Posts

Showing posts from May, 2018

GDPR day

Tucked in among the avalanche of 'please confirm your details to continue receiving our marketing tripe' and phishing emails this week came some sad news about the GDPR-related demise of what has been a useful service ... "Dear AuroraWatch UK subscriber, It's with great sadness that we are going to have to close the AuroraWatch UK email alert system with immediate effect. This doesn't mean that we're shutting down AuroraWatch, it's just that we won't be sending out any more alerts via email. You will still be able to get alerts via social media platforms including Twitter, Facebook, Telegram and via our smartphone apps (https://aurorawatch.lancs.ac.uk/alerts/). We know that this will disappoint some users. We're also very sad, but this is something we've been putting off for some time. Operating a reliable mailing list service for 100,000+ individuals requires constant effort and ongoing resources. Up to now, we have been able to undertake this service (for free) amid o...

Business Continuity Manager

One of the items in June's awareness module is a model job description for a Business Continuity Manager. It's generic since our customers are unique and we don't know precisely what any of them might expect from a BCM. We do know, however, the kinds of things that a BCM would typically be expected to do, and the personal qualities that make for an effective BCM. Well, at least we believe so. Don't forget that we are providing a security awareness and training service. Its purpose is to support customers' security awareness and training programs. So, the job description doesn't have to be perfect: it has to be stimulating, something that some customers might like to use as a starting point to prompt a discussion with management around whether it might perhaps be worth appointing a BCM. It matters to our customers but not to us whether the eventual decision is yes or no. We want them to have a fruitful, informed and productive discussion, leading them to ma...

Privacy breach ends in bankruptcy

The demise of Cambridge Analytica hot on the heels of the latest Facebook privacy scandal is, let's say, unsurprising. The firm has served its purpose. Its day done. Call me a cynic ("Gary, you're a cynic!") but I'd be amazed if this was anything other than an attempt by the company owners and managers to bury the bad news and move on. Will their continuing and future business activities be any more ethical and appropriate? We shall see. As long as there are paying customers, businesses will continue making money however they can, as they have always done. Whether you and I consider their activities legal, illegal or in the twilight zone doesn't particularly matter to them. Profit corrupts, obscene profit corrupts obscenely.

EU vs Spammers

I guess everyone has received a slew of emails this week from companies asking us to opt-in to their newsletters, updates, special offers and other eJunk. Most have said something along the lines of "If you don't click the link to reconfirm your details by May 25th, you will be unsubscribed", almost identical to a million phishers that we have been patiently training people to avoid for many years now. Hmmm. Most are going directly to the bin, some as a result of the training but most as a result of people taking the opportunity not to opt-in to being marketed-at. I suspect contact databases around the world are being decimated as a result of GDPR, so we might finally see a drop in the volume of spam once this week is out of the way. Spam reduction is a very welcome side-effect of GDPR. Previous anti-spam laws have had limited effect. This one, although badged 'privacy', could be the best yet. Hoorah for 'privacy'! A round of applause for the EU!

Right on cue

I've mentioned already that we'll be using the imminent GDPR implementation deadline as an example of an incident in June's awareness module. The eruption of Kilauea volcano on Hawaii's Big Island presents another awareness opportunity. To the people and organizations directly involved, it may qualify as a disaster already ... and it's not over yet. The possibility of a massive explosive eruption cannot be totally discounted. Even the geologists, seismologists and vulcanologists aren't entirely sure what is going on and disagree on what will happen next. Yesterday's news coverage concerned lava flowing across major highways used as evacuation routes. Today it's acidic mists as molten lava hits the Pacific. Tomorrow there will probably be something else. Dealing with that uncertainty, or risk, is bang on-topic for the awareness module. It's a classic contingency situation. Some of our customers are also subject to volcanic/geological threats, while ot...

PRAGMATIC security metrics

This week, a newcomer to the ISO27k Forum asked about metrics for vulnerability management: "[I] Would like to take your view on metrics from great vulnerability management perspective which may have integration with asset, patch, application and risk management databases. Can you share [your] experience from security and business metrics based on vulnerability management - security metrics intended for technical management and business metrics for Board?" The first respondent offered a stack-dump of possible metrics in three groups: Security Metrics for Technical Management: Total no Critical, High, Medium, Low Vulnerabilities found on each Asset. Repeated Vulnerabilities from previous assessment. Total No of False-positive Vulnerabilities --> this is essential to evaluate your Vulnerability Management solution effectiveness. Whenever Technical change happens or new launch happens you can present report to the management, because Technical Management should be awa...

Contingency prep

I love the Apollo 13 film with Tom Hanks. It is commonly used in management training courses to illustrate team working, particularly the coordination and communications between and among the flight and ground crews. Personally, I'm more impressed at the process of managing a serious incident to avert disaster. Not only that, it's a compelling story and great entertainment, eminently watchable many times over. In the film, one of several life-threatening issues facing the crew of the stricken lunar module is the accumulation of carbon dioxide. The bright sparks on the ground quickly cook up a cunning plan for the astronauts to fabricate a scrubber to remove CO2 from the cabin air supply before they are all asphyxiated. Among other things such as the cover of a flight manual and a spare filter, the procedure calls for "a roll of gray tape - duct tape". Whoever had the foresight to propose putting duct tape on board Apollo 13, and to approve the proposal despite the ...

Preconceptions

A significant challenge we face on a daily basis is to convince people to drop their preconceptions, opening their eyes and ears to new stuff and considering things more broadly. Here are three illustrative examples: We are concerned about information risks, defined as risks to or involving information in all its forms, not just computer data. Information is the asset we are trying to protect, our prime focus. IT- or cyber-security is clearly a major part of it these days, but there's more besides. There are, have always been, and will always be, shed-loads of incidents involving information that have little if anything to do with computers, networks or technology. Information incidents are not limited to the loss of confidentiality. Other aspects such as integrity and availability of information are just as important, sometimes more so. Details of a hospital patient's medication, for instance, should remain private but for obvious reasons must remain reasonably...

Joining the dots

Security awareness and training materials are inevitably aligned in the general sense that they all concern or relate in some way to information security. The materials have a lot in common, building upon the same foundational principles and concepts. With our service, consistency is virtually guaranteed since the materials are all conceived, researched and prepared by the same close-knit team. While we enjoy exploring novel approaches, and our own perspective is constantly evolving, we can't help but continue along the same tracks. Most of the time, relationships between topics are incidental. Every so often, though, we like to point out and use the linkages deliberately as part of the awareness approach. We're delivering a coherent campaign, a planned rolling/continuous program rather than a sequence of discrete, independent and unconnected episodes. Grab the crayons and join the dots to reveal the whole glorious technicolor picture. It occurred to me this morning tha...

Zombie data

Over on the ISO27k Forum recently, someone raised the concern that a cloud services provider may have deleted and certified deletion of a customer's data at the primary location but somehow neglected to delete the copy/copies at their Disaster Recovery location/s, leading to problems later if the data then turns up unexpectedly, possibly in a different legal jurisdiction such as an overseas DR facility. That scenario is possible and might be a concern (e.g. for GDPR compliance reasons) so yes, it's an information risk of sorts. Potential mitigating controls include: Clarifying the requirement for the cloud services provider to delete and certify deletion of ALL data copies including DR, backups, archives, caches and assorted fragments that might be loitering in odd corners of the data centres, IT systems, networks, fire safes and filing cabinets, and reinforcing it with additional checks/audits plus strong penalties and liabilities; Using encryption wit...

A new title

June's awareness module covers the related areas of incident management and business continuity management, but "Security awareness and training module on incident management and business continuity management" is decidedly unwieldy, so I've been trying to think of something more apt. Today I've come up with a new, snappier title: "Incidents and disasters". That covers it nicely, I think, well the core of it anyway. There is always some fuzziness at the scope boundary, and that's by intention since we're weaving the individual subjects together into a tapestry - the bigger picture. The module's title is quite important because it sets expectations. It is the ultimate precis of the month's materials: if someone sees "Incidents and disasters" on some list, they have a clue about the module's focus. So there we are, the entire topic summed up in just 3 words. I quite like the idea of "Keep calm and carry on" too ...

Plummeting toward the deadline

With less than a fortnight now remaining, are you all set for the GDPR deadline with everything on your privacy projects either completed or well in hand? If not, now is your last chance to refocus on priorities and squeeze the last ounce of effort from all involved. The usual approach for many managers and team leaders facing just such a situation is to crack the whip. Maybe you have already done that. Maybe you are being thrashed, and feel obliged to do the same. Hey, listen. Stop a moment and think. That's not the only way. Assuming things have been run reasonably effectively to this point, everyone is well aware of the impending deadline. The increasing tension will be plain to all. People will have been slaving away, playing their part and (in most cases) doing their level best to hit the goal ... so piling on the pressure now may be counterproductive. When people are close to their breaking points, there's a chance they'll snap rather than bend, especially if they...

Mind remapped

Yesterday I was wrestling with different ways to view and structure the topic on Post-It Notes. Today, a breakthrough! [Click the diagram for a larger version] We are not totally out of the weeds yet as the diagram is too "busy" for non-specialist audiences, but it won't be hard to simplify. The incident management aspects need more work too. The professionals' awareness and training seminar, plus accompanying briefing, will explain the diagram a section at a time, slide-by-slide building up the whole glorious picture. For the management audience, a simpler version will emphasize the governance, strategic, management and business aspects. For general staff, another simple version will emphasize their perspectives, the things they need to know - once we figure out what they are!

Mapping a troubled mind

Yesterday I said I'd invest some time into reconsidering and simplifying the awareness topic for June - "Incident and business continuity management". Specifically, I said I would have a go at mind-mapping on Post-It Notes. So I did. I splashed out on 6 Post-Its and set aside 10 precious minutes for quiet contemplation. The first attempt broke down the processes associated with incident management into a conventional sequence - plan, prepare, exercise and refine ... but the sequence doesn't readily extend to cover business continuity, other than somehow 'coping' with incidents that turn out to be massive. And then I thought about focusing on the essentials, and added "Focus" as a reminder about focusing the incident and business continuity management activities on critical business processes. That doesn't quite work so let's try another approach. Still thinking about how the organization identifies its critical business processes, this t...

Security essentials

There's more than a grain of truth in the saying that complexity is the enemy of security. Complex systems, processes and situations are harder to analyze and control. There are more things to go wrong, more interactions, more states to consider, more factors to bear in mind. Complex things are generally more fragile, less resilient, more likely to fail or be broken. The same applies to security awareness and training. People can only take in so much new stuff at a time. I've blogged before about today's information overload, people constantly working on interrupt with a million distractions. If we make our awareness stuff too hard, requiring too much time and attention from the audiences, they won't bother so we're not going to achieve much. Two complementary awareness and training approaches to address this issue are: Break the awareness and training content into discrete chunks - bite-sized pieces from which to construct the whole jigsaw; and Simplify each chun...

Wheels within wheels

Our awareness topic for June is in the area of incident and business continuity management. Although the scope is quite indistinct at this point, it will gradually fall into place as the materials come together and, at first, broad themes and then specific awareness messages emerge during the remainder of May. There are several aspects of interest and concern, such as: identifying events and incidents; reporting them; evaluating them; triggering incident responses; responding appropriately; maintaining critical information services, IT systems etc., supporting critical business processes; recovering/restoring/replacing broken stuff; getting back to normal; and learning and improving for the next time around. So, straight away, the idea of a loop, a cyclical or repetitive process, springs to mind, one that the organization runs routinely with relatively minor events and incidents, practicing and preparing for The Big One ... although I'm thinking there are probably material differences i...

[NZ] privacy week

I expect you know already but hey, it's privacy week everyone! Woo-hoo! [Cue rockets and Catherine wheels] Well OK, it's privacy week in New Zealand. And a short week at that, 5 days not 7. But who am I to knock it? We've settled and live here. We pay our dues. We have both a personal and proprietary interest in the NZ gummt's privacy and security, and we're doing our level best to ensure that the NZ authorities Get It. We want the same things. Don't get me wrong, 5 days of privacy awareness stuff is better than nothing ... but hang on, isn't this the month that GDPR comes into effect? Isn't this privacy month? Couldn't the week have at least been moved to coincide with the GDPR deadline, leveraging the global news coverage of privacy matters? Oh well. Here's Dilbert's take.

Fraud and corruption

I was genuinely surprised to find New Zealand topping the 'corruption perceptions index 2017' from Transparency International. I thought we'd be in the top quartile maybe but didn't expect to lead the field. New Zealand's 89% score leaves room for improvement but is way above the "average" (the mean score, presumably - or do they mean the median or some other statistic?) of 43%. The index rates public sector corruption, specifically. According to Transparency International's video promoting the latest findings, high scores are associated with the ability for journalists and activists to speak up about corrupt officials. Ah, OK then, so this isn't really about bribery and corruption in general but more specifically about journalism and activism, and repression by the authorities. I'm not entirely sure I understand the scale. It is described as a 'scale of 0-100 where 0 equals the highest level of perceived corruption and 100 equals the l...