
Monday 5 December 2022

System is ...
... “a related set of IT equipment and software used for the processing, storage or communication of information and the governance framework in which it operates” [source: New Zealand Information Security Manual]

... "all connected parts of the organisation that may be at risk of a cyber attack" [thanks Steven Os]

... a set of computers plus their software, users, administrators and managers, the associated policies and procedures, plus the links to connected systems, plus the operating environment, all of which are required to deliver services ...

... “a combination of interacting elements organised to achieve one or more stated purposes” [source: ISO/IEC 27036-1, notes omitted; also NIST SP800-161r1 & SP800-53r5]

... a black box within which inputs are mysteriously converted to outputs

... "an integrated suite of related items and processes forming a discrete operating or functional unit, such as a management system" [source: SecAware glossary]

... the software layer that mediates access between user applications and the middleware, hardware, CPU, memory, network connections, ports and peripherals of an IT device

... a tightly coupled and synchronous set of parts working as one

... "all parts of your organisation that could provide attack paths, especially the supply chain and cloud" [thanks Steven Os]

... the Internet, an interconnected global network-of-networks

... a carefully architected, designed and constructed suite of technologies, people, processes, relationships etc.

... a coherent and contiguous set of interacting components

... ICT hardware plus the associated firmware and software forming a discrete functional unit

... a computer plus its user/s and administrator/s

... a motley collection of things loosely coupled

... a unit of analysis, management and control

... the network and devices on the network [suggested by Eric Johnson]

... more than just the sum of its parts

... something to do with ecology?

... a governance arrangement

... a computer plus its user/s

... favoured by consultants

... systematic, naturally

... a unit of analysis

... an arrangement

... a framework

... an approach

... a computer

... a device

... a thing

...

Monday 28 November 2022

ISO27k is ...

... a cluster of international standards on information security management and related topics

... derived from British Standard BS 7799, itself based on an information security manual generously donated to the UK government's Department of Trade and Industry by the fuel company Shell International


Monday 21 November 2022

Governance is ...
... "strategic frameworks, organisational structures, policies and processes used to guide/direct, oversee/monitor and to some extent control the organisation, ensuring that it fulfils its strategic objectives and complies with internal and external obligations" [source: SecAware glossary]

... applicable to corporations, organisations, nations, the globe, industries, business units, finance, the environment, governments, projects, land, health, steam engines, watches, IT, information, information risk and security ...

... for the benefit of stakeholders, owners, regulators, authorities, society

... designing and implementing appropriate corporate structures

Monday 14 November 2022

Impact is ...

... "adverse change to the level of business objectives achieved" [source: ISO/IEC 27000]

... the inertial energy imparted by a moving mass impinging upon an object

... "the adverse outcome or consequences caused by or arising from an information security incident, leading to direct and/or indirect (consequential) losses/costs to the organisations and/or the individuals concerned" [source: SecAware glossary]

... the point when probability functions collapse

... when possibility becomes reality

... when threat meets vulnerability

... short, medium and long-term

... loss of control over an asset

... too late to prevent or avoid

... being smacked in the head

... when p(occurrence) hits 1

... when gloved fist hits chin

... what we tried to prevent

... what we sought to avoid

... an impressive entrance

... the resonance of a bell

... when risk eventuates

... when shit meets fan

... not too late to react

... being compromised

... a successful attack

... the point of failure

... adverse outcome

... the after-effects

... hard to quantify

... inconsequential

... career-limiting

... a wake-up call

... loss of control

... consequences

... being harmed

... consequential

... unanticipated

... ramifications

... a pivot point

... motivational

... the moment

... open-ended

... unexpected

... anticipated

... predictable

... memorable

... an incident

... a dull thud

... percussion

... disastrous

... dispersed

... an exploit

... negligible

... bad news

... predicted

... expected

... dramatic

... being hit

... a breach

... a failure

... a crater

... a driver

... focused

... harmful

... gradual

... striking

... serious

... a crash

... sudden

... general

... moving

... a miss

... severe

... shared

... crunch

... a dent

... costly

... trivial

... oh oh

... a flop

... hurty

... costs

... bang

... ouch

... a hit

...

Monday 7 November 2022

Vulnerability is ...

... "an inherent and potentially exploitable weakness in an information asset, system, process, organisation etc." [source: SecAware glossary]

... exposed by one or more missing, ineffective or inadequate controls

... “a security weakness in a computer” [source: NIST SP800-114 rev1]

... “a weakness, susceptibility or flaw of an asset or control that can be exploited by one or more threats” [source: Financial Stability Board Cyber Lexicon]

... "weakness of an asset or control that can be exploited by one or more threats" [source: ISO/IEC 27000]

... "weakness in a system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat" [source: NIST SP 1800-17b]

... a chink in the armour

... a gap in our defences

... revealed in incidents

... asking for trouble

... taking a chance

... misplaced trust

... the weak link

... unprotected

... an opening

... exploitable

... a soft spot

... deficiency

... endearing

... weakness

... inevitable

... inherent

... pathetic

... a flaw

... latent

... a bug

...

Monday 31 October 2022

Threat is ...
... "any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service" [source: NIST SP800-30r1]

... "a person, situation or event (whether deliberate or accidental, targeted or generic in nature) that is hazardous or dangerous, capable of causing an information security incident" [source: SecAware glossary]

... "potential cause of an unwanted incident, which can result in harm to a system or organization" [source: ISO/IEC 27000:2018]

... a competitor's unexpected shift of tactics

... an ominous promise to cause harm

... an accident waiting to happen

... the cause of a really bad day

... nature red in tooth and claw

... storm clouds on the horizon

... an active component of risk

... an unfortunate coincidence

... sometimes hard to detect

... intended to provoke fear

... advanced and persistent

... go ahead, make my day

... mitigated by deterrents

... a laser dot on the torso

... a stated intent to harm

... the catalyst for change

... a burst of testosterone

... external to the system

... all mouth and trousers

... retarded and tentative

... not always recognised

... what might go wrong

... part of the landscape

... dark and foreboding

... obvious in hindsight

... economic downturn

... when luck runs out

... bad consequences

... competitive intent

... a ransom demand

... coming tooled-up

... potential to harm

... marauding gangs

... an implied attack

... easily discounted

... over-emphasised

... impending doom

... adverse weather

... lack of oversight

... a nasty promise

... a nasty surprise

... static discharge

... unpredictability

... a show of force

... not when but if

... not if but when

... something bad

... hard to control

... a warning sign

... Freddy Krueger

... worth ducking

... the unknown

... a probability

... best avoided

... an oversight

... a possibility

... a prediction

... provocative

... a likelihood

... xenophobia

... generalised

... unintended

... a certainty

... intentional

... theoretical

... the enemy

... hazardous

... bad actors

... existential

... accidental

... a warning

... deliberate

... menacing

... or else ...

... uncertain

... fearsome

... outsiders

... expected

... criminals

... technical

... for show

... ominous

... coercion

... volatility

... left-field

... demonic

... violence

... physical

... directed

... mythical

... genuine

... looming

... bravado

... a worry

... a pitfall

... insiders

... disease

... a bomb

... obvious

... a scowl

... a tactic

... assault

... human

... spooky

... feared

... failure

... 'them'

... anger

... death

... social

... scary

... fake

...

Monday 24 October 2022

Oversight is ...

... "various forms of supervision and inspection used to ensure that important information security activities and controls are operating properly, and to identify any anomalies" [source: SecAware glossary]

... "forgetfulness, carelessness, neglect or incompetence, typically leading to errors, omissions and other information security incidents" [source: SecAware glossary]

... absent from ISO/IEC 27002 except for one measly mention (clause 5.16)

... maintaining a watching brief

... an opportunity to review

... the four eyes principle

... the act of overseeing

... the prompt to revisit

... keeping a close eye

... hands off, eyes on

... something missed

... a sign of distrust

... an opportunity

... a vulnerability

... a sign of trust

... incompetence

... management

... carelessness

... an omission

... an accident

... an override

... supervision

... inspection

... ineptitude

... a problem

... assurance

... a mistake

... authority

... guidance

... a control

... checking

... freedom

... a threat

... skipped

... neglect

... caring

... a risk

... audit

...
Monday 17 October 2022

Assurance is ...

... "provision of a certain level of trust, confidence, confirmation or proof of something, typically by reviewing, checking, testing, certified compliance or auditing it" [source: SecAware glossary]

... knowing when to stop climbing the ladder

... the absence of anxiety and doubt

... a necessary part of management

... the result of testing - pass or fail

... swimming out of the shark cage

... an integral governance function

... stepping into the shark cage

... packing your own parachute

... a friendly hand reaching out

... engineering the shark cage

... an underappreciated goal

... an undervalued objective

... certifying the shark cage

... welding the shark cage

... confidence in another

... an independent view

... holding all the cards

... a measure of power

... plausible deniability

... taking a space walk

... stacking the deck

... hitting the mark

... being confident

... a winning hand

... self-confidence

... not insurance

... being certain

... confirmatory

... bearing it all

... unnecessary

... nice to have

... checking-up

... baring it all

... naïve belief

... mandatory

... knowledge

... comforting

... reassuring

... being sure

... necessary

... insurance

... oversight

... essential

... checking

... a control

... valuable

... optional

... security

... a game

... testing

... costly

... audit

... valid

... trust

...

Monday 10 October 2022

Audit is ...
... "a structured assurance process of examination, review, assessment, testing and reporting by one or more competent and trusted people who – crucially – are independent of the subject area being audited" [source: SecAware glossary]

... senior management's not-so-secret weapon

... how to use friends and influence people

... how to lose friends and alienate people

... proof that management distrusts us

... where failed accountants go to die

... seeing things through fresh eyes

... a massive and unnecessary cost

... "Go ahead punk, make my day"

... derived from the Latin audio

... forever re-opening old sores

... like a bear with a sore head

... the skin-hardening function

... watching your every move

... dependent on information

... bayonetting the wounded

... the bottom of the barrel

... the third line of defence

... something best avoided

... always late to the party

... policies and procedures

... asking dumb questions

... lurking in the shadows

... a governance function

... the four eyes principle

... part of the inner circle

... poking at the remains

... a service organisation

... generating assurance

... coming, ready or not

... resource-constrained

... divorced from reality

... rigorously controlled

... tracing relationships

... a corporate function

... bound by regulation

... a challenging career

... sampling selectively

... something to evade

... looking under rocks

... simply doing its job

... an agent of change

... modern and with-it

... grounded in reality

... sampling randomly

... wide-eyed naïveté

... incompetent fools

... a little black book

... a system function

... a service function

... digging in the dirt

... following its nose

... up with the times

... bloody hard work

... humour-impaired

... behind the times

... second-guessing

... part of the team

... always on guard

... hunting in packs

... hard to convince

... a necessary evil

... self-opinionated

... non-operational

... hard to manage

... a strong control

... counting assets

... evidence based

... much maligned

... unconventional

... misunderstood

... stock-checking

... grumpy as hell

... finger-wagging

... process-driven

... "Persuade me"

... "Convince me"

... following trails

... set in its ways

... fuddy-duddies

... highly trusted

... heavily biased

... a vulnerability

... hunting alone

... highly trained

... old-fashioned

... Chinese walls

... after-the-fact

... out on a limb

... out to get us

... a nasty smell

... bloodhounds

... retrospective

... under-valued

... conventional

... accountancy

... collaborative

... adding value

... incompetent

... uncontrolled

... independent

... unnecessary

... a backwater

... complicated

... the Gestapo

... a specialism

... a profession

... professional

... experienced

... trustworthy

... a technique

... assessment

... humourless

... insufferable

... challenging

... wordsmiths

... full of itself

... exceptional

... fresh-faced

... "Show me"

... compliance

... metrication

... methodical

... unwatched

... systematic

... a diversion

... challenged

... competent

... aggressive

... the enemy

... procedural

... conformity

... mysterious

... combative

... persuasive

... underhand

... competent

... risk-based

... unbending

... prejudiced

... evaluating

... inspection

... suspicious

... delusional

... structured

... self-aware

... respected

... distrusted

... a catalyst

... pragmatic

... necessary

... menacing

... checklists

... assessing

... a process

... legendary

... friendless

... observant

... the police

... obsessive

... rotational

... privileged

... masterful

... tooled-up

... persistent

... defensive

... a pentest

... obsessive

... evidential

... polarising

... malicious

... "Prove it"

... untainted

... repetitive

... repetitive

... blinkered

... well-paid

... specialist

... snooping

... sampling

... watching

... infamous

... pointless

... assertive

... proactive

... secretive

... objective

... tough-as

... offensive

... powerful

... unbiased

... hopeless

... listening

... paranoid

... overpaid

... suffered

... external

... doubtful

... required

... sporadic

... doubted

... red tape

... officious

... faceless

... deluded

... external

... scary-as

... post hoc

... admired

... rigorous

... periodic

... 'special'

... forensic

... focused

... dubious

... clueless

... a threat

... a brand

... ticklists

... periodic

... creative

... reactive

... too late

... pointed

... divisive

... tedious

... needed

... aligned

... distrust

... probing

... modern

... internal

... sinister

... I listen

... a team

... trouble

... special

... famed

... feared

... review

... cynical

... formal

... stilted

... lonely

... a tool

... a trail

... stuffy

... hated

... naïve

... fierce

... a log

... retro

... gruff

... dark

... sad

... fun

...

Monday 3 October 2022

Trust is ...

... "a relatively weak but commonplace information security control in which supposedly trustworthy people, systems, programs, functions, organisations etc. are expected, anticipated or to various extents required to behave predictably, appropriately, responsibly, ethically and in the trusting party’s best interests" [source: SecAware glossary]

... a "relationship between two entities and/or elements, consisting of a set of activities and a security policy in which element x trusts element y if and only if x has confidence that y will behave in a well-defined way (with respect to the activities) that does not violate the given security policy" [source: ISO/IEC 27036-1]

... "a belief that an entity meets certain expectations, and therefore, can be relied upon" [source: NIST SP800-160v1r1]

... placing your fortunes in someone else's hands

... built on a base of trustworthiness

... key to strong relationships

... ceding control to another

... a shared social construct

... climbing a slippery slope

... knowing it'll be alright

... sometimes misplaced

... losing independence

... a two-way street

... being dependent

... being vulnerable

... a precious gift

... understanding

... custodianship

... fundamental

... a foundation

... dependable

... confidence

... being sure

... conviction

... assurance

... a ratchet

... verifiable

... certainty

... essential

... reliable

... no fear

... in care

... fragile

... safety

... belief

... hope

... faith

...

Monday 26 September 2022

Authorisation is ...
... "permitted, accepted and/or agreed by management or some other authority as being in the best interests of the organisation, the workforce, the stakeholders or society at large" [source: SecAware glossary]

... ideally formalised and explicitly documented, providing evidence

... the opportunity to check a proposed course of action

... deciding what should or should not be permitted

... deciding who should or should not be permitted

... one means of issue, incident or error detection

... often informal, implicit and undocumented

... a crossroads, where processes intersect

... usually manual, sometimes automated

... the acquisition of privileges and rights

... granting or withholding permission

... an important process control point

... only effective if actually checked

... (mis)spelled with a zee

... a management process

... a governance approach

... the removal of barriers

... the point of no return

... authority to proceed

... a mere formality

... a delaying tactic

... a business issue

... a policy matter

... the green light

... discretionary

... empowering

... sanctioning

... delegation

... go ahead

... approval

... red tape

...

Monday 19 September 2022

Information is ...

... exploitable (legitimately or not, authorised or not, effectively or not ...)
... more complex and convoluted than we imagined
... full of paradoxes and conundrums (conundra?)
... required for rational debates and decisions
... sometimes out of place
... the common basis of science and the arts
... passed down through the generations
... possible to secure (to some extent)
... independent of the form and format
... a source of competitive advantage
... the product of research and study
... impossible to secure (absolutely)
... dangerous in the wrong hands
... something to be challenged
... powerful in the right hands
... something to be cherished
... something to be despised
... something to be disputed
... of uncertain provenance
... competitive advantage
... the presence of data
... a body of knowledge
... in the public interest
... worth taking care of
... intellectual property
... the absence of data
... of uncertain vintage
... easy to accumulate
... naturally degrading
... of uncertain quality
... of unknown validity
... a means to an end
... extraordinarily rich
... subject to entropy
... of uncertain origin
... of unknown origin
... derived from data
... distinct from data
... what fills the void
... a class of assets
... for the sake of it
... food for the soul
... for coordination
... mind-mappable
... the booby prize
... why we're here
... hard to protect
... an end in itself
... communicated
... acknowledged
... understanding
... self-referential
... entertainment
... consequential
... untrustworthy
... collaborations
... out of context
... dependencies
... unanticipated
... a prerequisite
... embarrassing
... trade secrets
... architectures
... a by-product
... relationships
... raw material
... multifaceted
... unbelievable
... motivational
... inspirational
... fundamental
... appreciation
... disreputable
... matauranga
... for planning
... entertaining
... educational
... a belonging
... a technique
... untraceable
... educational
... perceptions
... fascinating!
... reputations
... perspective
... trustworthy
... threatening
... intellectual
... operational
... anticipated
... disclaimed
... destructive
... conceptual
... experience
... depressing
... incomplete
... misleading
... modulation
... ephemeral
... knowledge
... contextual
... disordered
... expressed
... sequential
... boundless
... inaccurate
... duplicated
... duplicated
... allegorical
... substance
... instructive
... innovation
... invaluable
... processed
... measured
... vulnerable
... streaming
... up to date
... quantified
... indifferent
... subjective
... calculable
... enhanced
... a weapon
... nonfiction
... sentience
... a product
... imprecise
... incredible
... humdrum
... corrupted
... emergent
... metadata
... intangible
... an output
... damaged
... irrelevant
... indistinct
... of no use
... life-blood
... severable
... authentic
... complete
... disclosed
... reputable
... historical
... guidance
... degraded
... a liability
... shocking
... expertise
... concepts
... a liability
... meaning
... traceable
... worrying!
... historical
... 'ownable'
... creativity
... asserted
... structure
... evidence
... a prompt
... accurate
... outdated
... objective
... an asset
... pertinent
... the prize
... personal
... licensed
... an asset
... frangible
... withheld
... strategic
... dynamic
... complex
... timeless
... copiable
... beautiful
... sharable
... uplifting
... valuable
... learning
... inherent
... linkages
... forensic
... valuable
... credible
... an input
... tradable
... hearsay
... designs
... relevant
... a threat
... relevant
... claimed
... parallel
... precise
... sensed
... ordered
... tactical
... content
... pirated
... sounds
... denied
... artistry
... refined
... factual
... topical
... worthy
... cloudy
... copied
... unique
... brands
... smells
... stories
... private
... stored
... boring
... partial
... timely
... signal
... useful
... costly
... fiction
... a tool
... public
... sights
... vague
... stolen
... fragile
... useful
... power
... words
... belief
... crude
... static
... plans
... novel
... finite
... good
... news
... stale
... tales
... data
... ugly
... fake
... free
... lost
... ties
... raw
... bad
... key
...

... very hard to pin down, define and describe comprehensively ... and despite the extraordinary length of this piece in the series, I freely admit I've failed: so what angles have I missed? What springs to your mind in relation to 'information'?