What's On The Horizon

Along with Kees Leune, the ISO at Adelphi University, I will be presenting, "When To Declare An Information Security Incident and How To Respond Once You Do" at the EDUCAUSE Security Professionals Conference April 15-17 in St. Louis. Details can be found here:

My most recent contributions to the information security community are presentations on the philosophy of security and on information security incident response at the Idaho Fraud & High Tech Investigation Conference, November 2012.

Thursday, August 26, 2010

Policy & Auditors

We just got dinged by internal audit for not having an anti-virus and patch management policy. Both issues are spoken to in another policy, entitled "Information Privacy and Security," but the auditor has a point. Our A-V and patch management posture isn't very well publicized. I'm working on reviewing all of our IT and Information Security policies--you can't say I don't know how to have a good time--and there is some work to do. I believe policy should be concise with implementation details worked out in separate "procedures" or "standards" documents (our policy structure is not designed like that). That way, we can all agree on a philosophical vision of how IT and InfoSec should function in our organization. Then the nuts & bolts get tweaked by flexible, ever-changing procedures and standards which are reviewed and updated by the people closest to them.

Here is an example of the A-V and patch management policy I am thinking of proposing--in the form of a haiku!

Malware harms data.
Deploy updates. Be timely!
Please get protected.

1 comment:

  1. This comment has been removed by a blog administrator.