1 February 2016 at 1:10pm
One of the many organizational tools to come out of manufacturing is called 5S. Based on a list of five Japanese words, Seiri, Seiton, Seiso, Seiketsu, and Shitsuke (Sort, Set, Shine, Standardize and Sustain), it provides techniques that promote efficiency and quality, particularly in a workplace where multiple workers share responsibility for production. Seiton and Seiso promote the organization and tidying of a workspace. Are these methods relevant to information security? Are organized, tidy and maintained systems more secure?
26 November 2015 at 4:17pm
Analogies are regularly used in Information Security. Our work can be difficult to understand, and a good analogy can be a powerful tool to simplify complex issues. Despite this I’m not their greatest fan. My apprehensions are because it’s not the only tool available to us. Clear and precise explanation in simple language can be overlooked in favour of analogy. Superficial or weak analogies can become clichés with no real thought for the underlying issues.
30 October 2015 at 12:00pm
In the week since the TalkTalk breach there's been commentary on encryption of data, particularly with their CEO's comments that they were not legally required to encrypt data. Of course encrypting the storage of data at rest is a common sense control against a range of threats such as physical theft or loss of the storage device.
19 December 2014 at 2:11pm
There's been a huge amount of press coverage of the attack and subsequent data breach at Sony and the few facts that are public knowledge have been swamped by hearsay and conjecture. What can we learn so far? Here are a few thoughts to end the year on.
4 December 2014 at 2:15pm
For many, if not most, organisations information security risk management is a new and relatively immature activity that they are still discovering and learning more about. This can mean that the results of the activity are imperfect. As we learn we can improve the process to better fit the requirements of the organisation, but in the meantime we need the ability to deal with flawed results. Some might even go a step further and propose that most risk management methods are inherently flawed and don't go far enough to investigate and measure the root causes of risks.
5 November 2014 at 4:17pm
A brief post this time on my thoughts as to how best integrate certification to the Government's Cyber Essentials scheme into an ISO 27001 ISMS. I'm going to intentionally stay away from how to achieve certification to Cyber Essentials, and just focus on how it might sit within your ISMS.
28 October 2014 at 2:11pm
I'm curious about the language used to talk about information security issues. Does our choice of words influence the way we think about security, or does the way we think about security affect our words? Which is the cause and which is the effect? I think that at times both can be true, and that does give me hope that this is something we can actively influence and control if we wish. Issues of risk can be complicated and difficult to communicate. Although we all innately (and largely successfully) deal with risk, we don't routinely express these ideas through words.
15 October 2014 at 3:27pm
Over the past week I’ve been looking at our existing processes for managing risk, how information security risk fits within this framework, and what improvements can be made overall.