One important practice of operational security is to ensure that your computer is secure before you leave it unattended. In other words, lock your laptop. This is covered by ISO 27001 control A.11.2.8.
If a malicious actor gets their hands on your computer, you don’t want them to be able to steal your data, or impersonate you through your online accounts.
Here’s something that may surprise you about Inverifi and its sister companies: Malicious actors roam our offices every day.
I myself have acted maliciously. I’ve roamed our offices, hunting down weaknesses in our security, and jumped at the opportunity to exploit any weaknesses I have found.
I’ve done it all: I’ve impersonated a board member on our internal intranet; I’ve plugged a malicious USB device into a company computer; I’ve even stolen customer devices, with highly sensitive data on them.
Each subsidiary of Inv Group is trusted by its customers to handle their sensitive data. With that in mind, why would the group company want to keep malicious actors like me around? Why do I still have a job?
All the malicious actions that I, and many other employees, have carried out are known within the group company as dishing, after the traditional punishment given to the victims of this practice: washing the dishes.
These days, our offices have dishwashers, so the traditional punishment has mostly died out. Still, the name has stuck. There is also a sense of humiliation that comes with it; nobody wants to get dished.
Dishing, in its original form, entails getting to the victim’s unlocked computer, and posting the word ‘dishes’ to one of our communication channels; typically, either our internal intranet or the company-wide group chat.
The screenshot above shows one of my favorite hits. Our CTO closed his MacBook, left it on a table, and walked off to attend a meeting. The Apple logo was still glowing.
As you can see, shortly after impersonating one of our board members on our internal intranet, I decided to taunt another board member in the comments.
These days, dishing extends to pretty much any instance of negligence that can be exploited by a malicious actor. Common examples include leaving office keys and customer devices unattended, where they can be stolen.
Each dish is logged in a record, including the victim, the perpetrator, and the nature of the security breach. Typically, at the end of the year, the one who’s been dished the most is given a penalty for our annual Christmas party.
On my way to our office, I walk past many other offices, where I see unlocked and unattended computers. Perhaps they don’t have policies that require them to lock their computers; perhaps they just ignore those policies.
When I get to our office, most of the time, all unattended computers are locked.
Dishing forces us to actually comply with our operational security policies. It prevents the possibility of many security breaches. Dishing works.