Welcome to NBlog, the NoticeBored blog

Like the finer things in life, quality trumps quantity.

Apr 25, 2017

NBlog April 25 - getting back on track

After a busy week away at the ISO27k meeting, I'm catching up with the day-job, working flat out to complete the email security awareness module by the end of this month.

Yesterday, the professionals' seminar slide deck came together nicely:

It's not quite finished yet but the 'story' behind/linking the slides is taking shape.

We've incorporated a mixture of graphic images, diagrams and recent press clippings to illustrate and enhance the content. Notice the near absence of bullet points, avoiding 'death by PowerPoint'. There are a few paragraphs of text quoted in the press clippings (which, we believe, are relevant, topical, interesting and worth it) but most slides use striking visual imagery and strong colors. The idea is for a seminar leader, presenter or facilitator to explain and talk about each slide, conversing and interacting with the audience, where appropriate expanding on the literal content of the slides, interpreting things in the particular context of the organization, the audience and the individuals present, perhaps going off-script to pick up on specific matters of concern and interest.

If we simply wrote out a bunch of bullet points or paragraphs, there would be a tendency for presenters to read them out word for word, a very tedious and boring approach for all concerned. Worse still, it would be harder for them to ad lib, for instance picking up on corporate strategies and policies, current incidents, applicable laws and regulations etc.

Someone (who shall remain nameless) actually did that at the ISO27k meeting last week. He read out the entire contents of several wordy slides, verbatim, distracting us from reading and contemplating the content ourselves and so, in a sense, detracting from the value of the slides. We would have been better off without the presenter! To give him his due, it was a formal meeting and I strongly suspect he was asked to present someone else's unfamiliar content. He did seem uncomfortable in that position, a shame given his presence, expertise and ability to project quite strongly. Personally, I got far more value from the nature of the presentation than from the content.

Anyway, the slides above illustrate a distinctly different approach. The scope diagram, risk graphics and mind map, for instance, are meant to intrigue as well as inform the audience. The 'speaker notes' accompanying each slide (not shown here) pick out the key points that we hope the presenter will emphasize, preferably NOT by literally reading out the speaker notes verbatim! We want everyone to contemplate the meaning for themselves: in so doing, they will internalize the key messages, reconsider/adjust their perspectives and ultimately behave more securely, which is of course the ultimate aim of security awareness. 

If the awareness approach has no impact - if the materials and activities don't improve workers' decisions and behaviors - we might as well not bother. To put that another way, lame (as in inept, inappropriate, ineffective, boring ...) security awareness and training approaches destroy value. This is why some people say awareness doesn't work. They're doing it wrong!

To be fair, it takes a lot of effort to design and develop good seminar materials, to find, incorporate and reference those press clippings, prepare the risk graphics and mind maps etc., and most importantly clarify the 'story' and the messages we want to express. We've had lots of practice, producing at least 3 awareness slide decks per month for many years and presenting frequently at conferences and courses ... and also (as noted above) attending and critiquing presentations by others. Aside from the conferences and courses we have attended as punters, we have given and received numerous management and group presentations (e.g. audit reports, board presentations, phone meetings and video conferences), webinars and sales pitches over the years, and we've read the odd website, article and book concerning presentation and communications techniques. We observe TV and radio presenters doing their thing, thinking about their differing approaches and styles. We are still learning and improving, all the time discovering new techniques to explore and adopt as well as those to avoid like the plague. We're continually investing not just in the product but also the production methods, approaches and tools, not least our own competencies and skills. Genuine, honest, especially constructive feedback from others (yes, you!) is gold dust for us.

Hopefully you are getting useful hints and ideas from this blog. Thank you for taking the time to read this. I hope I've made you think. Anything you'd like to add? Comments are open ... over to you ...


Apr 24, 2017

NB hyperlinked information security glossary

In the course of researching security awareness topics, I frequently stumble across new words (neologisms) and obscure terms of art. Often the meaning is reasonably obvious from the context and/or the derivation, but not always - "cybersecurity" being a classic example of a popular term that evidently means different things to different people. Technical authors who rudely fail to expand their acronyms are another bugbear of mine. 

For as long as I can remember, I have maintained a personal information security glossary as a memory aid. It is a living document, frequently updated to reflect new terms and interpretations as the language evolves. Earlier this week I quoted a stack of definitions from the NZ Information Security Manual for instance, adding to those quoted from the ISO27k standards, NIST Special Publications and other definitive reference sources, plus my own 'plain English' explanations.

About 20 years ago, I realized that most specialist terms are defined using or in relation to other specialist terms, which means following a trail from word to word in much the same way that one would use a thesaurus. Hyperlinks make the process much easier than alphabetical lookups, as with a conventional dictionary. For those of us who enjoy language, browsing the glossary is both fun and educational - so much so that sometimes I need to stop and get on with proper work!
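A cross-referenced glossary is, in effect, a directed graph of terms, and the "trail from word to word" is a walk over that graph. The following is an added example, not part of the original post and not taken from the NoticeBored glossary: a handful of constructed entries using an invented [[term]] link convention, with functions that follow the trail from a starting term and flag the two defects that make such a glossary frustrating, references to terms that are never defined (the unexpanded-acronym bugbear mentioned above) and definitions that loop back on themselves.

```python
"""Toy hyperlinked glossary. Definitions cross-reference other terms, so the
glossary is a directed graph; this follows the trail from a term and flags
the two usability problems a glossary editor cares about: references to terms
that are never defined (unexpanded acronyms, for instance) and definitions
that go round in circles. Sample entries are constructed for illustration and
are not taken from the NoticeBored glossary."""
import re

# Constructed convention: a cross-reference is written as [[term]] inside a definition.
XREF = re.compile(r"\[\[([^\]]+)\]\]")

GLOSSARY = {
    "information risk": "The chance of a [[threat]] exploiting a [[vulnerability]] "
                        "to harm an [[information asset]].",
    "threat": "Someone or something that could exploit a [[vulnerability]] "
              "to harm an [[information asset]].",
    "vulnerability": "A weakness that could be exploited by a [[threat]].",
    "information asset": "Information, or anything that stores or processes it, that has value.",
    "ISMS": "An [[ISMS]] is the management system specified in [[ISO/IEC 27001]].",
    "control": "A measure that modifies [[information risk]]; see also [[safeguard]].",
}


def undefined_references(glossary):
    """Map each term that is referenced but has no entry to the entries that cite it."""
    missing = {}
    for term, text in glossary.items():
        for ref in XREF.findall(text):
            if ref not in glossary:
                missing.setdefault(ref, []).append(term)
    return missing


def trail(glossary, start):
    """Terms reached by following every cross-reference from `start`, depth first,
    in the order a reader clicking each link in turn would meet them. Each term
    is listed once, so a circular trail terminates."""
    seen, order = set(), []

    def visit(term):
        if term in seen or term not in glossary:
            return
        seen.add(term)
        order.append(term)
        for ref in XREF.findall(glossary[term]):
            visit(ref)

    visit(start)
    return order


def circular_definitions(glossary):
    """Terms whose definition trail leads back to the term itself (directly or
    through other entries); such entries define a word in terms of itself."""
    circular = []
    for term in glossary:
        stack = XREF.findall(glossary[term])
        seen = set()
        while stack:
            ref = stack.pop()
            if ref == term:
                circular.append(term)
                break
            if ref in seen or ref not in glossary:
                continue
            seen.add(ref)
            stack.extend(XREF.findall(glossary[ref]))
    return sorted(circular)


if __name__ == "__main__":
    print("trail from 'information risk':", trail(GLOSSARY, "information risk"))
    print("referenced but undefined:", undefined_references(GLOSSARY))
    print("circular definitions:", circular_definitions(GLOSSARY))
```

Run as a script it prints the trail from 'information risk', reports that 'ISO/IEC 27001' and 'safeguard' are cited but never defined, and lists 'ISMS', 'threat' and 'vulnerability' as circular: the sample deliberately defines threat and vulnerability in terms of each other, which is exactly the kind of loop that is easy to miss in a 2,000-term document without a check like this.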

The NoticeBored information security glossary, now published as a Kindle eBook on Amazon, explains about 2,000 terms. If printed out, it would take about 300 A4 pages ... but in electronic form it is cheaper (under $10), lighter, easier to search and saves trees.


[By the way, the Kindle version of the glossary is read-only and only gets updated occasionally. Every month as part of the security awareness module, the updated edition is delivered to NoticeBored subscribers as an editable MS Word document. Get in touch to subscribe.]


Apr 22, 2017

NBlog April 22 - ISO27k meeting report

A plenary concluded the main business of the ISO/IEC JTC1/SC27 WG1 meeting in Hamilton, NZ.  This was a formal session to vote on and record decisions and progress made during the week, including deadlines for the next tranche of work.

The next SC27 meeting will be in Berlin at the end of October 2017, then Wuhan in China in April 2018.

The main resolutions from this meeting were:
  • A minor revision will update ISO/IEC 27000:2016 to reflect the recent publication of 27002, 27004 and 27011.
  • Governmental/regulatory use of 27001 will become Standing Document 7 and will be maintained for internal committee use.
  • 27002 revision project will generate two versions of the standard demonstrating alternative structures for commenting at the next stage.
  • 27005 will produce a revised design specification for the revision work, plus a corrigendum for the current standard.
  • 27007 will produce revised text for FDIS, requesting a project extension to complete this.
  • 27008 will produce revised text for a DTS.
  • 27009 will be revised early rather than issuing a corrigendum, and the accompanying 'use cases' will become a SD.
  • 27014 SP on information security governance will generate a NWIP to revise the standard, with an outline document.
  • 27019 will produce revised text for FDIS.
  • 27021 on ISMS professionals' competencies will also go to FDIS (despite four disapprovals, indicating concerns with this standard).
  • 27102 on cybersecurity insurance will produce a first working draft next.
  • Cybersecurity frameworks and cybersecurity resilience work will be combined initially into an SD which will then become a PDTR.
  • Risk Handling Library will produce a Standing Document.
  • Terminology Working Group will hold a Webex meeting to discuss definitions, and is developing conceptual maps.
  • Several liaison statements will be produced to inform and align WG1's work with various other committees and bodies.


NBlog April 22 - ISO/IEC 27003 ISMS implementation guide published

ISO/IEC 27003:2017 has been published.  This is a fully revised version of the Information Security Management System (ISMS) implementation guide, originally published in 2010.

The new version is a significant improvement on the 2010 version.  It follows the structure of ISO/IEC 27001, providing pragmatic advice section-by-section on how to satisfy the requirements. I'm happy to recommend it.

The following core ISO27k standards are a sound basis on which to design and implement a management system to manage information risks (for historical reasons, termed "information security risks" or "cybersecurity risks" in the standards):
Unfortunately, ISO/IEC 27005 on information risk management is out-of-line with the set. A revised version of '27005 is not expected to surface for at least a couple of years. Meanwhile, '27003 gives useful advice in this area, while ISO 31000:2009 (a well respected de facto risk management standard) is readily applied to information risks. There are several other information risk management standards, methods and approaches as well, all of which have their advantages and disadvantages: if your organization is already familiar with and using some other approach to risk management, it can probably be applied directly or adapted to suit information risk management.

For more information on the ISO27k standards, ISMS implementation, information risk management and so forth, please browse the ISO27k FAQ. If you are active in this area, you are very welcome to join the 3,500-strong ISO27k Forum. Although it is not 'official' ISO information, it is FREE.


Apr 21, 2017

NBlog April 21 - ISO27k meeting progress report

ISO/IEC TR 27019 concerns Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry. 27019 identifies information security controls that are either specific to the energy utilities, or are critical in that domain and perhaps need to be bolstered.

The 2013 standard is currently being revised and will be published as a full International Standard, possibly later this year. There are some formatting issues to resolve with ITTF but the content is stable enough to move forward to FDIS.

The SC27 project on cybersecurity insurance is developing a standard explaining cyberinsurance concepts to information security professionals, and cybersecurity concepts to insurance professionals, forming a common basis for specifying, discussing and adopting cyberinsurance. The Study Period has developed a solid donor document with plenty of meaty content.

The SC27 Study Period on Risk Handling Library (RHL) resolved to develop and then maintain an SC27 Standing Document that references ISO27k and other standards that concern or mention information security risk. The next step is to call for contributions to help flesh out the initial SD.

A minor revision of ISO/IEC 27000 may be required as a result of publishing 27003, 27004 and 27011.

The SC27 Terminology Working Group resolved to develop a new approach to the management of terminology, using 'concept maps' (similar in style to mind maps) as a way to clarify and distinguish terms and their relationships. A half-day workshop is proposed, possibly for the next SC27 meeting in Berlin in October.

The SC27 Annex SL special working group is preparing to respond to possible changes pushed by JTCG concerning the common/boilerplate text for all the ISO management systems standards. JTCG will be circulating a questionnaire to national standards bodies concerning the possible changes.

A cybersecurity standard will initially become an SC27 Standing Document 27103 that may then go forward as PDTR 27103.

Tomorrow's plenary session will include formal voting on these projects and activities. This evening, though, we are visiting Hobbiton for a tour and gala dinner.

Gary (Gary@isect.com)

Apr 20, 2017

NBlog April 20 - ISO/IEC 27005 and 27014 revisions

The study period researching the possibility of revising ISO/IEC 27005 on 'information security risk' has resolved to limit the scope of the revised standard primarily to supporting and expanding on sections 6 and 8 of ISO/IEC 27001:2013, with some consideration of other standards including ISO 31000.

An outline/skeleton document structure has been developed as part of the design specification, although it is hard even to assess it without the corresponding content. It is likely to change as the project proceeds. It was agreed to request a further 6 months to prepare a more complete draft standard before proposing a new work item.

The study period considering the revision of ISO/IEC 27014 is proposing various improvements to make the standard more generally applicable and useful. 


Apr 19, 2017

NBlog April 19 - SC27 interim sit-rep

27001 ISMS for government use - comments agreed, Standing Document to be produced.

27001 ISMS defect concerning 'risks and opportunities' - should have covered risks to the ISMS, not to information security. The issue was slopey-shouldered to the 27005 revision project (then promptly rejected by them!). Decision to defer this to the next planned revision of this standard.

27002 security controls revision SP - challenging meeting. Plan to develop 2 versions of a template standard: (1) with the controls laid out in the front part in 4 categories with various 'views' of the controls appended according to the attributes; (2) with the views up front and the controls laid out in a catalogue as an annex. SP to be extended another 6 months, giving time for expert comments. [Meeting ongoing]

27005 information security risks - challenging meeting and robust discussion. 27005 scope changed again to support 27001 clauses on 'Risks and opportunities' plus 'risk assessment and treatment' only (not the rest of information risk management). [Meeting ongoing]

27007 ISMS auditing - all comments resolved.  Standard to go to FDIS next, plus a justification to extend the deadline by 6 months to allow finalization.

27008 technical auditing - comments resolved, some issues to be held over to next revision. All agreed.

27009 use cases SP - comments agreed, except for a problem with clause numbering using letters (falls foul of the ISO Directives).  Plan to issue a SD not an IS.

27011 telecoms security - simple defect reported, one subsection title to be corrected from 'Classification guideline' to 'Classification of information' to align with 27002.

27015 ISMS for financial services - 91% approval to withdraw, so that's it really.

27021 infosec management competencies - comments resolved, moves towards completion. All bar 1 vote turned to yes, hopefully will move to FDIS next. 

Cyber security/resilience - a robust discussion. Agreed to merge SPs and continue another 6 months as cybersecurity SP. New Call For Contributions to be prepared soon.

IEC liaison - waiting for/working on liaison statements. Published standard 62443-2-4 covers certification for IACS solution providers. 62443-2-1 is being revised, but alignment with ISO/IEC 27001 is problematic. It can still provide a useful catalogue of controls for a 27001 ISMS.

STRATUS project: NZ government+industry funded research project on cloud security, in conjunction with CSF and others. Research aims include data provenance, data protection, situational awareness and business continuity. See stratus.org.nz for more info. STRATUS wants to engage with, use and support SC27 activities through a 'category A' liaison.


NBlog April 19 - ISO/IEC 27002 revision

It should be obvious from my previous comments here on this blog, on www.ISO27001security.com and on the ISO27k Forum, that the last revision of ISO/IEC 27002 was less than satisfactory in my jaundiced opinion. When released in 2013, the standard was already out of date (e.g. it pretty much ignores cloud computing, BYOD and IoT - all topical issues that were emerging at the time the standard was being revised) and had some serious flaws (e.g. in the garbled continuity section). What may not be quite so clear is that the team responsible for the revision is a top-rate international group of experts in the field - experienced, intelligent, committed professionals.

It wasn't the team that let it down so much as the tortuous revision process we had to follow.

The next revision of 27002 could easily go down the same muddy path but there's hope, now, for a different approach. A major stumbling block, to date, has been the structure of 27002, derived from the original donor security policy that became first BS 7799, then ISO/IEC 17799, then 27002. Things have moved on some way since the 1970s and 80s! It's high time to update the structure. The crucial question we are tackling right now is how to update it.

Yesterday we considered and discussed seven proposed structures, plus an eighth straw-man option (i.e. no structure is perfect so we could forget about the structure to concentrate solely on the content). The favoured option, currently, is two-fold: 
  1. The standard could be structured into the following 'themes' (categories or types of control): organizational security; behavioural security; technical security; physical security; and third party security. Most information security controls would fit quite naturally and easily into one or other of those categories (or 'themes'), leaving relatively few ambiguous or complex controls to be allocated arbitrarily between them (or simplified and perhaps split up). Few if any controls would be orphaned, being out of place in all those options. The explicit names for the categories are not cast in stone but the structure works better than the other options considered so far ... 
  2. ... while those other structural options could be taken into account anyway in the form of 'attributes' or 'tags' for the same controls e.g. aside from where they are placed in the main structure, we could also tag the controls as preventive/detective/corrective, confidentiality/integrity/availability etc., reflecting the other classifications or structures considered.
If this proposal is agreed, the work to define, classify and tag the security controls can start as soon as the revision project is approved. Admittedly, there may still be disagreements about the classification and tagging, but hopefully most of the discussion will be more productive in connection with the controls themselves - what they are and how they are described - rather than where they should sit in the standard.

Offsetting the advantages, there would be additional work in this approach including:
  • Carefully defining the criteria or rules for classification and tagging
  • Classifying and tagging the existing controls 
  • Reviewing and revising the existing controls
  • Retiring controls that are no longer applicable
  • Adding new controls in areas that are weak
  • Addressing any anomalies, gaps and duplicates
  • Dealing with controls that are already documented adequately in other ISO27k and non-ISO27k standards (e.g. ISO/IEC 27001, 27003, 27004, 27005, ISO 22301 etc.)
  • Generating one or more appendices (possibly just a table) with the controls grouped by or referencing their respective tags 
  • Mapping the controls from ISO/IEC 27002:2015 to the new structure, so current users can migrate more easily
  • Coordinating and leading the overall effort to ensure that the end product is user-friendly, comprehensive, accurate, valuable, up-to-date, maintainable, fit for purpose and on time.  That's a tough job, whatever approach is taken!
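The two-fold proposal above (one primary 'theme' per control, plus attribute tags from which the other structures are generated as appended 'views') and several of the work items listed (classification rules, orphan detection, tag-grouped appendices, migration mapping) can be made concrete with a small catalogue model. The following is an added example and not part of the original post; every control id, name and mapping in it is constructed for illustration and none is taken from ISO/IEC 27002 or any SC27 draft.

```python
"""Toy tagged controls catalogue illustrating the proposed 27002 structure:
each control sits in exactly one 'theme' and also carries attribute tags,
from which the alternative 'views' (appendix tables) are generated.
All control ids, names and mappings below are constructed for illustration;
none are taken from ISO/IEC 27002 or any SC27 draft."""

THEMES = ("organizational", "behavioural", "technical", "physical", "third party")

# Attribute axes and their permitted tag values (constructed, mirroring the
# preventive/detective/corrective and C/I/A examples in the proposal).
ATTRIBUTES = {
    "type": {"preventive", "detective", "corrective"},
    "property": {"confidentiality", "integrity", "availability"},
}

CONTROLS = [  # constructed sample catalogue
    {"id": "ORG-1", "name": "Information security policy", "theme": "organizational",
     "type": {"preventive"}, "property": {"confidentiality", "integrity", "availability"}},
    {"id": "BEH-1", "name": "Security awareness", "theme": "behavioural",
     "type": {"preventive"}, "property": {"confidentiality", "integrity", "availability"}},
    {"id": "TEC-1", "name": "Logging and monitoring", "theme": "technical",
     "type": {"detective"}, "property": {"integrity", "availability"}},
    {"id": "TEC-2", "name": "Backups", "theme": "technical",
     "type": {"corrective"}, "property": {"availability"}},
    {"id": "PHY-1", "name": "Physical entry controls", "theme": "physical",
     "type": {"preventive"}, "property": {"confidentiality"}},
    {"id": "TPS-1", "name": "Supplier agreements", "theme": "third party",
     "type": {"preventive"}, "property": {"confidentiality", "integrity"}},
]


def validate(controls):
    """Apply the classification rules: unique id, a theme from THEMES (else the
    control is orphaned), and at least one known value on every attribute axis.
    Returns a list of anomaly strings; an empty list means the catalogue passes."""
    problems, seen = [], set()
    for c in controls:
        cid = c.get("id", "?")
        if cid in seen:
            problems.append(f"{cid}: duplicate id")
        seen.add(cid)
        if c.get("theme") not in THEMES:
            problems.append(f"{cid}: orphaned, theme {c.get('theme')!r} is not a theme")
        for axis, allowed in ATTRIBUTES.items():
            values = c.get(axis, set())
            if not values:
                problems.append(f"{cid}: no {axis} tag")
            for v in sorted(values - allowed):
                problems.append(f"{cid}: unknown {axis} tag {v!r}")
    return problems


def by_theme(controls):
    """Layout (1): the main body, controls grouped under their theme in theme order."""
    groups = {t: [] for t in THEMES}
    for c in controls:
        groups[c["theme"]].append(c["id"])
    return groups


def view(controls, axis):
    """Layout (2) / appendix table: one 'view' per attribute axis, listing the
    controls that carry each tag value. A control can appear under several values."""
    table = {v: [] for v in sorted(ATTRIBUTES[axis])}
    for c in controls:
        for v in sorted(c[axis]):
            table[v].append(c["id"])
    return table


def migration_report(old_ids, mapping, new_controls):
    """Cross-check an old-to-new mapping so current users can migrate: old controls
    with no target are retired, new controls with no source are additions, and
    targets that do not exist in the new catalogue are errors in the mapping."""
    new_ids = {c["id"] for c in new_controls}
    targets = {t for ts in mapping.values() for t in ts}
    return {
        "retired": sorted(o for o in old_ids if not mapping.get(o)),
        "added": sorted(new_ids - targets),
        "dangling": sorted(targets - new_ids),
    }


# Constructed old catalogue ids and mapping (placeholders, not real 27002 clause numbers)
OLD_IDS = ["OLD-1", "OLD-2", "OLD-3", "OLD-4"]
MAPPING = {"OLD-1": ["ORG-1"], "OLD-2": ["ORG-1"], "OLD-3": ["TEC-2"], "OLD-4": []}

if __name__ == "__main__":
    print("anomalies:", validate(CONTROLS))
    print("by theme:", by_theme(CONTROLS))
    print("type view:", view(CONTROLS, "type"))
    print("property view:", view(CONTROLS, "property"))
    print("migration:", migration_report(OLD_IDS, MAPPING, CONTROLS))
```

The design point is that the theme is stored once per control and the views are derived, so the arguments about where a control 'sits' are confined to the theme field while every other classification is just a tag that can be added or changed without restructuring the document. The migration report also surfaces the 'retired' and 'added' lists from the work items above as a by-product of the mapping, rather than as a separate exercise.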

Apr 18, 2017

NBlog April 18 - ISO27k meeting

The ISO/IEC JTC 1/SC 27 meeting is under way in Hamilton. After a stormy couple of weeks in NZ, the weather is fine and sunny so hopefully delegates will have some time to see the country after the meeting.

Work on the ISO/IEC 27000-series information security management standards ("ISO27k") this week includes:

27000 (glossary & intro) - terminology working group to review process for maintaining terms

27001 - its use in governments and regulators is going well, may become a SD as it demonstrates the value of 27001

27002 - structure & future to be discussed in depth this week, particularly the ~5-10 themes (chapters or sections of the standard, the logical sequence, classes of control) and control attributes (tags, categories) that may form the basis of a revised, smaller, more usable 27002

27005 - reported defect to be discussed and resolved; revision project to be discussed too

27007 - comments to be discussed and resolved this week: should go to DIS stage after the meeting. 

27008 - comments to be discussed and resolved this week: should go to DIS stage after the meeting.

27009 - reported defect to be discussed and resolved; use cases to be discussed

27011 - technical defect to be discussed

27015 - withdrawal to be discussed

27019  - comments to be discussed and resolved this week: should go to DIS stage after the meeting

27021 - comments to be discussed and resolved this week: should go to DIS stage after the meeting

27102? - cyber insurance SP, likely to go ahead to IS

Other cybersecurity stuff - may be combined

I'll be providing updates during the week as I attend various meetings and talk to other delegates.


Apr 17, 2017

NBlog April 17 - ISO/IEC JTC 1/SC 27 meeting

Today I'm off to the University of Waikato in Hamilton for the SC 27 meeting. 

I'm planning to catch up with developments on most if not all of the ISO27k standards, in particular:
  • ISO/IEC 27000 - is this going to be dropped in favour of an online glossary? What happened to the definitions for 'information asset', 'information risk' and 'cyber'? 
  • ISO/IEC 27001 - how did the boilerplate section on 'risk & opportunity' get hijacked as information risk?
  • ISO/IEC 27002 - how is the idea of tagging the controls going to work out? Is that just another recipe for interminable 
  • ISO/IEC 27003 - new version due soon, all done?
  • ISO/IEC 27005 - any chance of this being updated and published soon/ever? And if it is fast-tracked, where next - 'information risk management' maybe?
  • ISO/IEC 27007 - new version due soon, all done?
  • ISO/IEC TR 27008 - new version nearing completion, ready to finalise?
  • ISO/IEC 27017, 27018, 27036 and others - where are we with cloud security standards?
  • ISO/IEC 27021 - is the competency framework well thought out? How will this drive the ISO27k training & qualifications?
  • ISO/IEC 27031 - where does this stand in relation to ISO 22301?
  • ISO/IEC 27034 - is application security getting there?
  • IoT and IIoT security - what's happening?
There are some general issues I'm hoping to chat about too, such as:
  • High level, generic information risk and security principles or axioms as a unifying theme and structural framework
  • SC 27 project governance e.g. requiring all NWIPs to be accompanied by reasonably complete WD1 drafts of proposed standards or be canned; perhaps splitting 27002 into static and dynamic parts, or reducing it to a controls overview standard supported by as many detailed controls standards (i.e. the remainder of the ISO27k suite plus others) as necessary
  • Non-technical, non-IT, non-cyber information, information risks and information security controls, the meaning of 'cyber', and revisiting the scope and purpose of SC 27
  • Explicitly describing the information risks addressed by each of the ISO27k standards
  • Collaborative working practices, filling-in the gaps between SC 27 meetings with discussion and joint development, making the committee more responsive to surging market demands
  • ISO27k marketing e.g. reducing the price of the core standards for a trial promotional period; bulk pricing for sets of standards; advertising; branding; sales and certification figures
  • NZ and Australia shadow committees & collaboration
Most importantly, I'm really looking forward to socialising with committee members from around the world, welcoming them to NZ, renewing old friendships and establishing new ones. About 400 delegates are expected to attend, a massive challenge for someone as shy and retiring as me!

I'll be blogging from Hamilton this week as time permits.