Information Security Program

Influencing our user community….

by kriggins on May 1, 2008

in Awareness, General

Mike Rothman in his latest Pragmatic CSO Newsletter (I highly recommend subscribing) has a really good post up about our responsibility to ensure that the user community understands why they should be adhering to established policies and not attempting to circumvent controls put in place to protect our organizations.

I left the following comment and now am going to reuse it as a post 🙂


I have been reading the book "Influencer: The Power to Change Anything" which I highly recommend. In it they posit that there are essentially six sources of Influence. They fall into two categories and what I call three strata. The categories are motivation and ability and the strata are personal, social and structural. Where motivation and personal intersect, the source of influence is defined as "Make the Undesirable Desirable."

If the general user community does not desire to adhere to or follow established policies and is actively attempting to circumvent controls, then we have failed to instill in them a desire to be compliant. It is our responsibility to influence them to change that mindset, in other words, to make the undesirable desirable.

So how do we do that? What you suggest exemplifies what the authors of the book have discovered. People are much more likely to embrace ideas when they have been shown the consequences of ignoring those ideas in a very personal and impactful way. I'm not saying that we should all use the specific scenario you suggest, although it would certainly bring home the message :), but we do need to find ways to instill awareness into our user communities that are much more personal than "read this policy and sign this paper."

Kevin Riggins


Information Security Program…..huh…what?

by kriggins on April 17, 2008

in General


The CEO walks into your office/cube/dark cave. He has one of those looks on his face that does not bode well for you. He pauses, takes a breath, looks you straight in the eye and says, "We need an Information Security Program."

You reply, "An Information Security Pro....what?"

He says again, "We need an Information Security Program thingy. All my CEO buddies have one. We need one. Figure it out. Get on it!" and leaves. No explanation of what this thing called an Information Security Program is and no guidance as to what he expects from you.

After fighting off those panicky feelings that threaten to make you run about screaming and shouting, you fire up your friend Google and get to work trying to figure out what an Information Security Program is.

One good thing

This scenario may seem quite far-fetched to you. Unfortunately, it probably isn't. On the good side, the CEO wants it, or at least thinks he does. On the bad side, he doesn't appear to have any idea what he is asking for, and frankly neither do you.

What is an Information Security Program?

So you start searching away and come up with things like the NIST Information Security Handbook: A Guide for Managers and the paper Information Security Program Development by Bruce C. Gabrielson, PhD, both of which are great resources. However, as I was looking about, I came across the University of Iowa's page that describes their Information Security plan. I really like what they call the Objective as a good general definition:

This program is a collection of policy statements, an architecture model, and a description of the approach taken at the University of Iowa for information security. Together, they describe administrative, operational, and technical security safeguards that must be implemented for systems that create, maintain, house, or otherwise use confidential or sensitive information.

The objective is to provide Business Value:

  • Applications delivered to more individuals, more timely, with better/definitive data
  • Broader deployment of services and data increases both the value and the risk
  • Information security is crucial to this environment
  • There are many layers of security involved, each managed in concert with the rest to provide “Defense in Depth”:
    1. Physical access to systems
    2. Server or host controls
    3. Client or workstation controls
    4. Data access controls (confidentiality)
    5. Policy & Procedures
    6. Network controls
    7. Employee practices

Management is responsible for taking the necessary steps to identify internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of institutional data. Risks may include, but are not limited to:

  • Unauthorized access to confidential information
  • Compromised system security as a result of access by an intruder
  • Interception of data on the network
  • Physical loss of data center or computer equipment
  • Errors or corruption introduced into systems
  • Inadequate system administration practices

Responsibility for managing the Enterprise Information Security Program is described in Roles and Responsibilities for Information Security. This document will be reviewed and updated on an annual basis by the IT Security Officer. Documentation supporting compliance with regulatory controls (e.g., memoranda received from service providers attesting to their security safeguards) will be maintained by the IT Security Office.

Great. Now what?

Okay. So you are saying to yourself, "That looks hard." It is hard, but also necessary. We will be looking at some of the challenges in the future and some ways that we can overcome them.

Your thoughts

I am really interested in your thoughts on this definition. Please leave them in the comments.

Kevin Riggins