
Basics of information security detailed as IT managers admit employees do not understand their security policy


A panel of security experts and delegates have named their key information security ‘basics’ at the (ISC)² SecureLondon Conference.


Brendan Rizzo, EMEA data protection specialist at McAfee, Leon Ward, senior security engineer at Sourcefire and Dr Cheryl Hennell, head of IT security and information assurance at Openreach, pointed out their three ‘basics’ of information security.


Hennell named data awareness, keeping an audit and training, education and awareness; Ward named access control, the control of access and being an enabler; while Rizzo opted for top-level involvement, knowing what you don't know and achievable goals.


Ward said: “Access control and the control of access can't be seen as an emerging threat, there needs to be people that allow business to be done in harsh environments that allows business links and integration to happen.”


The audience offered the following suggestions – time, money and skills; responsibility for data information; accountable for actions; communicate what you are trying to do; know what you have; end user buy in and involvement; know who you are protecting against and why; know your risk appetite; and practice what we preach.


Later, in a poll of delegates, the question was asked ‘does your organisation track enforcement of your security policy?’, with 31 saying yes and ten saying no. The next question asked ‘are there sanctions for non-compliance?’, with 31 saying yes, five saying no and five saying they didn't know. Finally the delegates were asked ‘if yes, do you believe that the sanctions are understood?’, with 14 saying yes and 26 saying no.


Hennell said: “It doesn't matter who you work for, the basic principles apply. Which is more dangerous to your company – chickens or sharks? The more senior security people are looking at bigger threats while we take it for granted that we are looking for chickens when we are looking for sharks.


“Security should be embodied in the culture of the organisation; it applies to risk appetite and focus. If you can make a thumb drive the size of a brick, and make things more obvious we'll be better off through education and awareness.”











