Daily Archives: December 1, 2018

NBlog Dec 2 – Acceptable Use Policies

A question came up on the ISO27k Forum about an Acceptable Use Policy. I'll take this opportunity to dispense a few Hinson Tips (free, worth every penny!). 

AUP isn’t a generally-defined and globally-agreed term. Even “policy” has a spectrum of meanings. So, regardless of what any of us might think or claim it means, what matters is the organization that’s using it – the organizational context. What does your management expect an AUP to be? To achieve? To look like? You should get some useful clues from similar materials in other areas such as IT, HR and Finance: functions that, to some extent, formally express directives of their own. They may or may not be called AUPs, so take a look around the policy-related guidance materials, and preferably talk to the original authors about their work. You will probably pick up some useful tips, maybe even some help to knock your materials into shape. 

Some organizations use AUPs formally, stating employees' obligations for legal purposes. Personally, I prefer conventional policies and employment-related contracts, terms and conditions, rulebooks etc. for that purpose. I treat AUPs more as guidelines than policies ... but even so that’s on the premise that a ‘guideline’ CAN and generally SHOULD incorporate obligations defined in various policies, laws and regulations – in other words, despite the name, a guideline includes and revolves around mandatory elements. Its purpose, for me, is to explain those obligations in plain language and thereby encourage people to comply. 

Employees shouldn't need to consult a lawyer to figure out what is expected of them. Management should ensure not only that employees are instructed, but they are also helped to understand and fulfill their obligations.

There are various ways to ‘explain and encourage’ employees. A useful approach is to lay out examples covering both acceptable AND unacceptable activities, hence the AUPs in our awareness and training materials look something like this little extract:

The language is reasonably simple and straightforward (avoiding the technobabble and pseudo-legalese that afflicts some of our esteemed colleagues!) and we’re using the obvious green and red color cues plus the ticks and crosses to emphasize do’s and don’ts. We try to have roughly the same number of each, countering the tendency for the whole thing to preach “Thou shalt not …” And separating the reds from the greens gives an otherwise jumbled list a little structure. We’re trying hard to encourage and make it easy for even reluctant, busy, distracted and uninterested readers to read. 

For the same reason, we also take the position that ‘less is more’, meaning that our AUPs have fewer than 500 words each. They are all one-pagers with a two-column layout. That’s quite a challenge for the AUP author [me!] since words are at a premium, which means condensing the AUP down to essentials. Aside from careful wordsmithing, it’s worth asking “If someone barely has the time or interest to glance at this, what are the key messages we must put across?”. That approach in turn raises questions about what happens to the other stuff that we’re forced to leave out. For us, it’s easy enough because we also provide briefings and seminar slide decks and conventional policy templates etc., a coherent and comprehensive package of goodies and awareness activities supporting the AUP, all covering the same infosec topic ...

... Which brings up another part of our approach: we don’t try to cover everything all at once. We deliberately break things down into a series of distinct topic areas, allowing us to focus and go into a bit more depth on each topic, moving ahead month-by-month to cover the entire field.

Consuming the elephant one bite at a time

If you think one or more AUPs would be useful in your organization but are unsure about the format, you might like to prepare or compile a variety of AUPs in different styles, giving management the chance to consider the options and choose the best ones or the best bits. As well as AUPs from within the organization, look for examples from other organizations (including ours!) to see the range of styles and formats in use. Once you get management's agreement and generate something that is acceptable to all parties, that becomes the template for others ...

... And that's how we work too. All our security awareness and training materials are prepared from templates, making it easier to adopt and stick to a consistent look-and-feel. The templates pre-set things such as:
  • Page/paper size and orientation;
  • Language for spell-checking;
  • The font, font sizes and colors, both for plain content and for the titles, headings, hyperlinks etc., using 'styles';
  • Headers and footers with titles, page numbering and our copyright notice;
  • Page layouts e.g. columns, tables;
  • Document structure e.g. cover page, main headings;
  • Boilerplate text such as sources of further information and contacts at the bottom of almost everything (sometimes customized according to the topic);
  • Miscellaneous formatting e.g. line thicknesses and colors, arrowheads;
  • Diagrammatic styles e.g. the risk-control spectrum and PIG diagrams you'll see pop up occasionally on this very blog;
  • Metadata such as tags to make it easier to search for specific kinds or items of material. 

Our full suite of templates has evolved in the course of a decade and is still being tweaked from time to time. In particular we review and where necessary modify the whole lot annually at the start of the calendar year: updating the copyright notices triggers that process. We try to keep a lid on minor changes during the year in order not to introduce noticeable inconsistencies, so the annual template re-vamp is our opportunity to address any little issues and if appropriate adopt more significant changes, sometimes retiring templates that are no longer proving useful.

Another source of change is the creation of new formats or styles of awareness materials, such as the AUP seen above. New items normally take a couple of iterations and adjustments before stabilizing and being templated, becoming part of the set. 

Finally, there are other tricks of the trade in researching, writing and polishing awareness and training materials that both are and appear professional. A suite of templates is an excellent start but just as important is the way the templates are used, and of course the quality of the information content. We take pride in our work. We care about spelling and grammar. We consider our audiences, and we learn and improve systematically. We're perfectionists by nature. That's the secret weapon that gives us an edge over the usual rather amateurish and slapdash awareness and training content that is so common out there, the stuff that gives our profession a bad reputation. We must do better, raising our game. We're doing our bit. What about you?

First Smartphone: Are You Putting Cyberbullies Under the Tree This Year?


There’s pressure — lots of pressure. And not the typical I-want-a-bike or a doll-that-poops kind of pressure your kids may have foisted upon you just a few Christmases ago. No, this is the big leagues. Your child wants his or her first smartphone to show up under the tree this year. Is your son or daughter ready? Bigger question: Are you ready?

A first smartphone is a big step in a family that can’t be unstepped. Because it’s not about what a phone used to be about, which is dialing the number of a person you need to speak with. Today, giving your child a cell phone unlocks a hidden wardrobe door that leads to a whole new Narnia-like world abounding in both hills of goodness and valleys of emotional punches.

A first cell phone isn’t a casual purchase. Besides the financial investment (these things aren’t cheap), there’s a family dynamic that will likely change and a peer-to-peer dynamic that will go through its tumultuous metamorphosis.

Here are a few things to consider and talk through with your family before making your final decision to purchase that first smartphone.

Family talking points


  1. Maturity milestones. A phone is a small computer your child will carry in his or her pocket from this point forward. Has your child demonstrated maturity in other areas? Can he or she stay home alone responsibly for short periods? Does your child take care of his or her possessions, complete chores, and homework on time and without you nagging? Does your child earn/save/spend his or her allowance in a mature way? Does your child show empathy for others or deal with conflict well? These milestones are worth examining. If you feel uneasy about your child’s overall maturity, you might consider setting some goals to move your child toward cell phone ownership sometime in the future.
  2. The cyberbully factor. We know you’d never willingly invite a cyberbully into your home and especially wouldn’t put one under the tree for your child to discover on Christmas morning. However, that’s the reality of what phone ownership will bring sooner or later. Is your child emotionally strong enough to handle mean comments, feeling excluded, or being criticized or joked with in public? How does your child handle peer conflict without a phone? The emotional impact of owning a phone is not something you will see advertised, but it’s a huge factor to consider.
  3. Peer pressure. Digital peer pressure is a real thing. There’s pressure to dress a certain way, post pictures a certain way, and post activities online to gain status points in certain social circles. The selfie craze, online dares, digital trends and hashtags, and other pressures are all part of the smartphone equation.
  4. Harmful content. There’s a lot of great content online — educational, entertaining, and fun — but there’s a lot of content that is harmful to kids such as pornography, hateful ideology, and cruelty. Can your child resist the temptation to seek out or look at concerning content? Can your child discern ideas? Are you as a parent willing to take the extra steps to filter inappropriate content?
  5. Privacy issues. With a new phone comes great responsibility toward guarding one’s personal information. Do you have the time to communicate, teach, and monitor your child’s online footprint? Getting kids off to a strong start will require much time and care up front until your son or daughter has a grasp on the value of personal data.
  6. Social media. Social media owns vast real estate on a child’s phone and includes everything from gaming, to social networks, to various “communities” attached to apps. Anywhere your child can create a username and profile and connect with others opens him or her up to risks of cyberbullying, strangers, and scams. Discuss new apps and establish ground rules and phone usage boundaries that make sense for your family. The most important part of setting rules is to enforce the rules.
  7. Screentime ground rules. With a first smartphone comes the risk of too much screen time. Addiction to online gaming, social media, and phones in general has become a public health concern. Put family rules in place that set time limits and phone-free zones. Keep communication open and consistent to keep your kids following healthy screen time habits.

The post First Smartphone: Are You Putting Cyberbullies Under the Tree This Year? appeared first on McAfee Blogs.

Weekly Update 115



I'm pushing this out a day late, so firstly, apologies for the break in what's otherwise a pretty steady cadence. But having said that, as I say at the start of this video, I've really been struggling with work / life balance lately. As such, I recorded this Thursday evening, then spent most of Friday on the jet ski with my son. We balanced out a lot of work on this trip 😎

Getting back to business as usual, I was in Sydney for a day trip during the week, I'm off to Canada in a week from today, example.com forgot to renew their cert, there was a massive new breach to go into HIBP and York City Council seriously screwed up their handling of a very ethical security report. Oh - and the massive Marriott / Starwood breach only came to light Saturday morning my time so it didn't get a mention this week, I'll see if there's anything worth covering off next week. For now, here's this week's update and I'll come to you once more next week before heading off to waaay colder times:


  1. Data and Leads had a massive 44M record breach (yet another data aggregator trading all personal info by the look of it)
  2. York council - wow! (that thread summarises what happened and how they dealt with it)
  3. DigiCert is sponsoring my blog this week (they're talking PKI and securing IoT)