
Showing posts with the label Enforcing pol

Philosophical phriday: why have policies?

An interesting topic cropped up on the ISO27k Forum this week. In essence, the issue is whether a small, immature company without an Information Security Management System could or should have an information security policy. Speaking as an infosec pro, the knee-jerk response is "Yes, of course!". Why do I say that? If SmallCo's CEO or owner asked me to explain, how would I justify my recommendation to have a policy? Hmmm. Tag along or watch from the precipice as I dive into another rabbit warren.

Mandatory vs discretionary ISMS documentation

Whereas ISO/IEC 27001 indicates that only fourteen (14) types of ISMS documentation are strictly required (mandatory), they are barely a start, even for a barebones ISMS. In practice, both mandatory and discretionary documents are valuable. ISO/IEC 27001 clause 4.4 states: “The organization shall establish, implement, maintain and continually improve an information security management system, including the processes needed and their interactions, in accordance with the requirements of this document.” Documentation (termed 'documented information' in the standard - see clause 7.5) is generally the best way for management to inform workers about their information security responsibilities, e.g. through written policies, procedures/work instructions and job/role descriptions, accompanied by awareness and training materials such as guidelines and briefings. In addition, many security-related processes generate 'records' such as completed forms, ...

Accreditation vs certification

First, two definitions: "Certification" is the process of checking something against defined criteria, and if it passes (meets the criteria), issuing a certificate of compliance or conformity or assurance or whatever. Certification gives some assurance that the certified organisation or individual meets the criteria ... provided the certification body or person is competent and trustworthy, the checks were done properly, and the certificate itself is authentic. Hmmm, quite a few caveats there ... "Accreditation" is the process of confirming that whoever is checking and issuing certificates is properly qualified, competent and trusted to issue meaningful certificates by following prescribed processes. It adds credibility, meaning and value to the certification and issued certificates ... provided the accreditation body or person is competent and trustworthy, the checks were done properly, and the a...

Book review: Permanent Record by Ed Snowden

Title: Permanent Record
Author: Edward Snowden
ISBN: 978-1-250-23723-1
Price: US$18 from Amazon
GH rating: 90%

Summary
Until I read this book, I considered my personal integrity a fundamental strength, core to my very being. It pales in comparison to Ed's extreme courage and intense determination to expose the shocking truth about the NSA's mass surveillance programme and the way it was concealed from Congress.

eWaste safety hazards and information risks

A warning in the New Zealand Information Security Manual caught my beady eye yesterday: “Electrical and electronic equipment contains a complex mix of materials, components and substances, many which can be poisonous, carcinogenic or toxic in particulate or dust form. Destruction and disposal of WEEE [Waste from Electrical and Electronic Equipment] needs to be managed carefully to avoid the potential of serious health risk or environmental hazard.” Disposing of eWaste presents environmental and safety hazards arising from noxious/toxic/carcinogenic chemicals such as gallium arsenide (GaAs) and polychlorinated biphenyls (PCBs), plus the obvious dangers when handling sharp-edged metal or plastic chassis fragments, wires, printed circuit boards and CD/DVD discs plus leaky electrolytic capacitors and old batteries. While there may be money to be made by extracting and recycling valuable metals and reusable components, subsystems and modules, that's really a jo...

7 security culture strengtheners

Given research indicating that security culture trumps security policies , how can we strengthen the corporate security culture? Here are a few ideas to set you thinking:

Putting policies under pressure

A note on LinkedIn led me to an intriguing scientific research study that tested the following five hypotheses:
1. People who receive instructions via a written policy about rules will have better knowledge of these rules than those that do not.
2. People who receive a shorter form version of policy about the rules with less text will have better knowledge of the rules than those who receive a longer training form.
3. People who receive a written policy outlining the rules in a more vernacular and less legal technical language will have better knowledge of the rules than those presented with a more formal-legal-styled training text.
4. People with better knowledge of rules will also comply more with such rules.
5. The more legal rules align with people’s personal and social norms, the higher people score in their knowledge of these legal rules.

AA privacy breach -- policy update?

According to a Radio New Zealand news report today: "Hackers have taken names, addresses, contact details and expired credit card numbers from the AA Traveller website used between 2003 and 2018. AA travel and tourism general manager Greg Leighton said the data was taken in August last year and AA Traveller found out in March. He said a lot of the data was not needed anymore, so it should have been deleted, and the breach "could have been prevented"." The disclosure prompted the acting NZ Privacy Commissioner to opine that companies 'need a review policy': "Acting Privacy Commissioner Liz Macpherson told Midday Report that if data was not needed it should be deleted ... Companies needed a review policy in place to determine if the data stored was necessary, or could be deleted, Macpherson said." So I've looked through our SecAware information security policies to see whether we have it covered already, and sure enough we do - well, sor...

Transition arrangements for ISO/IEC 27001

Last week's release of a completely restructured ISO/IEC 27002:2022 has naturally prompted a rash of questions from anxious ISO27k users around the world about the implications for ISO/IEC 27001:2013, particularly around certification since '27002:2022 no longer aligns with '27001:2013 Annex A. The situation, today, is that ISO/IEC 27001:2013, plus the associated accreditation and certification processes, remain exactly as they were:
- Organisations that choose to adopt the standard are required to use Annex A of '27001:2013 to check that they have not accidentally neglected any relevant/necessary information security controls, documenting the associated justified decisions to include/exclude the controls in a Statement of Applicability.
- Accredited certification bodies are required to confirm that clients comply with the mandatory obligations in '27001:2013, including that SoA requirement among others, both during the initial certifications and any subsequent inter...

Google customers phishing

We're seeing a steady stream of 'update your email'-type crude phishers along these lines: I have lightly redacted the URL, but those action buttons are clearly not pointing to an IsecT domain. Firebase Storage is a Google cloud storage/app service: Google promotes Firebase security in terms of high availability and authentication for their customers i.e. web developers using Firebase to host content on the web. No mention of security for their customers' victims though and although Google can't be held entirely responsible for its customers' nefarious activities, I presume (hope!) they have the processes in place to identify and respond efficiently to incidents of this nature. I've reported this incident through a Firebase customer support channel as there is no obvious way for us to report misuse of their services by phishers etc. I'll let you know how they respond. PS They didn't. Harrumph.
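The tell in that lure is that the action buttons link to a cloud storage host rather than to the organisation the mail pretends to come from. Here is an added example (written for this page, not IsecT's or Google's code) of the check a mail filter or analyst script can make: pull every link out of the HTML body and flag any whose host is neither the organisation's own domain nor a subdomain of it. The sample mail is constructed; the bucket name "made-up-bucket" and the organisation domain "isect.example" are hypothetical stand-ins, and the link is not the redacted URL from the original post, merely the same pattern (a Firebase Storage object served from firebasestorage.googleapis.com).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of the 'update your email' lure. The bucket name is made up
# and this is NOT the redacted URL from the post; it only reproduces the pattern.
SAMPLE_EMAIL = """
<p>Your mailbox storage is 98% full. Update your email now to avoid interruption.</p>
<p><a href="https://firebasestorage.googleapis.com/v0/b/made-up-bucket.appspot.com/o/verify.html?alt=media">Update Email</a></p>
<p><a href="https://firebasestorage.googleapis.com/v0/b/made-up-bucket.appspot.com/o/verify.html?alt=media">Keep current password</a></p>
<p>Questions? Visit <a href="https://www.isect.example/help">our help page</a>.</p>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible button/link text) for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            visible = " ".join("".join(self._text).split())
            self.links.append((self._href, visible))
            self._href = None


def extract_links(html):
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def same_org(host, org_domain):
    """True only for org_domain itself or a real subdomain; 'notisect.example' fails."""
    return host == org_domain or host.endswith("." + org_domain)


def audit_links(html, org_domain):
    """Return every link whose host lies outside org_domain, with its button text.
    mailto:/javascript: hrefs have no host and are flagged too."""
    findings = []
    for href, text in extract_links(html):
        host = (urlparse(href).hostname or "").lower()
        if not same_org(host, org_domain):
            findings.append({"text": text, "host": host, "href": href})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL, "isect.example"):
        print(f"OFF-DOMAIN LINK: '{f['text']}' -> {f['host']}")
```

Matching on the host rather than on the presence of a brand name in the URL is deliberate: phishers routinely put the target's name in the path or bucket name, which the check ignores.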

Musing on ISO/IEC 27014 and infosec governance

This morning I've been studying the final draft of the forthcoming second edition of ISO/IEC 27014 "Governance of information security" , partly to update ISO27001security.com but mostly out of my fascination with the topic. Section 8.2.5 of the standard specifies the governance objective to "Foster a security-positive culture": "Governance of information security should be built upon entity culture, including the evolving needs of all the interested parties, since human behaviour is one of the fundamental elements to support the appropriate level of information security. If not adequately coordinated, the objectives, roles, responsibilities and resources can conflict with each other, resulting in the failure to meet any objectives. Therefore, harmonisation and concerted orientation between the various interested parties is very important.  To establish a positive information security culture, top management should require, promote and support coordination...

March 26 - NZ lockdown day 1 of N

From midnight last night, New Zealand is now at civil emergency "stage 4", which means all except essential services personnel are supposed to stay isolated at home for about a month. The official NZ government list of essential services appears to have been finalised and published hastily. Naturally, 'the authorities' consider themselves essential as overnight we've become a police state: police and courts are working through the lockdown, albeit providing limited services, health and immigration/customs services too. What will happen as their workers are or suspect themselves to be infected with coronavirus is unclear at this point. Presumably they have contingency plans, plus controls to limit the spread of infection within police stations, court houses, hospitals, customs halls, mail sorting offices etc. ... but staffing and service problems are entirely possible as the lockdown continues. Since they aren't entirely self-contained, there's also a se...

March 14 - COVID-19 information risk update

Further to yesterday's assessment of the information risks associated with the coronavirus pandemic and the discussion arising, here are a few more aspects. An increased number of knowledge workers are now working from home, some of them for the first time. What equipment and services are they using? What are the information risks and security arrangements? Who knows? Larger organizations tend to have in place suitable policies plus structured, systematic approaches towards home and other off-site working, with controls such as management authorization, remote security management of end user devices (corporate or BYOD), VPNs, network security monitoring, network backups, automated patching, antivirus etc.  Hopefully they have all scaled easily to cope with the changing proportions of off-siters. Medium and especially small organizations, however, may be less well prepared ... and all of them are likely to be feeling the strain of changed working practices and social interaction. T...

Exceptions vs exemptions

In the context of information risk and security management, I define and use the terms "exemption" and "exception" quite deliberately. “Exceptions” are unauthorized non-conformance or non-compliance situations. For example if the organization has a policy to use multi-factor authentication for all privileged system accounts, a privileged account that only has single-factor auth for some reason (maybe an oversight or a practical issue) would constitute an exception, something that has not [yet] been officially notified to, risk-assessed and accepted, authorized, permitted or granted by management. Depending on the circumstances and the nature of the information risks, identified exceptions may be classed as issues or events, perhaps even incidents worth reporting and managing as such. “Exemptions” are where management has formally considered and risk-assessed non-conformance or non-compliance situations and explicit...
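The distinction is only useful if the exemption register is actually consulted when the control is checked. As an added example (written for this page, not the author's or SecAware's own tooling) here is the MFA-on-privileged-accounts case as a compliance check: it takes an account inventory and an exemption register and sorts each privileged account without MFA into "exempt" (management has accepted the risk) or "exception" (nobody has). Account names, the approver, dates and rationales are constructed. One design choice that goes beyond the text: an exemption that has passed its expiry date is treated as an exception again, since the acceptance it rested on has lapsed and needs renewing.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    name: str
    privileged: bool
    mfa_enabled: bool


@dataclass(frozen=True)
class Exemption:
    """A management-approved, risk-assessed departure from the MFA policy."""
    account: str
    approved_by: str
    expires: date
    rationale: str


# Constructed inventory: names, approver, dates and rationales are made up.
ACCOUNTS = [
    Account("root-prod-db", privileged=True, mfa_enabled=True),
    Account("svc-legacy-backup", privileged=True, mfa_enabled=False),  # approved exemption
    Account("admin-jsmith", privileged=True, mfa_enabled=False),       # nobody approved this
    Account("svc-old-monitor", privileged=True, mfa_enabled=False),    # exemption has lapsed
    Account("user-alice", privileged=False, mfa_enabled=False),        # policy does not apply
]

EXEMPTIONS = {
    "svc-legacy-backup": Exemption(
        "svc-legacy-backup", "CISO", date(2026, 6, 30),
        "Backup agent cannot do MFA; compensating controls: source IP allow-list, key rotation"),
    "svc-old-monitor": Exemption(
        "svc-old-monitor", "CISO", date(2023, 12, 31),
        "Vendor promised MFA support in next release"),
}

AS_OF = date(2025, 1, 15)  # the date the check is being run (constructed)


def classify(accounts, exemptions, as_of):
    """Sort accounts into conforming / exempt / exception / out_of_scope.

    Only privileged accounts are in scope of the policy. A privileged account
    without MFA is exempt if a current exemption is on record; otherwise it is
    an exception. A lapsed exemption counts as an exception (design choice).
    as_of may be a date or an ISO date string.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    result = {"conforming": [], "exempt": [], "exception": [], "out_of_scope": []}
    for acct in accounts:
        if not acct.privileged:
            result["out_of_scope"].append(acct.name)
        elif acct.mfa_enabled:
            result["conforming"].append(acct.name)
        else:
            ex = exemptions.get(acct.name)
            if ex is not None and ex.expires >= as_of:
                result["exempt"].append(acct.name)
            elif ex is None:
                result["exception"].append((acct.name, "no exemption on record"))
            else:
                result["exception"].append(
                    (acct.name, f"exemption expired {ex.expires.isoformat()}"))
    return result


if __name__ == "__main__":
    report = classify(ACCOUNTS, EXEMPTIONS, AS_OF)
    for name, reason in report["exception"]:
        print(f"EXCEPTION (raise as issue/incident): {name}: {reason}")
    for name in report["exempt"]:
        print(f"exempt (authorized by {EXEMPTIONS[name].approved_by}): {name}")
```

The same check run on an earlier date shows the monitoring account's exemption as still valid, which is the point of recording an expiry: the risk acceptance is time-boxed, not permanent.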

7 ways to improve security awareness & training

Although 7 Ways to Improve Employee Development Programs by Keith Ferrazzi in the Harvard Business Review is not specifically about information security awareness and training, it's straightforward to apply it in that context. The 7 ways in bold below are quoted from Keith's paper, followed by my take. 1. Ignite managers’ passion to coach their employees.   I quite like this one: the idea is to incentivize managers to coach the workforce. As far as I'm concerned, this is an inherent part of management and leadership, something that can be enabled and encouraged in a general manner not just through explicit (e.g. financial) incentives. For me, this starts right at the very top: a proactive CEO, MD and executive/leadership team is in an ideal position to set this ball rolling on down the cascade - or not. If the top table is ambiguous or even negative about this, guess what happens! So, right there is an obvious strategy worth pursuing: start at, or at the very least, includ...

Process control trumps document control

Departments that have an ISO 9000-type approach to quality assurance, or any other mature ‘management system’, typically have standard ways of managing documents involving things such as:
- Document lifecycles from cradle-to-grave: how does the need for a new document arise? How does that happen, in practice? Who determines and specifies the requirements or objectives etc.?
- Document ownership, accountabilities and responsibilities: who is in charge? Who has the final say?
- Classification of documents, even if only by name [policies, procedures, guidelines etc.], with implications on authorization, use, assurance, disclosure etc.;
- Structured document review, update, authorization and release processes;
- Standard, consistent document formats and styles – preferably emphasizing readability and utility – perhaps using templates with mandatory and optional elements;
- Maintained and managed inventory of [important] documents, ...

Another NSA contractor accused of schlurping

Catching up with recent infosec news, I stumbled across a piece about NSA contractor Harold T Martin III, accused of schlurping (pinching and hoarding) some 50 terabytes of secret data. 50 TB! Along with Julian Assange, Ed Snowden and Chelsea Manning, the US government appears to be hemorrhaging secrets by the shed-load, despite all the extraordinary security controls designed to prevent and detect it. I say 'shed-load' advisedly: a typical page of a typical document has about 500 typical words per side i.e. 1,000 words per double-sided sheet needing about 200 KB of rich text data (e.g. a Word document). That's 5 sheets per MB*. 50 TB is 50 million MB or about 250 million sheets. A typical box of printer paper contains 10 reams of 500 sheets i.e. 5,000 sheets per box, enough to print out about 1 GB of data*. So, printing 50 TB would take about 50,000 boxes of paper, a stack of about 37x37x37 boxes. That's a shed-load ... a big shed, a small warehouse or ...

Carving-up the policy pie

Today being Pi day 2019, think of the organization's suite of policies as a delicious pie with numerous ingredients, maybe a crunchy crust and toppings. Whether it's an award winning blue cheese and steak pie from my local baker, or a pecan pie with whipped cream and honey, the issue I'm circling around is how to slice up the pie. Are we going for symmetric segments, chords or layers? OK, enough of the pi-puns already, today I'm heading off at a tangent, prompted by an ongoing discussion around policies on the ISO27k Forum - specifically a thread about policy compliance. Last month I blogged about policy management. Today I'll explore the policy management process and governance in more depth in the context of information risk and security or cybersecurity if you will. In my experience, managers who are reluctant or unable to understand the [scary cyber] policy content stick to the bits they can do i.e. the formalities of 'policy approval' ... and that...