Cyber Security Awareness

This week is Cyber Security Awareness Week (CSAW). Cyber security awareness programs impress upon users the importance of cyber security and the adverse consequences of its failure. Awareness may reinforce knowledge already gained, but its goal is to produce security behaviors that are automatic. The goal is to make "thinking security" a natural reflex for everyone in the organization. This week's articles contain information that will help you protect the confidentiality, integrity, and availability of information in today's highly networked systems environment.

An information security audit is one of the best ways to determine the security of an organization's information without incurring the cost and other associated damages of a security incident. (Item #1)   Why is security awareness and training so important and what constitutes a security awareness and training program? (Item #2)   Here's how to implement a security awareness program in your organization. (Item #3)  

Do you know what sorts of fundamental rights people have with respect to their data? (Item #4)   There are seven steps chief information security officers can take to launch their organizations in the direction of Information Security compliance. (Item #5)   What do you know about the Internet Kill Switch? (Item #6)  

As always, we look forward to hearing your comments & insights regarding business continuity. If you have a topic you'd like us to cover, email me at [email protected].

Bob Mellinger, President
Attainium Corp

1. Conducting a Security Audit: An Introductory Overview

The word "audit" can send shivers down the spine of the most battle-hardened executive. It means that an outside organization is going to conduct a formal written examination of one or more crucial components of the organization. Financial audits are a familiar area for most executives: they know that financial auditors are going to examine the financial records and how those records are used. But they are unlikely to be acquainted with information security audits; that is, an audit of how the confidentiality, availability and integrity of an organization's information is assured. They should be.
http://www.symantec.com/connect/articles/conducting-security-audit-introductory-overview

2. Security Awareness and Training 101

Security awareness and training should be an integral part of your corporate security program. Though many businesses overlook the opportunity to tell their employees how to assist with protecting the corporate infrastructure, security awareness and training is really the first line of defense your company has to protect its valuable corporate assets. Your employees are the stewards of your critical data and information assets, and with the proper training corporations can enlist the assistance of their employees to mitigate risks.
http://www.intranetjournal.com/articles/200410/ij_10_11_04a.html

3. Success strategies for security awareness

A corporate security awareness program aims to make all the employees understand and appreciate not only the value of the company's information assets but also the consequences in case these assets are compromised. In theory, the process is straightforward and painless. But as every IT/security manager knows, in real life, an awareness program can be a monstrous headache-especially in a large enterprise.
http://articles.techrepublic.com.com/5100-10878_11-5193710.html

4. Data Privacy: The Facts of Life

As networking sites become more ubiquitous, it is long past the time to look at the types of data we put on those sites. We're using social networking websites for more private and more intimate interactions, often without thinking through the privacy implications of what we're doing. The issues are hard and the solutions to them harder still.
http://www.schneier.com/essay-324.html

5. Seven Steps to Information Security Compliance

The affordability of computers coupled with the world's level of information dependency creates a critical problem for the security and privacy of data. Many organizations need to comply with a myriad of standards and rules such as FISMA, HIPAA, SOX, ISO 17799, and GLBA, to name a few. Information security policies and standards can provide an organization with an accurate security baseline and the tools to strengthen its security posture. To achieve compliance, any organization must master the "Big Four"-perimeter defenses, system certifications, auditing, and user involvement.
http://www.securityinfowatch.com/root+level/1295992

6. Three Reasons to Kill the Internet Kill Switch Idea

In June, Sen. Joe Lieberman, I-Conn., introduced a bill that might -- we're not really sure -- give the president the authority to shut down all or portions of the Internet in the event of an emergency. It's not a new idea. Sens. Jay Rockefeller, D-W.Va., and Olympia Snowe, R-Maine, proposed the same thing last year, and some argue that the president can already do something like this. If this or a similar bill ever passes, the details will change considerably and repeatedly. So let's talk about the idea of an Internet kill switch in general.
http://www.schneier.com/essay-321.html