Showing posts from July, 2018

Insider threats awareness module published

For August, the spotlight turns towards the threat from within the organization, insiders. “Insider threats” may be a common term but it's technically incorrect. “Insider risks” is more accurate since there is more to this than just the threats posed by insiders. Our awareness materials explore the vulnerabilities and impacts too. “Insiders” in this context are primarily employees - both staff and management - of the organization, those on its payroll. “Outsiders”, then, are third-party employees (particularly those working for competitors or other adversaries) and unemployed people – a much larger group of course. In the government/military context, ‘foreigners’ (citizens of other nations and cultures, regardless of where they live) are generally considered outsiders too: we’ll have more to say about outsider threats in September’s awareness materials. Both August and September's modules cover the overlap between insiders and outsiders - the no-mans-land inhabited by contr...

Cyber, again

Something on the Just Security law blog caught my attention today: "For a growing number of states, cyber operations are now firmly ensconced as a means of conducting traditional and not-so-traditional statecraft, to include conflict. Cyberspace has delivered tremendous benefits, but its unique construct and ubiquity have also created significant national security vulnerabilities, generating unprecedented challenges to the existing framework of international peace and security. One need look no further than North Korea’s destructive and subversive actions against Sony Pictures, its launch of the Wannacry ransomware, Russia’s launch of the indiscriminate NotPetya malware against the Ukraine, or its cyber-enabled covert influence campaigns against the U.S. and other western democracies to realize that cyber capabilities are increasingly part of a powerful arsenal states are using to pursue their interests, oftentimes through aggressive actions aimed at disrupting the status quo. ...

ISO/IEC 27001 and 27031 revisions

Today I've spent (?invested?) some time and brainwaves into the ISO27k standards. First, ISO/IEC 27002 is currently being revised. The revision involves completely restructuring the controls described in the current standard into 4 "themes": Organizational; People; Physical; and Technical. Clearly those are not truly orthogonal or distinct categories - for example organizational controls are quite likely to involve people (e.g. policies and procedures), physical (e.g. physical access) and/or technical (e.g. IT) aspects. Some security controls may fit into any of those categories, so the choice is arbitrary. However, the categorization doesn't matter much. It is really just a convenient order for the standard, especially as the controls are going to be further 'tagged' with other attributes such as: "Information security properties" i.e. confidentiality, integrity or availability (the classic CIA triad - not Donn Parker's hexad, I note); ...

ISO/IEC 27001 Annex A status

I've just completed an internal audit of an ISO27k ISMS for a client. By coincidence, a thread on ISO27k Forum this morning brought up an issue I encountered on the audit, and reminded me of a point that has been outstanding for several years now. The issue concerns the formal status of ISO/IEC 27001:2013 Annex A arising from ambiguities or conflicts in the main body wording and in the annex. Is Annex A advisory or mandatory? Are the controls listed in Annex A required by default, or optional, simply to be considered or taken into account? The standard is distinctly ambiguous on this point, in fact there are direct conflicts within the wording - not good for a formal specification against which organizations are being audited and certified compliant. Specifically, main body clause 6.1.3 Information security risk treatment clearly states as a note that "Organizations can design controls as required, or identify them from any source." ... which means they ...

Looking for inspiration

Over on the new CISSPforum, in a thread about helping our corporate colleagues understand what information security is all about, someone asked about raising awareness among the general public - specifically whether we might learn from how other industries explain fraud and abuse. Well, they may not all concern fraud and abuse but there are loads of 'public awareness' activities going on all the time, some much more successful than others. Examples include:
- Health and safety awareness (about the H&S legislation mostly)
- Health awareness (with much broader objectives about living healthier lifestyles, getting fit, reducing obesity, not smoking etc.)
- Illness awareness e.g. cancer, mental ill-health etc. (aiming to support sick people and get them to seek professional help ... such as the breast cancer awareness ad I'm hearing right now on NZ local radio)
- Safety awareness (such as driving more carefully ... a n d   s l o w l y ... and preparing for various disasters)...

Security frameworks awareness module released

The security awareness module for July concerns conceptual or architectural frameworks, standards, methods and good practices in the area of information risk and security – ‘security frameworks’ or ‘frameworks’ for short. Both the organization and individual workers are obliged to comply with various rules concerning information security. Some rules are imposed on us by external authorities in the form of laws and regulations, others we impose on ourselves through corporate policies and procedures, contracts etc. There are numerous laws and regulations relating to information security, far too many for us to cover in detail. We can only talk in general terms. We face a similar practical constraint with corporate security policies, procedures etc.: we are not familiar with our customers' policies, nor with their current internal compliance challenges. But the ‘policy pyramid’ is a near universal structure or framework, so the generalities apply again ....