Posts

Showing posts from December, 2018

Awareness case study

The drone incident at Gatwick airport makes a good backdrop for a security awareness case study discussion around resilience. It's a big story globally, all over the news, hence most participants will have heard something about it. Even if a few haven't, the situation is simple enough for them to pick up on and engage in the conversation. The awareness objective is for participants to draw out, consider, discuss and learn about the information risk, information or cybersecurity aspects, in particular the resilience angle ... but actually, that's just part of it. It would be better if participants were able to generalize from the Gatwick drone incident, seeing parallels in their own lives (at work and at home) and ultimately respond appropriately. The response we're after involves workers changing their attitudes, decisions and behaviors, e.g.: considering society's dependence on various activities, services, facilities, technologies etc., as well as the organizat...

US Dept of Commerce shutdown

Earlier this year I heard about the threatened shutdown of WWV and WWVH, NIST's standard time and frequency services, due to the withdrawal of government funding - an outrageous proposal for those of us around the world who use NIST's scientific services routinely to calibrate our clocks and radios. Today, while hunting for a NIST security standard that appears to no longer be online, I was shocked to learn that it's not just WWV that is closing down: it turns out all of NIST is under threat, in fact the entire US Department of Commerce. Naturally, it being a large bureaucratic government organization, there is a detailed plan for the shutdown with details of certain 'exempt' government services that must be maintained according to US law, although how those services and people are to be paid is unclear to me. After the funding ceases, DoC employees are required (or is that requested?) to turn up for work for a few more hours to set their out-of-office notifications (on...

Gamifying awareness

We've come up with an idea for our next awareness challenge. January's topic is 'resilience', a concept that means different things to different people. So what does it mean to workers? What is 'resilience' about? What does it imply? What are the key aspects, the things that everyone ought to know about? The concept we have in mind for the awareness challenge is simple enough: under guidance from our security awareness materials, groups of workers discussing and exploring their understanding of the term 'resilience' will occupy the bulk of the challenge. Turning that into a practical and engaging awareness activity takes a bit more work though. Our approach involves prompting and supporting someone - ideally an information security awareness professional - to deliver an effective session. Short of actually leading the session in person, we provide the materials and the inspiration to make the event fly, awareness by proxy you could say. Despite ou...

Building a resilient workforce

A resilient workforce is well-prepared to cope with whatever stuff is thrown at it, all manner of challenges and incidents ... like this for instance: Security-aware workers are an extremely important defensive control: we really ought to recognize this email for what it is - an obvious social engineering attack, a crude attempt to dupe us into opening the attachment ... but awareness is not the only control, a good thing too since we are only human. A truly resilient organization has a comprehensive suite of information security controls that come into effect before, during and after the email gets delivered, even if a hapless worker receives and falls for the con, opening that attachment. In information security, resilience is largely achieved through layered, overlapping and complementary controls. Individually none of them can totally eliminate the risks, but collectively the risks are reduced to the point that we can handle the remaining issues - at least tha...

Choosing ISO27k products

On the ISO27k Forum today, a new member asked for advice on whether a 'complete package' would help the organization achieve ISO/IEC 27001 certification. It's hard to answer without knowing more about the organization and its people (especially the management and specialists), their experience and maturity in respect of information risk and security, and ISO management systems, and the business context. For example: A small engineering company is in a different position to, say, a large charity, a government department or a multinational: its complexity, information risks, information security controls and other factors vary; A company in a heavily-regulated industry such as healthcare, finance or defense is probably more compliance-driven, its management and workforce more comfortable with structured and systematic ways of working than, say, a retailer or farmers' cooperative; An organization that is 'surrounded' or owned by ISO27k-certified organizations may b...

Bashing tick-n-bash

Auditing compliance or conformity with rules defined in policies, standards, laws and regulations is just one audit approach, commonly and disparagingly known as tick-n-bash auditing. The rule says X but you do Y ... BASH! It is like being rapped over the knuckles as a kid or zapping a trainee sheep dog through its radio-controlled shock collar. It's a technique that may work in the short term but it is crude and simplistic. The trainee/auditee is hurt and ends up resentful. Strong negative emotions persist long after the tears have dried and the bruising has gone down, making it counterproductive. It's best reserved as a last resort, in my considered opinion.* Certification audits are ultimately compliance audits but even they can be performed in a more sympathetic manner. The trick is to combine bashing (where justified) with explaining the requirements and encouraging compliance. It means motivating, not just dragging, people, and a lot ...

Who owns the silos?

Michael Rasmussen published an interesting, thought-provoking piece about the common ground linking specialist areas such as risk, security and compliance, breaking down the silos. “Achieving operational resiliency requires a connected view of risk to see the big picture of how risk interconnects and impacts the organization and its processes. A key aspect of this is the close relationship between operational risk management (ORM) and business continuity management (BCM). It baffles me how these two functions operate independently in most organizations when they have so much synergy.” While Michael's perspective makes sense, connecting, integrating or simply seeking alignment between diverse specialist functions is, let's say, challenging. Nevertheless, I personally would much rather collaborate with colleagues across the organization to find and jointly achieve shared goals that benefit the business than perpetuate today's blinkered silos and turf wars. At the very least, I...

Acceptable Use Policies

A question came up on the ISO27k Forum about an Acceptable Use Policy. I'll take this opportunity to dispense a few Hinson Tips (free, and worth every penny!). AUP isn't a generally-defined and globally-agreed term. Even "policy" has a spectrum of meanings. So, regardless of what any of us might think or claim it means, what matters is the organization that's using it - the organizational context. What does your management expect an AUP to be? To achieve? To look like? You should get some useful clues from other similar materials in other areas such as IT, HR and Finance, other functions that to some extent formally express directives. They may or may not be called AUPs, so take a look around the policy-related guidance materials, and preferably talk to the original authors about their work. You will probably pick up some useful tips, maybe even some help to knock your materials into shape. Some organizations use AUPs formally, stating employees' obligations for l...