Showing posts from November, 2018

Security awareness on oversight

We bring the year to a close with an awareness and training module on a universal control that is applicable and valuable in virtually all situations in some form or other. Oversight blends monitoring and watching-over with directing, supervising and guiding, a uniquely powerful combination. The diversity and flexibility of the risk and control principles behind oversight are applied naturally by default, and can be substantially strengthened where appropriate. Understanding the fundamentals is the first step towards making oversight more effective, hence this is a cracker of an awareness topic with broad relevance to information risk and security, compliance, governance, safety and all that jazz. It’s hard to conceive of a security awareness and training program that would not cover oversight, but for most it is implicit, lurking quietly in the background. We have drawn it out, putting it front and center. In the most general sense...

P-day

My lack of blogging lately is due to working flat-out to complete December's security awareness module on oversight. Today, Friday the 30th of November, it's P-day here in the IsecT office:
Posters - two more poster designs are due in from the art department today. This close to the deadline I'd be worried except that, over the years, we have developed a close relationship and understanding with the supplier. I'm confident we'll get the stuff on time, and that it will be good. Generally, it's right-first-time, which is nice. Our contingency plan involves crayons and a scanner - not pretty but, um, distinctive!
Proofreading - checking through the materials for errors and omissions, opportunities for improvement, loose ends to be tied-off and so on. This is oversight, in action.
Polishing - tying-off those loose ends and finalizing the materials. Often I find that having prepared the content for the first stream, working on the second stream reminds me about s...

Elaborating on information risk

High-level corporate, project and personal objectives are often very vague - “A trusted partner”, “A safe pair of hands” or “The best!”. Same thing with corporate mission statements (“Don’t be evil”), marketing/branding (“Just do it”), politics (“Vive la revolution!”) and more. To act on and hopefully achieve them in a rational, directed or controlled manner involves understanding what they really mean, peeling back the layers, exploring the meanings and interpretations in more detail – a process that is inherently uncertain i.e. risky. The upside risk (opportunity) arises from the understanding, insight, specificity and consensus generated as they are discussed, amplified and clarified, while the downside risk includes the opposites e.g. misunderstandings, hand-waving generalities and fragmentation of objectives. ISO/IEC 27001 tries to persuade organizations to think through their corporate or business objectives, elaborating on the information risk a...

SEC begets better BEC sec

According to an article on CFO.com by Howard Scheck, a former chief accountant of the US Securities and Exchange Commission’s Division of Enforcement: "Public companies must assess and calibrate internal accounting controls for the risk of cyber frauds. Companies are now on notice that they must consider cyber threats when devising and maintaining a system of internal accounting controls." A series of Business Email Compromise frauds (successful social engineering attacks) against US companies evidently prompted the SEC to act. Specifically, according to Howard: "The commission made it clear that public companies subject to Section 13(b)(2)(B) of the Securities Exchange Act — the federal securities law provision covering internal controls — have an obligation to assess and calibrate internal accounting controls for the risk of cyber frauds and adjust policies and procedures accordingly." I wonder how the lawyers will interpret that obligation to 'assess...

Getting the Board on-board

"Engaging with the board: Five ways for Chief Information Security Officers to stand out" was an excellent advisory from PwC that stimulated me to think of supplementary advice, a set of corollaries for PwC's advice. PwC tip #1: "Invest in your relationships." Hinson tip #1: "Don't focus and rely entirely on individual Board meeting/s". Board members may usefully be contacted and briefed or lobbied outside of the meetings, ideally in person over an extended period. You might be introduced through a well-connected senior manager who understands and is sympathetic to the information risk and security objectives (implying they need to be on-board first). Failing that, friendly email, text messages and phone calls work. Better still is to establish a long-term business-like social relationship with the Directors and executives based on mutual respect and trust ... which means finding out about their concerns as much as expressing yours. An...

Go ahead, make my day

What can be done about the semi-literate reprobates spewing forth this sort of technobabble nonsense via email? "hello, my prey. I write you since I attached a trojan on the web site with porn which you have visited. My malware captured all your private data and switched on your camera which recorded the act of your wank. Just after that the malware saved your contact list. I will erase the compromising video records and data if you pay me 350 EURO in bitcoin. This is wallet address for payment : [string redacted] I give you 30h after you view my message for making the transaction. As soon as you read the message I'll know it immediately. It is not necessary to tell me that you have paid to me. This wallet address is connected to you, my system will delete everything automatically after transfer confirmation. If you need 48h just Open the calculator on your desktop and press +++ If you don't pay, I'll send dirt to all your contacts. Let me remin...

Implementing a security awareness strategy

A strategic goal to become the person, team, function or department to whom people turn for advice on information risk, security and related matters is laudable, but what does that actually mean in fact? What would you need to do to achieve it? What would it require to put it into effect? How would you know whether it was working? Thinking through the implications and questions of that nature will suggest a number of avenues to work on, for instance: Becoming known as a source of advice means people need your contact details, the means to get in touch. Furthermore, the advisory services you offer need to be sound and strong, beneficial both to the business and to the individuals seeking advice. This implies the need to publicize and promote your activities, perhaps through an internal marketing campaign; Some people may be reluctant to approach you, for various rational and irrational reasons: figure those out and tackle them one-by-one, as best you can. An open-door...

All quiet? TOO quiet?

Don’t just hoard your feedback and metrics: use them! Squeeze every last drop of value from them! It is all too easy to down-play or dismiss comments and especially criticisms about the awareness program. Resist your natural defensive tendencies. Collate and take another, dispassionate look at your awareness metrics and the feedback you have received in recent months concerning information security and/or the awareness and training program. Try to identify common threads or themes that might have escaped your attention previously, or that seem to crop up repeatedly. This kind of review is best conducted as a team exercise, better still if you persuade some of your most vocal/persistent critics to get actively involved (invite them to your review meetings, give them the floor and listen hard to what they have to say!). SWOT analysis and brainstorming techniques can help tease out genuine concerns and novel ways to tackle them. For example, if your budget is a ...

Trust awareness

Among other findings, PwC's "The Journey to Digital Trust" report picked up on inadequate attention to awareness and training: "Many businesses could do more to raise employee awareness and accountability around cybersecurity and privacy. Only 34% of respondents say their company has an employee security awareness training program. Only 31% say their company requires employee training on privacy policy and practices." Less than a third of companies require training on their privacy policies and procedures? Wow! The other two thirds presumably expect their people to 'just know' this stuff. Perhaps it gets into their heads through osmosis, Vulcan mind melds or magic crystals. Perhaps management is over-reliant on the general news media and public awareness activities, forgetting that we are all awash in a vast ocean of information. Picking out the Stuff That Matters is getting harder and harder by the second. Is it any surprise, then, that privacy breach...

Lack of control =/= vulnerability

A common misunderstanding among infosec professionals is that vulnerabilities include the lack or inadequacy of various infosec controls e.g. 'the lack of security awareness training'. No. No! NO! Vulnerabilities are the inherent weaknesses that may be exposed and exploited by the threats, leading to impacts. In the lack-of-awareness example, people's naïveté and ignorance are inherent human weaknesses that may be exposed in various situations (e.g. when someone receives a phishing email) and exploited by threats (being the phishers in this case i.e. fraudsters using social engineering techniques to mislead or misdirect victims into clicking dubious links etc.) leading to various impacts (malware infection, identity fraud, blackmail or whatever), hence risk. Naïveté and ignorance are vulnerabilities. There are others too, including human tendencies such as greed and situations that distract us from important points, such as sec...

What to ask in a security gap assessment (reprise)

Today on the ISO27k Forum, a newly-appointed Information Security Officer asked us for "a suitable set of questions ... to conduct security reviews internally to departments". I pointed him at my blog piece on "What to ask in a gap assessment" ... and made the point that if I were him, I wouldn't actually start with ISO/IEC 27002's security controls as he implied. I'd start two steps back from there: One step back from the information security controls are the information risks. The controls help address the risks by avoiding, reducing or limiting the number and severity of incidents affecting or involving information: but what information needs to be protected, and against what kinds of incident? Without knowing that, I don't see how you can decide which controls are or are not appropriate, nor evaluate the controls in place. Two steps back takes us to the organizational or business context for information and the associated risks. Cont...

Risk awareness (more)

The controls suggested in Annex A of 27001 and the other ISO27k standards are typical, commonplace, conventional, good practice … whatever. Mature organizations often use them and find them useful. They have evolved over decades of experience with IT and millennia of experience with the use of information in a business context, and they are still evolving today. Cloud, BYOD and IoT, for example, are all relatively new, hence the associated risks are still emerging and the controls are a work in progress. Fraud, espionage and hacking are always going to remain challenging because of the ongoing arms-race between defenders and attackers: as fast as the controls are improved, the threats change. The published ISO27k standards present a fraction of the accumulated knowledge of hundreds/thousands of ISO/IEC JTC 1/SC 27 committee members and helpers around the world with experience in myriad organizations and situations. Most committee members accept the advice is valid, ...

End of year awareness and training review

As we plunge towards the end of another year, now is an opportunity to take a long hard look at your awareness and training program as a whole, thinking forward to next year and beyond. Here are some rhetorical questions to bear in mind: Is the program pitched appropriately? Is your awareness and training approach polished in appearance? Does it look good? Is it professional? Is the branding and presentation up to scratch? Is it attracting sufficient interest and engagement? Is it reaching all the right people across the organization? What about the delivery mechanisms and awareness activities: are you making good use of the available corporate communications and training facilities? Consider your Learning Management System, intranet, notice boards, seminar and training rooms, email circulations, newsletters, company magazines, courses, briefing sessions, lunchtime updates, security clubs and so on. By all means focus on the methods that achieve the most be...

Cloud computing security awareness module released

Cloud computing is a strong and still growing part of the IT industry. It’s a hit! However, the relative novelty of cloud computing puts inexperienced or naive managers, staff and professionals at something of a disadvantage: lacking appreciation of the technology and the commercial/business context, the information risks and especially the security and other cloud-related controls aren’t exactly obvious. Information security (in the broadest sense – not just IT or cybersecurity) is a major concern with cloud computing, a source of aggravation and costs for the unaware. The organization's professionals/specialists in areas such as IT, risk, compliance and business continuity should have a deeper understanding of the pros and cons of clouds, but have you ever wondered how that level of knowledge is achieved? Simply put, securing the anticipated business benefits of cloud computing involves addressing the information risks that are associated with it. If the risks are si...