- Create a new document using an existing template
- Update the template content
- Save the updated file as a template (in my default templates directory - I've been here before) with a new name
- Close the open file
- Navigate to the templates directory in Windows Explorer (made easier using a previously-saved shortcut)
- Delete the original template
- Rename the revised template the same as the now deleted original
- Open a new document using the updated template to check it out.
Feb 17, 2020
On that point, I will be encouraging NB customers to allocate suitable information risk and security pros to conduct the induction courses in person. Information Security's 'customer services' or 'help desk' people and experienced trainers are the obvious choices for this job. Furthermore, if the Information Security Manager, CISO or CEO turns up in person to say hello and reinforce some point or other (implying a little preparation), that sends a more subtle message about the importance of information security for new workers. It's a powerful technique to cut through the avalanche of information assaulting inductees.
If it is simply not practicable for the relevant InfoSec people to make the time to attend induction courses, other approaches include:
- Playing a brief 'talking heads' video statement by the ISM, CISO or CEO;
- A quick live phone call or videoconference appearance by the ISM, CISO or CEO during the session;
- Showing 'meet the team' biographies - mugshots and a few choice words about the pros in the InfoSec team (which, in fact, means everyone in the organization, including those currently in the induction session!).
I have other ideas up my sleeve for making the induction content stickier, more memorable, but that's enough for now. Over to you: what would you suggest? Comments open!
Feb 14, 2020
Feb 12, 2020
Feb 11, 2020
Feb 8, 2020
- Information risk and security fundamentals, including common terms
- Policies and procedures, with a touch of compliance
- User IDs and passwords ... and why they matter
- Phishing and other social engineering scams
- Apps and mobile security
- Ransomware and antivirus
- Physical security in the office
- Physical security when on the road or working from home
- Cloud, Internet, network and system security basics
- Vigilance: spotting, reacting to and reporting concerns
- Who's who - putting faces to the names behind information security
- Information risk and security management basics e.g. net value of incidents avoided/reduced less the costs of control
- A little more on compliance e.g. privacy
- Roles, responsibilities and accountability, with a little on governance
- Strategies, architecture, plans and big-picture-stuff
- Insider/outsider threats including fraud
- Awareness and training, plus motivation and culture, plus 'executive security'
- Information security in business relationships e.g. with vendors, partners and customers
- Security metrics, reporting and systematic improvement
- Business continuity
- Identification and authentication
- Access controls
- Logging, alerting and alarms
- Cryptography fundamentals
- Cybersecurity vs information security
- Intellectual property? Copyright at least
Feb 5, 2020
Jan 31, 2020
Jan 30, 2020
"Simplicity is the default unless there's a good business reason to do something else. What is typically lacking are the business reasons ..."
One of the nice things about that is our approach in practice. At 'run-time', when our content is actually being used in, say, an awareness session, workshop, course or online discussion, the way the materials are used depends on the presenter, the audience, the topic and its relevance to the organization, and the context (e.g. is it a half-day session in a meeting room or a half-minute chat in the lobby?). Diagrams are much more flexible than text - although techniques such as headings, contents pages, side-bars, pullquotes and text boxes make it easier for people to skim through the text to pick out whatever catches their eye in, say, a briefing paper or report. Generally speaking, bright, colourful, 'interesting' pictures make the best eye-catchers.
Individuals vary in their preferred modes of learning too. Some of us like to read stuff (words and/or pictures) while others prefer to listen, be shown or experience things first-hand. Some simply accept new information at face value (especially if provided by an 'expert' or 'senior') whereas some challenge it, or are inspired to contemplate and explore the topic as their way of internalising it. A few reject stuff by default, only ever accepting things on their own terms. And yes, some simply can't be bothered, don't understand and/or don't care. We all have our off-days and Other Stuff Going On Right Now.
PS Although I'd love to supplement or even replace this blog piece with a neat little diagram, I don't have the time to simplify things right now. That's the downside of graphics: visual creativity takes time to express. Must dash, module to finish ...
Jan 29, 2020
Jan 28, 2020
Jan 27, 2020
Jan 25, 2020
In 2006, the Council of Europe launched Data Privacy Day as an annual event on January 28th.
Data Privacy Day was later taken up by some American organizations. According to the Wikipedia page, participants in the 2016 "event" included the Anti-Phishing Working Group, Carnegie Mellon University, Cyber Data-Risk Managers, EDUCAUSE, Georgetown University, Federal Trade Commission (FTC), Federal Communications Commission (FCC), Federal Bureau of Investigation (FBI), Identity Theft Council, the Privacy Commissioner of Canada, New York State Attorney General Office, the UK Information Commissioner and Data Security Council of India. I have no idea if they are still involved this year, and frankly I can't be bothered to find out, just as none of them, it appears, could be bothered to update the Wikipedia page in 4 years.
The fact that I had no idea Data Privacy Day was coming up on Tuesday suggests that all those years of publicity haven't been entirely successful.
Protect Your Personal Information
- Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.
- Make your password a sentence: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
- Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.
- Write it down and keep it safe: Everyone can forget a password. Keep a list that’s stored in a safe, secure place away from your computer. You can alternatively use a service like a password manager to keep track of your passwords.
Jan 24, 2020
The discussion concerns the disarmingly simple phrase "information asset", used in some but no longer defined in any of the ISO27k standards. Among other things, we've discussed whether people/workers can be classed as information assets, hence information risks associated with people potentially fall within scope of an ISO27k ISMS.
"Knowledge is generally broken down into three different types - explicit, implicit, and tacit. When we are talking about classing employees as an asset or simply treating the information that they know as an asset, I think maybe this can be broken down further using these different knowledge types.
Explicit knowledge is knowledge that is easily transferable, can be recorded and stored. Things like standard work instructions, guides, procedures, policies. Due to the nature of this information, it seems obvious to class the information itself as the asset here - you can mitigate the risk of information loss simply by recording the information.
Implicit knowledge is the practical application of explicit knowledge. This can include knowing your way around a particular security product, or a particular piece of equipment. This type of knowledge is difficult to record; however, things like best practices are the best attempt, although it's difficult to include the entire background knowledge of the best practice. Due to this, loss of this information is difficult to completely mitigate, and hence, I think the employee here could be classed as the information asset. The best mitigation is to keep the employee.
Tacit knowledge is the practical application of implicit knowledge. Examples of this are knowing not only a particular security product but how and why this product fits into your infrastructure. The small details which make the infrastructure whole - having the history of decisions and incidents which led to this point directly on hand. This type of knowledge is inherently most difficult to record and I think due to this, the employee would again be classed as the information asset. The best mitigation is to keep the employee."
- Communicated/passed on to others ... or withheld from them
- Valued, sufficient for accounting, sales or other purposes
- Disputed or challenged
- Expanded upon
- Protected by intellectual property laws ... or pirated, plagiarized and disclosed inappropriately
- Submerged, hidden, stolen, damaged/modified, garbled, deliberately mis-stated or destroyed in that physical form. It can certainly still be misunderstood or misinterpreted (ask any lawyer about the 'precision' of even formally-worded statutes and contracts!).
“If I send my people on training courses to get better qualified, they’ll leave!” the reluctant manager explained. “Ah but”, said the wise advisor, “what if you don’t train them … and they stay?”
- Their explicit knowledge is already captured, making it available to exploit even without the person ... provided the knowledge capture is sound (accurate and complete - integrity properties) and available when needed;
- Their implicit knowledge may be captured and then exploited so long as the person is there and is cooperating, and so long as someone (possibly the same person) has the inclination, resources and capacity to 'capture' it with integrity - which is far from certain;
- Their tacit knowledge can be exploited but would be difficult or impossible to capture, or at least it would take an extraordinary effort to do so, and the worker must be available, willing to cooperate and able to disclose the knowledge or unable to prevent its disclosure.