21 Sep 2007

Seven Habits of Highly Effective Security Plans [Part 3]

In this post we deal with habit 1: Be Proactive

Please first read The Seven Habits of Highly Effective Security Plans [Part 1]
Please first read the Seven Habits of Highly Effective Security Plans [Part 2]

This is based on Stephen Covey's book The Seven Habits of Highly Effective People and in this post we look at how being proactive can help raise the general security of an organisation. This is applicable from a micro 1 person business to a multi-national company.

Being proactive really translates into taking ownership. There is a general feeling that Information Security is someone else's problem - usually IT. The thing is that even IT shelve the responsibility onto technology such as Firewalls, Antivirus and IDS boxes.

It has taken legislation in the United States and Europe (not so much in South Africa yet) to put Information Security risk back where it should be - the Business and by "Business" I mean non-IT people. Is this fair? Sure, it is their data and they must protect it from getting lost. Security is there to help and IT is there to make sure that the technology is there but at the end of the day if a spreadsheet with financial information goes missing - it is the department that owns the spreadsheet that is going to suffer.

Of course, all the three camps can be proactive. InfoSec can, should, must promote awareness of Security. They need Business and IT to understand what the dangers are and what is expected from a regulatory point of view. Posters, education, emails, etc etc can all be done.

IT can help by telling InfoSec of incidents that they may find, by making systems secure from the start, from being enthusiastic about patching and hardening servers and helping out with standards that are secure.

Business can be aware that it is information they use everyday that IT and InfoSec are protecting and the protection is for them so they can do their work more effectively which is what business is all about. They should strive to understand the tools that they use and how to use them securely. Strong passwords, clean desk policy, locking workstations, locking offices, thinking twice before opening strange files are all things that can be done for free and together are far more effective than anti virus, firewalls and NAC.

It is difficult to get the inertia going and people are reluctant to change but it is important to at least start working on a culture where information is seen as an important asset is protected as such.

I think this is lot more productive than playing each part of the business off against each other.

In this post we deal with habit 1: Be Proactive

Please first read The Seven Habits of Highly Effective Security Plans [Part 1]
Please first read the Seven Habits of Highly Effective Security Plans [Part 2]

This is based on Stephen Covey's book The Seven Habits of Highly Effective People and in this post we look at how being proactive can help raise the general security of an organisation. This is applicable from a micro 1 person business to a multi-national company.

Being proactive really translates into taking ownership. There is a general feeling that Information Security is someone else's problem - usually IT. The thing is that even IT shelve the responsibility onto technology such as Firewalls, Antivirus and IDS boxes.

It has taken legislation in the United States and Europe (not so much in South Africa yet) to put Information Security risk back where it should be - the Business and by "Business" I mean non-IT people. Is this fair? Sure, it is their data and they must protect it from getting lost. Security is there to help and IT is there to make sure that the technology is there but at the end of the day if a spreadsheet with financial information goes missing - it is the department that owns the spreadsheet that is going to suffer.

Of course, all the three camps can be proactive. InfoSec can, should, must promote awareness of Security. They need Business and IT to understand what the dangers are and what is expected from a regulatory point of view. Posters, education, emails, etc etc can all be done.

IT can help by telling InfoSec of incidents that they may find, by making systems secure from the start, from being enthusiastic about patching and hardening servers and helping out with standards that are secure.

Business can be aware that it is information they use everyday that IT and InfoSec are protecting and the protection is for them so they can do their work more effectively which is what business is all about. They should strive to understand the tools that they use and how to use them securely. Strong passwords, clean desk policy, locking workstations, locking offices, thinking twice before opening strange files are all things that can be done for free and together are far more effective than anti virus, firewalls and NAC.

It is difficult to get the inertia going and people are reluctant to change but it is important to at least start working on a culture where information is seen as an important asset is protected as such.

I think this is lot more productive than playing each part of the business off against each other.