One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

The Benefits of Near Misses

Thursday, January 15, 2015 - 09:26

Recently we had one of our regular reviews of security incidents that have affected the company in the past few months. All three – one social engineering attack, one technical one, and one equipment loss – were minor, in that only limited information or systems were put at risk; all were detected and fixed, to the best of our knowledge, before anything was accessed that shouldn't have been. If we had only been looking at data breaches they probably wouldn't even have made it to the agenda.

But our definition of incidents includes events that might put information security at risk, so we were able to have a useful discussion of our processes for detecting incidents, for dealing with reports, for prevention and for mitigation. We learned, or had reinforced, something at each stage:

  • Incidents can be detected by a wide variety of people (the owner, an external CERT and an alert signing officer) so awareness and processes need to ensure that everyone knows how and when to identify and report the signs of one;
  • Holidays and periods of organisational change are challenging for receiving and handling incident reports so information needs to be kept up to date and information flows resilient;
  • Layered precautions are good – people supported by policies supported by technologies – so that even if an incident manages to evade one layer there's a reasonable chance it will be detected by another.

So even non-breaches generated plenty of ideas that we can use to make our systems more robust, increasing the likelihood that the next incident will be no more than a near-miss too.

The great thing about near-misses is that there is much less blame hanging around. In each of our incidents, enough did work that the consequences of the things that didn't were minimal. That encourages discussions that are positive and focussed on processes and systems: it's much easier to have an open discussion of why things went wrong if this time it didn't matter but next time it might. And, as a former incident responder myself, it was a very pleasant change to be able to thank a colleague for being one reason that a breach didn't happen.