Posts

Showing posts from April, 2018

Awareness devices

Today in a sudden flash of inspiration I invented a "device", a mechanism to raise awareness.  It's a graphical image, a metric, a simple visual device, an analytical or rhetorical tool to set people thinking about and discussing the topic - privacy in this case.  It explores their perceptions of the state of readiness of the organization to meet the May 25th GDPR deadline.  The specific thinkers and discussers I have in mind at this point are senior managers, executives or board members, with a significant interest in the organization's readiness for GDPR. They ought to know where things stand, and ought to have a reasonable grasp of the situation, but do they? The device is a way to find out. Generalizing from there, with minor changes the same device could be used to stimulate analysis and discussion on almost any deadline or situation where there are several non-exclusive options or possibilities on the table, and inherent uncertainties. That's most business d...

Making an impact

I'm working on an assignment, writing a few hundred words of awareness content for a client on each of a range of information security topics - all topics on which we have prepared entire awareness modules previously. "Privacy", for instance and, today, "Portable IT device security". I estimated taking an hour or two to prepare each piece. That turned out to be underestimated by about 100%, partly because it's a new format for a new client. As I settle in to the routine and respond to feedback from the client, it's getting easier and quicker with each passing topic. Hopefully I'll hit my estimate by the time we're done! The subject matter is the easy bit.  The challenge is to condense each topic to its bare essentials, express them in a readable and engaging style, and close with some pragmatic action-oriented advice. There's quite a variety of information security risks and controls relevant to, say, portable IT devices, lots of situations a...

Privacy policies under GDPR [UPDATED x3]

As the world plummets towards the May 25th GDPR deadline, organizations are hurriedly revising their web-based privacy policies to align with both the new regulatory regime and their internal privacy practices. From May 10th, PayPal, for instance, has a new ~4,000-word, ~11 A4-page privacy policy - well, several in fact depending on the user's location. Among other things, I notice that they "do not respond to DNT signals" (meaning, I think, that they simply ignore the Do Not Track flag sent by cautious browsers) and they: "... maintain technical, physical, and administrative security measures designed to provide reasonable protection for your Personal Data against loss, misuse, unauthorized access, disclosure, and alteration. The security measures include firewalls, data encryption, physical access controls to our data centers, and information access authorization controls ..." Providing 'reasonable' protection is perhaps all we can expect of anyo...

David v Goliath

Thanks to a mention in the latest RISKS-list email, I've been reading a blog piece by Bruce Schneier about the Facebook incident and changing US cultural attitudes towards privacy. "As creepy as Facebook is turning out to be, the entire industry is far creepier. It has existed in secret far too long, and it's up to lawmakers to force these companies into the public spotlight, where we can all decide if this is how we want society to operate and -- if not -- what to do about it ... [The smartphone] is probably the most intimate surveillance device ever invented. It tracks our location continuously, so it knows where we live, where we work, and where we spend our time. It's the first and last thing we check in a day, so it knows when we wake up and when we go to sleep. We all have one, so it knows who we sleep with." With thousands of data brokers in the US actively obtaining and trading personal information between a far larger number of sources and exploiters, b...

Whistleblower policy (UPDATED)

For more than two decades now, I have been fascinated by whistleblowers - people who blow the whistle on various forms of impropriety. In my experience, they are high-integrity, ethically-motivated and aggrieved individuals willing to take a stand rather than put up with Things That Should Not Be Going On. They are powerful change agents. To my mind, they are brave heroes taking significant risks to their careers, personal lives, liberty and safety (nods hat to Ed Snowden among others). I've blogged about it several times, most recently at the start of this month when I said: Organizations clearly need strategies, policies and procedures for receiving and dealing with incident notifications and warnings of all sorts. And that set me thinking: do we actually offer anything along those lines - any awareness and training materials supporting such activities? We don't currently have a whistleblower policy as such in our suite of information security policy templates ...

Looking beyond the horizon [UPDATED]

We are fast approaching an event horizon - May 25th 2018 - beyond which the privacy landscape will be changed forever. As of today, most of the world respects the rights of individuals to control information about themselves that they consider personal, with the glaring exception of the US which treats personal information as merely another information asset, to be obtained, exploited and traded the same as any other. The changes brought about by GDPR will directly and indirectly affect the whole world, including the US in ways that are not entirely clear at this precise point. The European Union anticipates the whole world falling neatly into line, playing the privacy game the EU way or facing punitive fines until they do.  Some players in the US are making noises about continuing their exploitation of personal information with impunity, perhaps grudgingly paying their GDPR fines but only after a massive playground punch-up over whether the EU's rules even apply to the US, and wit...

GDPR full immersion

Today I've dived deep into GDPR, poring over, becoming immersed in and trying to make sense of the legislation. The regulation itself is freely available online - handy really since it is intended to apply and to be implemented and complied-with very widely. It is an official EU regulation - directly applicable law in every member state, not merely guidance - and as such it has clearly been drafted by and for the lawyers. Readability is evidently not as high on their priority list as making it watertight. So, the door swings open to interpret and explain it for the common man and, for that matter, the common manager.

GDPR countdown

A countdown is a common way to align everyone towards some event - the launch of a space mission or start of a new year for instance, or the completion of your GDPR compliance project. As a communications, awareness and motivational technique, countdowns work well for that rather narrow objective, focusing attention on a given point in time. With a little more creativity and effort, it's not hard to use countdowns to get people to re-assess their progress and maybe prioritize things on the way down to the deadline ... and then to follow-through with count-ups - in other words, keep the timer going past the zero point, displaying the time since the deadline passed or expired.  This is often done for overdue activities, starting with gentle reminders then steadily ramping up the pressure (red reminders, warnings) and perhaps escalating matters (court orders, bailiffs) as time marches inexorably on.  Before you know it, the point-in-time spot focus has turned into a zone of conce...

Skunkworks & 7 other awareness strategies

Over the weekend, I've been mulling over the issue I raised at the end of last week about how to get management fully behind the security awareness and training efforts. I've come up with several possible strategies. A skunkworks approach is one possibility. "The designation 'skunk works' or 'skunkworks' is widely used in business, engineering, and technical fields to describe a group within an organization given a high degree of autonomy and unhampered by bureaucracy, with the task of working on advanced or secret projects." [Wikipedia] The idea is to assemble a small close-knit group of like-minded colleagues to work informally ('unhampered by bureaucracy') on management's awareness, specifically, with the aim of formally proposing an organization-wide security awareness and training program once management's interest has been piqued. Being a small team with a narrowly-defined purpose, the work can probably be done without dedicat...

Friday 13th

Today is Friday the thirteenth, a classic opportunity to do something special as part of the security awareness program. How about organizing a fancy dress day with a parade, award ceremony and after-hours social event? The horror movie theme is obvious, perhaps too obvious ... but it's not hard to think of variants, ranging from the very simplest "Wear black or blood red" through "Dig out your best Halloween costumes" to "Audition to be a horror movie extra". You might give it more of an information risk and security spin by circulating stuff about malware, scams/frauds and nasty incidents, or not: a more subtle association might be good enough, a way to lighten-up a bit. I appreciate it's far too late now to organize anything special for today but if you are keen, there are lots more awareness opportunities coming up throughout the year: May 25th, GDPR implementation deadline, an obvious candidate for a privacy day (we're already on to tha...

Bringing managers up to speed

Today I Googled across a thought-provoking opinion piece in Computerworld back in 2008. Jay Cline's top 5 mistakes of privacy awareness programs were: (1) doing separate training for privacy, security, records management and code of ethics; (2) equating "campaign" with "program"; (3) equating "awareness" with "training"; (4) using one or two communications channels; (5) no measurement. Hmmm, not a bad list that. I've trimmed almost all of it away so if those few remaining words intrigue you, please read the original article. We've been addressing all those points since launching our awareness services back in 2003. It's galling, though, to note that those 'top 5 mistakes' are still evident today in the way that most organizations tackle awareness. We're doing our best to take current practice up a level through this blog, our awareness materials and services, and occasional articles. Perhaps we need a change of approach ... and...

A rich seam

Surprisingly often, a breaking news story falls into our laps at precisely the right moment. Today, I've been developing a general staff awareness presentation on privacy. Three core messages appeal to me, this time around: Privacy is an ethical consideration - something we anticipate or expect of each other as members of a civilized society. Privacy is also a compliance obligation - something enshrined in the laws of the land and imposed on our organizations. Those two issues together make privacy a business issue. So, what's been all over the news lately in relation to privacy? Why, the latest Facebook incident, of course.  I'm not going to re-hash the story now, nor draw out the privacy lessons for you. I've given you more than enough of a clue already, and if you read the press coverage with a slightly cynical and jaundiced eye, you'll find your own take on the incident - as indeed will our subscribers' employees ... which makes it an excellent, highly relev...

Privacy guide

Aside from revising the materials from the privacy awareness module delivered last November, we're planning some brand new even fresher content this time around. The imminent go-live date for GDPR is the most obvious reason for updating and re-issuing the privacy materials in May. It's timely. The awareness content should prove useful for organizations that are on-track for the May 25th deadline, helping to explain the hubbub to people who are not so directly involved in the GDPR changes.  It may also be the final wake-up call for those who are still oblivious, ignorant of the wider effects GDPR will have, both within and beyond the EU. As of today, we're not exactly sure what changes to make though. More research required yet. Another brand new awareness item we're planning to write and deliver this time around is a 'privacy guide' - a document explaining privacy concepts and practices in a way that hopefully grabs attention, informing and stimulating readers t...

GDPR final countdown

We've started working on May's awareness module - the final episode in a privacy series timed to support the run-up and coincide with GDPR (the General Data Protection Regulation) implementation. It would be hard to find anything new to say this time around if it weren't for the fact that our customers are in a different situation now than when the privacy modules were released previously. They should all (hopefully!) be in the final throes of their GDPR compliance projects. Some may have had a lot of work to do, clarifying and analyzing the requirements, substantially modifying IT systems and business processes, and liaising with assorted information service suppliers to ensure they too will be compliant by May 25th. Others may have had an easier time with most of the requirements covered already. All will be anticipating the changes in their own organizations, and in others since we are all connected.  The awareness materials they need now are (to some extent) different t...

The value of forms

Assorted vendor questionnaires and/or other audits, surveys, inquiries, pre-contract assessments, compliance reviews, self-assessments, invitations to tender  etc. received by the organization indicate various issues that are evidently of concern to third-parties such as customers, suppliers and stakeholders. Likewise those sent out by the organization to third-parties.  The forms and responses are part of the assurance processes associated with: Selecting between and contracting with third parties; Establishing, checking on and maintaining ongoing business relationships; Communicating relevant information, in the hope of concealing or identifying possible issues and concerns (depending on who is providing and consuming the information!); Due diligence or due care, satisfying compliance obligations and clarifying liabilities (in the same way that failing to declare relevant matters on an insurance application or claim form can invalidate the cover, the information ...

Fail fast, fail often

'Fail fast, fail often' is the creative idea that businesses (or business units, departments, teams, projects or even individuals) can deliberately push the envelope, innovating and taking chances (knowingly accepting some risks) to the point that they are prepared to fail. 'Fail often' is about being well-practiced at dealing with failure, having the appropriate arrangements in place, and responding positively - bouncing back on the front foot rather than being knocked back and landing in a heap, nursing their wounds. It's certainly not about wanting or trying to fail, nor being inept, incompetent or reckless - far from it. It's about consciously and deliberately choosing to get into some risky situations for sound business reasons, based on information and projections about the risks and opportunities, the costs and benefits. That takes a mature approach to risk management, business continuity management in particular. More than simply accepting that shi...

7 top tips on documentation

This piece was inspired by a disarmingly simple request on the ISO27k Forum. Tom is implementing an Information Security Management System using the ISO27k standards, in a small company with fewer than 25 employees. Tom said "I think I need to understand better what should be documented and what not". Good question, Tom! Documenting stuff forces you to concentrate and think carefully about whatever you are writing about. You focus on the topic at hand. It involves and requires a deeper level of analysis than simply doing stuff. [Hinson tip: preparing documentation is an intellectual process that benefits from experience and expertise. Don't leave it to the office junior, or the person who is generally considered useless and hence has time on their hands. Don't leave it 'til the last minute. Invest in doing it properly and reap the rewards.] For anything formal (such as policies and procedures) the documentation process generally involves a sequence of activi...