Posts

Showing posts from May, 2023

Responding to security questionnaires

Over the past decade or so, 'supplier questionnaires' have become A Big Thing in the business world. Organizations have long appreciated that there are risks associated with doing business (well, fancy that!) and most quite reasonably wish to mitigate those risks, particularly in business-to-business relationships. Increasingly that involves checking out prospective suppliers' information security and privacy arrangements* as part of the supplier evaluation, selection and contracting process. A common approach is to ask prospective and current suppliers to complete security/privacy questionnaires. Being self-assertions by organizations with an obvious interest in securing the business, the assurance value of questionnaires is limited although it may be reinforced by suitable legal wording in the contracts and agreements arising: essentially, the suppliers formally confirm that their questionnaire responses are accurate, complete and valid, and/or formally accept their secur...

BCM for WFH

Since home and mobile workers rely on IT to access critical business systems and corporate data, and to communicate with others, organisations need a robust IT network infrastructure that extends to workers' homes or wherever they hang out. If, in reality, the infrastructure turns out to be fragile and unreliable, business activities are likely to be equally fragile and unreliable, leading to frustration and grief all round. In other words, the extended IT infrastructure is quite likely business-critical. Working From Home or on the road can increase various information risks relative to conventional office-based work, due to factors such as: use of cloud computing services*; workers using their own or shared devices and internet connections for work purposes, raising questions about their suitability and security, ownership of and access to any intellectual property or personal information on them;

Novel insider threat

A post on LinkedIn this morning led me to a news piece about an IT professional's attempt to divert/steal his employer's payoffs for a ransomware infection, back in 2018. According to the article, his attempt ultimately failed, largely due to his inept and naive execution ... but I have not come across this particular insider threat before. It was a new one on me, a man-in-the-middle attack layered on top of the ransomware.

Incident notification procedure [UPDATED x2]

I have developed a generic procedure documenting the incident notification process for sale through SecAware. I'm surprised how involved, complex, time-boxed and fraught the disclosure process turned out to be - depending, of course, on the nature and scale of the incident (perhaps a ransomware or malware infection, privacy breach, hack or fraud), who needs to be informed about it, and how to do so.

Metrics episode 3

Lately, I've read a couple of articles complaining that metrics are driving things inappropriately, either stating or implying that metrics should be abandoned. It's pretty obvious (if you think about it) that measuring the wrong things is - at best - a pointless waste of effort, and potentially harmful if it leads things in the wrong directions, taking attention from the things that truly matter. Likewise, measuring the right things in the wrong way leads to disappointment and frustration. However, neither of those issues is a valid argument to stop measuring. They are good reasons to measure the right things competently, easier said than done maybe but surely better than the alternative. I've already mentioned which are the right things to measure: the Things That Truly Matter. Of course that is context-dependent, and changes over time ... so one approach is to consider the organisation's long-term (strategic), mid-term (tactical) and short-term (operational) o...

Metrics episode 2

In the management context, measuring requires that we consider aspects such as: What is important: what do we need to achieve/avoid and, by implication, what is not [so] important, the stuff we can afford to ignore or perhaps monitor passively. Score bonus points for determining importance specifically in relation to achievement of the organisation's business objectives, goals, aims, purposes, visions, missions, targets, strategies, plans, future state or whatever, given that I'm talking about measuring in the corporate management context. There is clearly a strong emphasis on the future here, although where we are now and how we got here may also have some relevance (e.g. if the organisation has done particularly well in innovation or market penetration or resilience or whatever, management should probably retain and protect those capabilities, ideally enhance and build upon them - avoid inadvertently harming them anyway). What does 'success' look like: develo...

eWaste safety hazards and information risks

A warning in the New Zealand Information Security Manual caught my beady eye yesterday: “Electrical and electronic equipment contains a complex mix of materials, components and substances, many which can be poisonous, carcinogenic or toxic in particulate or dust form. Destruction and disposal of WEEE [Waste from Electrical and Electronic Equipment] needs to be managed carefully to avoid the potential of serious health risk or environmental hazard.” Disposing of eWaste presents environmental and safety hazards arising from noxious/toxic/carcinogenic chemicals such as gallium arsenide (GaAs) and polychlorinated biphenyls (PCBs), plus the obvious dangers when handling sharp-edged metal or plastic chassis fragments, wires, printed circuit boards and CD/DVD discs plus leaky electrolytic capacitors and old batteries. While there may be money to be made by extracting and recycling valuable metals and reusable components, subsystems and modules, that's really a jo...

Memories of an O.F.

I freely admit to being an Old Fart, old and plenty farty enough to remember a time even before the DTI Code of Practice was released and then in 1995 became BS7799, making information security A Thing. OK so I'm not quite so old as to remember when computers were women in rank and file, studiously calculating missile trajectories, but I've read about them and I remain fascinated by the early mechanical, electro-mechanical and then electronic computers - initially single-purpose tools such as that nice Mr Babbage's difference engine, then machines capable of various tasks using toggle switches, punched tape and cards to program their instructions. Back in the 80s when I escaped the genetics lab to become a net/sysadmin, computer security was just becoming important: people (particularly managers, few of whom had a clue about IT) were vaguely concerned about these newfangled, complicated, mysterious and expensive computers. Securing data processing hardware was seen ...