Security Manager's Journal: Security training on the cheap
With no budget, our manager has to devise a security awareness and training program on his own.
Our manager seeks a way to protect information on a network whose perimeter is blurring in the age of SaaS.
A flood of mobile devices into the enterprise is exhausting available licenses for mobile-device security. But there are great options available today that didn't exist two years ago.
In my last column, I talked about how time-consuming SOX compliance is for companies like mine. Unfortunately, it's about to get worse.
Today is the last day of the quarter in my company's financial calendar, and that means it's SOX time. I'm wrapping up four quarterly Sarbanes-Oxley Act controls that have to be completed by the end of the day -- reviewing security settings on our financial servers, reviewing the activities of system administrators on those servers, checking for inactive accounts that haven't been logged into in over 90 days, and checking the vulnerability report. SOX activities are remarkably time-consuming.
What do you do when your company's executives insist on special treatment that violates your security policy? This week, I ran into this problem.
I've always wanted to be responsible for physical security. I never understood why the security of computers, networks and data is managed by a different department than the security of doors, windows and cameras. The same principles apply in both worlds. And let's face it: Physical security is actually run on computers. So I think it's perfectly natural for information security to own it.
The end of the year was busy for me and my team. Already swamped with Sarbanes-Oxley audit activities and end-of-year project deadlines, even more security work came our way after a new round of layoffs.
Cadillac or Kia? How much security is enough, and how much is too much? Can you even have too much security?
With only a skeleton crew, and no budget for consultants, I've been borrowing IT staff from other departments to get things done. That's been helpful, but none of them has the specific skills to analyze complex firewall and NAT rules.
Last Friday, as I was tying up loose ends at the office, preparing to wind down in anticipation of the weekend, I made a terrifying discovery.
If you've been watching the stock market this month, you know that, economically speaking, things are going the wrong way. We seemed to be in a period of economic recovery, but now, whatever recovery we might have been having seems to have fallen right through, like piping-hot coffee melting the bottom of a cheap cup. Whether or not you consider stock market activity as a representation of the overall economy, I can tell you that my company seems to be falling on hard times as well.
Can you believe it? As I sat down this morning to write this column, I got hit by a drive-by download of FakeAV.
This week I found out that my company is developing software in-house. Until now I hadn't known that we were a software development shop, but I guess I shouldn't be surprised. Most companies that I've been with have developed their own software for one purpose or another. I only learned about this software development project when one of the programmers approached me to ask about the best way to store usernames and passwords in the application's database. Yes, that's right -- they built the authentication right inside the application, instead of calling out to an external authentication source.
I was on the road last week, attending the RSA security conference in San Francisco, which is a great place to run into colleagues. Afterwards, I visited Disneyland, which, despite being in the same state, is surprisingly far away. What do these places have in common? Security.