking advice. This implies the need to publicize and promote your activities, perhaps through an internal marketing campaign; Some people may be reluctant to approach you, for various rational and irrational reasons: figure those out and tackle them one by one, as best you can. An open-door...