The past week saw a number of breaches of usernames and passwords from well-known websites. People are prone to reuse passwords across personal and corporate accounts, and compromised social networking accounts can be used to conduct social engineering attacks. These incidents have the potential to impact on your own organisation but it can be difficult to […]
In the week since the TalkTalk breach there’s been commentary on encryption of data, particularly with their CEO’s comments that they were not legally required to encrypt data. Of course encrypting the storage of data at rest is a common sense control against a range of threats such as physical theft or loss of the […]
Yesterday UCISA published the Information Security Management Toolkit that provides guidance to higher education institutions wishing to establish systems to manage information security. Authors from across the sector contributed to the content including Andrew Cormack and myself from Jisc. Previous guidance from UCISA which mainly focused on the application of ISO/IEC 27002:2005 to Higher Education. This new […]
User education is a hot topic in information security. Through education we can empower our users to protect information in a environment that’s frequently challenging and where natural assumptions about behaviour don’t always hold true. I wonder though if it’s possible to take this too far. Not all responsibility for the insecurity of systems, even […]
Categories
Reviewing risk mangement
For many if not most organisations information security risk management is a new and relatively immature activity that they are still discovering and learning more about. This can mean that the results of the activity can be imperfect. As we learn we can improve the process to better fit the requirements of the organisation but […]
A brief post this time on my thoughts as to how best integrate certification to the Government’s Cyber Essentials scheme into an ISO 27001 ISMS. I’m going to intentionally stay away from how to achieve certification to Cyber Essentials, and just focus on how it might sit within your ISMS. Assuming that you’ve identified a good business […]
Over the past week I’ve been looking at our existing processes for managing risk, how information security risk fits within this framework, and what improvements can be made overall. One of my concerns is that most people aren’t used to explicitly thinking about risk and that my colleagues need to be able to relate to […]