Posts

Showing posts from 2020

Black Swans and other things

Black swans and other things. For transparency, I'm not an academic. What I enjoy doing is reading academic works, it does not matter what field, with the objective of attempting to answer questions I have related to information and cyber security. Two [of many] questions [the context throughout this blog is businesses, organisations, and information and cyber security]. Why, in the many cases that have been documented, do Chief Information Security Officers [CISO] get shown the door following a major breach of a company network? Whilst CISOs are highlighted, others having a similar role but not called CISOs are also covered under this question. Why, given the current situation of COVID-19, were many businesses unprepared? The unauthorised attempts at infiltrating a company network are not outliers [thus not a Black Swan]; they happen daily, it is the norm. The evidence, even though prejudiced in itself, is there for all to see. I say that the evidence is prejudiced

Info and Cybersecurity tips - working from home

Working from home - hints and tips. Pretty sure you will have seen so many hints lately about working from home, using laptops and so forth. First, if you have not heard of KanSecurity Ltd - it is based in Carlisle, Cumbria, and in fact has been for a good number of years. As a company it provides advice, guidance, help and training on all matters related to information and cybersecurity. Nigel, the owner, is a veteran [25 years] and has been working in the world of information and cybersecurity for over 30 years. So, work is mainly with larger organisations and businesses BUT KanSecurity Ltd is here to help micro, small and medium businesses in any way it can. Let's face it, information and cybersecurity is complex, and not always fully understood by your IT Service Provider. KanSecurity works with your IT Service Provider, not against them. So whilst they will do a brilliant job of sorting out IT - is that IT Security, Computer Security, Information Security or Cyb

Rise of the Checklist

Rise of the checklist. With thanks to the coronavirus, there has been a rise in checklists; what you should or shouldn't do and so forth. Well, here is another one, but this time with a twist. Let's suggest for the moment that there is no business continuity plan [BCP] in place, or that there is a plan [created to satisfy a client] which quite frankly isn't worth the paper upon which it was printed; then: What did the IT team have to put in place, at a rush and without testing [probably], to enable staff to work from home? Make a list. What did the HR team have to put in place, at a rush and without testing [probably], to enable staff to work from home? Make a list. What did the payroll team have to put in place, at a rush, to ensure that staff can continue to be paid? Make a list. What did team leaders have to put in place, at a rush, to ensure that staff working from home are supported; do not feel isolated; do not become stressed? Make a list. What did the b

A laptop called information

Information asset – a laptop too far. An asset is most often defined as being something of value [to the business]; a resource that has economic value. In accounting terms, 'of economic value [to the business]' means a resource that has the ability to generate financial benefit [or loss]. An information asset could be defined as being a body of knowledge [information], a resource that has economic value [benefit, or loss, to the business]; where a body of knowledge is the collection of information gathered together in one or more places. For example: an information asset [a body of knowledge] that is intellectual property [IP] could be said to have financial benefit; it has economic value to the rightful owner. However, if other parties gain unlawful access to the IP for their financial benefit, this could impact upon the lawful owner's rights. How important then is that IP to its rightful owner? To put it another way; if the lawful owner of the

Sleepless nights, and business owners

What keeps the business owner up at night? I am talking about owners of the micro, small, and in some cases medium sized business; those owners who on a daily basis put their heart and soul into building their business and doing all they can to keep it running successfully; making profit; keeping customers happy; employing people etc. The farthest thing from their minds will be information and cyber security. It could even be suggested that the mere mention of the subject is likely to result in a furrowed brow followed by, 'this is what I pay the IT Service Provider to look after'. It is not surprising then that the evangelist, having worked in the information and cyber security space for many years, comes across disinterest; disregard; and perhaps just a bit of indifference when the subject is raised. That is not meant to insult the business owners, it's simply a fact of the evangelist's life. For 20 years and more so many thoughts around how to change mind-sets h

The Statement of Applicability

ISO/IEC 27001:2013 and your SoA. The journey that sees an organisation gaining its Certification to ISO/IEC 27001:2013 (information security management system (ISMS), requirements) must include the creation of a statement of the applicable controls (or measures) used within the scope of the ISMS. The Statement of Applicability (SoA) is a mandatory requirement, and is a 'statement' of the controls (or measures) you have implemented in response to the options you have selected to treat a particular risk. The simple diagram above (and yes, it is simple) shows that the SoA is an 'output' document! I am going to say that the following is all theory, but only because it causes so much angst. Having identified within the scope of your ISMS the source, the cause, the event and the consequence of a risk, and found through analysis and evaluation that it is unacceptable, the business makes the decision to 'treat' the risk in some fashion.

Information and Cyber security

Information and Cyber security. I know that the most obvious thing to do is use the phrase 'cyber security'. But to me it is so much more than that, and that is the reason I always use the phrase 'information and cyber security'. Perhaps that is not such a good thing from a marketing perspective. However, I am going to dig my heels in and go against the grain. Being a tad flippant about this; I am able to justify securing (in whatever way) information, but the cyber? I've personally not come across any cybers that needed securing, unlike Dr Who of course. Moving away from flippancy, to me it comes down to a word: 'intent'. What are the intentions of those acting against us as businesses; as humans; and as nations in such a negative (criminal) way? Published more or less on a daily basis will be the statistics that demonstrate just how many records (containing information) are lost. But, the records may not simply be lost (stolen), they

Risk and context

Risk tree...for Certification. This being the 3rd in the series about information and cyber security risk; but who's counting? ISO/IEC 27001:2013 (27K1:13) sets out the requirements for an information security management system (ISMS). ISO tells us that an ISMS is: a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process. There are some key words and phrases within that statement: sensitive company information; secure; people, processes and IT systems; risk management process. Starting at the top: information, sensitive information to be more precise, that if not protected (kept secure) could perhaps result in a negative consequence. Keep in mind though, risk is not just about the negative, it is also about opportunities. Can 'sensitive' (whatever that means) information actually protect itself, or is there a need t

Risk and Certification

Risk too...for Certification. The previous discussion on information and cyber security risk was focused toward the micro and small business; the purpose being an attempt to get their ball rolling on looking at risk. Certification to ISO/IEC 27001:2013 (information security management system (ISMS), requirements) needs the business to seriously focus on information and cyber security risk. In fact, clause 6 (Planning) and its sub-clauses are all focused on risk; this is the 'plan' element of the plan, do, check, act (PDCA) dance. On the other hand, clause 8 (Operation), and in particular 8.2 and 8.3, is all about carrying out risk assessment and treatment, the 'do' element of PDCA. The International Organisation for Standardisation (ISO) does not dictate to your business any particular process or methodology for risk. But, whatever process you adopt, it must produce consistent, valid and comparable results (clause 6.1.2b). If not, the syst

Risk and micro, small business

Risk; why is it so difficult? Information security risk management, or if you wish cyber security risk management; either way it appears to cause a bit of a problem. Over many years now I have seen and audited different concoctions, the majority of which fail completely to be effective in managing the risk. That said, I have also seen some scarily good processes, many of which are application driven rather than spreadsheet driven. This is an out and out plug, but the best and most effective examples have usually been driven by Acuity Risk Management's Stream application. However, for the micro or small business the best approach is to keep things simple, for the moment at least. Risk description - there are excellent definitions for risk published within various ISO documents. However, it all boils down to the following: Source (what is the source of the thing that could happen - internal or external parties); Event (what is going to occur); Cause

Personal data or PII

PII or not to PII, that is the question. PII, or personally identifiable information, is used an awful lot to describe something that within the EU-GDPR and DPA2018 (UK-GDPR) is referred to as 'personal data'. What is personal data vs PII? Personal data - means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR, Art 4(1)). PII is identified in US law as - information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. (Offic

Compliance or Conformity

Compliance is not security, or is it? There is a view (anecdotal) that compliance is not security. To be more precise, information and cyber security. For those aware of this standard, ISO/IEC 27001:2013 (information security management system, requirements) asks those organisations seeking certification to conform to its requirements. On the other hand, the Payment Card Industry (PCI) security standards, for example the Data Security Standard (PCI DSS), require compliance. Conformity or compliance; in the cases above they both seek to achieve something similar: security, in the context of information and cyber security, by ensuring that important data assets are protected (specifically cardholder data for PCI DSS, and 'other' sensitive and critical information/data for ISO/IEC 27001:2013). Having generalised with the use of the word 'other' for 27001, in truth if cardholder data were in scope then 'other' would include cardholder data.