Showing posts from March, 2020

March 31 - NZ lockdown day 6 of N

The NZ politicians and news media are updating us daily on selected COVID-19 statistics (metrics), particularly concerning NZ of course but also the global situation. Countries with the largest numbers (regardless of which metric) are naturally media-fodder. It's fair to ask, though, what all these numbers mean, why we should care about them, and why they are being reported rather than others. As with information risk and security metrics, there are various audiences of the metrics with numerous concerns, objectives, purposes, uses for or interests in them, e.g.:
- Those actually managing the national response, day-by-day, need to know how they are doing relative to their plans and intentions, and how they might improve
- Central and local government politicians giving oversight and direction to the response ... with a keen eye on their popular standing, given that an election is in the offing (unless deferred) ... plus administrators in the civil service
- The Treasury and Inland Reven

March 30 - NZ lockdown day 5 of N

Our "broadband" is gradually becoming narrower by the day as an increasing number of Kiwis on staycation are working from home, downloading/watching videos, playing online games or whatever. Normally I listen to online music stations while working and I still can: thanks to buffering and the relatively little bandwidth required, streaming audio still works OK ... but instead I'm listening to my music CDs for a change, figuring there are those out there who need the Interweb bandwidth more than me. Besides which, I like my CDs and it's easy to skip the duff tracks.

March 29 - NZ lockdown day 4 of N

Yesterday I wrote about exploiting/making the most of opportunities that arise in a crisis. Here's an example - using COVID-19 as an analogy to help explain a concept. A question came up on the ISO27k Forum about how to handle 'primary and secondary assets' in the risk assessment processes described by ISO/IEC 27005. This is my response ... Primary assets (business processes and activities, information) “… usually the core processes and information of the activity in the scope” [ISO/IEC 27005:2018 section B.1.2] are the focal point: that’s what we need to protect. However, in order to do that, we also need to take care of other matters, including the supporting/enabling information systems, networks etc. Those have some intrinsic value (e.g. used but now redundant servers can be upgraded, redeployed, sold or scrapped) but their main value relates to their roles in relation to the primary assets. A topical analogy is “health” – an asset we all need to protect. For vi

March 28 - NZ lockdown day 3 of N

With a bit of lateral thinking, there are ways to hook in to and even exploit the COVID-19 brouhaha. More time for reflection is one of the advantages of the lockdown, for some of us at least. Many organizations, for instance, have sent out customer comms about what they are doing to maintain services during/despite the pandemic. Although most are matter-of-fact and boring (maybe not even branded), some are more creative and engaging, even acknowledging that COVID is not going to blow over in a couple of weeks. Most are generic, superficial and bland, often supplier-focused, whereas some are personalised, unique, detailed and customer-focused. Most appear to be one-off broadcasts, hurriedly cobbled together by teams immersed in the chaos and confusion, then slowly refined and authorized. Not many that I've seen so far even hint that there might be more to come. The odd tinge of humour is welcome. Unlike the vast majority of incidents and crises, a global incident such as COVID-1

March 27 - NZ lockdown day 2 of N

I said yesterday that we've identified our home essentials - things such as food, fuel, booze, the web etc. - and stocked up accordingly, like any sensible family would do. Those are the things we all need. Pretty obvious really and not particularly interesting. But what about the things we don't need? What would we rather not have during this pandemic, or in general? While painstakingly giving my chisels a long-overdue regrind and manual sharpen in the man-shed, I came up with the following A-to-Z list. These are the things I can do without:
- Accidents
- Aches & pains
- Alzheimer's
- Armed forces
- Authorities
- Bad backs
- Bad breath
- Bad debts
- Bad decisions
- Bad design
- Bad dreams
- Bad engineering
- Bad habits
- Bad health
- Bad memories
- Badges & thumbs-up
- Badness generally
- Bias
- Bramble
- Breakages
- Briscoes sales
- Broken promises
- Cancer
- Cheating
- Classrooms
- Climate change
- Coffins
- Compliance enforcement
- Concerts
- Constraints
- Crappy software & patching
- Criminals
- Crises
- Crowds
- Cruises

March 26 - NZ lockdown day 1 of N

From midnight last night, New Zealand is now at civil emergency "stage 4", which means all except essential services personnel are supposed to stay isolated at home for about a month. The official NZ government list of essential services appears to have been finalised and published hastily. Naturally, 'the authorities' consider themselves essential as overnight we've become a police state: police and courts are working through the lockdown, albeit providing limited services, health and immigration/customs services too. What will happen as their workers are or suspect themselves to be infected with coronavirus is unclear at this point. Presumably they have contingency plans, plus controls to limit the spread of infection within police stations, court houses, hospitals, customs halls, mail sorting offices etc. ... but staffing and service problems are entirely possible as the lockdown continues. Since they aren't entirely self-contained, there's also a se

Coping with the COVID crisis

I bumped into an insightful piece by Jeff Immelt 'Lead through a crisis' yesterday. This paragraph really caught my eye: I agree there are material differences between us in how we react under pressure, differences that are exaggerated during a crisis. The same applies to social groups and families as well as work teams: some of us are (or at least give the appearance of being) fully on top of things, some are 'coping', some are struggling, and some are in turmoil, overwhelmed by it all. The current situation reminds me of the Kübler-Ross grieving curve. Here's a version I've used to help explain our emotional responses to traumatic events such as information security incidents and changes: In any group of people, there will be individual differences e.g. in the rate at which we go through the process, the depth of the 'pit of despair', and the symptoms we show of our inner turmoil. Also, the curve is figurative, not literal, so the shape and de

March 20 - COVID-19 infosec awareness special

Today I trawled through our back catalog of information security awareness content for anything pertinent to COVID-19. The "Off-site working" security awareness module published less than a year ago is right on the button. "Off-site working" complements the "on-site working" awareness module, about the information risk and security aspects of working on corporate premises in conventional offices and similar workplaces. Off-site concerns the information risk and security aspects of working from home or on-the-road (e.g. from hotels or customer premises), often using portable IT equipment and working independently ... which is exactly the situation many of us are in right now. Off-site working changes the information risks compared to working in purpose-built corporate offices. Mostly, the risks increase in line with the complexities of remote access, portability and physical dispersion … but offsetting that, off-site working can be convenient, productive

March 20 - COVID-19 PIG update

Here's today's update to my COVID-19 information risk Probability Impact Graphic: I've slightly shifted and revised the wording of some of the risks but there's nothing really new (as far as I know anyway). Reports of panic buying from the UK and US are concerning, given the possible escalation to social disorder and looting … but hopefully sanity will soon return, aided by the authorities promoting “social distancing” and “self-isolation”. Meanwhile, I hope those of you responsible for physically securing corporate premises have appropriate security arrangements in place. Remotely monitored alarms and CCTV are all very well, but what if the guards that would be expected to do their rounds and respond to an incident are off sick or isolated at home? Do you have contingency arrangements for physical security? ‘Sanity’ is a fragile condition: there is clearly a lot of anxiety, stress and tension around, due to the sudden social changes, fear about the infectious dis

March 18 - COVID-19 PIG update

I've updated the PIG showing information risks relating to COVID-19, originally published here five days ago: Two additional information risks now feature in the middle: Mental health issues arising from the sudden widespread introduction of work-from-home, social distancing, cancellation of many leisure activities etc., on top of the stress of potentially being infected and becoming sick. Laid-off workers are basically cast adrift, placing them under immense personal stress at this difficult time because of the scale of COVID-19: they are unlikely to walk directly into their next contract or permanent role with some other organisation if everyone is in crisis. Remaining workers may have 'survivor guilt', and fear also being laid off - hardly conducive to productive working. It may increase 'insider threats'. Also, this risk may increase over time once we get beyond the honeymoon period as workers settle in to their more isolated workspaces, and face up to the r

March 17 - COVID-19 BCM

From my narrow perspective as a practitioner, manager and consultant in the field, some 20-30 years ago, Business Continuity Planning revolved around IT Disaster Recovery which generally involved (at the time) either powering up an alternative data centre or hiring a few servers on the back of a truck and plugging them in to restore services taken out when the data centre was flooded/burnt. It was almost entirely IT focused, expensive, and could cope with very few disaster scenarios (there still had to be somewhere for the truck to park up and plug in, while the backups to be restored had to have survived miraculously, plus of course the rest of the organization - including the alternative data centre plus the people and associated essential services). From that primitive origin, BCP started to get better organised, with scenario planning and tabletop exercises, and actual 'management' instead of just 'planning' - leading to Business Continuity Management.

March 14 - COVID-19 information risk update

Further to yesterday's assessment of the information risks associated with the coronavirus pandemic and the discussion arising, here are a few more aspects. An increased number of knowledge workers are now working from home, some of them for the first time. What equipment and services are they using? What are the information risks and security arrangements? Who knows? Larger organizations tend to have in place suitable policies plus structured, systematic approaches towards home and other off-site working, with controls such as management authorization, remote security management of end user devices (corporate or BYOD), VPNs, network security monitoring, network backups, automated patching, antivirus etc. Hopefully they have all scaled easily to cope with the changing proportions of off-siters. Medium and especially small organizations, however, may be less well prepared ... and all of them are likely to be feeling the strain of changed working practices and social interaction. T

March 13 - COVID-19 information risk analysis

I'll kick off with a disclaimer: IANAV*. I have a scientific background in microbial genetics but left the field more than 3 decades ago. I have far more experience in information risk management, so what follows is my personal assessment of the information risks ('risks pertaining to information') associated with the Coronavirus pandemic. Here's my initial draft of a Probability-Impact-Graphic showing what I see as the main information risk aspects right now, today, with a few words of explanation below: Top left, the reported shortages of toilet rolls, facemasks, hand sanitiser and soap qualify as information incidents because they are the result of panic buying by people over-reacting to initial media coverage of shortages. The impacts are low because most people are just not that daft. Fear, Uncertainty and Doubt, however, is largely what drives those panic buyers. To an extent, I blame the media (mostly social media but also the traditional news media, d

Reflecting on privacy

Anyone who read Orwell's masterpiece or saw the film "1984" appreciates the threat of mass surveillance by the state a.k.a. Big Brother. Anyone who has followed Ed Snowden's revelations knows that mass surveillance is no longer fanciful fiction. There are clearly privacy impacts from surveillance with implications for personal freedoms, assurance and compliance. At the same time, surveillance offers significant social benefits too, in other words, pros and cons which vary with one's perspective. Big Brother sees overwhelming benefits from mass surveillance and has the power, capability and (these days) the technology to conduct both overt and covert mass or targeted surveillance more or less at will. The same thing applies to other forms of surveillance and other contexts: many of us gleefully carry surveillance devices with us wherever we go, continuously transmitting information about our activities, conversations, locations, contacts and more. We may call them

March 8 - meshy policies [UPDATED]

I'm reviewing and revising our information security policy templates, again. At the moment I'm systematically compiling a cross-reference matrix in Excel showing how each of the 65 policies relates to others in the set - quite a laborious job but it will result in greater consistency. The objective is to make the policies knit together coherently, without significant overlaps or gaps in coverage - less mess, more mesh. All our policies include a reference section noting other relevant policies, procedures, guidelines etc. but only the main ones: the information risk management policy, for instance, is relevant to all the others but there's no point listing it as a reference in all of them, nor listing all of them in it. I have shortened the titles of a few policies for readability, and need to check/update the formatting then generate new screenshots for the website. Once that is all done, I will be checking coverage: a couple of policies are similar enough that they mig

March 6 - cry-ber-security

◄ This amuses me - part of an advertisement by NZ farm supplies company FFM for their quad bike safety helmets ... but the principle applies equally to knowledge workers in any industry. We used a similar concept for one of our social engineering awareness posters, emphasising the manipulation rather than protection ► Earlier this week, Gelo asked on the ISO27k Forum: "Based on the ISO 27001 definition of Information Processing Facilities, can we consider a person as such? Considering that a person can process and store information in his mind?" I replied: "Before electronic computers, “computers” were people who computed. So yes Gelo, we can. People generate, store, process, use and communicate information." That is my cue for yet another dig at the cybersecurity movement. Do humans even feature in the myopic tech-centric world of those self-anointed cybersecurity experts? Would hard hats, other Personal Protective Equipment and Health and Safety appear on their li

SIM swap fraud

I've heard rumours about the possibility of SIM-swap "identity theft" (fraud) but wasn't aware of the details ... until reading a couple of recent articles pointing to an academic paper from a team at Princeton University. The fraud involves socially-engineering the cellphone companies into migrating a victim's cellphone number onto a new SIM card, one in the fraudster's possession. That gives the fraudster control of a factor used in several multifactor authentication schemes ... and in some cases, that's enough to take full control (e.g. resetting the victim's password - another factor). Otherwise, it might take them a bit more effort to guess, steal or brute-force the victim's password or PIN code first. Authentication is usually a key control, yet authentication schemes often turn out to have vulnerabilities due to:
- Fundamental design flaws (e.g. saving passwords unencrypted or weakly encrypted)
- Bugs in the software and firmware (e.g.