We have started work on our next awareness module, covering email security.
Although there are plenty of information security issues with email, more than enough for a meaty awareness module, we may yet extend the scope to include SMS/texting, Skype, Instant Messaging and other forms of person-to-person messaging. System-to-system and system-to-person messaging have security issues as well, but they are perhaps best tackled in other modules. Maybe we'll mention them, along with other areas such as social engineering and fraud that are covered in other modules too. The scope partly depends on what comes up in the news in connection with email and messaging security, and partly on the threads and messages that evolve as the module comes together, so we'll see how it turns out in a few weeks' time.
My first job is simply to create a directory for the new module and grab relevant content from the NoticeBored Back Catalog for inspiration.
Next we need creative ideas for the awareness posters. Brainstorming in the office gets us thinking, although it's not always easy to capture our thoughts into an email to the graphics team, one that makes sense and is feasible to put into practice. Ironic really, our first email information security issue of the month is ... an information availability and communications challenge!
Today I've mostly been catching up with a 3-month backlog of 100 emails from the SC27 committee behind the ISO27k standards (hey, another email challenge!). Updating the ISO27001security.com website forces me to read and consider the messages, then summarize them with a pithy sentence or three. According to our website visitors and members of the ISO27k Forum, the site is a useful information resource, with much more content than, say, Wikipedia. I benefit too by staying in touch with all the ISO27k work the committee is doing, contributing to the standards development where I can. My most recent input was an impassioned critique of ISO/IEC TR 27008, a draft standard on IT auditing - well, at least I think that is what it is meant to be on. It refers to 'reviews' as well as audits of 'technical controls', which may or may not be IT. It should lead to one of several fascinating discussions at the next SC27 meeting later this month.