I am seeing lots of “debate” about the value of red teaming, so I thought I would put together my thought process for how I look at it, in broad strokes, when I consider a generic starting position in an organisation. When I’m defending a business, I tend to ask myself (and the team, customers etc.) these kinds of questions (they are not exhaustive):
Read more: “Red Team Readiness Assessment”
I am not a legal expert! Haha, get used to saying that a lot if you work in cyber and are not in fact a legal expert! I wanted to put together a list of common laws that people should be aware of when doing business in the UK. It’s just a starter for 10 and there are likely others, but this should get people started on their security awareness and security policy documentation:
Read more: “UK laws and cyber security considerations for business”
- Data Protection Act 2018
- Freedom of Information Act
- Communications Act
- Computer Misuse Act 1990
- Investigatory Powers Act 2016 (IPA)
- Theft Act 1990
- Terrorism Act 2000
- The General Data Protection Regulation (GDPR)
- The Privacy and Electronic Communications Regulations 2003 (PECR)
- The Regulation of Investigatory Powers Act 2000 (RIPA)
- Official Secrets Act 1989 (OSA)
- Companies Act 2006
- Copyright, Designs and Patents Act 198
- Trademarks Act 1994
- The Malicious Communications Act 1988
- Forgery and Counterfeiting Act 1981
- Police and Criminal Evidence Act 1984
- Contracts (Rights of Third Parties) Act 1999
- Fraud Act 2006
- Network and Information Systems Regulations 2018 (NIS)
- Telecommunications (Security) Act 2021
- The Bribery Act 2010
- Freedom of Information Act 2000
- Defence of the Realm Act 1914
Can you think of any others that I should add?
Thanks Gary and Kevin and the other AVIS I can’t name for their input!
I wrote this in 2018 and don’t believe it ever made it onto the interwebs, so I’m basically posting it as is, with an extra section of useful links! Hopefully it still stands the test of time!
Risk Management doesn’t have to be risky!
Risk assessments are complex: they require cross-domain knowledge and generally do not deal in absolutes. Threat, vulnerability and asset intelligence are combined, weighed and assessed, leading to the construction of a risk assessment document. It can be easy to overcomplicate this process, which in turn (in my experience) often leads to far wider-reaching consequences (the business starts to bypass security management or take short cuts), so I thought I would write a short post to clarify what I’ve seen work out in the field. So, to start with, let’s try to align on what exactly a risk is.
Read more: “Information Security Risk Management”
When it comes to digital technology, we have to consider many things.
Availability, Confidentiality and Integrity are good building blocks for these considerations. We can probably split this into two major views to start with:
- What does a typical consumer care about?
- What security and privacy considerations could be made?
A typical consumer may care about:
- Wi-Fi coverage
- Ease of Use
- Ease of Support/Troubleshooting
- What happens if it breaks?
- Can I stop my kids messing with it? (Probably not so why bother)