
Training And Awareness Blog

May 2007 - Posts

  • Another week...

    Another top ten review... This time, the entire ISM top ten is being put into one overall document and into a bit more of a logical flow. I'm awaiting the esteemed members of the Steering Committee to review and we will re-publish. Each individual item in the top ten has been downloaded a few times but solid feedback has been somewhat lacking - hoping this will change that.

    I am trying to get together a list of Security Awareness online courses. Is anyone working on any open source versions at the moment that are SCORM compliant? Would love to see something we could start to use, maybe to take the top ten to the next level - having an online distribution model.

    Please assist!

  • What you don't see can't hurt you, my son

    Things are a little strange in the State of Queensland. We are on level 5 water restrictions meaning no car washing (suits me), 4 minute showers (that's 3.45 minutes over what I have anyway), I can't even put any more water in the swimming pool so you can see this is pretty serious. 100 km north of Brisbane lies the Sunshine Coast area - these boys have their dams at 80% capacity! Laughing and joking as they water their car, garden, flush the toilet 20 times - they probably even water the water, that's how much water they have.

    In a week where our esteemed prime minister, Little Johnny Howard, told us all to pray for rain, you might think that perhaps we have lost a few marbles in this very very brown land. I've just found out that there's a national rain day here in Canberra on the 8th May. Mr McCallum of Melbourne said National Rain Day involved people standing on the earth barefoot and being led through a guided short visualisation at 11am on the day. “The process is a prayer of attracting rain through raising collective consciousness, as opposed to attracting the lack of rain by acknowledging it,” Mr McCallum said. “This is a powerful tool that everyone can use to create positive change. Many successful sports people and ancient races use visualisation.”

    Well, I can visualise a lot of press for McCallum, a speaker and meditation leader of 17 years who helps people create the life they want to live with the law of attraction and quantum physics. “When you hold a thought with emotion for one minute and 11 seconds, you will attract that which you think about.” Well, I vote we get some sponsorship at the ISM Community and get Mr McCallum around to a few of our clients to give him the ultimate test - not easy stuff like making it rain but writing a series of policies and procedures that people read, get and follow. I can visualise Mr McCallum a beaten man, and I further see myself madly visualising for my allotted one minute and 11 seconds and still not understanding why anyone would support Tottenham Hotspur.

  • The Top Ten is Complete

    The ISM Top Ten is now complete! All ten now uploaded for everyone's pleasure. Please check them out and give me your opinions.

  • One more to go

    Took some advice and have blasted 9 of the ISM Top Ten up for review. The 10th and final one, 'Make it easy for people to do the right thing (Policies and Procedures Matter)', will follow real soon.

  • First of the ISM Top Ten - Use, Adopt and Align to Industry Standards

    I've just published the first guideline out of the ISM Top Ten as referenced in my previous blog post. Look forward to some feedback; in the meantime, I'll keep them coming on a weekly basis!


    TS.

  • Some Meat on the Bones

    Last post I highlighted the ISM Top Ten but didn't actually put any context behind the topics. That's rectified below. Next up will be my first try at the "Use, Adopt and Align to Industry Standards" topic. Well, it's kind of my second try but that's not important. Look forward to some assistance!

    Executive Sponsorship and Commitment

    Security programs that are driven and publicly supported by executive management are more widely adopted than those that aren't. You should ensure that your information security program has the appropriate level of executive sponsorship and the ongoing commitment to implement an appropriate information security program. That commitment should include an appropriate budget to both implement and maintain a program; a commitment to develop and maintain a company culture that includes information security as an integral (and transparent) part of it; and a commitment to publicly sponsoring the program.

    Company Wide Support and Participation

    Security programs that are aligned to support the goals of the business and which have active participation from business units are more successful than those that don't. Understanding the needs of each business unit and aligning your program to support the specific goals and unique challenges of the business allows corporate information security to "add value" and not be seen as a cost. This in turn promotes an upward spiral of participation and self-improvement. This is often referred to as community policing.

    Use, Adopt and Align to Industry Standards

    Security programs should adopt established information security management standards like ISO 17799 and embrace IT standards such as COBIT and ITIL. These of course should be tailored to meet the exact needs of the business. While not perfect or indeed a panacea, ISO 17799/ISO 27001 is a widely adopted and well respected standard that defines the components of an information security management program and process. Adopting it enables an organization to leverage existing public domain work, as well as interoperate with other businesses more easily.

    Make it easy for people to do the right thing (Policies and Procedures matter)

    In general, people want to do the right thing. Making it easy for people to do the right thing is a key mantra in gaining corporate-wide support and participation for an information security program. Many information security departments are introspective, writing and publishing documents and guidance for themselves. Information security programs should get back to basics and make it easy for people to do the right thing. This includes writing and publishing accessible and useful policies, standards and guidance. The focus of all guidance should be "how to do things securely" as opposed to simply "what not to do". Ensure there is an easy process for additional support (asking clarifying questions). Security should be integrated into people's existing environments wherever practical.

    Document, Publish and Refine your Processes

    In general, people want to do the right thing. When they understand what they should do, they can easily follow a process. Information security programs should document their processes, ideally with simple-to-follow flowcharts, and publish them in an accessible place. Processes should define roles and responsibilities, activities and, where appropriate, service level agreements. By observing and measuring business activity against these processes, organizations can optimize and refine them to improve performance and reduce cost.

    Training and Education is Key

    Tailored training and awareness for all users will pay ongoing dividends. Training should range from small, digestible "sound bites" for business-oriented people to deeper technical training for IT and development.

    Manage Risk, not Security

    Few companies in the world are in business to be secure. Almost all companies in the world need to have an environment that is secure enough to do business. Information security programs should focus on managing risk and working with the business to determine a level of appropriate risk for their business. Risk levels are usually best determined by a combination of security advice and business acumen. Partnering with the business to determine and manage risk usually works best.

    Manage with Facts and Numbers

    Information security decisions should be made with facts wherever possible. While it is not a science, it is also clearly not an art and making business decisions based on fact makes sense. Ensuring you collect, capture and analyze appropriate metrics and facts will allow you to make smart business decisions and recommendations. Metrics and facts avoid security religion.

    Don't Fall in the Compliance Trap

    After the cash cow of SOX, many information security consultants and product vendors would have you believe the sky is falling (Chicken Little Syndrome) and that new regulations like PCI are key to information security. Companies should understand which regulations actually apply to them and what the implications of those regulations are in reality. Managing a good information security program will mean you will likely meet all the requirements of most regulations; managing to a regulation will mean you will likely not have a good information security program and will be constantly fighting fires.

    Leverage Corporate Business Initiatives

    Information security should be an integral part of company culture and leveraging existing corporate wide business initiatives will help instill that culture.


    TS.

All Rights Reserved - The ISM-Community