Archive - November 2000

Vulnerability at the Highest Level: Corporate Boards

Eric Vanderburg

Imagine a boardroom a generation ago.  Smoke fills the air and sidebar discussions thrive while the board members wait for the presentation to begin.  Manila packets filled with research, financials and other sensitive information are distributed around the table.  The meeting progresses; a decision might be made, and afterwards the packets would be collected in their entirety and destroyed lest they end up falling into the wrong hands, compromising company research or spilling sensitive secrets.

So what happens today, when technology is so prevalent?  In a recent study conducted in August-September 2011, Thomson Reuters surveyed general counsel and corporate secretaries to understand how company information is secured when provided to corporate board members.  The survey, titled “Better board governance: Communication, security and technology in a global landscape of change,” looked at a global cross section of companies from a variety of industries.  These companies ranged in size from under $500 million to over $10 billion.  The results indicated a lack of secure procedures for corporate board information management.

Teaching Users to Spot Malicious Programs

Eric Vanderburg

We have worked hard to educate users on the need for computer hygiene: using anti-spyware, multiple browsers, data backups, and antivirus programs. Unfortunately, users are getting fooled into installing fake antivirus programs through clever pop-ups that play on the fear users have of viruses. These programs install themselves and trick users into paying for bogus services, or they gather private information on user activities and send it off to spammers and thieves.

Achieving High Availability with Change Management

Eric Vanderburg

Change management is a key information security component of maintaining high availability systems. Change management involves requesting, approving, validating, and logging changes to systems. This process can bring significant benefits to an organization. Namely, it can strengthen the organization's decision-making ability by training personnel to think through and evaluate changes before they are made, and it provides a knowledge base of past changes and the lessons learned from them.

The Essential Link between Awareness and Security Policies

Eric Vanderburg

Information security policies and security awareness go hand in hand. Frankly, a policy is worthless if it sits on someone’s desk. Information security policies find value when they are understood, adhered to, and enforced. In order to do this, employees must be made aware of the policy, the policy’s reason for being, and how it impacts them.

This article outlines the problem of enacting security policies without associated awareness programs. It also cites recent research on harmful user activities that could be mitigated through implementing awareness training following policy enactment.

Developing a Virtualization Security Policy

Eric Vanderburg

Since many organizations are rapidly virtualizing servers and even desktops, there needs to be direction and guidance from top management with regard to information security. Organizations will need to develop a virtualization security policy that establishes the requirements for securely deploying, migrating, administering, and retiring virtual machines. In this way, a proper information security framework can be followed in implementing a secure environment for hosts, virtual machines, and virtual management tools. This article is part two of a series on virtualization. The previous article was titled “Critical security considerations for server virtualization.”
