Like nearly all information security professionals, my training has taught me that there are three objectives of information security. The CIA triad:
• Confidentiality
• Integrity
• Availability
It’s been our mantra for a very long time that these are the three things that need to be achieved to obtain information security, but are they [...]
Changes to the NZISM in v1.01
In June the GCSB released version 1.01 of the New Zealand Information Security Manual. However, they have not published a list of changes from v1.0. I have analysed the differences between v1.0 and v1.01 and found that only two controls have been updated. There are a small number of minor corrections. The following provides a [...]
Do you Google yourself?
Whilst reading through the New Zealand Information Security Manual (NZISM) I came across this recommendation in section 9.4 Using the Internet within 9. Personnel security:
“Posting personal information on the Web
System Classification(s): R, C, S, TS; Compliance: recommended
It is recommended that personnel undertake a Web search of themselves to determine what personal information [...]
Integrating Security Architecture into Enterprise Architecture
It sounds almost trite, but the only practical approach to developing a security architecture for an organisation is to start at the most abstract level and consider what the business drivers and requirements are. This is fundamental to any approach for developing an organisation-wide strategy. If you don’t know what the business drivers and requirements [...]
Best, good or generally accepted practice?
I hate the term “best practice”. There, I’ve said it… It feels good to get that off my chest. But why do I hate it? The term “best practice” is thrown around by IT professionals to justify their recommendations. However, the use of the word “best” is a very bold statement. To state that something [...]
