Posts

Showing posts from March, 2018

Quality assurance

Our own assurance measures kick into top gear about now with the impending completion of the next awareness module - specifically proofreading and final corrections on the awareness materials before they are packaged up for delivery. Like any craftsmen, we take pride in our work. It's what we do, our specialism. We strive to make our output as good as we possibly can, a perfectionist streak that probably goes beyond what's strictly necessary. It flows from our deep-set belief in the value of integrity, both as individuals and as a business. It matters. Quality assurance is integral to our production process. Checking our finished work (quality control) is the final stage and an opportunity for me to take stock. Having had my head inside the topic all month, it's good to step back for a look at the whole package of awareness goodies as it comes together. Provided the proofreading reveals few issues, I'm reassured that we did a good job, bringing the month's activit...

Smart assurance

With just days to go to the delivery deadline, April's security awareness module on assurance is rounding the final corner and fast approaching the finishing line. I've just completed updating our 300+ page hyperlinked glossary defining 2,000+ terms of art in the general area of information risk management, security, privacy, compliance and governance. Plus assurance, naturally. As I compiled a new entry for Dieselgate, it occurred to me that since things are getting smarter all the time, our security controls and assurance measures need to smarten up at the same rate or risk being left for particulates. Emissions and other type-testing and compliance verification for vehicles need to go up a level, while the associated safety and technical standards, requirements, laws and regulations should also be updated to reflect the new smart threats. In-service monitoring and testing becomes more important if we can no longer rely on lab tests, but that creates further issues and risks...

Assurance and business continuity

Business continuity management involves three distinct but complementary approaches: resilience arrangements aim to maintain essential/critical information services despite incidents if at all possible, at a reduced, fallback or emergency service level at least; disaster recovery arrangements recover and restore services that have failed for whatever reason (including failed or overwhelmed resilience); contingency arrangements help the organization cope with whatever situations turn up unexpectedly (including failures in the other approaches, plus other novel incidents and crises, unfortunate coincidences and extreme/outlier risks involving Little Green Men From Mars). Resilience is often neglected or misunderstood, yet it's a valuable approach with benefits under normal operational conditions as well as during and following major incidents. Plenty of capacity generally means good performance, for instance. Assurance is another advantag...

Repetitititition

It is often said (repeatedly in fact) that repetition is the key to learning. Well, is that true? Is that a fact? It must be true if it is said often enough, surely? This blog piece is about using and misusing repetition as an awareness technique, repeatedly. You may have come across the classic 3-step tell-em technique for classes, lectures and seminars: Tell them what you're about to tell them about. Tell them it. Tell them about what you told them about. It's a simple, or rather simplistic, approach, a crude technique based on simple repetition. You have probably sat through repetitive classes, lectures and seminars by teachers or speakers that follow the advice slavishly, every time, some of them even pointing out what they are doing as if that helps. It's obvious, without being pointed out. You don't need to tell us that you're using the tell-em technique! In my experience, the tell-em technique is most often used by teachers and presenters who are not comfort...

Assurance metrics

Today I'm writing about 'security assurance metrics' for April's awareness module. One aspect that interests me is measuring and confirming (being assured of) the correct operation of security controls. Such metrics are seldom discussed and, I suspect, fairly uncommon in practice. Generally speaking, we infosec pros just love measuring and reporting on incidents and stuff that doesn't work because that helps us focus our efforts and justify investment in the controls we believe are necessary. It also fits our natural risk-aversion. We can't help but focus on the downside of risk. Most of us blithely assume that, once operational, the security controls are doing their thing: that may be a dangerous assumption, especially in the case of safety-, business- or mission-critical controls plus the foundational controls on which they depend (e.g. reliable authentication is a prerequisite for access control, and physical security underpins almost all other forms o...

Down to Earth

Since "assurance" is a fairly obscure concept, April's awareness materials inevitably have to explain it in simple enough terms that people can grasp it, without glossing over things to such an extent that nothing matters, nothing registers. Tricky that! Harder still, our purpose for raising this at all is to emphasize the relevance of assurance to information security - another conceptual area that we're trying hard to make less obscure! The approach we've come up with is to draw parallels between assurance for information security, and assurance for safety. Safety is clearly something that matters. People 'get it' without the need to spell it out in words of one syllabub. With just a little gentle help, they understand why safety testing, for instance, is necessary, and why safety tags and certificates mean something worthwhile - valuable in fact ... and that gives us a link between assurance and business. For awareness purposes, we'll be using bungy-jumpi...

Facebook assures

Facebook is facing a crisis of confidence on stock markets already jittery about interest rates and over-priced tech stocks, thanks to a privacy breach with overtones of political interference: "Facebook fell as much as 8.1 percent to $170.06 on Monday in New York, wiping out all of the year's gains so far. That marked the biggest intraday drop since August 2015. Facebook said Friday that the data mining company Cambridge Analytica improperly obtained data on some of its users, and that it had suspended Cambridge while it investigates. Facebook said the company obtained data from 270,000 people who downloaded a purported research app that was described as a personality test. The New York Times and the Guardian reported that Cambridge was able to tap the profiles of more than 50 million Facebook users without their permission. Facebook first learned of the breach more than two years ago but hadn't disclosed it. A British legislator said Facebook had misled officials while S...

A critique of CIS netsec metrics (LONG)

Perusing a CIS paper on metrics for their newly-updated recommended network security controls (version 7), several things strike me all at once, a veritable rash of issues. Before reading on, please at least take a quick squint at the CIS paper. See what you see. Think what you think. You'll get more out of this blog piece if you've done your homework first. You may well disagree with me, and we can talk about that. That way, I'll get more out of this blog piece too! [Pause while you browse the CIS paper on metrics] [Further pause while you get your thoughts in order]

A thinking day

Today was a thinking day - time away from the office doing Other Stuff meant my reluctant separation from the keyboard and a chance to mull over the awareness materials for April, free of distractions. I returned sufficiently refreshed to catch up with emails and press ahead with the writing, and inspired enough to come up with this little gem: I say 'gem' because that single (albeit convoluted) statement helps us explain and focus the awareness module. We will explain assurance in terms of confidence, integrity, trust, proof etc. and discuss the activities that get us to that happy place, or not as the case may be. Discovering any problems that need to be addressed is an important and obvious part of various forms of testing, but so too is giving the all-clear. Gaining assurance, either way, is the real goal, supporting information risk management: if you discover, later, that the testing was inept, inadequate, biased, skipped or otherwise lame, the whole thing is devalued,...

Building a sausage machine

We've been engaged to write a series of awareness materials on a variety of information security topics - a specific type of awareness product that we haven't produced before. So the initial part of the assignment is to clarify what the client wants, come up with and talk through our options, and draft the first one. That's my weekend spoken for! Once the first one is discussed, revised and agreed, stage two will be to refine the production process so future products will be easier and quicker to generate, better for the client and better for us. Like sausages. We're building a sausage machine. We'll plug in a topic, turn the handle and extrude a perfectly-formed sausage every time. Sounds fine in theory but on past experience that's not quite how it will work out, for two key reasons: Since the topics vary, the content of the awareness product will vary, naturally ... but so too may the structure and perhaps the writing style. Awareness content on, say, viru...

Assurance functions

Of all the typical corporate departments or functions or teams, which have an assurance role? Internal Audit - audits are all about gaining and providing assurance; Quality Assurance plus related functions such as Product Assurance, Quality Control, Testing and Final Inspection, Statistical Process Control and others; Risk Management - because assurance reduces uncertainty and hence risk; IT, Information Management, Information Risk and Security Management etc. - for example, ensuring the integrity of information increases assurance, and software quality assurance is a big issue; Information Security Management - which is of course why this is an information security awareness topic; Business Continuity Management - who need assurance on everything business-critical; Health and Safety - who need assurance on everything safety-critical; Production/Operations - who use QA, SPC and many other techniques to ensure the quality and reliability of production methods, processes and produc...

Word games

The assurance word-art tick (or boot?) that we created and blogged about a few days ago is still inspiring us. In particular, some assurance-related words hint at slightly different aspects of the same core concept: Assure, Assurance, Assured, Assuredly, Ensure, Ensured, Insure, Insurance, Reassure. Along with the tongue-in-cheek terms 'man-sure' and 'lady-sure', they are all based on 'sure', being a statement of certainty and confidence. Insure is interesting: in American English, I believe it means the same as ensure in the Queen's English (i.e. being certain of something), but in the Queen's English, insure only relates to the practice of insurance, when some third-party offers indemnity against particular risks. Assured, ensured and insured are not merely the past tenses of the respective verbs, but have slightly different implications or meanings: If someone is assured of something, they have somehow been convinced and accept it as true. They internalize a...

Scheduling audits

One type of assurance is audit, hence auditing and IT auditing in particular is very much in-scope for our next security awareness module. By coincidence, yesterday on the ISO27k Forum, the topic of 'security audit schedules' came up. An audit schedule is a schedule of audits, in simple terms a diary sheet listing the audits you are planning to do. The usual way to prepare an audit schedule is risk-based and resource-constrained. Here's an outline (!) of the planning process to set you thinking, with a sprinkling of Hinson tips: Figure out all the things that might be worth auditing within your scope (the 'audit universe') and list them out. Brainstorm (individually and if you can with a small group of brainstormers), look at the ISMS scope, look for problem areas and concerns, look at incident records and findings from previous audits, reviews and other things. Mind map if that helps ... then write them all down into a linear list. Assess the associated informat...

Normal service ...

... will be resumed, soon. We've been slaving away on a side project, putting things in place, setting things up, trying things out. It's not quite ready to release yet - more tweaking required, more polishing, lots more standing back and admiring from a distance - but it's close.

Word cloud creativity

Yesterday I wrote about mind mapping. The tick image above is another creative technique we use to both explore and express the awareness topic. To generate a word cloud, we start by compiling a list of words relating in some way to the area. Two key sources of inspiration are: the background research we've been doing over the past couple of months - lots of Googling, reading and contemplating; and our extensive information risk and security glossary, a working document of 300-odd pages, systematically reviewed and frequently updated. Two specific terms in that word cloud amuse me: "Man-sure" and "Lady-sure" hint about the different ways people think about things. When a lay person (man or woman!) says "I'm sure", they may be quite uncertain in fact. They are usually expressing a subjective opinion, an interpretation or belief with little substance, no objective, factual evidence. It can easily be wrong and misleading. When a male or female expe...

Brainstorming awareness ideas

At this early stage of the month, although we have some ideas in mind for the content of the next awareness module, they are unstructured. We need to clarify the scope and purpose of the module, developing themes to pull things together and 'tell the story'. Mind mapping is our favourite technique for that: we sketch out the topic area on a single sheet starting from a central topic word ("Assurance" this month) and arranging a few major themes around it, connecting the words to show their relationships. On paper, it starts out simply like this with 3 key themes: Then we expand on those initial themes with further details ... ... and keep going until we run short of inspiration and decide to move ahead to the next stage ... On paper, with my handwriting, the rough diagram is quite scrappy but that's something we can work on later, normally by redrawing the mind map in Microsoft Visio. In Visio, it will be easy to amend or adjust things, for example rewording the ...

Bloggin on bloggin

You might have noticed the Digital Guardian logo in the side bar: we're honoured to be listed among their "top 50 infosec blogs you should be reading". Cool! Thanks Digital Guardian, purveyors of "Threat Aware Data Protection to Safeguard Your Sensitive Data from ALL THREATS!" One of their topical product lines is ransomware protection that "FILTERS OUT THE NOISE SO YOU FOCUS ON REAL THREATS". Last year we made it onto Feedspot's top 100 information security blogs list to earn a nice virtual medallion. There's more to this piece than mutual grooming and product placement though. Top-N lists are handy starting points for those seeking new sources - me included. I track a fair number of information risk and security blogs and websites routinely, specifically the ones I have discovered and liked enough to add to my bookmarks and blog aggregator. Every so often I review my selections, trimming off the ones that are either no longer actively up...

Fiftieth ISO27k standard published

I've completed the revision of www.ISO27001security.com, bringing the site up to date with the status of all the ISO27k information security management standards. There are currently some 50 published ISO27k standards, by my count, with a further 12 or so in development. Way down in the weeds, there are several inconsistencies and issues within individual standards, and some gaps in the coverage. Overall, though, the standards do a pretty good job of promoting a systematic approach to information risk management (without using that specific term!). ISO/IEC standards cost about US$150 each so a full set of 50 would set you back about US$7,000 - a non-trivial amount. I've argued for years that the ISO27k standards should be free to encourage global adoption of good security practices for the benefit of society at large ... but so far only two of the set are free, and worse still it takes a determined hunter to find them since the standards bodies and com...