a blog about technology management
Currently Browsing: Security

secure360 conference

lanyard I’ve finished the mid-May 2-day secure360 conference here in St. Paul. It was generally quite good even though it was very corporate-focused. Security is security no matter what you’re protecting. But first off I got my lanyard! That’s a Marvel’s Agents of S.H.I.E.L.D. reference for those not familiar.

The best session was the first one I attended – Users: your first line of defense (click for Slideshare) which had many immediately useful tips.  Taking cues from social psychology, Ari Elias-Bachrach focused on methods for influencing people for making effective training.  Some tips include

  • Use positive advice: rather than tell someone “don’t run in the house” instead say “we walk in the house.”  Frame things not as “don’t do” but instead “how to do” the right thing.  And be sure to tell people what they should be doing.  So instead of “don’t use weak passwords” frame it as “you should use strong passwords and here’s how to do that.”
  • Use real images in your presentations, not the usual clip art.  Take this masked man at computer
    Users are never going to encounter a man in a ski mask on a laptop.  Instead use a picture of a real phishing email.
  • Use language appropriate to the audience and not technical security terms.  He mentioned using the general term virus rather than the technically accurate term of malware.  This spawned a good discussion.  The idea being, use a term that is commonly known.  Malware was agreed to be almost common but virus was more strongly common.  I am torn between being accurate vs. understandable in this case.
  • Try making trainings about home or personal computing but all the concepts apply to the office.  For example, hold an optional brownbag about how to protect your kids on the internet or how to protect your computer at home from hacking.  People will come to those and then all the concepts apply equally at work.

Now, on to the social psychology tips.  Some of those included (more…)

Educause Security Conference 2012

I am recently back from the Educause Security conference 2012 — my first time going to that conference. I should note that I am the security officer for the campus so this was a great opportunity to connect with folks who have been doing this for a long time.

It was quite a good conference and, based on a few discussions with other attendees, one role of the conference is to leave you unsettled due to how many security threats there are.  I mean, there are a lot.  And hearing from large Universities (that have security departments of 3-5 staff) about how they need to manage multiple data breaches of personally identifiable information (PII) leaves one restless at night.  The challenge with large Universities is how distributed information and systems can be.  At a small College with a single central IT department there is more control over the systems housing institutional data (and clear accountability).

REN-ISAC (Research and Education Networking Information Sharing and Analysis Center) kept coming up and it clearly brings much value to its members.  First thing when I’m back in the office, join REN-ISAC.  One product I was very interested in was Cloudlock — enterprise control over your google docs domain.  You can retain docs after someone leaves, retain documents for legal discovery, audit access rights to comply with FERPA, HIPAA, PCI — just pick your abbreviation.  Of course it costs per user so this could offset any licensing savings you might be recouping with moving to google apps but it provides enterprise management tools that would make me rest easier at night.


Exploring PCI-DSS

One of the enjoyable aspects of this blog is using it to gather and process topics I’m involved in at work.  On my front burner right now: PCI-DSS.  One of my colleagues has been working on this mostly and now I’m joining in.

What is it you ask?  I’m sure you’re dying to know.  It’s a set of requirements that anyone who processes credit cards must adhere to so that personal information and card information is protected.  It was started in 2001 by Visa and Mastercard, then called Cardholder Information Security Program (CISP).  It’s since expanded and became PCI-DSS and in 2010 PCI-DSS v 2.0 came out.  One result of PCI-DSS is that receipts only should be showing the last 4 digits of your card number.


Powered by WordPress | Designed by Elegant Themes