Welcome to the SecAware blog

I spy with my beady eye ...

30 Sept 2011

Privacy awareness module

Today we released the October NoticeBored awareness module on privacy ...

The awareness materials introduce basic privacy concepts using the OECD privacy principles, emphasizing compliance with privacy laws and regulations, as well as corporate privacy policies and procedures.  Information security controls underpin privacy for personal information and data.  Ethical considerations take privacy beyond mere compliance into the realm of appropriate and inappropriate use and disclosure of private matters, while the business impacts of privacy breaches, and the costs of privacy controls, are also discussed.

The awareness quiz is a new idea.  I hope customers will have fun with that.  The quiz format will no doubt continue to evolve over future months, and as always improvement suggestions are very welcome.
Gary (Gary@isect.com)

28 Sept 2011

Social media policies

Seems free speech is alive and well in the US ...
"Most of the social media policies that we've been presented are very, very overbroad," Solomon said in an interview. "They say you can't disparage or criticize the company in any way on social media, and that is not true under the law."  ... Doreen Davis, a management-side labor lawyer based in Philadelphia, said many of her corporate clients are often "surprised and upset" when they learn they can't simply terminate employees for talking about work online.
Employers should develop sound, legally-sanctioned policies concerning what employees can and can't say about them on Facebook or whatever, but more importantly they need to provide mechanisms for employees to voice genuine grievances and have them addressed properly by management, without fear of persecution or recrimination.  That's the real issue here, isn't it? And it's a governance matter in my book.

So why is it that whistleblowers' hotlines are still as rare as rocking horse poo?

Gary (Gary@isect.com)

21 Sept 2011

40 hard-won business continuity lessons from the NZ and Japan quakes

Rob Slade and I wrote an article capturing forty business continuity lessons arising from the massive earthquakes in New Zealand and Japan. It has just been published in EDPACS and, thanks to the generosity of the publishers Taylor and Francis, it is available as a free PDF download.
Aside from the specific lessons concerning resilience, crisis management, disaster recovery, and contingency management, our article illustrates a broader point, namely that it is not necessary to experience disasters first-hand in order to learn from them.  If you are fortunate enough not to live and work in an earthquake-prone area, there are still valid lessons here to help you survive other natural and unnatural disasters.

Gary (Gary@isect.com)

7 Sept 2011

What use is a BCP that won't work?

While contemplating the latest PwC security survey report, I was intrigued to read:
"At first glance, the nearly six out of every 10 (58%) respondents who report their organization has a contingency plan in place for security incidents is a healthy number. (Figure 15)  But when you factor this number by the percentage who report that their plan is effective (63%), the results are disheartening.  In effect, most organizations (63%) have no plan or the plan they have doesn’t work." 
I'm curious about the implication that about a third of organizations have nonfunctional contingency plans for information security incidents.  Presumably they know their plans don't work because:
  1. They have used the plans but they failed in operation.  It's possible some such organizations are too busy trying to recover from the incidents, or conceivably they are too badly damaged, to work on their contingency plans right now.  What are the others doing?;
  2. They have tested the plans but the tests failed.  Surely these organizations are in the process of re-working their plans?  The alternative - failing to respond to the test failure - sounds to me like more than just a matter of incompetence or not knowing how to fix their broken plans.  Isn't this a governance issue, verging on negligence?;  or
  3. For some reason they assume their plans would not work, perhaps because they are clearly incomplete, unworkable or missing vital components.  They believe they have an issue but are they doing anything about it?  This looks like an assurance issue and poor governance again.
I could understand a small proportion (5 to 10%?) of organizations finding themselves caught in the act of checking and updating their plans at the time of the survey, but I would not have predicted the proportion would reach as high as one third, on top of the 42% without any plans at all (doh!).  Such is the value of surveys, I guess.

IMNSHO it's high time that contingency, or rather business continuity, planning came into the mainstream of business management, under professional leadership, as an expectation of every soundly-governed organization.  Having no workable plans is simply an untenable position for management, especially knowing that there is no such thing as perfect or complete information security, and given that serious incidents will certainly be costly and could easily destroy the business.  Standards such as BS 25999 and NFPA 1600 are already available with ISO/IEC 27031 and ISO 22301 on their way, while professional organizations such as the BCI support their members with information and guidance on good practices.  

An article for EDPACS that I wrote in conjunction with Rob Slade, currently 'in press', uses the earthquakes and tsunami in Christchurch and Sendai to highlight 40 valuable lessons for business continuity planning.  I'll let you know as soon as it's released  :-)

Gary (Gary@isect.com)