Friday, 22 August 2014

How do you identify crown-jewel information assets and protect them?

I have developed an 'Information Asset Register Tool' that is undergoing testing. Take a look! If you do, please let me have your comments.

Excellent Information Security Guide

Internet2 has an excellent Information Security Guide. It is designed to support university Information Security managers and is a superb resource with an excellent front-page interface.

Definitely worth a look.

Wednesday, 2 July 2014

Why senior leaders are the front line against cyberattacks

Found a very interesting McKinsey article which emphasises that senior managers need to lead. An extract:

"Cybersecurity is a CEO-level issue. The risks of cyberattacks span functions and business units, companies and customers. And given the stakes and the challenging decisions posed by becoming cyberresilient, making the decisions necessary can only be achieved with active engagement from the CEO and other members of the senior-management team."

Tuesday, 27 May 2014

The Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills and carried out by PwC, was announced by David Willetts at the Infosecurity Europe conference.

The survey reported that 81% of large organisations suffered a security breach over the last year. Whilst this is down from 86% a year ago, and organisations are experiencing fewer breaches overall, the severity and impact of attacks has increased, with the average cost of an organisation's worst breach rising significantly for the third consecutive year. For small organisations the worst breaches cost between £65,000 and £115,000 on average, and for large organisations between £600,000 and £1.15 million.

A very important and relevant finding this year is that, "70% of companies that have a poor understanding of security policy experienced staff related breaches, compared to only 41% in companies where security is well understood. This suggests that communicating the security risks to staff and investing in ongoing awareness training results in fewer breaches."

The full PwC report is available from: http://www.pwc.co.uk/audit-assurance/publications/2013-information-security-breaches-survey.jhtml, and provides a useful perspective for our University's Information Security activities and priorities.

eBay attack is 'wake-up call to all of us' - Information Commissioner

The Information Commissioner's Office blog makes very interesting reading regarding the recent eBay breach. Here is a quote: "This needs to be a wake-up call to all of us. It shows consumers the importance of having different, strong passwords for different online services. It's a wake-up call to government that the 20-year-old data protection laws are showing their age. But most of all it's a wake up to businesses. Cyber crime is real. Hacking is real."

Thursday, 20 February 2014

Holistic Management of Employee Risk (HoMER)

Employee risk is defined as counterproductive behaviour, whether inadvertent, negligent or malicious, that can cause harm to an organisation.
The guidance sets out:
  • Principles, policies, procedures and examples of good practice which help manage the risk of counterproductive behaviour in the workplace
  • Ways to strengthen compliance with legal and regulatory frameworks
  • A framework to help improve trust amongst employees, customers and shareholders.
See more at: http://www.cpni.gov.uk/advice/Personnel-security1/homer/
Managing employee risk has become a critical issue for organisations, for which a fine balance is required between treating employees fairly and ethically, and ensuring comprehensive data security. This guidance from the CPNI is worth a read.

European Information Security Summit

The Summit was held at the British Museum (18-19 February). Videos of the talks will be available shortly.

One development discussed in many panels, and of particular interest, is Europe's new data regime. The European data privacy framework includes a new regulation and a new directive, and will apply to all 27 European member states. The package of measures is aimed at fundamentally overhauling and harmonising the EU's data protection regime, and will introduce enhanced rights for individuals and tough penalties for non-compliance. It is designed to eliminate the uncertainty created by the patchwork of data protection laws and data breach notification requirements that businesses currently face. One result of this new regime would be that the maximum possible fine would increase significantly from the ICO's current limit (in the UK), possibly to between 2 and 5% of a company's global revenue.