- Free! | SecAware
Free downloads! Click an image to download the Adobe PDF document.

  - Adaptive SME security guideline (53 pages, July 2024)
  - Pragmatic guidance on ChatGPT risks and controls (24 pages, Apr 2023)
  - Pragmatic ISMS implementation guideline (39 pages, Feb 2024)
  - Professional services infosec guideline (20 pages, Feb 2023)
  - Secure the planet (11 pages, Jan 2024)
  - ISMS Internal audit & management review template (2 pages, Oct 2022)

Please note that all our materials are covered by copyright law and are released under licence. They are NOT public domain. You are NOT completely free to use or share them as you wish.
- About | SecAware
About SecAware

Supporting your ISO/IEC 27001 Information Security Management System

ISMS Launchpad gets you to the starting blocks with the essential documentation that is mandatory for every certified ISMS. These are basic but indispensable materials, the bare minimum. Despite what you may have read elsewhere, an ISMS can be certified with only the bare minimum of mandatory documentation and processes specified in the main body of ISO/IEC 27001, and whichever information security controls management feels are appropriate (theoretically, that may be none at all!). In practice, while the information security controls from Annex A may be appropriate as described, most organisations require custom controls - perhaps adapted/interpreted versions of the Annex A controls supplemented by controls from other sources (e.g. privacy and business continuity controls).

ISMS Take-off adds a pack of discretionary (optional) materials for your managers to govern, direct and oversee the ISMS. If the ISMS is to add real value to the business and so earn its keep, genuine management engagement and support is essential. There's more to this than approving the implementation project budget! For a start, managers need to understand what a 'management system' is, and appreciate the business case for systematically managing information risks, security controls, incidents, compliance, exceptions and exemptions. They need more than just a clue about 'information risk management' since they will be making the key decisions about policies, risk appetite, risk treatments etc. If managers are to be held to account for protecting and exploiting information, the distinction between accountability and responsibility is crucial, along with an appreciation that, important though it is, IT or cybersecurity only addresses part of the organisation's information risk landscape.
ISMS Orbit adds a further stack of discretionary materials for the specialists currently designing and building the ISMS ready for the launch, who in due course will be operating and maintaining it. This content is more detailed and often technical, written in a style that suits the professional audience. It distils real-world experience of building, running and auditing ISMSs, supplemented with good practices that we know work well in practice. Your colleagues in Risk Management, IT, HR, Legal/Compliance and other business functions are more likely to engage with and support the ISMS if they understand what it is meant to achieve and how it is structured. Even the language can be confusing for specialists from other areas, so there's a comprehensive hyperlinked glossary in Orbit. If eyes glaze over when you use terms-of-art such as certification and accreditation, compliance and conformity, vulnerability, threat and risk, you may have lost your audience.

ISMS Mission puts it all together - a cut-price package deal for all the above materials, plus the full suite of topic-specific information security policies.

The SecAware ISMS templates contain top-quality generic content based on our decades of experience in the field. These are the materials we use in our consulting gigs: we wrote it all. Adapting or customising the templates to your particular circumstances is straightforward, easier, quicker, and much more cost-effective than writing everything from scratch, or adapting disparate materials written by various authors for various purposes. Get a head-start on ISO 27001 with SecAware.

SecAware information security policies are formal statements of management intent concerning various aspects of information risk and security. These are what ISO/IEC 27002 calls 'topic-specific policies' - 'intentions and direction on a specific subject or topic, as formally expressed by the appropriate level of management'.
Despite the inevitable formalities, we've developed a readable, consistent style and format for the policy templates. In a background section, the reasoning/rationale behind each policy is explained, followed by one or two* high-level axioms succinctly mandating good security practices. The axioms, in turn, are elaborated into about a dozen* policy statements, expanding on and explaining how the axioms are to be implemented in practice. These embody pragmatic guidance - stuff that people can realistically and reasonably be expected to do. The aim here is to guide, encourage and support your people to do the right things and do things right, rather than constrain them so tightly that they have no breathing space. Each policy concludes with a set of responsibilities associated with specific roles.

The policies have been researched, prepared and continually refined over decades as a coherent, comprehensive suite. While they have meaning and value individually, the policies complement and support each other, working together to raise your game.

* Those numbers vary between policies. Most policy templates are about 3-4 sides.

SecAware security awareness modules are zip files containing editable Microsoft Office files on a variety of topics - creative content for your information security awareness and training program:

  - Briefings - designed to appeal to particular audiences: relatively simple, straightforward, action-oriented and informative for general employees; succinct guidance focused on governance, strategy, policy, compliance, metrics etc. for managers including execs and board members; more technical/in-depth information for the professionals from IT, risk, security, HR, legal/compliance and other corporate support functions;
  - Checklists including Internal Control Questionnaires to review/audit things;
  - Diagrams such as mind maps, Probability Impact Graphs, risk-control spectra and process flowcharts;
  - FAQs - Frequently Asked Questions with straightforward answers;
  - Leaflets - single or double-sided glossies, readable and engaging awareness materials;
  - Metrics - suggested ways to measure in order to improve various aspects of information risk and security;
  - Newsletters demonstrating that information risks are real, not merely academic concerns;
  - Policies - generic/model "topic-specific" policy templates to consider, adapt and adopt for your organization;
  - Posters - bright, eye-catching, thought-provoking artwork supplied as high-resolution JPGs suitable for professional or desktop printing, or to illustrate other materials (such as an infosec area on your intranet);
  - Puzzles such as word searches, so people become security-aware while having fun on their breaks;
  - Quizzes, tests and challenges - designed to set people thinking, assess their understanding and engage them with the awareness program;
  - Slide decks - largely graphical/visual slides with detailed speaker notes, for seminars, meetings, briefings and courses, including self-study using Learning Management Systems or on your intranet;
  - Train-the-trainer guides - bags of creative suggestions to bring your security awareness and training activities to life.

There is a lot of content in each SecAware awareness module, giving you plenty of choice. You are not expected to use everything - simply pick out the items that suit your purposes. We do it this way because every customer is different: some of you are new at this and only need the basics right now, while others who have been doing awareness for a while are looking for something fresh, perhaps more in-depth or simply 'different'.
All of you have a range of workers, some of whom will appreciate the one-page leaflets and pretty pictures, and some who need something more meaty to get their teeth into, or need to be shown stuff.

SecAware combines striking graphics with powerful words. Perhaps less obviously, the materials delve into fundamental concepts, ideas and approaches, while offering pragmatic, down-to-earth guidance according to the topic and the audience. We're talking breadth and depth here - an innovative and creative yet mature and proven approach to security awareness.

All the SecAware materials have been researched and prepared to a consistently high standard of quality by an experienced, competent team of information risk and security professionals, providing continuity across all the materials and topics.

SecAware content can be used straight out of the box if you want. However, we use our own templates and MS Word styles making it simple to adopt your corporate look-and-feel. If terms such as "Help Desk" and "Security Zone" don't suit you, simply search-and-replace with whatever you prefer. If you use "cybersecurity" or "IT security" rather than "information security", go ahead, be our guest. Swap your ISMS logo in place of ours, and include your contact details. Rather than employing a specialist to develop ISMS, policy and awareness content specifically for your organization from ground zero, simply adapt the SecAware templates to get quickly up to speed ... and we can even help you with that ...

SecAware/IsecT management consulting services are custom-designed according to your situation and needs. Typical assignments:

  - Strategic reviews, strategy and policy development: do you know how information security supports and enables the business? Scared by the prospect of selecting and implementing security controls? Need to develop an approach that holds water and secures long-term advantage? Puzzled and annoyed by persistent problems or incidents? We can help!
  - Gap analyses and pre-ISMS implementation reviews: reviewing information risk and security management arrangements, governance, policies etc.;
  - ISMS implementation project proposals: helping to draft, review, promote and finalise proposals, budget requests, business cases etc.;
  - ISMS briefings for management (up to Board level, down to supervisor/team leader, sideways through all departments and even out to business partners and external stakeholders), plus security awareness sessions, risk workshops, courses and what-have-you;
  - ISMS implementation support: mentoring the CISO, implementation project manager and team, providing feedback, guidance, suggestions and support on demand;
  - ISMS/infosec documentation: drafting, customising, updating/refreshing and generally tarting-up documentation of all types, including ISMS IT system documentation, plus policies, procedures, guidelines and associated collateral - forms, user guides, diagrams ... Are your pre-packaged ISMS materials lousy, incomplete, out-of-date and unsuited to your particular business?
  - ISMS management reviews: review the ISMS from management's overall perspective, emphasising the business angles (e.g. the business case, information risk and security strategies, policies, implementation plans, governance arrangements, security metrics, continuous improvement, cost-effectiveness ...);
  - ISMS internal audits: review the ISMS independently and dispassionately, focusing on addressing conformity and/or compliance requirements and perhaps smoothing off any rough edges;
  - Training: information risk and security management, IT auditing, metrics, ISO27k ... whatever you need in this general area really;
  - ISMS certification readiness reviews and stage 1 or stage 2 certification audit support: is your ISMS implementation project on-track to complete all the essentials before the certification auditors turn up? How are you doing on conformity and compliance? Do you need an expert on-hand to smooth the way, accompany/shadow the certification auditors, deal with issues arising, negotiate a settlement ...?
  - General IT audits, IT installation audits, security maturity benchmarking, supplier assessments, cybersecurity audits, accreditation ...: a competent, thorough assessment provides assurance and rational improvement recommendations, free of the inevitable biases and prejudices of those directly involved. We bring fresh eyes, experience, insight ... and being independent, we have no axe to grind: we'll tell it like it is.
  - Security measurement & reporting reviews, metrics development: of all the myriad aspects that could be measured, what are the handful that really matter, and why is that? How will measuring those things drive meaningful improvements in information risk and security that truly support/enable the business?
  - Interim management: need a CISO, Information Security Manager, IT Audit Manager or similar? Short-term assignments are ideal for us - up to three months, long enough to help you locate and recruit a permanent replacement while we simply 'hold the fort' or perhaps restructure and re-energise the team, tackle longstanding issues, initiate new strategies or whatever you need to set things up for a new recruit.

We prefer remote working wherever possible, avoiding the travel and subsistence costs thanks to videoconferencing, email and phone calls. It gives you and us the flexibility to adapt to changing circumstances and priorities. If you need more from us, or if something comes up that needs our help, we can probably accommodate. If you are getting along just fine without us, that's OK too. Remote working is eco-friendly, low-stress, highly productive and cost-effective since we only charge for hours worked!

Hybrid approaches combine discrete (and discreet!) periods on-site (e.g. ISMS audit fieldwork; requirements gathering; training courses; presentations; workshops) with remote working as appropriate (e.g. off-site planning/preparation and reporting; strategy, policy and business case development; web-based training or presentations ...). Travel and subsistence costs are chargeable but you have the benefit of our full attention while on-site.

Please browse the shop for off-the-shelf products, or get in touch to explore how we can best help you.
- ISO27k | SecAware
ISO/IEC 27001 information security management standards

SecAware draws on the good security practices promoted by ISO/IEC 27001, ISO/IEC 27002 and other standards. Security strategies, policies and awareness are essential parts of any ISO27k Information Security Management System. Attempting to mitigate information risks without them is like boxing with one hand tied behind your back. Blindfolded. On ice.
- Topics | SecAware
About the awareness topics

There are lots of aspects relevant to information risk and security, meaning plenty of areas for your ISMS and awareness and training program to cover.

Rather than confusing people by attempting to cover everything at once, we recommend focusing on specific areas, one at a time. Pick a topic, introduce it, explain and expand on it, bring it to life and make it real. Educate and motivate your audiences, giving them the chance to soak it up, discuss it among themselves and take it in ... before moving on to the next topic. Lather, rinse, repeat.

Start the sequence and launch your awareness program with the SecAware Information Security 101 module, bringing everybody quickly up to speed on the basics.

After that, it's up to you what topics to cover, when and how.

We offer materials on a deliberately wide range of information risk, security and related topics. In addition to the obvious areas such as phishing, passwords and viruses, we're not afraid to delve into the concepts and principles of information risk management, incident management, business continuity management and more. The SecAware materials confidently tackle difficult issues such as hacking, insider threats, cybersecurity and Internet security, and take on sensitive topics such as BYOD and privacy. Focusing on each topic individually means scratching beneath the surface, describing the issues and explaining the concerns. People are more willing to behave securely and uphold the controls if they understand why they are needed and what they are intended to achieve.

We recommend regularising security awareness activities, with periodic updates ("refresher training") several times a year. This is a dynamic field so don't leave it too long between updates: new threats are emerging, new vulnerabilities are discovered and the organization's use of and dependence on information is constantly evolving. As your existing content becomes out of date, it loses its relevance, interest, impact and value. Don't let it go stale like a moldy old loaf. Keep it fresh. Keep it SecAware.
- About | SecAware | New Zealand
About you

You are busy running the show, juggling priorities and trying to keep everyone happy.

Under pressure to comply with GDPR, HIPAA, PCI-DSS, ISO27k, SP800-53 and more, you're concerned about cyber incidents. Management demands action.

You're looking for an approach that is both effective and pragmatic, something to get you started and drive long-term success.

A 'management system' for information risk and security is more than just good practice. It enables the achievement of your organisation's business objectives.

Discover how we helped a U.S. client re-build its failed ISMS, regaining its ISO certification and customer trust (case study) ... and worked with an innovative agritech business to implement ISO/IEC 27001 (case study). This NZ tech startup needed an information security policy manual, quick! (case study) Auditing an OT process control specialist's information security controls (case study)

Find out more about us and how we help you succeed.
- Audiences | SecAware
About your audiences

It makes little sense to blast out awareness and training content without first understanding your audiences, their perspectives and their information needs. To that end, SecAware materials are designed to appeal to the following three corporate audiences:

1. Workers in general (everyone!)

Persuading workers to participate willingly in your information risk, security, privacy and compliance activities takes more than just policies and management edicts. Workers need to understand what is expected of them, and be sufficiently motivated to act accordingly. Top quality, professionally crafted security policies and other awareness and guidance materials are key. For the general audience, the materials take the individual's perspective, addressing their self-interests, their families and personal lives, as much as their working roles.

2. Managers

Management sets the tone for your organization. Without management's understanding and support, information security is doomed. Getting senior and general management on-board with information risk and security is the quickest and most powerful - if not the only - way to influence your corporate culture. Content for the management audience revolves around the business perspective: how does information security support and enable the business? What is its commercial value? What are the compliance imperatives, the strategic and policy options? How should information risk and security management people be structured and directed? There are governance as well as information risk and security management aspects here.

3. Professionals

Various experts are typically involved in designing, implementing, operating and managing the organization's information risks and the security arrangements. Despite their specialist knowledge in areas such as IT, risk management, HR, physical security and compliance, information security presents unique challenges. Sometimes even the professionals need guidance and support. SecAware helps them understand the issues and options, get to grips with the technology, and get things on-track. Think about it: would you let an untrained mechanic work on your car brakes?

All three audiences are addressed in the SecAware content - for instance, each SecAware awareness module covers the same topic from their distinct perspectives. We plant the seeds, leading the audiences to consider and discuss information security, exploring their common interests and (in some cases) points of difference. Overall, SecAware, in conjunction with you and your employees, brings the content to life, lifting it off the page or screen. Gradually those seeds germinate, security becoming simply 'what we do around here', an integral and vital part of the corporate culture.
- Attributes | SecAware
Available as a PDF download (v1.7).
- About us | SecAware
About us

IsecT Limited (security in IT) is an independent freelance consultancy, specialising in information risk and security management.

We have a keen interest in the human aspects as much as the technology, with a strongly pragmatic business perspective. We help you protect and exploit information, enabling your business to do things that would otherwise be too risky. We add value in areas such as:

  - Information, IT and cyber risk and security management in general
  - Preparing security strategies and plans plus business cases, project proposals and budgets
  - Writing and customising security policies, procedures and technical documentation
  - Security metrics - figure out what to measure, how, when and why
  - Security awareness and training - creative, motivational content, briefings for executives and directors, awareness programme planning and rejuvenation
  - Designing and implementing ISO27k Information Security Management Systems
  - Governance arrangements - corporate structures, reporting lines, accountabilities, roles and responsibilities
  - Assurance - IT and ISMS internal audits, management reviews, gap analyses and supplier assessments
  - Benchmarking and maturity scoring of your information risk and security
  - Interim management of information risk and security, cybersecurity or IT audit teams temporarily short of a leader
  - Mentoring/coaching for CISOs, on-demand support and guidance.

From our base in rural New Zealand, we serve organisations worldwide, of all sizes and industry sectors. We have supplied government and commercial customers, not-for-profits and charities, consultancies and professional services companies, cloud-based and bricks-and-mortar businesses, greenfield start-ups and mature multinationals. We have worked with utilities, banks & financial services, defence, manufacturing and hi-tech companies.

SecAware builds on our experience and expertise. We know the subject inside out. It's our passion.

Read more about IsecT CEO Gary Hinson on LinkedIn. Gary has been in the security and audit trenches since the 1980s, consulting since the start of the millennium.

Track the SecAware blog to see what has caught our beady eyes lately. Join the ISO27k Forum at ISO27001security.com for frequent updates on the standards plus free advice and content from the active global community of 5,000 professionals.
- SecAware | ISO27k toolkits; templates; policies; information security; cybersecurity | Hawke's Bay
Implementing or running an ISO 27001 Information Security Management System? Need guidance to protect and exploit valuable information? SecAware delivers top-quality ISMS toolkits, security policies and awareness materials, plus information risk and security consulting. If funds are tight, check out our half-price privacy materials and freebies!
- Ts & Cs | SecAware
Terms and conditions

'SecAware' LICENCE AGREEMENT for INTERNAL CORPORATE USE ONLY

'We' (meaning IsecT Limited, a company registered in New Zealand) grant 'you' (meaning the individual person if acting in a personal capacity, or the organization that employs you if you are authorized to procure on their behalf) a licence to use the 'SecAware content' (meaning all materials provided to you by IsecT Limited in relation to information security awareness and training through the SecAware.com website) on the following terms:

The SecAware content is owned by IsecT Limited and protected by copyright law. We reserve ownership of all Intellectual Property Rights in the SecAware content, and all rights other than those expressly granted by this Agreement. The SecAware content is licensed to you for your personal information security awareness and training purposes, or for the internal corporate use by your employer if procured on their behalf. We grant to you a non-transferable and non-exclusive licence to install and use the SecAware content for a period of 365 days from first installation only. In addition, you may make no more than one backup copy of the SecAware content. After those 365 days have elapsed, your rights to use the SecAware content under this Licence will terminate, and you must destroy all copies thereof in your possession. You may customize or adapt the SecAware content for your personal or employer's internal corporate use. This Agreement and licence is personal to you and (if applicable) your employer at the time of procurement. You may not modify, copy, rent, lease, assign or otherwise distribute or part with the SecAware content or any part thereof. You must take reasonable steps to protect the SecAware content from unauthorised copying, publication, disclosure or distribution.

Warranties, and Limitation of Liability: You acknowledge that it is not technically practicable to guarantee software to be error-free, and you agree that if any such errors are found to exist they shall not constitute a breach of this Agreement. TO THE EXTENT PERMITTED BY THE APPLICABLE LAW, WE DISCLAIM ALL WARRANTIES WITH RESPECT TO THE SecAware content, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. WE SHALL NOT BE LIABLE TO YOU OR TO ANYONE ELSE FOR ANY LOSS OR DAMAGE WHATSOEVER OR HOWSOEVER CAUSED ARISING DIRECTLY OR INDIRECTLY IN CONNECTION WITH THIS LICENCE, THE SecAware content, ITS USE OR OTHERWISE, EXCEPT TO THE EXTENT THAT SUCH LIABILITY MAY NOT BE LAWFULLY EXCLUDED UNDER THE APPLICABLE LAW. NOTWITHSTANDING THE GENERALITY OF THE ABOVE, IN NO EVENT WILL WE BE LIABLE FOR INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL LOSS OR DAMAGE WHICH MAY ARISE IN RESPECT OF THE SecAware content, ITS USE, OR IN RESPECT OF OTHER EQUIPMENT OR PROPERTY, OR FOR LOSS OF PROFIT, BUSINESS, REVENUE, GOODWILL OR ANTICIPATED SAVINGS, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS. IF ANY EXCLUSION OR LIMITATION CONTAINED IN THIS LICENCE SHALL BE HELD TO BE INVALID FOR ANY REASON AND WE BECOME LIABLE FOR LOSS OR DAMAGE THAT MAY LAWFULLY BE LIMITED, SUCH LIABILITY SHALL BE LIMITED TO THE PRICE PAID. We do not exclude liability for death or personal injury to the extent only that it arises as a result of our negligence or that of our employees, agents or authorized representatives. You acknowledge that these terms supersede all prior agreements, and are complete and exclusive. No oral or written information given by us or on our behalf shall create a warranty or collateral contract, or in any way increase the scope of this warranty, and you may not rely on any such advice.

If any provision in this Agreement shall be determined to be invalid, such provision shall be deemed omitted; the remainder of this Agreement shall stand. This Licence shall be governed by the laws of New Zealand.

Important caveat: The SecAware security awareness materials are generic and need to be tailored to your particular circumstances. None of this is legal advice. We strongly recommend consulting competent lawyers and other professionals to ensure that the guidance you dispense is accurate, appropriate and sufficient.

Payment methods: We accept payments in United States dollars via credit/debit cards or PayPal. Contact us to pay via international bank transfer or in another currency.

Customer care: We fully intend to exceed your expectations with the content supplied through this website, and our services. We want it to be more than just 'good enough'. If you are unhappy with the quality or value of our materials and services, please let us know and we'll do something about it.

Privacy policy: As information risk and security specialists by trade, we take your privacy seriously. We comply in letter and in spirit with the New Zealand privacy laws and regulations. This site uses HTTPS, for instance, to ensure that personal and credit card details are encrypted in transit. We collect the minimum amount of information needed to do business with you, and we do not share your information with third parties except as necessary to provide our services (e.g. your payment details are passed securely to the bank so we can collect your payment, and we record your name and other customer details in order to license the SecAware content to you).

Consultancy: Please contact us for further details of our consultancy services. We prefer to negotiate custom contracts for substantial assignments.