Understanding the Importance of Checklists
Whether required by industry regulations or simply implemented as part of a solid incident response program, most organizations have at least a rudimentary incident response policy in place. A carefully crafted policy lays a foundation for the entire program. This policy, however, should be viewed as the jumping off point, not the end game. A successful incident response program needs to be supported, and not just by a few policies, but by procedures, checklists, people, training and tools.
An essential part of every incident response program is a checklist. Using procedures as a guide, checklists should provide direction for those who will be carrying out the tasks. Perhaps because they are the last step in the process, or perhaps because of their need for frequent updates, incident response checklists are often overlooked, underutilized, or at best, outdated.
Responding to a security incident can be stressful and chaotic. Well-designed checklists can supplement a...
CMU and Advocacy for Strong Security Review Policies
At a high level, Tor is a privacy focused technology that routes traffic to hide the identity of its users. Tor became a favored technology by political activists and whistleblowers who need such protection, as well as cyber criminals and other unsavory types who want to abuse this protection. It isn’t a surprise that a government agency would be interested in breaking the veil of anonymity. The FBI supposedly used research from CMU to help bring down an illegal marketplace known as the Silk Road, which offered services ranging from normal legal goods, to forged documents, and a...
The impact of culture on cybersecurity
In our blog last week, we discussed items that can influence culture and dabbled a bit into ‘planning to fail’ or ‘failing to plan’, oddly synonymous. I wanted to share a quick story that hopefully is motivational in some way to a very wide audience about the influences that culture can have on a defense-in-depth approach and some of the cataclysmic events that can ensue.
Last month, photos of the Transportation Safety Administration (TSA) master keys for unlocking TSA approved luggage locks were re-published by popular news and media outlets. Why is this a problem? The photos allow other master keys to be derived or cloned and used to gain physical access to travelers' possessions with little effort. Copies of the key can easily be made by taping the paper printout to a blank key, sheet metal, plastic, etc. and using a grinder or Dremel tool to make a replica.
Surely, a dedicated...
Compliance doesn’t equal security
Security enables the continued success of any compliance program, not the other way around. If an organization chooses to do the bare minimum for security, then they should (in theory) expect a maximal impact as a result of a breach.
Take a moment and think about 2014, “The Year of the Data Breach.” It is highly unlikely that the information security (IS) and information technology (IT) teams in each of the major 2014 breaches were not aware of the vulnerabilities or the poor security architecture. However, was management aware of these vulnerabilities? And if so, what mitigation action did they take to correct those vulnerabilities?
It is crazy to me, as an information security manager at Solutionary, that an organization will wait for a catastrophic event or a third-party review before...
Developing Policy, Training Employees and Ensuring Compliance
Last week’s post, Lobby Security and Beyond – Week 6 of 7: Utilizing Signage Effectively, offered guidance on how to use signage as a communication tool. This final blog in the seven-week Lobby Security blog series covers the importance of defining and publishing policies, providing training to employees and ensuring compliance.
Policy
It is very important to develop policies regarding the physical security measures you implement. These policies will help to define your security standards, and ultimately integrate with your overall security plan. Once you define your policies, be sure to get executive sponsorship for those policies, and then publish and communicate the policies to the organization.
Two items not...