Is it Tuesday already? I’ve lost track of the days…I’ve been here at the CSI NetSec conference since Friday, giving Chris Grillo’s and my “Handling Complex and Difficult Information Security and Privacy Issues” pre-conference seminar on Saturday and Sunday.
We had 16 outstanding participants from a wide range of industries, including government, technology, and retail, just to name a few. I love having this variety; it leads to very good discussions and increased understanding of what information assurance practitioners are dealing with. Thanks again to those of you who attended; your interaction was fantastic!
Posts Tagged ‘policies and procedures’
Greetings from Arizona!
Tuesday, June 12th, 2007Avoid Some Common Email Pitfalls
Friday, June 8th, 2007There are increasing reports of email misuse, malicious use, mistaken use, and just plain bad implementations of email systems that allow the many outside threats and desperado insiders to exploit vulnerabilities.
It is most common for information assurance pros to be fairly diligent in trying to keep malware out of the enterprise network through scanning and filtering emails, and it is good to see that it is also becoming a growing trend to try and prevent sensitive data from leaving the enterprise, “leaking” is the current buzzword of choice, by using scanning and encryption. However, there are many other email mishaps and business damage that can occur through the use, or misuse, of email that can have negative business impact and legal implications.
Could I Have a Side of Fries With That Security Please?
Thursday, June 7th, 2007There’s a pretty good McDonald’s commercial that started running recently. It shows two guys looking down at the office area on the floor below saying something like, “Janet’s so lame. She only buys McDonald’s for everyone so they’ll do her work for her.” Then the other guy says something like, “Yeah, it’s disgusting.” Then they both take a bite of a McDonald’s sausage McBiscuit, and then one says something like, “Well, we’d better get busy doing Janet’s invoices.”
Another Information Security Awareness Method
Wednesday, June 6th, 2007Organizations need to provide ongoing information security and privacy awareness communications and activities. Messages need to be made in a variety of ways to accomodate the variety of learners and how people actually soak into their brains and memories the information you want them to understand and retain.
“Getting Tough” With Information Security Is Really Just Getting Smart
Tuesday, June 5th, 2007Today I saw the headline, “Energy gets tough on laptop use” in Government Computer News and I was curious to see that the story was about how the U.S. Department of Energy (DOE) is going to start actually enforcing their security practices by accurately inventorying and tracking their mobile computing devices after having “lost” 1,415 laptops in the past 6 years. The DOE also indicates they are going to start enforcing their security policies and procedures.
Web Hackers Fined $15 Million by SEC
Sunday, June 3rd, 2007I remember reading in an issue of 2600 The Hacker Quarterly magazine several years back about how easy it is to commit crime, without being noticed, by hacking poorly secured web sites.
Hacking is often viewed to be a safe, almost anonymous, type of crime that is often very hard to pin upon one individual.
If People Aren’t Trained The Best Security Will Go For Naught
Saturday, June 2nd, 2007This week there has been much talk in the U.S. news about how Andrew Speaker, the now notorious TB patient (more specifically extensively drug-resistant tuberculosis, or XDR-TB), apparently very easily circumvented security controls to come back into the U.S. via Canada.
My heading is a paraphrase of a longer quote I really like from Charles Schumer that he made about this incident, but that also applies very nicely to all information security practices.
It’s Hard to Keep Secrets When You Entrust Them To Others
Friday, June 1st, 2007When you entrust sensitive information to a contracted company or individual, you are also accepting risk. If you do not perform due diligence to ensure your contractor has effective safeguards in place, and understands that your information is sensitive, and if you do not have specific security requirements within your contract, you are opening yourself up to a major embarassment, major incident, or both.
The U.S. State Department entrusts many of their secrets to many different contractors. They have found themselves with yet some more bad press as a result of one of their contractors.
The Eyes of IT are Upon You! Curiosity Often Trumps Do The Right Thing According to New Study
Thursday, May 31st, 2007At a company I did work for there was a middle manager in the IT area who liked to be the person “in the know.” At meetings he always would talk about ideas or plans that otherwise he should not have been privvy to.
