
IT@Intel Blog

5 Posts tagged with the policy tag

Don't assume people will read the security policy!

 

Just because the policy is posted, does not mean everyone will read it.

 

Listen to the Audiocast: Information Security policy must be marketed to employees

 

Policy, like any other communication, must be marketed. It is the role of the security professional to show end users its value and how it helps them. Make it personal.

 

References: SANS.org blog: How to Suck at Information Security


Everyone wants information security to be easy. Wouldn't it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don't try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

 

Common Sense

I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

 

Here is my Fortune Cookie advice for November:

 

When it comes to employees and how securely they use their system, "trust, but verify".

 

We give them tools, harden their software, teach them good security practices, and reward them for safe behaviors. But end users may still cause great harm to their computers and, more severely, to the organization's data, systems, and operations. Trust must exist, but every security pro worth his salt is paranoid, with good reason.

 

It is not practical to wall out our own users. Some level of trust must exist. I believe the right balance for most organizations that maintain mature foundational controls is to “trust, but verify”.

 

Made famous by former US President Ronald Reagan, this quote was applied to situations where another party possesses the capability to do harm but agrees to refrain, for the greater good. Trust that they will act appropriately, but maintain the diligence to validate.

 

In the information security world, we too can strike a balance between security and functionality by allowing end users the access they need to do their work effectively, while maintaining verification controls to ensure they are not causing themselves or others unacceptable harm. This is no substitute for good training, security awareness, security tools, etc. as part of preventing undesirable events. But detection capabilities are a key element of a good defense-in-depth security program, and they allow more of a tradeoff between risk and productivity.

So am I contributing to the problem of oversimplifying security? Or am I reaching out to those who might not take the inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide, and feel free to share your knowledge-nuggets.


Everyone wants information security to be easy. Wouldn't it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don't try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

 

Common Sense

I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

 

Here is my Fortune Cookie advice for September:

 

In information security, like in sports, knowing your adversary is far more important than knowing the condition of the field.

Information security is an adversarial pursuit. It all begins with threat agents, those people who will negatively affect your organization. Some are malicious, others are not. The key is they are living, breathing opponents whose motivations drive actions which cause loss. They learn, adapt, and change as they seek their objectives.

 

Know your threats. This is an important first step. Knowing all your vulnerabilities is fine, but secondary in importance.

 

For those who are malicious, understand what they target and the methods they are likely to employ. Only then can the vulnerabilities be narrowed to show the most probable exposures. This prediction gives the security professional a focus on what to protect, how best to monitor, and the preparations necessary to respond when needed.

So am I contributing to the problem of oversimplifying security? Or am I reaching out to those who might not take the inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide, and feel free to share your knowledge-nuggets.


Everyone wants information security to be easy. Wouldn’t it be nice if it were simple enough to fit snugly inside a fortune cookie? Well, although I don’t try to promote such foolish nonsense, I do on occasion pass on readily digestible nuggets to reinforce security principles and get people thinking how security applies to their environment.

 

Common Sense

I think the key to fortune cookie advice is ‘common sense’ in the context of security. It must be simple, succinct, and make sense to everyone, while conveying important security aspects.

 

Here is my Fortune Cookie advice for August:

 

Security policy is like a seatbelt. It will not protect you every time, but it is guaranteed to fail if you choose not to use it.

 

No security policy is perfect. In fact, it should be a continuously evolving body of work that is improved as the industry changes and learns. The biggest challenge is not the exactness of the policies; rather, it is awareness and consistent adoption by the employees. An appropriate level of effort must be directed at marketing the policy successfully and winning the support of the target audience.

 

It may not be sexy, but policy can empower the Management support and maintenance of policy are key factors in leveraging this tool. Clear and straightforward verbiage coupled with sufficient marketing saturation can deliver necessary awareness to affect behaviors. With employee support of security principles, an organization takes a great step forward in achieving an optimal security posture.

So am I contributing to the problem of oversimplifying security? Or am I reaching out to those who might not take the inordinate amount of time necessary to understand the complexities and nuances of our industry? You decide, and feel free to share your knowledge-nuggets.


Can an organization's greatest security asset also be its most serious threat? Yes, it can.

The Greatest Asset

I manage information security for Intel’s mergers and acquisitions. Recently, I was evaluating an acquired company and delivering information security training to our newest employees on their collective hire date. As I was presenting the fundamentals of how to keep the company, their work, and our industry safe from cyber threats, an important security maxim was exemplified.

 

In interacting with the audience, I understood how they were accustomed to conducting business, the scope of information they handle on a daily basis, and their views on the value of security. I began to emphasize how the employee base was the greatest asset to information security, and how the combined force of a well informed, properly trained, and security savvy workforce dwarfs the efforts of the dedicated security staff. My recruitment speech sank in and their faces glowed with pride. I saw a bit of excitement from the audience, that of empowerment and newfound responsibility. I was setting them up. Although absolutely true, a few slides later in my presentation I unveiled the stark reality.

The Greatest Threat

I asked my newly recruited security champions what the greatest threat to the company was. Amid different answers, I revealed that THEY were the greatest threat. Not just them, but the entire workforce. The glow in their faces dimmed a bit. How can this be? How can our employees be both the greatest asset and the worst enemy in the cyber warfare trenches? They were shocked. They were dumbfounded. They were intrigued. I gave a dramatic pause. It is not often people are captivated by the boring and bothersome topic of information security. I savored the moment.

 

The real battlefield is in the hearts and minds of employees. These new employees, more than any, represent the greatest challenge. They are accustomed to their previous ways, inundated with new-hire information, and are not familiar with the security expectations of their new corporate parent. Security policy is a distant concern on their first day. Every subsequent day, this separated cluster of workers will not benefit from the social reinforcement of good security practices, as they are distanced from the collective body of experienced employees who exhibit secure behaviors.

 

We discussed how apathy, laziness, and circumventing policy for a quick gain can cause significant weaknesses in security. Every employee has a responsibility to be secure and to reinforce those fundamentals with their peers. A single employee, through malice or carelessness, can cause more damage than a legion of hackers. They must decide, through their actions, whether they are the security marshals or the villains of the story. The battle is with the mindset of the employees. The finest security policy is worthless in the hands of an apathetic workforce.

 

In the end, the discussion was a success. It was not just training; it was an interactive dialogue about what is important and how every employee, now including them, works as a team to be Intel’s greatest security asset.

So, who do you market to?
