Basics of information security detailed as IT managers admit employees do not understand their security policy

A panel of security experts and delegates have named their key information security ‘basics’ at the (ISC)² SecureLondon Conference.

Brendan Rizzo, EMEA data protection specialist at McAfee, Leon Ward, senior security engineer at Sourcefire and Dr Cheryl Hennell, head of IT security and information assurance at Openreach, pointed out their three ‘basics’ of information security.

Hennell named data awareness, keeping an audit, and training, education and awareness; Ward named access control, the control of access and being an enabler; while Rizzo opted for top-level involvement, knowing what you don't know and achievable goals.

Ward said: “Access control and the control of access can't be seen as an emerging threat; there need to be people who allow business to be done in harsh environments, that allow business links and integration to happen.”

The audience offered the following suggestions: time, money and skills; responsibility for data and information; accountability for actions; communicate what you are trying to do; know what you have; end-user buy-in and involvement; know who you are protecting against and why; know your risk appetite; and practise what we preach.

Later, in a poll of delegates, the question was asked ‘does your organisation track enforcement of your security policy?’, with 31 saying yes and ten saying no. The next question asked ‘are there sanctions for non-compliance?’, with 31 saying yes, five saying no and five saying they didn't know. Finally the delegates were asked ‘if yes, do you believe that the sanctions are understood?’, with 14 saying yes and 26 saying no.

Hennell said: “It doesn't matter who you work for, the basic principles apply. Which is more dangerous to your company – chickens or sharks? The more senior security people are looking at bigger threats while we take it for granted that we are looking for chickens when we are looking for sharks.

“Security should be embodied in the culture of the organisation; it applies to risk appetite and focus. If you can make a thumb drive the size of a brick, and make things more obvious we'll be better off through education and awareness.”
