Tuesday, 9 June 2015

Can you make IT security sexy? - a Guide to Awareness Campaigns

By Lone Forland, Neupart

Once you have read my article, you will have a good idea on how to approach your IT security awareness campaign. You will get concrete advice on choosing topics, forming alliances and how to measure how well your campaign worked.

IT security is hardly known for being the world's sexiest topic. In the eyes of many, it is time-consuming, limiting and boring. 

A boring housewife on a TV programme can get the help of a hairdresser, a stylist and fashion experts in highlighting her interesting sides. Similarly, you can give IT security a makeover in order to make the topic more accessible, relevant and exciting.

This is what you do:
  • get the support of the management
  • choose the right topics
  • meet people where they are

The support of management
You must first and foremost ensure the involvement of the management. There are two reasons for this: 

For one thing, the employees should hear from the management why IT security is important. The message then carries more weight.

For another thing, awareness campaigns are not free. They cost the organisation time. You will only get the resources you need if you make it clear to the management why you need an awareness campaign. If an IT audit has resulted in findings and recommendations, or if you need to follow ISO 27001, you will have a compelling argument. Awareness is a requirement set out in ISO 27001 and ISO 27002, so there is no way around it. A focus on IT security can furthermore save you time and money. Both your finances and your image take a hit when a user error causes a data leak or system breakdown.

Moreover, awareness is about communication. If this is not your strong suit, you should become good friends with your communications or marketing department, if your company has one. They will be able to help you reach the employees in a language they understand.

Choose the right topics
With the backing of your new allies, you should now figure out the areas on which your awareness campaign should focus. There are many topics from which to choose, some heavier than others, and unnecessary information needs to be removed. 

Consider the problems you have experienced that were caused by users not knowing the rules. A few examples may be:

  • Guests to the company are not registered when they arrive and they walk around without access cards.
  • Documents with confidential information are lying around in an unlocked room.
  • Sensitive personal information is not sent through secure email (encrypted).
If you are unsure of anything, get hold of the HelpDesk or IT support, if you have those functions. They can tell you what employees most often ask about and what they are unsure of. You can also consider whether you recently began to use new systems or to carry out tasks in a new manner. Have the employees become familiar with this, or are there many mistakes?

You will possibly find more problems than you can address in a single awareness campaign. Focus on the most important parts and save the less important ones until your next campaign. We must make sure to use simple and powerful messages. Prepare short campaigns with simple themes, and then run campaigns more often. 

Meet people where they are
Now you need to go out and meet people where they are. The employees sit in front of their computers, they eat in the cafeteria and they go to Friday morning meetings. This is where you should meet them. One way to do this is by means of:
  • Happenings - Little funny things that get people talking. This can involve small figures or other such things placed on the employees’ table, or by handing out chocolate bars in exchange for them agreeing never to share their passwords with anybody. The possibilities are limited only by your imagination and it does not even have to be especially expensive.
  • Messages with good advice - E-mails that briefly describe a problem area and how the employee should act.
  • Postings on the intranet - Again: make them short and useful. Once the posting is read, the employee should know precisely what he should (or should not) do and why it is important.
  • Posters in the cafeteria - The posters make employees aware of the campaign and get the employees (hopefully) to talk about why IT security is important.
  • Morning meetings - If everyone is assembled for a weekly morning or Friday meeting, you can try to squeeze in a little speech of your own.
  • Quizzes - A quiz has the benefit of involving the participants. Put up some wine or chocolate as a prize to the employee or department that does the best.
A quiz can also show management that your awareness campaign has had an effect on people. Set a realistic goal for yourself. If half of all the employees take the quiz, you have done a great job! A quiz also shows you the areas in which you need to do more to train the employees.

So, can you make IT security sexy? You can at least come a long way when you make it accessible, relevant and interesting.

There are many programs that can help you make quizzes. The new SecureAware Quiz module from Neupart not only makes it possible for you to write your own questions and answers, but also follows up on how many have been answered correctly. You also get an entire library of questions/answers concerning IT security from which you can pick. This way you efficiently ensure that the employees are made familiar with the relevant policies and rules, as well as any compliance with standards, such as ISO 27001. Read more here

Other resources

Participate in 30 minutes webinar:  How to plan and run an effective awareness campaign

Sign up for our other webinars and events here

Contact us for a personal demonstration of SecureAware

About the Author: Lone Forland is a product specialist at Neupart and offers instruction in awareness campaigns, among other topics. Lone Forland furthermore helps Neupart's customers get started with Neupart's ISMS tool, SecureAware, and serves as a liaison between customers and development.

Wednesday, 25 February 2015

Why in the world should managers be interested in information security?

You should be involved in security because security means something to your customers and because cyber attacks and security incidents are beginning to occur in all kinds of businesses. We have all seen the numerous examples of data breaches, attacks and other security incidents in the news. Often, one might expect or hope that the involved organisations were better protected than they actually were. Information security is very much on the agenda, both in the business world and in the media.
Your customers, regardless of whether you sell directly to customers or to other businesses, are presently interested in the topic. That is why you as a manager and a senior executive should take an interest in whether your organisation is sufficiently prepared for a major cyber attack or a systems crash. That should be as good an argument as any! However, there are even more good reasons that I would like to share with you.
Brand image and profitability: Perhaps you have spent years slowly but surely building credibility for your brand name(s). You want your customer to have confidence in you. One security incident can quickly serve to reduce the trust and confidence you have gained to such a degree that even the best (or most expensive) image campaign will not be able to bring it back.
Costs: Add to this the enormous costs you face when you need to deal with a major security breach. Such costs are incurred both due to the incident itself and due to the following investigation, cleanup and restoration. Theft of company secrets and/or intellectual property, as well as industrial espionage, can obviously be expensive and even a threat to the very existence of some companies. Afterward, it will surely be shown that more investment in preventive security measures would have made good sense and would have saved money. Moreover, since the threat will continue to develop, it would be a good investment for the future as well.
Legal Statutes: You are subject to certain legal requirements demanding that you have a sufficient level of information security. Bear in mind present and future Personal Data Acts. The future EU personal data legislation (a regulation) is expected to be passed so that it will apply in all EU Member States. It provides for companies to pay fines of perhaps as much as 5% of their turnover for computer security breaches. There is a comprehensive requirement that the affected parties be notified (data breach notification), which is both expensive and difficult to perform. Add to this a number of industry-specific requirements: for example, financial enterprises must comply with the financial supervisory authorities' requirements concerning information security, there are requirements placed on the energy sector and the health sector, and state-run enterprises must comply with the ISO 27001 standard.
Governance Requirements: Corporate governance requirements determine 1) that management set out the procedures necessary for risk management and internal inspections, 2) that the administration take a position on strategic and commercial risks and 3) that managers who have negligently caused the company to suffer damages shall pay compensation for such damages. In other words, there is also an array of legislative reasons to be interested in information security.
Audit: You likely also strive for your audit to be consistent with most of everything that might be found in those long audit guidelines. Your information security will also be audited. Keep in mind as well that, regardless of the fact that accounting firms play a dubious double role (at the same time offering a wide range of both executive and advisory consultancy services within the field of information security), it pays for you to prepare for the audit proactively. It should be easy for you to document that you are in control of your information security.
However, what should you as an executive do, in addition to taking an interest in the topic? Easy: a) you should communicate to your organisation that security is important and that it is a basic condition for your business activities, and b) you should investigate whether you have allocated sufficient financial and human capital in your organisation to deal with the everyday, practical management of your information security.
If you want to get a little bit deeper into the subject, I recommend you examine your maturity level in these areas:
  1. Policies, rules, procedures and documentation
  2. Risk management (risk assessment and continual risk treatment)
  3. Incident management and contingency plans
Proper governance and management of information security has become a common best practice simply because it has become a necessary condition for most commercial activities. That is why a manager should be interested in information security.

PS: I have summarized the six reasons for you in this document here

Best regards
Lars Neupart

Blogger: Lars Neupart is the founder and CEO of Neupart

Wednesday, 29 October 2014

Choosing the right scenarios for your business continuity plans

By Jakob Holm Hansen, Neupart

Our most recent blog post dealt with The three golden rules of business continuity planning. This time, we continue in the world of business continuity planning and take a closer look at scenarios and strategies.

Let's start with establishing the terminology:

A business continuity scenario is a defined situation to which we may be exposed and which the continuity plan addresses.

A business continuity strategy is the manner in which we choose to handle a given scenario in the business continuity plan.

Many of us find it difficult to fully grasp these concepts, as we often associate the word "strategy" with a more general document describing the company's visions and future plans. In this case, however, it’s about strategies for dealing with fires, system crashes, virus attacks etc. So... the word strategy is correct, but only in the context of a specific scenario.

Where do I begin?

How do we choose the scenarios to be addressed by our business continuity plans?
The secret is not making the scenarios too specific, but at the same time making them specific enough to be useful. If we believe we are able to come up with a complete list of detailed scenarios, we may find ourselves experiencing a scenario that we had not anticipated.

So instead of a list of scenarios that looks like this:
  • Fire at the data centre 
  • Rainstorm affecting the data centre 
  • Lengthy power outage at the data centre 
  • Data centre vandalism
  • Etc. 
- we have one scenario called: Data centre out of service.

We need to be able to handle a situation in which we cannot use our data centre - regardless of the reason. When doing this, we avoid a great deal of unnecessary text in our business continuity plan (see The three golden rules of business continuity planning) and we indicate that our business continuity plan is able to handle several different situations.

In order to establish which scenarios are to be covered by our continuity plan, a workshop can be held involving selected employees from the organisation. 

As mentioned above, one scenario could be: Data centre out of service. Other examples of scenarios may include:
  • Critical systems out of service
  • Critical virtual server out of service
  • SQL server out of service
  • Extensive virus outbreak
  • Hacker attack 
  • Key supplier goes out of business 
  • Leak of information
  • Etc. 
As you can see, these scenarios differ in level of detail and the task is now to find the correct level.


Once we have established what scenarios our business continuity plan should cover, it is time to figure out what to do when the scenarios occur. In other words - defining the continuity strategies.

We need to describe our strategies before these scenarios occur. Otherwise we will have to come up with solutions on the fly. Be careful not to rely on "action team" based business continuity. In a crisis situation there is simply too much stress involved for us to be expected to come up with - and carry out - the right solution.

A good approach to describing the strategies is defining the steps to be taken in order to address the given situations. One way of doing this is by holding a workshop like the one mentioned above.

Furthermore, it is important to think through the entire situation:
  • Should a consultant/supplier be involved? 
  • Can we define a subset of data in advance that is especially critical and that must be recovered first? 
  • Remember communication! 
  • Remember testing! 
  • What are the prerequisites for this strategy? 
  • In what order must the systems be started? 
  • Etc. 
Nor should a continuity strategy be too detailed. We need to describe the various activities and the order in which they are to be performed, but we should not describe it right down to the level of every single nut and bolt.
If it is necessary to provide a precise description, for example, of how to restart an application, then this should be found in the disaster recovery procedures or the system documentation.

Once scenarios and strategies are in place, the backbone of our business continuity plan is established. We are now well on our way to writing a sound business continuity plan.

Please share your experience in creating effective, pragmatic and operational business continuity plans in the comments below.

About the Author:
Jakob Holm Hansen is a Senior Security Advisor at Neupart and advises companies on ISO 27001, IT risk assessments and business continuity planning.

With Neupart's SecureAware BCP TNG you can improve your business continuity planning and make sure that your plans are always up to date. Read more here

More resources
30 minutes webinar:
How to create a structured continuity plan with operational scenarios

Find our other webinars and classes here: http://www.neupart.com/events

Wednesday, 27 August 2014

The three golden rules of business continuity planning

By Jakob Holm Hansen, Neupart

"How long should a business continuity plan be?" This is a question we often hear from our customers. My answer usually is: "As short as possible!" The truth is that the perfect business continuity plan (if such a thing exists) should be three - sometimes contradictory - things at once:
  • Comprehensive 
  • Short 
  • Operational
As implied above, we don't live in a perfect world, and sometimes we must create a balance between the three. Let's take a closer look at the three "golden rules of business continuity planning".

The business continuity plan must be comprehensive. Or at least adequate. Please note that I write comprehensive - not long. The business continuity plan must cover the critical processes and systems, otherwise it is worth nothing. This is one of the reasons we always recommend starting with a risk assessment.

So that's the first golden rule. The business continuity plan should include what is critical and important to our business, otherwise, it does not fulfill its sole and main function: to protect ourselves against unacceptable losses as a result of an incident.

But the business continuity plan should still be short. Very often we see business continuity plans of 150 pages or more. Although it is an impressive piece of work, some of the time spent typing it up might have been better spent.

But why is it so important to keep the plan short and simple? We have to keep in mind when and under what circumstances we will be needing the plan. In an emergency situation, the business continuity team should only be presented with the information they need in this situation. If they are handed a 150-page plan, one of two things will happen: 
  • Business continuity is slow, inefficient and inflexible
  • The business continuity plan will be scrapped, and the situation will be handled "ad hoc".
If this happens, it is obviously wasted effort writing a business continuity plan to begin with.

Finally, our business continuity plan must be operational. Unfortunately, many business continuity plans start with page after page of general considerations, such as introduction, purpose, objectives, stakeholders, approvals, references to standards and legislation etc. As I mentioned earlier, the business continuity plan will be used in emergency situations and must be operational from page 1! This is why these kinds of general considerations, even if they are justified, should be removed from the plan. One way to do this is to create a separate "Business Continuity Policy" - or at least place these as the last part of the plan.

To make the business continuity plan operational, it is important that we give some thought to the structure and flow of the plan. We don't want the business continuity team to have to turn page after page to find what they are looking for and thus lose track. Therefore, it may be a good idea to start the plan with a flow chart so that they can always return to this in order to get an overview. I am a big believer in the "one page management" concept, where the entire business continuity flow is described on one page.

You should also consider which style and language to use in the plan. Short, clear messages, preferably in bullet form, are much better than long, convoluted chapters. Keep in mind that there is limited time and quite an amount of stress involved when experiencing an emergency situation.

So... Remember the three golden rules and keep your business continuity plan Comprehensive, Short and Operational.

Please share your experience in creating effective, pragmatic and operational business continuity plans in the comments below.

About the Author: Jakob Holm Hansen is a Senior Security Advisor at Neupart and advises companies on ISO 27001, IT risk assessments and business continuity planning.

With Neupart's ISMS tool you can improve your business continuity planning and make sure that your plans are always up to date. Read more here

Thursday, 5 June 2014

Tips to help you build your information security policy - New vs. old ISO 27002

I have worked with information security for several years (despite my young age) and I have seen numerous different policies, rules, procedures and other types of security documentation. What really works best is to have a clear, well-defined breakdown between these, for example:
  1. Policy: Our ambitions and goals. What do we want to achieve? What is the scope? It should be short - Preferably no more than one page.
  2. Rules: What do we do? What don't we do? What are we (not) allowed to do? The rules must be precise as to who should carry out the various tasks.
  3. Procedures: 'How-to' documents.

I will focus the rest of this post on the rules document. The rules document tends to become (too) long in some companies. A good tip is to divide the rules up into target groups. In this way a user only needs to read the rules that are relevant to his or her job. Some companies even print an end-user-friendly folder containing only the most important rules on information security - We call it a PIXI.

And then there's the structure issue. What chapters should the rules document contain? Some users want descriptive headings sorted in a way that seems logical to them. Others prefer a structure that matches the 2005 version of ISO 27002 - these are typically the ones working directly with information security. The ISO structure is convenient for the security or IT department, because the standard is an expression of best practice. Using a similar structure makes it easy to see whether you have remembered everything, but sometimes at the expense of usability. Having a PIXI book can make up for this, though.

As you know, ISO 27002 was updated a little less than half a year ago. The question is: Should the structure of your information security handbook now be changed to reflect the structure of the new version? The 2013 version is very similar to the one from 2005, but some chapters have been moved around, some have been deleted and new ones have been added. This means that the numbering of chapters has been changed - even at the top level. The standard describes a number of controls (with a three level numbering) and for instance the control in chapter 8.1.1 in the 2005 edition is not the same as the control in chapter 8.1.1 in the new edition.

The answer to whether you should switch to the new standard is a definite "yes". You must keep your information security up to date and it is neither effective, nor good practice to follow obsolete standards for information security.

In order to help you on your way, Neupart has created an overview of the main chapters of ISO 27002:2013 compared to the 2005 version.

If you are using an ISMS tool, such as SecureAware, the switch can be made more or less automatically. The latest version of SecureAware includes a number of tools to generate an automatic gap analysis comparing your old information security handbook to the new standard. Since SecureAware knows both the old and the new standard it can create a new draft suggestion to a rules document based on the new ISO 27002. It simply moves your rules around and places them in the new standard where appropriate. It can place up to 90% of your rules correctly and the remaining rules are easily moved manually to the right chapter.

Please share your opinion and experience with building a useful and effective information security policy below.

Wednesday, 23 April 2014

How to measure your ISO 27001 ISMS efficiency with KPIs

Efficiency and productivity are discussed in many contexts. In information security management, it also makes sense to ensure that processes are working effectively. But how do you actually measure whether your information security is effective and whether it is developing in the right direction?

Organisations that use the ISO 27001 standard must ensure ongoing improvement of their ISMS (Information Security Management System). Chapter 9 of the standard deals specifically with measurement. It says you shall define the processes and controls you will measure, and describe how, when and by whom the measurements are performed. You must also decide who will assess the results and how. Basically, you need to decide whether the outcome is "good enough". This makes good sense in most companies, but ISO 27001 does not offer any guidance on which KPIs (Key Performance Indicators) it makes sense to measure or how to measure them.

Neupart has prepared a guide with a number of proposed metrics, KPIs or measuring points, if you will, that can be used to take the temperature of your ISMS processes. When you measure at appropriate intervals, you can see whether your ISMS develops as desired and has the effectiveness you want.

An ISMS measurement is a measure of whether a process is running, as opposed to a measurement of a specific security control. Some examples: to measure whether your controls work, you can perform internal audits or use common control measurements such as how much spam is caught by your spam filter, how many viruses are captured by your anti-virus, the number of attacks detected by your intrusion detection system or firewall, uptime/downtime, and other quantitative measurements. When you measure the processes, you measure improvements against targets or compare with previous periods. Measures could be the percentage of security tasks performed within the agreed time, the number of employees who have acknowledged the bring-your-own-device rules or the latest security policy update within one month, or the average time used to correct deviations from policy or from compliance requirements.

The Neupart guide focuses on your ISMS processes, as there are plenty of other sources suggesting security control metrics. In short, ISMS metrics measure the value and effectiveness of the processes that make up your information security management system. Thus, ISMS metrics enable you to show changes over time, in order to, for example, report improvements and efficiency to management.
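As an added illustration (not from the Neupart guide or from SecureAware), the three process metrics named above, computed from task, acknowledgement and deviation records and compared with the previous period; the record layouts and the two quarters of sample dates are assumed and constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Record layouts below are assumed for this example; they are not a SecureAware format.
@dataclass
class Task:
    name: str
    due: date
    completed: Optional[date]     # None = still open
@dataclass
class Acknowledgement:
    employee: str
    published: date               # date the policy/rule set was published
    acknowledged: Optional[date]  # None = not yet acknowledged
@dataclass
class Deviation:
    ref: str
    found: date
    corrected: Optional[date]     # None = still open

def pct_tasks_on_time(tasks: list) -> float:
    """Share of security tasks completed by the agreed date. Open tasks stay in the
    denominator: a task that fell due and was never done means the process is not running."""
    if not tasks:
        return 0.0
    on_time = sum(1 for t in tasks if t.completed is not None and t.completed <= t.due)
    return round(100.0 * on_time / len(tasks), 1)

def pct_acknowledged_within(acks: list, days: int = 30) -> float:
    """Share of employees who acknowledged a policy update within `days` of publication."""
    if not acks:
        return 0.0
    ok = sum(1 for a in acks
             if a.acknowledged is not None and (a.acknowledged - a.published).days <= days)
    return round(100.0 * ok / len(acks), 1)

def mean_days_to_correct(devs: list) -> Optional[float]:
    """Average days from finding a deviation to correcting it; None if nothing is closed yet,
    so that an empty sample is never reported as a trend."""
    closed = [(d.corrected - d.found).days for d in devs if d.corrected is not None]
    return round(sum(closed) / len(closed), 1) if closed else None

def kpi_report(tasks: list, acks: list, devs: list) -> dict:
    return {"tasks_on_time_pct": pct_tasks_on_time(tasks),
            "acknowledged_30d_pct": pct_acknowledged_within(acks, 30),
            "days_to_correct_mean": mean_days_to_correct(devs)}

def compare_periods(previous: dict, current: dict) -> dict:
    """Change per KPI versus the previous period (None when either side has no value)."""
    return {k: None if previous.get(k) is None or current.get(k) is None
            else round(current[k] - previous[k], 1) for k in current}

# Constructed sample data for two quarters (not real records).
Q1_TASKS = [
    Task("Quarterly access review", date(2014, 3, 31), date(2014, 3, 28)),
    Task("Backup restore test", date(2014, 2, 28), date(2014, 3, 10)),   # late
    Task("Firewall rule review", date(2014, 3, 15), None),               # never done
    Task("Supplier audit", date(2014, 1, 31), date(2014, 1, 31)),
]
Q2_TASKS = [
    Task("Quarterly access review", date(2014, 6, 30), date(2014, 6, 25)),
    Task("Backup restore test", date(2014, 5, 31), date(2014, 5, 20)),
    Task("Firewall rule review", date(2014, 6, 15), date(2014, 6, 16)),  # late
    Task("Supplier audit", date(2014, 4, 30), date(2014, 4, 29)),
]
Q1_ACKS = [Acknowledgement("alice", date(2014, 1, 6), date(2014, 1, 20)),
           Acknowledgement("bob", date(2014, 1, 6), None)]
Q2_ACKS = [
    Acknowledgement("alice", date(2014, 4, 1), date(2014, 4, 3)),
    Acknowledgement("bob", date(2014, 4, 1), date(2014, 4, 28)),
    Acknowledgement("carol", date(2014, 4, 1), date(2014, 5, 1)),    # day 30: still within
    Acknowledgement("dave", date(2014, 4, 1), date(2014, 5, 15)),    # day 44: too late
    Acknowledgement("erin", date(2014, 4, 1), None),
]
Q1_DEVIATIONS = [Deviation("DEV-1", date(2014, 1, 10), date(2014, 2, 4)),   # 25 days
                 Deviation("DEV-2", date(2014, 2, 1), date(2014, 3, 8))]    # 35 days
Q2_DEVIATIONS = [Deviation("DEV-3", date(2014, 4, 2), date(2014, 4, 12)),   # 10 days
                 Deviation("DEV-4", date(2014, 4, 10), date(2014, 4, 30)),  # 20 days
                 Deviation("DEV-5", date(2014, 6, 1), None)]                # still open

Q1_REPORT = kpi_report(Q1_TASKS, Q1_ACKS, Q1_DEVIATIONS)
Q2_REPORT = kpi_report(Q2_TASKS, Q2_ACKS, Q2_DEVIATIONS)
TREND = compare_periods(Q1_REPORT, Q2_REPORT)   # e.g. tasks_on_time_pct: +25.0
```

The point of keeping open tasks and open deviations visible (in the denominator, or as a missing value) is that a process that quietly stops running should drag the KPI down rather than disappear from it.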

You may also want to check out the efficient ISMS solution, SecureAware

We would appreciate it if you would also share your experience or viewpoints on ISMS KPIs and metrics below.

Friday, 4 April 2014

Has 'Plan-Do-Check-Act' disappeared in the new ISO 27001?

The Plan-Do-Check-Act (PDCA) process originates from quality assurance in production environments, but has for some years also been a requirement in the ISMS standard ISO 27001 (ISMS = Information Security Management System). If you look at the new ISO 27001 that was published in late 2013, you may notice that it no longer contains a specific requirement for a PDCA process. Although it does contain headings such as Planning, Operation, Performance Evaluation and Improvement, which admittedly are very close to PDCA, your company can now follow the new ISO 27001 without having an actual PDCA process.

There is, however, a clear requirement that you continually improve your ISMS, formally phrased as "the organization shall establish, implement, maintain and continually improve the ISMS". In general, the new ISO 27001 introduces more flexibility in terms of selecting method and form than the previous version. A good example of this flexibility is the requirement for continual improvement: you can choose PDCA, or another method, as your way of continually improving your ISMS. My recommendation is that you only use PDCA to the extent that it makes sense to you.

There are many other ways of ensuring ongoing improvement. Start with something as simple as having (or getting) an overview of your ISMS tasks. Since information security applies to most, if not all, of your business processes, it also involves a number of people. If you want to improve your information security, you need to maintain a continuous overview of the security and compliance tasks people are assigned, and you need to monitor whether or not the tasks are carried out. Strengthening information security by getting a grip on all security and compliance tasks is one of the main features in Workflow TNG, a new SecureAware module, which we are proud to announce. Read the news here.
