Welcome to the SecAware blog

I spy with my beady eye ...

31 Jan 2012

BYOD security awareness

[Diagram: BYOD risk-control spectrum]

“Bring Your Own Device” (BYOD) - corporations allowing employees to use their personally-owned ICT gadgets for work - is a hot topic.  BYOD started appearing in the computer press about a year ago.  Now it seems to be on everybody’s watch list for 2012, the benefits for both employers and employees making this a trend that’s hard to ignore. 

While researching BYOD security for February's security awareness module, I have read a lot of glib statements in the security press, a fair number of scare-stories and lots of marketing drivel from vendors desperate to steer the PR bandwagon in their general direction.  Several journalists recommend “a BYOD policy”, for instance, but actually finding BYOD policy examples on the Web proved virtually impossible. 

Along with the usual mind maps, developing the risk-control spectrum diagram above helped me get my thoughts in order, and it provides a useful structure for one of the three seminar presentations in February's awareness module.  Given that one might be forgiven for thinking of BYOD as a purely technical subject, I find it interesting that the bulk of the awareness materials focus not on IT pros but on general employees and management.  The governance aspects of BYOD are particularly fascinating: without management-level understanding and support through strategies and policies on BYOD security, the IT security controls noted on the spectrum diagram are moot.

Gary (Gary@isect.com)

24 Jan 2012

Oxfam report on disasters

A little gem this - a report from Oxfam examines trends in natural disasters over the past few decades.  A substantial increase in the number of disasters largely reflects a significant increase in the number of floods.  The trend is marked and easy to see since the 1990s.

The report's conclusion brings up the issue of country governance:
"Countries with better governance are less vulnerable to natural hazards, which implies that securing increased standards of governance could help to mitigate future increases in exposure and hazards."
Though the report stops there, I would be utterly amazed if the same was not equally valid at the level of corporations and corporate governance - in other words:
Corporations with better governance are less vulnerable to natural hazards, which implies that securing increased standards of governance could help to mitigate future increases in exposure and hazards.
So ... just how good are your business continuity and disaster response arrangements at coping with, say, floods?  Have you ever simulated a flooding disaster? 

Gary (Gary@isect.com)

2 Jan 2012

Keep calm and carry on

Happy new year everyone.

The monthly NoticeBored security awareness deliveries continue with the release of a thoroughly updated and refreshed module on business continuity management.

Do you like the new graphic?  It's even more impressive as a poster-sized image!

We started researching and planning this module around ISO/IEC 27002’s coverage of business continuity management, and ended up going well beyond what the standard advises.  In our opinion, the standard focuses rather myopically on disaster recovery, largely neglecting other equally significant business continuity controls such as disaster avoidance, resilience and contingency.  It talks about business continuity planning and testing the plans, but hardly mentions business continuity preparations and exercises.

Resilience, the ability to keep critical business processes running right through a disaster, is an important organizational capability that management can proactively develop and enhance, provided they are aware of the possibilities and benefits of resilience.  We’re talking here about the use of hot sites and cloud computing, for instance, for the IT systems and services supporting core business processes.  Furthermore, the concept of resilience extends to supply chains (e.g. having alternative suppliers for vital supplies) and to individuals (e.g. the make-do-and-mend, so-called “number 8 wire” mentality recently demonstrated by those amazing Kiwis in Christchurch, who get on with things and have a go at fixing stuff up rather than passively waiting around for help from the authorities).

All the best for 2012,
Gary (Gary@isect.com)