
Basics of information security detailed as IT managers admit employees do not understand their security policy


A panel of security experts and delegates have named their key information security ‘basics' at the (ISC)² SecureLondon Conference.

 

Brendan Rizzo, EMEA data protection specialist at McAfee, Leon Ward, senior security engineer at Sourcefire and Dr Cheryl Hennell, head of IT security and information assurance at Openreach, pointed out their three ‘basics' of information security.

 

Hennell named data awareness, keeping an audit and training, education and awareness; Ward named access control, the control of access and being an enabler; while Rizzo opted for top-level involvement, knowing what you don't know and achievable goals.

 

Ward said: “Access control and the control of access can't be seen as an emerging threat, there needs to be people that allow business to be done in harsh environments that allows business links and integration to happen.”

 

The audience offered the following suggestions – time, money and skills; responsibility for data information; accountable for actions; communicate what you are trying to do; know what you have; end user buy in and involvement; know who you are protecting against and why; know your risk appetite; and practice what we preach.

 

Later, in a poll of delegates, the question was asked ‘does your organisation track enforcement of your security policy?', with 31 saying yes and ten saying no. The next question asked ‘are there sanctions for non-compliance?', with 31 saying yes, five saying no and five saying they didn't know. Finally the delegates were asked ‘if yes, do you believe that the sanctions are understood?', with 14 saying yes and 26 saying no.

 

Hennell said: “It doesn't matter who you work for, the basic principles apply. Which is more dangerous to your company – chickens or sharks? The more senior security people are looking at bigger threats while we take it for granted that we are looking for chickens when we are looking for sharks.

 

“Security should be embodied in the culture of the organisation; it applies to risk appetite and focus. If you can make a thumb drive the size of a brick, and make things more obvious we'll be better off through education and awareness.”