Monday 26 September 2022

Authorisation is ...

... "permitted, accepted and/or agreed by management or some other authority as being in the best interests of the organisation, the workforce, the stakeholders or society at large" [source: SecAware glossary]

... ideally formalised and explicitly documented, providing evidence

... the opportunity to check a proposed course of action

... deciding what should or should not be permitted

... deciding who should or should not be permitted

... one means of issue, incident or error detection

... often informal, implicit and undocumented

... a crossroads, where processes intersect

... usually manual, sometimes automated

... the acquisition of privileges and rights

... granting or withholding permission

... an important process control point

... only effective if actually checked

... (mis)spelled with a zee

... a management process

... a governance approach

... the removal of barriers

... the point of no return

... authority to proceed

... a mere formality

... a delaying tactic

... a business issue

... a policy matter

... the green light

... discretionary

... empowering

... sanctioning

... delegation

... go ahead

... approval

... red tape

...

Monday 19 September 2022

Information is ...

... exploitable (legitimately or not, authorised or not, effectively or not ...)
... more complex and convoluted than we imagined
... full of paradoxes and conundrums (conundra?)
... required for rational debates and decisions
... sometimes out of place
... the common basis of science and the arts
... passed down through the generations
... possible to secure (to some extent)
... independent of the form and format
... a source of competitive advantage
... the product of research and study
... impossible to secure (absolutely)
... dangerous in the wrong hands
... something to be challenged
... powerful in the right hands
... something to be cherished
... something to be despised
... something to be disputed
... of uncertain provenance
... competitive advantage
... the presence of data
... a body of knowledge
... in the public interest
... worth taking care of
... intellectual property
... the absence of data
... of uncertain vintage
... easy to accumulate
... naturally degrading
... of uncertain quality
... of unknown validity
... a means to an end
... extraordinarily rich
... subject to entropy
... of uncertain origin
... of unknown origin
... derived from data
... distinct from data
... what fills the void
... a class of assets
... for the sake of it
... food for the soul
... for coordination
... mind-mappable
... the booby prize
... why we're here
... hard to protect
... an end in itself
... communicated
... acknowledged
... understanding
... self-referential
... entertainment
... consequential
... untrustworthy
... collaborations
... out of context
... dependencies
... unanticipated
... a prerequisite
... embarrassing
... trade secrets
... architectures
... a by-product
... relationships
... raw material
... multifaceted
... unbelievable
... motivational
... inspirational
... fundamental
... appreciation
... disreputable
... matauranga
... for planning
... entertaining
... educational
... a belonging
... a technique
... untraceable
... educational
... perceptions
... fascinating!
... reputations
... perspective
... trustworthy
... threatening
... intellectual
... operational
... anticipated
... disclaimed
... destructive
... conceptual
... experience
... depressing
... incomplete
... misleading
... modulation
... ephemeral
... knowledge
... contextual
... disordered
... expressed
... sequential
... boundless
... inaccurate
... duplicated
... duplicated
... allegorical
... substance
... instructive
... innovation
... invaluable
... processed
... measured
... vulnerable
... streaming
... up to date
... quantified
... indifferent
... subjective
... calculable
... enhanced
... a weapon
... nonfiction
... sentience
... a product
... imprecise
... incredible
... humdrum
... corrupted
... emergent
... metadata
... intangible
... an output
... damaged
... irrelevant
... indistinct
... of no use
... life-blood
... severable
... authentic
... complete
... disclosed
... reputable
... historical
... guidance
... degraded
... a liability
... shocking
... expertise
... concepts
... a liability
... meaning
... traceable
... worrying!
... historical
... 'ownable'
... creativity
... asserted
... structure
... evidence
... a prompt
... accurate
... outdated
... objective
... an asset
... pertinent
... the prize
... personal
... licensed
... an asset
... frangible
... withheld
... strategic
... dynamic
... complex
... timeless
... copiable
... beautiful
... sharable
... uplifting
... valuable
... learning
... inherent
... linkages
... forensic
... valuable
... credible
... an input
... tradable
... hearsay
... designs
... relevant
... a threat
... relevant
... claimed
... parallel
... precise
... sensed
... ordered
... tactical
... content
... pirated
... sounds
... denied
... artistry
... refined
... factual
... topical
... worthy
... cloudy
... copied
... unique
... brands
... smells
... stories
... private
... stored
... boring
... partial
... timely
... signal
... useful
... costly
... fiction
... a tool
... public
... sights
... vague
... stolen
... fragile
... useful
... power
... words
... belief
... crude
... static
... plans
... novel
... finite
... good
... news
... stale
... tales
... data
... ugly
... fake
... free
... lost
... ties
... raw
... bad
... key
...

... very hard to pin down, define and describe comprehensively ... and despite the extraordinary length of this piece in the series, I freely admit I've failed: so what angles have I missed? What springs to your mind in relation to 'information'?

Wednesday 14 September 2022

Complete security is an oxymoron

An interesting Kiwi business startup caught my beady eye today. Without being too specific, they are offering a financial service, making me curious about the legal and regulatory hoops they presumably had to clear in order to do so.

Checking their shiny new website hasn't exactly inspired me with confidence. The home page claims to be using a completely secure platform ... which is, I suspect, a bit of a porky, an exaggeration, stretching the truth. Maybe they have been carried away by their own marketing. Perhaps they are just naive.

I have never come across a totally secure system, and seriously doubt there is such a beast. Sure, I've dealt with many highly secure systems, all of which were vulnerable in various ways. None of the organisations concerned had the nerve to claim they were totally secure, however, since (with a little guidance from pros like me!) management accepted that there were residual risks, despite all our efforts.

Paradoxically, by claiming total security, they are painting a large target on themselves, setting themselves up for a fall - and that's a shame because, as I said, they are a Kiwi startup with an interesting business product that the founders have personally invested in getting to market. I'm not naming the company to avoid adding fuel to the fire. I would love them to soar, not crash and burn. I wish them well.

It gets worse: I can't find any further information about their security arrangements on the website, partly due to some broken links. That's not a good look for any business - ourselves included, but we aren't offering financial services and don't claim to be totally secure. The security bar is set higher for them.

[Hint: integrity and availability are both core parts of information security.]

So, what next? I guess I'll try contacting them about this, softly-softly. I'd rather they considered me a friend than a threat.

Monday 12 September 2022

Accountability is ...

... "in contrast to responsibility, a sticky property that cannot be unilaterally delegated or passed by the accountable person or organisation to another, in other words the buck stops here" [source: SecAware glossary]

... less ambiguous and yet, strangely, more confusing than other terms in this blog series

... being able to give a satisfactory reason or justification

... distinct from, but often conflated with, responsibility

... an inherent part of various jobs, roles or positions

... knowing that things must be done properly

... easily forgotten until an incident occurs

... both a threat and an opportunity

... the latitude to decide and act

... a token of respect and trust

... a governance arrangement

... a degree of independence

... beyond mere expectation

... having to explain oneself

... imposed by an authority

... a powerful disincentive

... invariably bad news

... the sting in the tail

... a niggling concern

... power, moderated

... having guard rails

... a strong incentive

... best avoided

... mandatory

... formalised

... obligation

... awkward

... personal

... squirmy

... sticky

...

Tuesday 6 September 2022

Ten tips on tackling a thorny infosec issue

A member approached the ISO27k Forum this morning for advice:

"What would you recommend to do if our warnings as ISMS department specialists/auditors are not taken into account?"

What can realistically be done if management isn't paying sufficient attention to information risks that we believe are significant?

This is a thorny issue and not an uncommon challenge, particularly among relatively inexperienced or naïve but eager information risk and security professionals, fresh out of college and still studying hard for their credentials. It can also afflict the greybeards among us: our passion for knocking down information risks can overtake our abilities to convince managers and clients.

Here are ten possible responses to consider:

Monday 5 September 2022

Responsibility is ...

... "an obligation placed on an individual person or organisation by an authority e.g. to ensure that an asset is properly protected i.e. a duty of care" [source: SecAware glossary]

... an integral part of maturity, professionalism and competence

... acting in a socially considerate and adult manner

... a blend of specific and general requirements

... often informal, incompletely specified

... often confused with accountability

... expressing expectations of others

... complementary to accountability

... doing what's right and proper

... an inherent part of the job

... commonly misunderstood

... stepping up to the plate

... not having to apologise

... an opportunity to shine

... something one accepts

... a sign of being trusted

... doing the right thing

... playing by the rules

... something to duck

... self-determination

... doing things right

... a fragile control

... a heavy burden

... a guilty feeling

... an expectation

... not offending

... discretionary

... an obligation

... internalised

... more work!

... severable

... shirkable

... deniable

... serious

... intent

... will

...

Strexecution

A provocative piece on LinkedIn about the gap between strategy and execution set me thinking. Paraphrasing the original poster, managers admit to being generally lousy at executing business strategies, which may well be true (for some at least), but it could also be that:

  • Strategies are unrealistic, infeasible or impracticable;