Posts

Showing posts from April, 2021

Book review: The Resilient Enterprise

Just a brief note today: it's a lovely sunny Saturday morning down here and I have Things To Do. I'm currently enjoying another book by one of my favourite tech authors: Yossi Sheffi's The Resilient Enterprise*. As always, Yossi spins a good yarn, illustrating a strong and convincing argument with interesting, relevant examples leading to sound advice. Specifically, I'm intrigued by the notion that major incidents/disasters leading to severe business disruption may not come "out of the blue". Sometimes (quite often?), there are little warning signs, hints ahead of time about the impending crisis, chances for alert business people to look up from the daily grind and perhaps brace for impact. It ought to be possible to spot fragile supply chains, processes, systems and people, provided we are looking out for them ... Here in NZ at the moment, we are being treated to a public safety campaign using the analogy of meerkats, encouraging Kiwis to be constantly o...

KISS or optimise your ISO27k ISMS?

From time to time as we chat about scoping and designing Information Security Management Systems on the ISO27k Forum, someone naively suggests that we should Keep It Simple, Stupid. After all, an ISO27k ISMS is, essentially, simply a way of managing information security, isn't it? At face value, then, KISS makes sense. In practice, however, factors that complicate matters for organizations designing, implementing and using their ISMSs include different: Business contexts – different organization sizes, structures, maturities, resources, experiences, resilience, adaptability, industries etc.; Types and significances of risks – different threats, vulnerabilities and impacts, different potential incidents of concern; Understandings of 'information', 'risk' and 'management' etc. – different goals/objectives, constraints and opportunities, even within a given organization/management team (and sometimes even within someone's head!); P...

Policy development process: phase 2

Today we completed and published a new "topic-specific" information security policy template on clear desk and screen. Having previously considered information risks within the policy scope, writing the policy involved determining how to treat the risks and hence what information security or other controls are most appropriate. Here we drew on guidance from the ISO27k standards, plus other standards, advisories and good practices that we've picked up in the course of ~30 years in the field, working with a variety of industries and organizations - and that's an interesting part of the challenge of developing generic policy templates. Different organizations - even different business units, departments, offices or teams within a given organization - can take markedly different attitudes towards clear desk and screen. The most paranoid are obsessive about it, mandating controls that would be excessive and inappropriate for most others. Conversely, some are decidedly l...

Policy development process: phase 1

On Sunday I blogged about preparing four new 'topic-specific' information security policy templates for SecAware. Today I'm writing about the process of preparing a policy template. First of all, the fact that I have four titles means I already have a rough idea of what the policies are going to cover (yes, there's a phase zero). 'Capacity and performance management', for instance, is one requested by a customer - and fair enough. As I said on Sunday, this is a legitimate information risk and security issue with implications for confidentiality and integrity as well as the obvious availability of information. In my professional opinion, the issue is sufficiently significant to justify senior management's concern, engagement and consideration (at least). Formulating and drafting a policy is one way to crystallise the topic in a form that can be discussed by management, hopefully leading to decisions about what the organisation should do. It's a prompt t...

Infosec policy development

We're currently preparing some new information risk and security policies for SecAware.com. It's hard to find gaps in the suite of ~80 policy templates already on sale (!) but we're working on these four additions: Capacity and performance management: usually, an organization's capacity for information processing is managed by specialists in IT and HR. They help general management optimise and stay on top of information processing performance too. If capacity is insufficient and/or performance drops, that obviously affects the availability of information ... but it can harm the quality/integrity and may lead to changes that compromise confidentiality, making this an information security issue. The controls in this policy will include engineering, performance monitoring, analysis/projection and flexibility, with the aim of increasing the organisation's resilience. It's not quite as simple as 'moving to the cloud', although that may be part of the...