Kick-off 2023 with a bang!
Visit SecAware for special deep discount deals on our information security policies, ISO 27001 ISMS templates and more.
Happy new year!
Earlier this year I wrote a retrospective on Y2K and said that I'd be back to talk about what is surely the biggest cluster of information risks facing the world over two decades on, namely those associated with the Internet.
Well OK, so it has taken me a couple of months to get around to it but anyway here goes.
Preventive controls
Detective controls
Corrective controls
Technical controls
Procedural controls
Administrative controls
I have railed repeatedly at the vague and often inappropriate or misleading use of 'cyber', in particular cyber-risk and cybersecurity (inconsistently hyphenated, as shown).
Usually, cyber simply means IT - all the usual humdrum risks and controls relating to IT systems and networks. This is everyday stuff, nothing special. Plain IT covers it.
Sometimes cyber alludes to far more extreme and sinister threats associated with highly competent and resourceful adversaries sponsored by governments, organised criminals or terrorists attacking critical national or global infrastructures - the sorts of things that might be experienced during war. Those using the term in this way tend to speak in riddles, trying hard to avoid admitting or disclosing vulnerabilities while denying knowledge of any involvement in such activities.
Security awareness program can be planned and prioritised on the basis of risks
Leave room (flexibility) to respond to opportunities that arise off-plan
It goes with the territory: professionals working in information risk and related areas are, of course, highly aware of risks within our specialism. It's what we do.
Furthermore, many of us would admit to being naturally risk-averse: people outside the profession seem to take chances that we would prefer to avoid or shy away from, whether through plain ignorance or failure to appreciate the risks.
Risk-aversion is a personal characteristic or bias that varies from mild caution and pessimism up to extreme, debilitating paranoia. It doesn't necessarily mean that we are timid, scared or weak, rather that we tend to place more emphasis on the possibility of problems or incidents compared to non-risk-averse people.
At the very moment when the negotiations are completed and management finally agrees your infosec budget, their interest, motivation and support for it is high ... so, before the dust settles, why not seize the moment: a window of opportunity has opened. Before long, the wave of enthusiasm will subside and management's focus will turn to other matters.
Are you responsible for your organisation's information risk and security or cybersecurity budget? Are you busily putting the finishing touches to your FY 2023 budget request?
Budgeting is a stressful management task, figuring out the figures and anticipating tough battles ahead leading (usually) to a disappointing outcome and yet more problems resulting from inadequate investment. With clear signs of another global recession looming (as if COVID, climate change and the war in Ukraine weren't challenging enough already), tightened belt-buckles are the order of the day*.
Two and a half years ago in March 2020 as we were fast approaching our first lockdown, I published the following Probability Impact Graph depicting my analysis of the information risks relating to COVID:
I can think of eight key advantages and opportunities in adopting the new third edition of ISO/IEC 27001 as opposed to the second edition nearly a decade old:
There are clearly substantial information risks associated with the redaction of sensitive elements from disclosed reports and other formats, risks that the controls don't necessarily fully mitigate.
Yes, controls are fallible and constrained, leaving residual risks. This is hardly Earth-shattering news to any competent professional or enlightened infidel, and yet others are frequently shocked.
A new report* from a research team at the University of Illinois specifically concerns failures in the redaction processes and tools applied to PDF documents. The physical size of redacted text denoted (covered or replaced) with a variable-length black rectangle may give clues as to the original content, while historically a disappointing number of redaction attempts have failed to prevent the original information being recovered simply by removing the cover images or selecting then pasting the underlying text. Doh!
You needn't learn everything the hard way like I did: I can help you move ahead smartly, avoiding tar pits, finding taller ladders and shorter snakes.
Like ambient music (muzak, elevator tunes), ambient information security blends into the background. The idea is that infosec controls are subtle, seamless, integral parts of whatever is going on, as opposed to blatant in-yer-face shouty SECURITY.
Of course it's not always possible, and there are circumstances where the visibility of security is itself a valuable part of the controls - deterrents, for example, warning signs, distinct boundaries and the menacing presence of beefy security guards, with guns, dogs and attitude.
Personal identification and authentication processes that require user interaction are hard to miss e.g. security passes/tokens, passwords, PIN codes, SMS codes and all that rigmarole. Nevertheless, there are choices for system/security architects when designing login mechanisms that affect the amount of time and effort required from each user.
Those are the exceptions. A majority of security controls go largely unnoticed. Federated identity/social media systems, for instance, slim down subsequent logins to little more than an extra click. Network traffic encryption and message integrity controls use sophisticated cryptography under-the-hood, automatically correcting minor transmission errors or flagging more serious issues such as potentially fake websites with dubious, invalid or missing digital certificates. Antivirus scans, backups and software updates mostly take place quietly in the background, or wait for quiet periods to spring into action.
Once you are logged in to some systems, they quietly monitor your activities for indications that it really is you, doing more or less what you normally do, at your normal pace, from your normal device/s and location/s, showing your normal preferences, quirks and errors - or not, in which case, as the anomalies stack up, Big Brother takes an increasing interest in what you are up to, perhaps blocking dubious or risky transactions pending further investigation.
Prompted by a random podcast comment and inspired by a productive day in the garden, here's an analogy between governance and gardening.
... "strategic frameworks, organisational structures, policies and processes used to guide/direct, oversee/monitor and to some extent control the organisation, ensuring that it fulfils its strategic objectives and complies with internal and external obligations" [source: SecAware glossary]
... applicable to corporations, organisations, nations, the globe, industries, business units, finance, the environment, governments, projects, land, health, steam engines, watches, IT, information, information risk and security ...
... for the benefit of stakeholders, owners, regulators, authorities, society
... designing and implementing appropriate corporate structures