
Basics of information security detailed as IT managers admit employees do not understand their security policy


A panel of security experts and delegates have named their key information security ‘basics’ at the (ISC)² SecureLondon Conference.


Brendan Rizzo, EMEA data protection specialist at McAfee, Leon Ward, senior security engineer at Sourcefire and Dr Cheryl Hennell, head of IT security and information assurance at Openreach, pointed out their three ‘basics’ of information security.


Hennell named data awareness, keeping an audit and training, education and awareness; Ward named access control, the control of access and being an enabler; while Rizzo opted for top-level involvement, knowing what you don't know and achievable goals.


Ward said: “Access control and the control of access can't be seen as an emerging threat, there needs to be people that allow business to be done in harsh environments that allows business links and integration to happen.”


The audience offered the following suggestions – time, money and skills; responsibility for data information; accountable for actions; communicate what you are trying to do; know what you have; end user buy in and involvement; know who you are protecting against and why; know your risk appetite; and practice what we preach.


Later, in a poll of delegates, the question was asked ‘does your organisation track enforcement of your security policy?’, with 31 saying yes and ten saying no. The next question asked ‘are there sanctions for non-compliance?’, with 31 saying yes, five saying no and five saying they didn't know. Finally the delegates were asked ‘if yes, do you believe that the sanctions are understood?’, with 14 saying yes and 26 saying no.


Hennell said: “It doesn't matter who you work for, the basic principles apply. Which is more dangerous to your company – chickens or sharks? The more senior security people are looking at bigger threats while we take it for granted that we are looking for chickens when we are looking for sharks.


“Security should be embodied in the culture of the organisation; it applies to risk appetite and focus. If you can make a thumb drive the size of a brick, and make things more obvious we'll be better off through education and awareness.”











