IT security, vulnerabilities, bugs, fixes, flaws, RSA conference and Infosec.
vnunet.com


Banging the same old security drum

Some of the advice on offer at security events is interesting, thought-provoking, pertinent and pretty useful for those working in the IT industry; and lots of it is grandmother-sucking-eggs type stuff. And yet it still apparently needs to be said.

At the ISSE security show in Madrid this year, which has always claimed to have one of the more discerning audiences on the security conference circuit - i.e. the great and good from the information security community - one or two presentations fell into the latter category.

Case in point. A presentation on SME security by a researcher from Cardiff University told us that SMEs aren't very good at security. Well, to be fair there was a little more to it than that.

Specific points raised from the research were that very few small firms have requirements in place for security; few test their backup data, even if they actually back up; and most tellingly, only around a quarter said they actually know what information assets they have.

A bit worrying, especially when you consider that SMEs employ about two-thirds of the workforce and contribute in total more to the economy than large organisations.

And then the more useful stuff for security chiefs. Many in the security industry get a lot of value from sharing best practice, looking at the things their peers are doing that have proven to work.

And so Roland Muller, corporate information security officer from Daimler Financial Services, explained the value of security assessments in a multinational organisation. To put it simply: they're very valuable. But the key points Muller made for anyone wanting to do similar were:

1) Get management buy-in for any security assessment scheme.

2) Link the scheme to international standards, rather than a local approach.

3) Maintain regular contact with management and local security guys: "The people who are always the victims".

4) User education is vital: "Policies are written by security guys for security guys. You need a simple way to bring the message to people," Muller said.

October 8, 2008

Comments

All too often do companies even know anything about security in terms of Identity Theft in the workplace. Maybe 13% of corporate America is Compliant or really knows what it is. If you do Payroll, Direct Deposit, Payroll Deduct, take Social Security number, Name, Phone number, Address this applies to your business. You must Mitigate the Crime and have a Mitigation Plan in place according to the FTC ruling. This was signed into law Dec. 4, 2003 by President Bush of The United States and all aspects of the law were phased in and businesses were to be compliant by June of 2005. Even when presenting the PowerPoint Presentation corporations think that it does not apply to them. This is a Federal Law. This law applies to ANY BUSINESS regardless of size! Now, as of Nov. 1, 2008 no more dragging feet for corporations says the Federal Government. Executives and owners will be held accountable and responsible for ANY and ALL Civil and Criminal Liabilities, potential removal, one million dollar fines starting, potential closure of business, 10 years in Federal prison. Is that reason enough to offer the Mitigation Plan Required by the FTC for the protection of Identity Theft in the Workplace for employees? Since 9/11, the Patriot Act, Homeland Security every American Citizen has the Right to have their information protected. Every business has the fiduciary responsibility to offer the Mitigation Plan and train employees in Identity Theft in the Workplace. I am an American looking to hire American Citizens that are being laid off from Fidelity Investments and Sun Microsystems. I believe every Citizen deserves to have a certain standard of living where compromise is not an option.
Erick Mann, CEO, GSS

Posted by: Erick Mann | November 15, 2008 1:04 AM
