Tuesday 20 December 2022
Cyber-collateral
Friday 16 December 2022
'The Internet issue'
Earlier this year I wrote a retrospective on Y2K and said that I'd be back to talk about what is surely the biggest cluster of information risks facing the world over two decades on, namely those associated with the Internet.
Well OK, so it has taken me a couple of months to get around to it but anyway here goes.
Threats
- Malicious individuals
- Malicious groups
- Accidents and natural events
Vulnerabilities
- Shared resource
- Insecure base
- Naivete
Impacts
- Extreme dependence
- Cascading effects
- Catastrophic outages
Preventive controls
Detective controls
Corrective controls
Technical controls
Procedural controls
Administrative controls
Thursday 15 December 2022
Audit/review questions
- Are there any legal, regulatory or contractual compliance implications of X?
- Are there any other things about X that I/management should know about?
- Can I do some audit tests on X, please?
- Compared to Y and Z, how risky/valuable/reliable is X?
- Does anything strike you as strange or worrying about X?
- Explain the controls relating to X …
- Has X ever hurt anyone? What happened?
- Have you or anyone else raised concerns about X?
- How big is X - how wide, how heavy, how numerous, how often?
- How come previous efforts did not fix X?
- How costly was X?
Wednesday 14 December 2022
ISO27k ISMS metrics
Tuesday 13 December 2022
Yet another interpretation of 'cyber'
I have railed repeatedly at the vague and often inappropriate or misleading use of 'cyber', in particular cyber-risk and cybersecurity (inconsistently hyphenated, as shown).
Usually, cyber simply means IT - all the usual humdrum risks and controls relating to IT systems and networks. This is everyday stuff, nothing special. Plain IT covers it.
Sometimes cyber alludes to far more extreme and sinister threats associated with highly competent and resourceful adversaries sponsored by governments, organised criminals or terrorists attacking critical national or global infrastructures - the sorts of things that might be experienced during war. Those using the term in this way tend to speak in riddles, trying hard to avoid admitting or disclosing vulnerabilities while denying knowledge of any involvement in such activities.
Friday 9 December 2022
Awareness risks & opportunities
A security awareness program can be planned and prioritised on the basis of risks
Leave room (flexibility) to respond to opportunities that arise off-plan
Thursday 8 December 2022
Tempering professional paranoia
It goes with the territory: professionals working in information risk and related areas are, of course, highly aware of risks within our specialism. It's what we do.
Furthermore, many of us would admit to being naturally risk-averse: people outside the profession seem to take chances that we would prefer to avoid or shy away from, whether through plain ignorance or failure to appreciate the risks.
Risk-aversion is a personal characteristic or bias that varies from mild caution and pessimism up to extreme, debilitating paranoia. It doesn't necessarily mean that we are timid, scared or weak, rather that we tend to place more emphasis on the possibility of problems or incidents compared to non-risk-averse people.
Wednesday 7 December 2022
Riding the waves
At the very moment when the negotiations are completed and management finally agrees your infosec budget, their interest, motivation and support for it is high ... so, before the dust settles, why not seize the moment: a window of opportunity has opened. Before long, the wave of enthusiasm will subside and management's focus will turn to other matters.
Tuesday 6 December 2022
Budgeting and preparing for ISO27k
Are you responsible for your organisation's information risk and security or cybersecurity budget? Are you busily putting the finishing touches to your FY 2023 budget request?
Budgeting is a stressful management task, figuring out the figures and anticipating tough battles ahead leading (usually) to a disappointing outcome and yet more problems resulting from inadequate investment. With clear signs of another global recession looming (as if COVID, climate change and the war in Ukraine weren't challenging enough already), tightened belt-buckles are the order of the day*.
Monday 5 December 2022
System is ...
- connected systems, plus the operating environment, all of which are required to deliver services ... also NIST SP800-161r1 & SP800-53r5] [source: SecAware glossary]
- ports and peripherals of an IT device
- especially the supply chain and cloud" [thanks Steven Os]
- technologies, people, processes, relationships etc. forming a discrete functional unit [suggested by Eric Johnson]
Sunday 4 December 2022
COVID information risk analysis - retrospective
Two and a half years ago in March 2020 as we were fast approaching our first lockdown, I published the following Probability Impact Graph depicting my analysis of the information risks relating to COVID:
Friday 2 December 2022
On a mission
take the first step on your mission!
Thursday 1 December 2022
ISO/IEC 27001:2022 pros and cons
I can think of eight key advantages and opportunities in adopting the new third edition of ISO/IEC 27001 as opposed to the second edition nearly a decade old: