Posts

Showing posts from September, 2022

Authorisation is ...

... "permitted, accepted and/or agreed by management or some other authority as being in the best interests of the organisation, the workforce, the stakeholders or society at large" [source: SecAware glossary] ... ideally formalised and explicitly documented, providing evidence ... the opportunity to check a proposed course of action ... deciding what should or should not be permitted ... deciding who should or should not be permitted ... one means of issue, incident or error detection ... often informal, implicit and undocumented ... a crossroads, where processes intersect ... usually manual, sometimes automated ... the acquisition of privileges and rights ... granting or withholding permission ... an important process control point ... only effective if actually checked ... (mis)spelled with a zee ... a management process ... a governance approach ... the removal of barriers ... the point of no return ... authority to proceed ... a mere for...

Information is ...

... exploitable (legitimately or not, authorised or not, effectively or not ...) ... more complex and convoluted than we imagined ... full of paradoxes and conundrums (conundra?) ... required for rational debates and decisions ... sometimes out of place ... the common basis of science and the arts ... passed down through the generations ... possible to secure (to some extent) ... independent of the form and format ... a source of competitive advantage ... the product of research and study ... impossible to secure (absolutely) ... dangerous in the wrong hands ... something to be challenged ... powerful in the right hands ... something to be cherished ... something to be despised ... something to be disputed ... of uncertain provenance ... competitive advantage ... the presence of data ... a body of knowledge ... in the public interest ... worth taking care of ... intellectual property ... the absence of data ... of uncertain vintage ... easy to accumulate ... naturally degrading ... of ...

Complete security is an oxymoron

An interesting Kiwi business startup caught my beady eye today. Without being too specific, they are offering a financial service, making me curious about the legal and regulatory hoops they presumably had to clear in order to do so. Checking their shiny new website hasn't exactly inspired me with confidence. The home page claims to be using a completely secure platform ... which is, I suspect, a bit of a porky, an exaggeration, stretching the truth. Maybe they have been carried away by their own marketing. Perhaps they are just naive. I have never come across a totally secure system, and seriously doubt there is such a beast. Sure, I've dealt with many highly secure systems, all of which were vulnerable in various ways. None of the organisations concerned had the nerve to claim they were totally secure however, since (with a little guidance from pros like me!) management accepted that there were residual risks, despite all our efforts. Paradoxically, by claiming total s...

Accountability is ...

... "in contrast to responsibility, a sticky property that cannot be unilaterally delegated or passed by the accountable person or organisation to another, in other words the buck stops here" [source: SecAware glossary] ... less ambiguous and yet, strangely, more confusing than other terms in this blog series ... being able to give a satisfactory reason or justification ... distinct from, but often conflated with, responsibility ... an inherent part of various jobs, roles or positions ... knowing that things must be done properly ... easily forgotten until an incident occurs ... both a threat and an opportunity ... the latitude to decide and act ... a token of respect and trust ... a governance arrangement ... a degree of independence ... beyond mere expectation ... having to explain oneself ... imposed by an authority ... a powerful disincentive ... invariably bad news ... the sting in the tail ... a niggling concern ... power, moderated ... having guard...

Ten tips on tackling a thorny infosec issue

A member approached the ISO27k Forum this morning for advice: "What would you recommend to do if our warnings as ISMS department specialists/auditors are not taken into account?" What can realistically be done if management isn't paying sufficient attention to information risks that we believe are significant? This is a thorny issue and not an uncommon challenge, particularly among relatively inexperienced or naïve but eager information risk and security professionals, fresh out of college and still studying hard for their credentials. It can also afflict the greybeards among us: our passion for knocking down information risks can overtake our abilities to convince managers and clients. Here are ten possible responses to consider:

Responsibility is ...

... "an obligation placed on an individual person or organisation by an authority e.g. to ensure that an asset is properly protected i.e. a duty of care" [source: SecAware glossary] ... an integral part of maturity, professionalism and competence ... acting in a socially considerate and adult manner ... a blend of specific and general requirements ... often informal, incompletely specified ... often confused with accountability ... expressing expectations of others ... complementary to accountability ... doing what's right and proper ... an inherent part of the job ... commonly misunderstood ... stepping up to the plate ... not having to apologise ... an opportunity to shine ... something one accepts ... a sign of being trusted ... doing the right thing ... playing by the rules ... something to duck ... self-determination ... doing things right ... a fragile control ... a heavy burden ... a guilty feeling ... an expectation ... not offe...

Strexecution

A provocative piece on LinkedIn about the gap between strategy and execution set me thinking. Paraphrasing the original poster, managers admit to being generally lousy at executing business strategies, which may well be true (for some at least) but it could also be that: Strategies are unrealistic, infeasible or impracticable;