Posts

Showing posts from June, 2018

Critiquing NIST's Cyber Security Framework

Today in the final stages of preparing the awareness module on "Security frameworks", I'm thinking and writing about the NIST Cyber Security Framework (CSF). For awareness purposes, there's no point describing and elaborating on the CSF in great detail, but I need to read and evaluate it in order to sum it up and comment meaningfully for our subscribers. I'm investing my time and effort partly on their behalf, partly for my own education: I'm interested in infosec standards, keen to discover NIST's take on 'cyber security', and on the lookout for good security practices. So, indulge me for a moment as I talk you through the evaluation of just one small part of the CSF, specifically the core framework's advice on awareness and training (denoted "PR.AT", making it the prat section :-). "The organization’s personnel and partners are provided cybersecurity awareness education and are trained to perform their cybersecurity rel...

ISO27k updates

Slogging away tediously for 3 full days, I've caught up with a 3-month backlog of emails from the ISO/IEC JTC 1/SC 27 committee, picking out and checking through all the ISO27k-related items and updating our website. It's a laborious process but worth it, I think, to keep up with developments, especially as the ISO27k standards will feature heavily in July's awareness module on security frameworks. Here's a potted selection of news highlights on the ISO/IEC 27000-series standards: 27001 (ISMS) is likely to see some changes in the wording around risks and opportunities, and the Statement of Applicability. Hopefully the end result will be an improvement! The 27002 (controls) revision is starting to get to grips with reorganizing and tagging the information security controls. This is going to be a slog ... but at the end of it, there will be more flexibility for users of the standard, for example if you are auditing, reviewing or (re)designing the IT suite, it should ...

Critical of the critical infrastructure

A comment at the end of a piece in The Register about the safety aspects making it tricky to patch medical equipment caught my beady eye: "Hospitals are now considered part of the critical national infrastructure in Israel and ought to be given the same status elsewhere". Personally, I'm not entirely sure what being 'considered part of the critical national infrastructure' really means, in practice. It may well have specific implications in Israel or elsewhere, but I suspect that's just stuff and nonsense. Those of you who don't work in hospitals, or in Israel, or in critical national infrastructure industries and organizations, please don't dismiss this out of hand. Ultimately, we are all part of the global infrastructure known as human society, or wider still life on Earth, but it is becoming increasingly obvious that we are materially harming the environment (= the Earth, our home) and if Space Force is real (not Space Farce) then even the sk...

Happy solstice!

10 o'clock this evening on June 21st is the Winter solstice for us down here in the Southern hemisphere. According to Wikipedia, we should be celebrating with "Festivals, spending time with loved ones, feasting, singing, dancing, fires". I lit the wood fire to warm the IsecT office before 8 this morning as usual. Having just fed the animals, I'm singing along to the radio as usual while I work. As to feasting, maybe we'll splash out on a special meal this weekend. Up there on the Far Side, it's Midsommerfest which means festivals, spending time with loved ones, feasting, singing, dancing ... but no fires, hopefully. Most people are looking forward to summer holidays, I guess. We're looking forward to longer, warmer days and spring lambs, talking of which our Prime Minister is in hospital having a baby. It's OK though because we have a caretaker PM keeping an eye on things. The next few weeks will be interesting in NZ politics.

Parting messages

Advertisers know the value of a parting message at the end of an advertisement. It's something catchy to stick in the memory, reminding people about the advertisement or rather the messages the ad was meant to convey, generally concerning the brand rather than the specific product. Making ads memorable is one thing: making them influential or effective is another. Some ads are memorable for the wrong reasons, annoying and intrusive rather than enticing and beneficial. However, one man's hot button is another's cancel/exit. Ads are usually targeted at audience segments or categories, as opposed to everyone, though, so don't be surprised that you hate some ads and love others. Translating that approach to security awareness, the end of an awareness event is just as important as the start and the main body of the session. It’s your final chance to press home the key awareness messages and set people thinking about the session as they wander off. In the closing remarks a...

Metrics maturity metric, mmm

Given that measurement can both establish the facts and drive systematic improvement, I wonder whether I might develop a metric to measure organizations' approach to security metrics? Specifically, I have in mind a security metrics maturity metric (!). Immature organizations are likely to have few if any security metrics in place, with little appreciation of what they might be missing out on and little impetus to do anything about it. In short, they are absolutely rubbish at it. Highly mature organizations, in contrast, will have a comprehensive, well-designed system of metrics that they are both actively using to manage their information risk and security, and actively refining to squeeze every last ounce of value from them. They are brilliant. Those two outlines roughly describe the end points of a maturity scale, but what about those in the middle? What other aspects or features have I seen in my travels, what other characteristics are indicative of the maturity status? E...

Infosec priorities

I'm rapidly bringing myself back up to speed on information security frameworks for July's security awareness materials. Today, I've been updating my knowledge on the wide range of frameworks in this area, thinking about the variety of concepts, approaches and recommendations out there. There are several space-frame models. For some reason presumably relating to our visual perception, they are almost always symmetrical, often triangular or pyramidal in shape such as the ICIIP (Institute for Critical Information Infrastructure Protection) one above, developed at the USC Marshall School of Business in Los Angeles. The ICIIP model caught my eye back in 2008 shortly before ISACA adopted it as BMIS (Business Model for Information Security). Alternatively the shape might represent the magic number 3, or perhaps 9 (3 squared) counting the nodes and links of a triangular 'pyramid' (glossing over the fact that the ancient Egyptian pyramids have square bases and h...

Policy management approaches

I'm researching (well OK, I've done a little Googling) how other, non-infosec policy suites are structured, accessed/presented and managed, for clues that might be relevant to ours. First, financial policies. Funds for NGOs specifies "seven principles suggested by [unnamed] experts" as good practice: "6.1 Principle of Financial Policy: While developing a financial policy it is a good practice to incorporate the following seven principles suggested by experts. These principles lay the foundation of an effective financial policy which would ultimately result into a healthy organization. Consistency: The financial policy should be consistent, which simply means that it should not allow manipulation of processes and systems. All the staff members should consistently adhere to the financial policy and there should not offer much flexibility. A consistent policy will ensure better accountability, transparency, better information dissemination and timely reporting. ...

Navigable structures

Some interesting suggestions concerning structures, content and management tools came up on CISSPforum yesterday as we chatted about security policies. I mentioned before that I'm getting glimpses of structure within the policy suite. In fact, there are several structures, different ways to group, link and use them, which complicates matters. It's a mesh of multiple partially-overlapping categories, and a number of possible viewpoints reflecting the perspectives and interests of the various users. Much the same issue affects ISO/IEC 27002: numerous possible controls addressing a plethora of risks can be grouped and arranged in several ways. At the same time the standard is aimed at a wide variety of people and organizations, with perspectives and needs that, by the way, aren't static but change as they get stuck in the subject and their interests develop. ISO/IEC JTC 1/SC 27 is tackling this issue by systematically 'tagging' the controls with labels, allowing user...

Layers within layers

As I mentioned on the blog yesterday, we are working our way systematically through the suite of ~70 information security policies, making sure they are all up to scratch. For context, the suite consists of 60-odd topic-based policies, plus an overarching high-level Corporate Information Security Policy, plus a handful of ‘acceptable use policies’ which are really guidelines with a misleading name. We have here the bare bones of a typical policy pyramid with policies supported by corporate standards, guidelines and procedures and, of course, stacks of awareness and training stuff beneath. The 60+ topic-based policies cover a wide range of information risk and security topics such as: Awareness and training; Identification and authentication; Access control; IPR; BYOD; Insider threats; Whistleblowing (new!); IoT security; Assurance ... and so on (derived originally from the structure of BS7799 then ISO27k), all in about 3 pages each in a standard ...

Security frameworks

The awareness and training materials for July will cover 'security frameworks', at least that's the working title at present. It may change as the scope is refined and the materials come together during June. In addition to public standards such as ISO27k and NIST SP800, we plan to cover the internal frameworks or structures for information security within the corporation, important elements of information governance plus information risk and security management. I'm talking in particular about corporate security policies. We are currently reviewing and revising our suite of generic information security policy templates, partly for subscribers as part of July's module. We routinely create or revise one or more of these templates each month in connection with the month's awareness topic, a systematic maintenance process that keeps the individual policies up to date. However it is a piecemeal process, meaning that changes may be required to several existing pol...

Psychological support

A few hours after we completed and delivered the Incidents and disasters awareness and training module, Rob Slade posted an interesting little note on CISSPforum* about Psychological First Aid and/or Disaster Psycho-social Support, terms that I hadn't come across before. The World Health Organization's 64-page Psychological first aid: guide for field workers offers pragmatic advice to people such as aid workers, teachers and I guess emergency services professionals on how to help others suffering extreme emotional distress in the aftermath of a serious incident or disaster. Fair point: "Different kinds of distressing events happen in the world, such as war, natural disasters, accidents, fires and interpersonal violence (for example, sexual violence). Individuals, families or entire communities may be affected. People may lose their homes or loved ones, be separated from family and community, or may witness violence, destruction or death." PFA is described as ...

Incidents and disasters awareness module

Despite our very best efforts to avoid or prevent incidents and avert disasters, infosec and cybersec pros may concede that they remain a possibility. A remote possibility. Vanishingly small, we hope. Being prepared for incidents and disasters puts our organizations in a better position to survive and thrive, keeping essential business processes and systems running despite the events (i.e. continuity and resilience), recovering non-essential ones as soon as practicable afterwards (that's recovery and resumption), and generally coping with whatever comes our way (contingency, as in what we need to do is contingent on what actually transpires in the event of our worst nightmares coming true). Preparedness involves getting ourselves ready in case something goes seriously wrong. Whereas we may cope perfectly well with relatively minor events, more serious incidents or disasters such as the following deserve or require better preparation: Power cuts, surges and dips (that's ...