Posts

Showing posts from May, 2019

Stresses and strains

Well, that's another deadline hit, an awareness module completed and published. The stress built to a crescendo mid-morning before rapidly subsiding as the final proofreading was completed, the last bit of polish applied and everything came together nicely, albeit just in the nick of time. We're cutting it fine this time! It's our version of a just-in-time production process. The product is as fresh and topical as it could possibly be, short of near-real-time delivery to customers as events unfold anyway, a service that is already available from a plethora of news sites, aggregators, search engines and blogs just like this one. That's fine except that infosec incidents don't happen in a nice tidy sequence, one topic at a time! I'm not expecting sympathy, really. The end-of-month deadline and monthly cycle are our choices. We have a degree of control although our subscribers have signed up for the regular monthly service as described, so naturally we are compe...

Physical security culture

The corporate security culture is something we absorb gradually through various encounters or interactions with an organization and its people. Specifically regarding the physical aspects of an organization's security culture, hundreds of installation security audits have taught me to open my eyes wide whenever I approach an organization's premises for the first time, starting well before I reach the visitor parking area, guard house, foyer or reception. Some organizations' buildings are proudly lit up with the company name in neon. Some are simply so large that everyone for miles around knows exactly who they are and has a pretty good idea what they are doing. I used to work for an electricity generator company: most - but not all - of the power stations are landmarks, some would say blots on the landscape. In contrast, some organizational premises are more discreet, perhaps hard to find without an address and maybe a glance at Google's satellite images (hmmm, now the...

Physical infosec

As we plummet rapidly towards our usual end of month deadline to deliver the next security awareness and training module, the scope is finally stabilizing. June's module will cover these four aspects: Physical information assets meaning the hardware processing, communicating and storing information in all forms; Physical information risks involving tangible, real-world threats, vulnerabilities and/or impacts; Physical information security controls protecting various information assets; Management of the above physical issues within the broader context of managing information risk and security, business management, compliance, corporate governance and so on. Balanced delicately on the very edge of our scope is a fifth aspect: health and safety. It is our contention that workers, especially 'knowledge workers', qualify as valuable yet vulnerable information assets just as much as, say, databases. Workers receive, process and output information, in some cases generating and ...

Management == risk management

I'm intrigued by the idea that management is risk management, hence today's blog. Management primarily involves dealing with possibilities and uncertainties, determining objectives and influencing or guiding things in the preferred directions, driving things along unclear paths towards uncertain goals. Man-management (or, to be politically-correct, personnel or human resources management) is about herding the organization's cats, guiding and motivating people in order to get the best out of them, gaining their loyalty, productivity and creativity - lots of risks and uncertainties there! Despite the intent of clear management instructions, policies, rules and directives ("Do this" and "Don't do that", or "Make it so!"), there's a degree of vagueness and complexity in how things actually turn out in practice. In particular, the future is inherently uncertain. Things don't always go to plan, but planning is essential. On that basis,...

Leaving a digital legacy

Yesterday morning, I checked the ISO27k Forum messages as usual. Among the ping-pong of ongoing conversations was a sad request to stop emailing a Forum member who died just last week. His widow sent a few polite messages through his email account to the whole list, replying to an assortment of recent Forum emails. Presumably she didn't read or comprehend the 'unsubscribe' instructions from Google at the bottom of every message, and given the circumstances, it's entirely understandable - not least because I think she is Spanish, while the Forum and its instructions are in English. Unsubscribing someone from an email list is a simple example – something that’s easy for those of us who frequently use managed mailing lists (or groups or reflectors or Special Interest Groups or whatever they are called) but is not necessarily obvious to those who don’t, especially when they are in turmoil, grieving and overloaded with a million difficult tasks all at once. It’s an extraord...

Close to home

For additional background and insight, we will once again be encouraging subscribers (through the train-the-trainer guide in June's awareness module) to take a close look at their information security metrics, incident reports, Help Desk tickets etc., specifically in the realm of physical information security. We'll urge them to dig out relevant data and anecdotes to pep-up their awareness programs. Rhetorical questions worth considering: What are the most common kinds or causes of physical security incidents? Why would that be? Does that suggest an issue worth exploring further? Is management already on to it? Which are the most disruptive, costly or worrying incidents? What makes them so troublesome? Who is or should be concerned enough to take action? What has been the worst recorded incident (so far!) and what prevents it happening again? Roughly how much are physical incidents costing the organization per year/month/day? Is that acceptable? Do the incidents vary m...

Cyber-blinkers and cyber-bling

Security Tip ST19-001 Best Practices for Securing Election Systems - an advisory from the US government - is fascinating for the things it leaves out, more than those few it includes. At least five substantial omissions occurred to me literally as I was skim-reading the piece for the very first time: Physical security for voting systems and associated paraphernalia; Application design of voting software; Social media and voter coercion (the elephant in the room); Information risk management - a systematic approach to identify, evaluate and address the information risks as a whole (not just a few items seemingly plucked out of thin air); Assurance - clearly a crucial concern for elections, underpinning the entire democratic process (a raging herd of angry elephants here!). Items 3, 4 and 5 on my little list concern the bigger picture. It's pointless securing the computer systems alone, even if that could be achieved which would take a lot more than is implied by this astonishingly...

Real-world physical impacts

At the moment, as currently scoped, June's awareness module primarily concerns physical security measures protecting information, data and IT systems, including health and safety protection for workers ... but there's another aspect that potentially falls in scope: IT incidents with physical real-world impacts. Thus far, fortunately, such incidents have been very rare, mostly proof-of-concept demonstrations that hacking, say, the IT systems controlling an electricity generator could indeed cause it to liberate the smoke. The potential is very real and scary however once you appreciate just how much of modern life is controlled by vulnerable computers, often Internetworked, with design flaws and bugs mostly tucked out of sight, lurking in the extreme technical complexities under the hood. There be dragons, as the Iranians discovered. The proliferation and interconnectedness of IT systems has reached epic proportions lately with Internet-connected lightbulbs, air conditioners,...

The value of visuals

Whereas tangible information assets and physical security are different to the intangibles we normally address, the process of managing the information risks is essentially the same: Variations on that diagram feature in many of our security awareness materials since the information risk management process is central to information security. In June, we'll elaborate on it in the particular context of physical information assets and risks thereto, using typical assets, incidents and situations to help people understand what we're concerned about. In subsequent modules, we'll pick out different aspects according to the monthly topic, and occasionally we'll zoom-in to explore certain parts of the process in more depth - risk identification, for instance, or incident management. We may tweak the layout here and there but, over time, our awareness audiences gradually become familiar with the process - one of a handful of core concepts underpinning the field. These are t...

Physical infosec

Sorry for the pause: among other things, I've been busy exploring a new subject for next month's security awareness and training materials. June's topic is physical information security, something we've covered a number of times previously. Physically protecting computer systems and storage media against threats such as intruders and thieves, fires, floods and power problems is an essential part of information security for all sorts of reasons that we'll soon be elaborating on. This time around, however, we'll also pick up on protection of another category of tangible information assets, specifically our people. Workers are definitely assets (otherwise, why would we pay them?) but do they qualify as 'information assets'? I'd argue yes for the reason that we value their brains at least as much as their brawn. Whereas brawn can generally be replaced by machinery, it's much harder to replace a competent person's knowledge, experience, expertise...

Security awareness for off-site workers

Hot off the production line comes May's security awareness and training module about working off-site. The 69th topic in our portfolio was inspired by a subscriber asking for something on home working. It ended up covering not just working at home but the information risk and security implications of working on the road (digital nomads), in hotels, on supplier or customer sites and so forth, touching on online collaboration and other related areas along the way. Module #193 is 95% brand new, prepared from scratch during April and blended-in with a little updated content recycled from previous modules on workplace security and portable ICT security, plugging the gap, as it were. I'm proud of the guideline (item #04), part of the staff awareness stream. At 16 pages, it is lengthier than normal due to the sheer variety. With the odd touch of humor and stacks of pragmatic security tips for home and mobile workers, it would make a neat little awareness booklet or eDoc...