writing an effective security procedure in 2 pages or less and make it stick
DESCRIPTION
In this security management workshop we will discuss the Oral Law and the Written Law: the good, bad and ugly of procedures. We will show you how to write an effective data security procedure in 2 pages or less and make it stick.
TRANSCRIPT
Licensed under the Creative Commons Attribution License
Danny Lieberman
[email protected] http://www.controlpolicy.com/
Writing an effective data security procedure
in 2 pages or less.
Agenda
• Introduction and welcome
• Defining the problem
• Too much choice
• Workplace ethics – the Internet
• AUP
• Enforcement
• Monitoring to reinforce ethical behavior
Defining the problem
• Means
  – Multiple accounts
• Opportunity
  – Multiple channels
• Intent
  – Jérôme Kerviel
  – Albert Gonzalez
What employees have
• 1995
  – 1 company phone
  – 1 company mail account
  – Mozilla 1.0
• 2009
  – N mobile devices
  – N accounts to M applications
  – Web 2.0
Why too much choice is bad
• Paralysis
• Making worse decisions
• Doing better, feeling worse
Workplace ethics – the Internet
• Good
  – The Internet is a great work tool
• Bad
  – Time waster
  – Malware
  – Can violate the privacy of other employees
  – Sexual harassment suits
Workplace ethics – the Internet
• Ugly
  – Loss of proprietary information
• Trusted insider theft
  – Mail, Web, IM
  – Smart phones
• Front-door attacks
  – Lost passwords make it easy
• Back-door attacks
  – Spyware, Trojans
  – Piggyback on legitimate sessions
Acceptable usage policy
• Reduce number of options by default
– No “opt-in” check box
AUP read and understand agreement
The AUP states that:
• The Internet is to be used to further the company’s business and improve customer service, and not for personal entertainment or gain
• Protect company assets, physical and digital
Digital Assets
• Any computerized information that the firm uses to compete or accomplish its missions
  – Customer lists
  – Transaction records
  – Strategic marketing plans
  – Credit cards
Enforcement - management
• Corporate culture
  – A little fear in the workplace is not a bad idea (Andy Grove)
• Everyone signs
• Managers teach
Enforcement – the AUP
• For example:
  – “The AUP applies to laptops, PDAs and smart phones even when you’re out of the office”
• No downloads
• No offensive content
• Physical, password and email/web security
Enforcement - monitoring
• Monitoring
  – Monitor for policy violations
• To protect staff and customers against unlawful disclosure of personal records
• Loss/abuse of assets
  – Physical
  – Network
Coming attractions
• Sep 24: Write a 2 page procedure
• Oct 1: Home(land) security
• Oct 8: SME data security
• Oct 15: Business process & security
http://www.controlpolicy.com/workshops
Learn more
• Presentation materials and resources: http://www.controlpolicy.com/workshops/data-security-workshops/
• Includes a sample AUP read and understand agreement in MS Word format.