Posts

Showing posts from February, 2019

How to challenge audit findings

Although I wrote this in the context of ISO/IEC 27001 certification audits, it applies in other situations where there is a problem with something the auditors are reporting, such as a misguided, out-of-scope or simply wrong audit finding. Here are some possible strategies to consider: Have a quiet word with the auditor/s about it, ideally before it gets written up and finalized in writing. Discuss the issue: talk it through and consider various perspectives. Negotiate a pragmatic, mutually acceptable resolution, or at least form a better view of the sticking points. Have a quiet word with your management and specialist colleagues about it, before the audit gets reported. Discuss the issue. Agree how you will respond and try to resolve this. Develop a cunning plan and gain their support to present a united front. Ideally, get management ready to demonstrate that they are definitely committing to fixing this, e.g. with budget pro...

Classification versus tagging

I'm not happy with the idea of 'levels' in many contexts, including information classification schemes. The term 'level' implies a stepped progression in one dimension. Information risk and security is more nuanced or fine-grained than that, and multidimensional too. The problems with 'levels' include: Boundary/borderline cases, where decisions about which level is appropriate are arbitrary but the implications can be significant; Dynamics: something that is a medium level right now may turn into a high or a low at some future point, perhaps when a certain event occurs; Context, e.g. determining the sensitivity of information for deliberate internal distribution is not the same as for unauthorized access, especially external leakage and legal discovery (think: internal email); Dependencies and linkages, e.g. an individual data point has more value as part of a time sequence or data set ... and aggregation, e.g. a structured and systematic compilation of p...

Victimization as a policy matter

An interesting example of warped thinking from Amos Shapir in the latest RISKS-List newsletter: "A common tactic of authoritarian regimes is to make laws which are next to impossible to abide by, then not enforce them. This creates a culture where it's perfectly acceptable to ignore such laws, yet the regime may use selective enforcement to punish dissenters -- since legally, everyone is delinquent." Amos is talking (I believe) about national governments and laws, but the same approach could be applied by authoritarian managers through corporate rules, including policies. Imagine, for instance, a security policy stating that all employees must use a secret password of at least 35 random characters: it would be unworkable in practice, but potentially it could be used by management as an excuse to single out, discipline and fire a particularly troublesome employee, while at the same time ignoring noncompliance by everyone else (including themselves, of course). It's not ...

Policy governance

Kaspersky blogged about security policies in the context of human factors making organizations vulnerable to malware: "In many cases, policies are written in such a difficult way that they simply cannot be effectively absorbed by employees. Instead of communicating risks, dangers and good practices in clear and comprehensive instructions, businesses often give employees multipage documents that everyone signs but very few read – and even less understand." That is just the tip of an iceberg. Lack of readability is just one of at least six reasons why corporate security policies are so often found lacking in practice: Lack of scope: 'security policies' are typically restricted to IT/cyber security matters, leaving substantial gaps, especially in the wider aspects of information risk and security such as human factors, fraud, privacy, intellectual property and business continuity. Lack of consistency: policies that were drafted by various people at various times for various ...

Online lovers, offline scammers

Social engineering scams are all the rage, a point worth noting today of all days. A Kiwi farmer literally lost the farm to a scammer he met and fell for online. Judging by the original TVNZ news report (no longer online), this was evidently a classic advance fee fraud or 419 scam that cost him a stunning $1.25m. This is not the first time I've heard about victims being drawn in by the scammers to the extent that they refuse to accept that they have been duped when it is pointed out to them. There's probably something in the biology of our brains that leads us astray: some sort of emotional hijack going on, bypassing the normal rational thought processes. On a more positive note, the risks associated with online dating are reasonably well known and relatively straightforward to counter. And old-school offline dating is not risk-free either. Relationships generally are a minefield ... but tread carefully and amazing things can happen. Be careful (safe hex, remember)...

Inform and motivate

The malware encyclopedia destined for inclusion in our next awareness module is coming along nicely ... It's interesting to research and fun to write in an informative but more informal style than the glossary, with several decidedly tongue-in-cheek entries so far and a few graphics to break up the text. I guess it will end up at about 20 pages, longer than usual for a general security awareness briefing but 100% on-topic. There's a lot to say about malware, it being such a complex and constantly evolving threat. I hope the relaxed style draws readers in and makes them think more carefully about what they are doing, without being too do-goody or finger-wagging. Prompting changes of attitudes and behaviors is our aim, not just lecturing the troops. Awareness and training are pointless if they are not sufficiently motivational. PS After trimming out the more obscure entries, it worked out at 11 pages plus the cover page.

Creative security awareness

We're slaving away on the 'malware update' security awareness and training module for March. Malware is such a common and widespread issue that we cover it every year, making it potentially tedious and dull. People soon get bored by the same old notices, not exactly ideal for awareness and training purposes. Simply tarting up and repackaging malware awareness materials we have delivered previously would be relatively easy for us but is not sufficient. Our subscribers deserve more! Aside from needing to reflect today's malware threats and current security approaches, we must find new angles and inject new content each time in order to spark imaginations and engage the audiences, again and again. Luckily (in a way), malware is a writhing vipers' pit, constantly morphing as the VXers and antivirus pros do battle on a daily basis. So what's new this year? The rapid evolution of malware risks is a story worth telling, but how can we actually do that in pract...

Risks and opportunities defined

In the ISO27k context, 'risks and opportunities' has at least four meanings or interpretations: Information risks and information opportunities are the possibilities of information being exploited in a negative and a positive sense, respectively. The negative sense is the normal/default meaning of risk in our field, in other words the possibility of harmful consequences arising from incidents involving information, data, IT and other 'systems', devices, IT and social networks, intellectual property, knowledge etc. This blog piece is an example of positively exploiting information: I am deliberately sharing information in order to inform, stimulate and educate people, for the benefit of the wider ISO27k user community (at least, that's my aim!). Business risks and business opportunities arise from the use of information, data, IT and other 'systems', devices, IT and social networks, intellectual property...

Security awareness module on mistakes

Security awareness and training programs are primarily concerned with incidents involving deliberate or intentional threats such as hackers and malware. In February, we take a look at mistakes, errors, accidents and other situations that inadvertently cause problems with the integrity of information, such as: Typos; Using inaccurate data, often without realizing it; Having to make decisions based on incomplete and/or out-of-date information; Mistakes when designing, developing, using and administering IT systems, including those that create or expose vulnerabilities to further incidents (such as hacks and malware); Misunderstandings, untrustworthiness, unreliability etc. harming the organization's reputation and its business relationships. Mistakes are far more numerous than hacks and malware infections, but thankfully most are trivial or inconsequential, and many are spotted and corrected before any damage is done. However, serious incidents involving inaccurate or incomplete inf...