Subject: [ISN] Staff 'need reasons' to believe in security
Date: Thu, 13 Oct 2005 23:14:05 -0500 (CDT)
http://www.zdnet.com.au/news/security/soa/Staff_need_reasons_to_believe_in_security/0,2000061744,39217156,00.htm

By Tom Espiner
ZDNet UK
14 October 2005 

Companies must ensure that their staff understand the reasons behind
security policies and support them, rather than just dictating them
from on high, a government consultant said at Secure London 2005 on
Tuesday.

Paul Hansford, CLAS consultant for GCHQ and senior consultant at
Insight Consulting, said that many security procedures fail because
staff don't understand what their company is trying to do.

"It is not enough to get staff to literally 'sign up' to procedures --
they must fully appreciate their purpose," he said.

He recalled an apocryphal story illustrating the point: "A colleague
went into a government agency and at one cluster of desks saw a line
of 'bobbing bird' toys. The system locked out the user if they didn't
touch the keyboard for a certain length of time, and required them to
re-input their password. The 'bobbing birds' were lined up next to
everyone's computer so that they would tap the 'enter' key every 30
seconds."

The underlying beliefs of staff can be at odds with security policy,
he said. "People tend to have a 'What's in it for me?' attitude. For
example, some people may feel that it's fine to share passwords if it
makes the business tick over, their attitude being that business is
more important than security," Hansford said.

"Companies need to assess people's security training needs, which
includes having to elicit how security 'aware' they are," he said.  
"Awareness is not just about education and training, but is also an
appreciation of, and a motivation to support, an issue."

An IBM security expert emphasised the need to monitor personnel to
maintain security levels.

"Personnel security is not just about initially screening and vetting
employees, but it's also about monitoring the guy who might have
personal problems," said Julian Lander, IT security programme manager
with IBM. "If their work performance isn't right, they may be involved
in drug or alcohol abuse, or if they have an overelaborate lifestyle
-- which I've seen in the past -- that can indicate possible security
problems."

Lander argued that security procedures need to recognise the human
factor. "Security is about people. Speaking generally, the way to
address the problem is by coaching, mentoring or counselling -- all
the soft skills that HR has. You have to work with HR to maintain a
successful security policy," Lander said.

According to Hansford, security standards become harder to maintain as
more staff work remotely, noting that more than half of all UK
businesses currently allow staff remote access.

"As more staff work remotely, physical security is difficult to
achieve. At the end of the day (employers and security professionals)  
won't be there, so procedural security needs to be got right," he
said.




_________________________________________
InfoSec News v2.0 - Coming Soon! 
http://www.infosecnews.org 
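The idle lock-out in Hansford's anecdote resets on any keystroke, so a toy that taps Enter on a fixed cadence keeps the session open indefinitely. One way to spot that pattern in endpoint input telemetry is to look for a user whose Enter presses are almost perfectly evenly spaced and who types almost nothing else. The following is an added example and is not part of the ZDNet article or the ISN post; the log format (one event per line: ISO timestamp, user, key name), the thresholds, and the sample log lines are all constructed assumptions for illustration.

```python
"""Flag metronomic single-key input that keeps an idle screen lock from
engaging (the 'bobbing bird' pattern from the article).

Added example, not code from the article or the ISN list. The log format
below is an assumption: one event per line, "<ISO timestamp> <user> <key>".
"""
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not taken from any real system).
#  - alice types normally: irregular timing, mixed keys, two Enter presses.
#  - bob presses Enter roughly every 30 seconds and nothing else.
#  - carol presses Enter every 30 seconds but also types other keys
#    (a real user working through a form), so she must not be flagged.
SAMPLE_LOG = """\
2005-10-11T09:00:00 alice KEY_A
2005-10-11T09:00:01 alice KEY_S
2005-10-11T09:00:03 alice KEY_ENTER
2005-10-11T09:00:20 alice KEY_D
2005-10-11T09:01:15 alice KEY_ENTER
2005-10-11T09:02:40 alice KEY_F
2005-10-11T09:00:00 bob KEY_ENTER
2005-10-11T09:00:30 bob KEY_ENTER
2005-10-11T09:01:00 bob KEY_ENTER
2005-10-11T09:01:31 bob KEY_ENTER
2005-10-11T09:02:01 bob KEY_ENTER
2005-10-11T09:02:30 bob KEY_ENTER
2005-10-11T09:03:00 bob KEY_ENTER
2005-10-11T09:00:00 carol KEY_ENTER
2005-10-11T09:00:05 carol KEY_Q
2005-10-11T09:00:30 carol KEY_ENTER
2005-10-11T09:01:00 carol KEY_ENTER
2005-10-11T09:01:10 carol KEY_W
2005-10-11T09:01:30 carol KEY_ENTER
2005-10-11T09:02:00 carol KEY_ENTER
2005-10-11T09:02:20 carol KEY_E
2005-10-11T09:02:30 carol KEY_ENTER
2005-10-11T09:03:00 carol KEY_ENTER
"""


def parse_events(text):
    """Parse the assumed log format into (timestamp, user, key) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, key = line.split()
        events.append((datetime.fromisoformat(ts), user, key))
    return events


def find_metronomic_users(events, key="KEY_ENTER", min_events=6,
                          max_cv=0.05, other_key_ratio=0.2):
    """Return {user: mean gap in seconds} for users whose presses of `key`
    are nearly evenly spaced (coefficient of variation <= max_cv) and who
    press few other keys relative to that one. Thresholds are assumptions."""
    by_user = {}
    for ts, user, k in events:
        by_user.setdefault(user, []).append((ts, k))

    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        target = [ts for ts, k in evs if k == key]
        others = [ts for ts, k in evs if k != key]
        if len(target) < min_events:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(target, target[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg  # 0.0 means perfectly regular
        if cv <= max_cv and len(others) <= other_key_ratio * len(target):
            flagged[user] = avg
    return flagged


if __name__ == "__main__":
    for user, gap in find_metronomic_users(parse_events(SAMPLE_LOG)).items():
        print(f"{user}: Enter every {gap:.1f}s with almost no other input")
```

The ratio check matters as much as the regularity check: a user filling in a form can hit Enter on a steady rhythm, but they also type between presses, whereas a device parked on the keyboard produces the one key and nothing else. The right fix is still procedural (explain why the lock exists and set the timeout to something people can live with), but a detection like this tells you where that conversation needs to happen.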