Categories
Uncategorized

How to check the validity of an ISO certificate

Many organizations want to check that their suppliers and partners are managing information security risk, and possession of an ISO 27001 certificate is often the preferred way to evidence this. If you are reliant upon the assurances that an ISO certificate can provide, checking that the certificate is valid is an important but not particularly […]

Categories
Cyber security

Culture, Media and Sport Committee Enquiry into Cybersecurity

Shortly after the recent attacks on TalkTalk the Culture, Media and Sport Committee decided to hold an inquiry into the circumstances surrounding the data breach, but also the wider implications for telecoms and internet service providers. This raised a number of issues around the premature speculation around the causes of the incident, cybersecurity within the telecoms industry, and the […]

Categories
Uncategorized

Responding to username and password breaches

The past week saw a number of breaches of usernames and passwords from well-known websites. People are prone to reuse passwords across personal and corporate accounts, and compromised social networking accounts can be used to conduct social engineering attacks. These incidents have the potential to impact on your own organisation but it can be difficult to […]

Categories
Cyber security

TalkTalk and Encryption

In the week since the TalkTalk breach there’s been commentary on encryption of data, particularly with their CEO’s comments that they were not legally required to encrypt data. Of course encrypting the storage of data at rest is a common sense control against a range of threats such as physical theft or loss of the […]

Categories
Uncategorized

UCISA publish guidance on information security governance

Yesterday UCISA published the Information Security Management Toolkit that provides guidance to higher education institutions wishing to establish systems to manage information security. Authors from across the sector contributed to the content including Andrew Cormack and myself from Jisc. Previous guidance from UCISA which mainly focused on the application of ISO/IEC 27002:2005 to Higher Education. This new […]

Categories
Uncategorized

Encouraging safe behaviour with technology

User education is a hot topic in information security. Through education we can empower our users to protect information in a environment that’s frequently challenging and where natural assumptions about behaviour don’t always hold true. I wonder though if it’s possible to take this too far. Not all responsibility for the insecurity of systems, even […]

Categories
Uncategorized

Reviewing risk mangement

For many if not most organisations information security risk management is a new and relatively immature activity that they are still discovering and learning more about. This can mean that the results of the activity can be imperfect. As we learn we can improve the process to better fit the requirements of the organisation but […]

Categories
Cyber security

Incorporating Cyber Essentials into your ISO 27001 ISMS

A brief post this time on my thoughts as to how best integrate certification to the Government’s Cyber Essentials scheme into an ISO 27001 ISMS. I’m going to intentionally stay away from how to achieve certification to Cyber Essentials, and just focus on how it might sit within your ISMS. Assuming that you’ve identified a good business […]

Categories
Uncategorized

Talking about information security impacts

Over the past week I’ve been looking at our existing processes for managing risk, how information security risk fits within this framework, and what improvements can be made overall. One of my concerns is that most people aren’t used to explicitly thinking about risk and that my colleagues need to be able to relate to […]