Showing posts from April, 2019

Tangents

As the hours evaporate before our self-imposed start-of-month delivery deadline, I'm trying to stay focused on completing and proofreading the "Working off-site" security awareness module ... but it's hard when there's a fascinating discussion in full flow on the ISO27k Forum about quantitative vs qualitative methods of information risk analysis, plus all the usual stuff going on around me. I find myself physically on-site in the IsecT office, supposedly working flat-out, but my mind is drifting off-site. I just caught myself day-dreaming about the possibility of racing driverless cars, their algorithms competing against each other and the laws of physics. What a bizarre tangent! I think it's something the behavioural biologists call 'displacement activity'. Anyway, back to the grindstone. Catch you later.

A productive day

Leafing through our information security policy templates this morning, I couldn't find anything specifically covering off-site working, so I knuckled down and prepared one. It took longer than planned due to a false start: I soon realized that there are lots of potential policy matters in this area, so I refined the scope to cover just the information risk and security aspects. Following a general policy axiom, the more detailed policy statements describe 'typical examples' of the controls in three main categories (since they are likely to vary according to circumstances), plus a handful of others - about 2 sides of actual policy with the usual summary, applicability, introduction and references sections. This afternoon, I prepared a case study for May's awareness and training module on working off-site based around an intriguing scenario. What normally happens when a home-worker (someone who always, often or occasionally 'works from home') leaves the organ...

Teflon-coated security

An article about hackers compromising IoT things mentions that IoT manufacturers choose not to make their devices more secure because the additional security controls would create 'friction' for users - in other words, they are making explicit commercial decisions about their products that take into account usability as well as various other factors, such as security, privacy and I guess cost. Well, who'd a thunk it? Information risk and security management is all about making compromises and trade-offs. There are numerous options and decisions to be made, plus situations that are forced upon us. Re 'friction', it occurs to me that effective security awareness smooths the way for additional/better security. Once people such as the concerned mother in the article, and hopefully some of its readers, appreciate the need for and value of security, they are more likely to accept the cost of security - not just the slight increase in the price of things for additional...

Another NSA contractor accused of schlurping

Catching up with recent infosec news, I stumbled across a piece about NSA contractor Harold T Martin III, accused of schlurping (pinching and hoarding) some 50 terabytes of secret data. 50 Tb! Along with Julian Assange, Ed Snowden and Chelsea Manning, the US government appears to be hemorrhaging secrets by the shed-load, despite all the extraordinary security controls designed to prevent and detect it. I say 'shed-load' advisedly: a typical page of a typical document has about 500 typical words per side i.e. 1,000 words per double-sided sheet needing about 200 kb of rich text data (e.g. a Word document). That's 5 sheets per Mb*. 50 Tb is 50 million Mb or about 250 million sheets. A typical box of printer paper contains 10 reams of 500 sheets i.e. 5,000 sheets per box, enough to print out about 1 Gb of data*. So, printing 50 Tb would take about 50,000 boxes of paper, a stack of about 37x37x37 boxes. That's a shed-load ... a big shed, a small warehouse or ...

SecAware eShop open for business

Acquiring top-quality creative security awareness and training materials is easier, quicker and cheaper than ever through our online shop at www.SecAware.com. Browse a selection of awareness materials including policies, the Information Security 101 orientation module and more. Pick, pay and download - "easy-as" as we [adopted] Kiwis say. Please let me know if there are other materials or topics you'd like us to offer through SecAware ... and please excuse the minimalist site design: it's just a starting point as we figure out how to build and maintain websites for mobiles and desktops. So much left to do, so much left to learn.

Working off-site

We're rapidly spiralling-in on a scope, purpose and hence title for the next security awareness and training module, currently extruding its way through the awareness module sausage machine at IsecT HQ. Inspired by a customer request to cover the security aspects of 'home working', we set out to complement the BYOD and business continuity topics ... but in exploring the associated information risks and controls, we've realized that there are other ways and means of working with similar issues.  Mobile or portable working, for example, is almost the rule for managers and professionals these days, at least to the extent of being constantly in touch by cellphone, keeping up with emails and TXT messages, and using work apps on smartphones, laptops and tablet PCs. Commuters on public transport often seem totally absorbed by their screens and ear-buds, whether that's personal or work emails, podcasts, news from the city desk, Harry Potter, Game of Thrones, Bach or BoyZone...

Off-site security

Do your mobile sales reps look after the information relating to products, pricing, contracts, supplies, specifications, strategies and all that – not just the sales apps, spreadsheets and slide decks on their laptops, tablets and smartphones, but all the other sensitive and valuable corporate and personal data they carry or access? What about your roaming product/tech support and maintenance people? Your company doctor? The Board of Directors? Managers and business travelers generally? Workers catching up with email on their way home, or putting the final touches on a progress report while stretched out on the couch watching an episode of CSI? Are they vigilant and alert? Do they have the faintest clue about the information risks around them, or what's expected of them in the way of information security and privacy? Do they care? Portable ICT has revolutionized our lives to the point that we take it for granted these days. We've become blasé about it. No longer are we tie...

The KISS approach to ISO27k

From time to time on the ISO27k Forum, someone claims that certification auditors 'like to see', 'require' or even 'insist on' or 'demand' certain information security controls. Sometimes, it is further claimed or implied that certification auditors have actually raised or might yet raise nonconformances regarding the lack of certain controls, and consequently might refuse to certify their clients. I'm not entirely convinced that such claims are true, for starters, but if so that hints at a problem with the certification and perhaps accreditation processes. In accordance with ISO/IEC 27006, ISO/IEC 27007, ISO 19011 (revised last year) and their own internal certification audit procedures, accredited certification auditors should be certifying an ISO27k Information Security Management System against the requirements formally specified in the main body clauses of ISO/IEC 27001. They should definitely raise major nonconformances and refuse to c...

Book review: The Power of Resilience

One of my all-time top-N books, this one. Love it! The author, Yossi Sheffi, is an expert in systems optimization, risk analysis and supply chain management. He’s a professor at MIT, the Director of the Center for Transportation & Logistics, a faculty member of the Civil and Environmental Engineering Department and Institute for Data, Systems, and Society. As well as his academic credentials, he’s a level-headed clear thinker. Yossi’s thesis is valuable and convincing. There is no organization that would not benefit from being even more resilient, and for the vast majority even modest improvements along these lines could make a huge difference to their capabilities and capacities, both in disastrous conditions and in normality. I particularly like the emphasis on resilience as a strategic matter, for example making organizations fit and ready to seize the business opportunities that open up when their less-resilient peers are struggling to cope with nightmare scenarios. Resi...

Time resilience

It's official - summer's over in the Southern hemisphere. Not only did we need to light a fire to keep warm yesterday but at 3 am last night our clocks went back an hour at the end of NZ Daylight Savings Time. We're now 12 hours ahead of UTC. ◄ My Windows PC clock reset itself automagically, dropping an information entry into the system logs 12 seconds later ▼ Consequently the normally sequential Windows system log appears out of sequence. According to the time stamps ► log entries at 02:55 and 02:56 were followed by the informational entry at 02:00. That's just a reporting/display artifact though. Under the covers, the operating system uses UTC. UTC didn't change by an hour at 02:00 but just kept ticking away like normal. Log entries always join the top of the heap in a strictly sequential log. UTC does occasionally change by a second, though, to keep it in step with the Earth's rotation which is how we animals measure time - by reference to the cyc...