
Archive for Policy

Policy: TSA Screeners Can Bypass Screening

(Image: TSA, via 9NEWS)

Oh, for the love of $deity. Are you kidding me? I find this a painful story in the level of insult that is visited upon the collective us. TSA screeners are apparently, by policy no less, allowed to bypass screening themselves. Glad to see they’re keeping their eye on the important problems.

From 9NEWS.com Denver:

The new policy says screeners can arrive for work and walk behind security lines without any of their belongings examined or X-rayed.

“Lunch or a bomb, you can walk right through with it,” said Mike Boyd, an aviation consultant in Evergreen. “This is a major security issue.”

At DIA, 9NEWS videotaped a dozen TSA screeners walking through a side gate and entering the sterile area of the airport carrying backpacks, purses and lunch boxes. Nothing was screened.

Sources tell 9Wants to Know, the reason for the security change may be tied to the new uniforms and badges.

And what might that tie-in be? Well… because the new metal badges set off the metal detectors. Ah, but wait, there’s more.

The TSA says its employees have background checks before they are hired. TSA policy says employees are supposed to report any other arrest, including an alcohol related arrest, within 24 hours or, due to circumstances beyond their control, as soon as possible after that.

And we all know that no one could be so devious as to steal another’s identity.

My brain is all melty at the moment.

Article Link (via ComputerWorld)

The analog hole…

I’m so totally behind in my reading…

Think of this as an Internet Years time capsule of the news from a week ago.

(Hey — it’s less than two weeks to the Last HOPE — I’m freaking out here.)

The nice folks over at TechWeb’s Dark Reading put up an article about the ease of identity theft through plain ole meatspace hacking.

Much as I’ve said repeatedly, right now, most security policy/posture is predicated upon making the “right thing” the damn hardest possible thing.

If you’ve grappled with this version of the analog hole… how did it work out?

Participate!


Rackspace Unveils PCI Compliance Bundle

OK, I’ll take this copy of the Washington Post, a bottle of milk, a box of nails and a bag of skittles. Oh, and a PCI package.

The hosting provider, Rackspace, has come out with a PCI solution package called the PCI Toolbox.

From Internet News:

The bundle, known as the PCI Toolbox, consists of standard components such as anti-virus protection, customer network scanning services, firewall services, intrusion detection systems, and log and patch management services.

It also includes Rackspace’s support team of experienced security professionals, who will modify the Toolbox offerings in line with changing PCI requirements.

“In many cases, customers are left to fend for themselves; we’re putting the pieces together into our compliance framework,”

One stop shopping.


Article Link

Microsoft CIO Fired For Policy Violation

From CSO Online:

Microsoft fired its Chief Information Officer, Stuart Scott, the company confirmed on Tuesday.

Microsoft would not share details beyond saying that Scott was let go after an investigation for violation of company policies.

Until a replacement for Scott is found, Shahla Aly, a general manager, and Alain Crozier, a corporate vice president, will take over his responsibilities, Microsoft said.

No word on whether it was because he bought the MacBook or the MacBook Pro.

Couldn’t resist.

Article Link


Governance, Risk & Compliance Management – Burden or Benefit?

From Computer Weekly:

I am sure that it will not come as any surprise that to many organisations compliance to multiple legislative and regulatory standards is seen as another cost and resource burden impacting on bottom line business goals.

It may be surprising though that to me, as the MD of a GRC (Governance Risk and Compliance) company, that this “hardened cynicism” is understandable and forgivable given that historically new business processes to meet “next big thing” needs are often perceived as having added little to the business other than cost.

With reference to compliance, some argue that the same cynics’ mantra can be chanted again. For as the tidal wave of recent new standards has appeared, with draconian penalties for non-compliance, many private and public sector organisations alike have adopted multiple systems to manage compliance problems on a case-by-case basis. Unfortunately, too often responsibility for ensuring compliance lay initially with individual line managers, not trained compliance staff. Here imposition of new processes has led to a tick-box culture where managers effectively do the minimum to comply, hoping to minimise the impact on their department’s daily working practices. A recent Achiever survey revealed too that 8 out of 10 managers responsible for GRC felt that “overkill” levels of “noise” were too onerous and threatening management attitudes.

Read on.

Article Link


Security Standard Affectation and Bravado

I’m at a bit of a loss today.

I have recently discovered a new method of security management at another company: rule by guesswork. There is an overwhelming number of policies and governance documents that we, as an industry, have to contend with, such as SOX, BASEL II, HIPAA and PIPEDA. Pick your poison. But the part that has me gobsmacked is the practice of quoting/invoking/referring to some of the aforementioned documents without ever having read a word of them.

It is something of a marvel.

The party in question quoted liberally, as if an authority, from a certain standard. I sat there with my jaw hanging open in utter confusion. The individual had just laid out in vivid detail the ins and outs of the standard and how it applied to their enterprise. The heads around the table nodded in concurrence. I could feel the vein in my temple begin to throb and my throat became parched. I feebly raised the coffee to my lips, all the while wishing it would spontaneously alter into a more appropriate elixir, say, Scotch perhaps? The sermon that was received by the masses was an absolute work of fiction. And no one at the table seemed to understand that. Except yours truly.

I wondered if anyone else could hear that grinding noise. “Wait, it’s just me” I thought. It was my teeth.

(Insert Deity) help them if they ever get audited. It would be like watching a train wreck in slow motion.

How often do you (the readers) encounter this sort of co-mingling of affectation and bravado?


Security Begins With The Reception Desk

Picking up on the thread from my last post I found this article on Computer Weekly.

Technical controls certainly have a relevant role in information security, but all forms of controls are liable to fail unless the organisation has a clearly-written regularly-voiced policy that is communicated in a language that the employees will understand.

Well, yeah. I had an opportunity to meet with yet another company last month. They said that they had a great set of policies and that they had covered all the bases. OK, great. When was the last review of the policies? Blank looks from around the room. Hmm, not good. So, who can tell me what the company’s internet usage policy is?

“We have one that was written in 1998” was the response. Yet no one could tell me what was in the policy. You could have the greatest set of policies ever written. But if the employees don’t know what they are, then they aren’t worth squat.

Article Link


When is a “security issue” not a security issue…

Today I’ve seen two posts which cause me some level of discomfort.

In both cases, the outlined “security issue” is not really a security issue - it’s something else entirely.

Case the First - Close the Barn Too Late.

In a widely linked SearchSecurity.com “tip”, SANS darling Peter Giannoulis hits us with his THREAT MONITOR - Pod slurping: The latest data threat - in which he lays out the threat of the 80GB iPod Video as the latest and greatest way to steal all the information from your organization… and tells you how to solve the problem in 3 easy steps:

  1. Restrict access to the USB port(s) on a computer system.
  2. Implement and enforce policies. No USB devices in the office means, no USB devices in the office for ANYONE (including technical staff, managers, etc.).
  3. Implement the principle of least privilege. Doing so will ensure a user can’t access files which they do not need to access.
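The three steps above are all preventive. A compensating control in the spirit of the post below, one that lets people keep their music while still telling you when a mass-storage device shows up on a workstation, is to audit USB enumeration events from the kernel log against a short allowlist of issued drives. The script here is an added example, not code from the original post or from the SearchSecurity tip; the log lines are constructed in Linux kernel/syslog format, and the allowlist of vendor/product IDs is a hypothetical placeholder.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines in Linux kernel/syslog format (not real captures).
# Vendor/product IDs are sample values chosen for this example.
SAMPLE_LOG = """\
Jul 10 09:12:01 ws-17 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Jul 10 09:12:01 ws-17 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Jul 10 09:12:01 ws-17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Jul 10 09:12:02 ws-17 kernel: sd 6:0:0:0: [sdb] 60063744 512-byte logical blocks: (30.8 GB/28.6 GiB)
Jul 10 09:15:44 ws-17 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Jul 10 09:15:44 ws-17 kernel: input: USB Receiver as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input5
Jul 10 10:02:13 ws-03 kernel: usb 2-1: New USB device found, idVendor=05ac, idProduct=1261, bcdDevice= 0.01
Jul 10 10:02:13 ws-03 kernel: usb-storage 2-1:1.0: USB Mass Storage device detected
Jul 10 10:30:00 ws-03 kernel: usb 2-3: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Jul 10 10:30:00 ws-03 kernel: usb-storage 2-3:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist: (idVendor, idProduct) pairs of corporate-issued drives.
ALLOWED_STORAGE = {("0781", "5583")}

# Enumeration line: records which vendor/product sits on a given host+port.
NEW_DEVICE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: usb (?P<port>[\d.-]+): "
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
# Storage-class bind line: the interface suffix (":1.0") is dropped to recover the port.
STORAGE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: "
    r"USB Mass Storage device detected"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    port: str
    vendor: str
    product: str


def find_unapproved_storage(log_text, allowed=ALLOWED_STORAGE):
    """Return one Finding per mass-storage bind whose device is not on the allowlist."""
    seen = {}  # (host, port) -> (vid, pid) from the most recent enumeration on that port
    findings = []
    for line in log_text.splitlines():
        m = NEW_DEVICE.match(line)
        if m:
            seen[(m["host"], m["port"])] = (m["vid"], m["pid"])
            continue
        m = STORAGE.match(line)
        if m:
            ids = seen.get((m["host"], m["port"]))
            if ids is None:
                # Storage class bound with no enumeration line in the window:
                # we cannot identify it, so report it rather than silently skip.
                ids = ("????", "????")
            if ids not in allowed:
                findings.append(Finding(m["ts"], m["host"], m["port"], *ids))
    return findings


if __name__ == "__main__":
    for f in find_unapproved_storage(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host}: unapproved mass-storage device "
              f"{f.vendor}:{f.product} on port {f.port}")
```

On a real host the input would be `journalctl -k` output or `/var/log/kern.log` collected centrally; only the device that is neither a keyboard/mouse receiver nor an issued drive is reported, which is the conversation you want to have with a person rather than a port you want to glue shut.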

Welcome to the dark ages.

How about an enlightened approach which is based not on some limp pseudo preventative, but really just compensating controls - tell staff that you appreciate them, then follow up with actually meaning it - make the disgruntled insider the exception rather than the rule. Taking away someone’s music at work isn’t going to endear you as an infosec professional - it makes you one of the top disgruntling forces.

But I suppose that a Technical Director for the GIAC family of certifications might have a different set of design criteria for policy than an actual in-the-field-up-to-h(is|er)-eyeballs-in-regulatory-compliance-working-infosec-stiff. I’m much happier with a set of policies that make me the champion of the business by letting them be risk takers who know that someone is watching their back. And who isn’t toting around a glue gun as a “tool of the trade”.

I’m not afraid of a good technical preventative measure, but I’m convinced (and have the proof to back it up) that a good awareness program delivered by people who actually care not just about the material, but about the attendees, combined with a willingness to help the business rather than just saying “no” is the way to solve security problems. People want to do things securely, it is not our job to mock them or treat them like children - it is our job… our career… our calling - to bridge the gap between what IT can offer and what the users need to get their jobs (and lives) done.

What kind of professional do you want to be?

Case the Second - Brilliance.

In a posting to the focus-apple@securityfocus.com list, Todd Woodward points us to an Ars Technica article - Infinite Loop: New Airport Extreme could expose Macs via IPv6 - which describes the behaviour of the new 802.11n Airport Extreme and its handling of IPv6 in a default configuration.

It is decried as a security issue; however, I think it’s pure brilliance. You see, the time of perimeters was short enough, and now it’s over. In 1998, I can recall a certain ISP which ran without firewalls or packet filters of any kind other than a bogon filter. It ran that way until 2001, when it had to go have a permanent lie-down. It was the way of things. Of course it was under constant attack, but the servers were designed, configured and secured in order to operate in that environment. Bill Gates and Craig Mundie cheerfully told us that last week: you should design and build systems which simply do not require a perimeter firewall in order to operate safely on the Internet. Additionally, it’s time to send IPv4 on its way. I’m tired and frustrated with the endless “which port-forward on the firewall/router goes to which internal box” dance that happens because I’ve got 3 machines that I’d like to talk to from the Internet. What Apple has done is essentially build in “get me out of RFC1918 hell and please do it automagically” functionality. Without any of the other features of the newest Airport Extreme, this feature (not security issue — FEATURE) is selling me on spending 3 times the price of a reasonable alternative. I want to be able to hop on IPv6 and get past the 1918 world… sooner rather than later.

As always, please post a comment, a counter-rant, or colourful pictures of unicorns and kittens - we here at Ye Olde’ Digest would love to hear from the ?thousands? of you who read the RSS feeds every day.

Does Blogging Pose Enterprise InfoSec Risks?

This is a subject that I think needs some greater attention. Most corporations don’t permit access to web-based email such as Hotmail and Gmail. These same companies also block access to porn sites. But most do nothing to address blogging. A recent American Management Association/ePolicy Institute study of 416 U.S. businesses found 8% of organizations operate official corporate blogs.

  • 9% have policies about personal blogging during business hours
  • 7% have policies covering the use and content of business blogs
  • 7% cover employee’s personal blogging activity from home
  • 6% prevent personal blogging on corporate blogs
  • 5% ban blogging at work outright
  • 3% have blog retention policies

Here are some things to take into account when you look into drafting a corporate policy.

  • Does your organization permit blogging? If so, are there specific approved blogs or can any employee create their own? What is the new blog approval process?
  • Do you wish to place any restrictions on employees’ use of personal blogs? Are these restrictions different depending upon whether they are blogging from home or from the office?
  • Are there any specific regulatory requirements that limit what you post to your corporate blog? Do these requirements extend to employees using personal blogs?
  • What is the approval process for postings to official corporate blogs?
  • How long will records of blog content be maintained and where will they be stored?
  • Are there any specific types of content that are taboo on corporate and/or personal blogs? For example, may blogs include the names of employees or customers? Are products in development fair game for bloggers?
  • Do you require that non-official blogs carry a disclaimer that the opinions expressed in the blog are those of the blogger only and do not necessarily represent the opinions of the organization?

Being an avid blogger myself I can see the potential for abuse if this type of activity is not outlined by a corporation.

Article Link
