
Posts

Showing posts from September, 2019

Automated External Writable Media Controls | Week 8

Automated controls are a Godsend for Information Security departments. They can be universally applied, tracked, and easily accessible during an audit review. Today I am going to discuss one automated control specifically, and that is our company’s external writable media policy. Per policy, all non-approved writable media is prohibited from being read by any company device. This policy extends to servers too. Gone are the days when employees could put thumb drives or the occasional SD card into any laptop and transfer files. In recent times, with the transition to Office 365 and cloud storage, such a policy is easily forgotten. Five years ago, however, when the policy was put into place, it was a radical change that generated a lot of push back from our employees. Here’s how it works: our antivirus software, which is installed and configured on the base image of every laptop and desktop we use, has a rule applied to it. When a writable device is detected...
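The post describes the control as an antivirus rule, and the rest of the mechanism is cut off in this preview. As an added example (not the company's configuration, and not the antivirus rule the post refers to), the following PowerShell builds the equivalent control from Windows' own Device Installation Restrictions policy: deny installation of all removable devices, then allowlist the hardware IDs of approved drives, and audit a machine for any removable disk that is present but not on the allowlist. The two hardware IDs in the allowlist are placeholders; the registry paths and value names are the ones the corresponding Group Policy settings write.

```powershell
# Added example: "no unapproved writable media" via Device Installation Restrictions.
# Not the post's own configuration; the approved hardware IDs below are placeholders.
#Requires -RunAsAdministrator

# Registry location written by the "Device Installation Restrictions" Group Policy settings.
$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Hypothetical allowlist of approved encrypted drives. Entries must be hardware IDs
# (or compatible IDs) as reported by the device, not instance IDs with serial numbers.
$ApprovedDeviceIds = @(
    'USBSTOR\DiskExampleVendorSecureDrive____1.00',
    'USBSTOR\DiskExampleVendorSecureDrive____2.00'
)

function Set-RemovableMediaPolicy {
    # "Prevent installation of removable devices": blocks driver installation for any
    # device whose driver reports it as removable (USB mass storage included).
    New-Item -Path $Restrictions -Force | Out-Null
    New-ItemProperty -Path $Restrictions -Name 'DenyRemovableDevices' -Value 1 `
        -PropertyType DWord -Force | Out-Null

    # "Allow installation of devices that match any of these device IDs": this setting
    # takes precedence over the deny above, so only allowlisted drives get installed.
    New-ItemProperty -Path $Restrictions -Name 'AllowDeviceIDs' -Value 1 `
        -PropertyType DWord -Force | Out-Null
    $listKey = Join-Path $Restrictions 'AllowDeviceIDs'
    New-Item -Path $listKey -Force | Out-Null
    $i = 1
    foreach ($id in $ApprovedDeviceIds) {
        # The policy stores the list as REG_SZ values named 1, 2, 3, ...
        New-ItemProperty -Path $listKey -Name $i -Value $id -PropertyType String -Force | Out-Null
        $i++
    }
}

function Test-RemovableMediaPolicy {
    # Audit check for the policy itself: true only if the deny and the allowlist are both set.
    $p = Get-ItemProperty -Path $Restrictions -ErrorAction SilentlyContinue
    if (-not $p) { return $false }
    if ($p.DenyRemovableDevices -ne 1 -or $p.AllowDeviceIDs -ne 1) { return $false }
    return (Test-Path (Join-Path $Restrictions 'AllowDeviceIDs'))
}

function Get-UnapprovedRemovableDisks {
    # Audit check for the machine: every USB disk currently present whose hardware IDs
    # are not on the allowlist. A non-empty result means the control is not effective here
    # (for example, a drive installed before the policy was applied).
    Get-PnpDevice -Class DiskDrive -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $hwids = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                -KeyName 'DEVPKEY_Device_HardwareIds').Data
            $approved = @($hwids | Where-Object { $ApprovedDeviceIds -contains $_ }).Count -gt 0
            if (-not $approved) {
                [pscustomobject]@{
                    Device      = $_.FriendlyName
                    Status      = $_.Status
                    HardwareIds = ($hwids -join ';')
                }
            }
        }
}

# Usage on a test machine:
Set-RemovableMediaPolicy
Test-RemovableMediaPolicy          # expected: True
Get-UnapprovedRemovableDisks       # expected: nothing, once unapproved drives are removed
```

Two caveats a practitioner should check before trusting this. First, writing the keys locally mirrors what the Group Policy templates write, but on a domain-joined machine the policy should be deployed through Group Policy so a refresh does not revert it. Second, installation restrictions govern driver installation, so a drive that was already installed before the policy applied may keep working until its device instance is removed; verify on a lab VM rather than assuming. Because a device that is denied installation cannot be read or written, this matches the policy's "prohibited from being read" wording rather than a write-only restriction.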

Updating Policy with Technology to Stay Competitive | Week 7

Without a proper policy review process in place, companies can find themselves at a serious competitive disadvantage in the marketplace. In this post I will review how failing to review and retire or update outdated policies can stifle innovation and slow productivity. I will focus mainly on one example that I’m certain many companies are behind the eight ball on, and that is the move to the cloud. The year is 2002. After a few years spent getting established, building a modest customer base, and looking to build out the technology infrastructure in their new office space, one of the founders decided it would be neat to name the company network drive after a cartoon character. Flash forward to 2019, and the year-long process of retiring the “Tweety” network drive is nearing its conclusion. For nearly 20 years, thousands of employees who have come and gone through the doors found themselves using the term “Tweety” in everyday context....

Security Awareness Tactics | Week 6

Security awareness is a critical aspect of any information security department. This often involves training, video modules, posters, email announcements, and various other communications. Unfortunately, all this effort often falls on deaf ears. Employees represent the largest potential risk to a company from an information security standpoint; however, it has been my experience that all the training in the world cannot make people disrupt their daily routine and make security a priority. There is one technique that I have seen work, however. Something that has always gotten people engaged, more recently upset, but always talking about information security. This technique involves sending fake spam emails from our Information Security Department to our end-users, and I would like to share how this process has evolved over the years. Our InfoSec department has been using this technique for years now. They first starte...

A Test of Physical Security - A Real World Example | Week 5

I would like to build off last week’s post by sharing a real-world example of how, no matter how many security controls you have in place, employee engagement and adherence to policy will inevitably determine their effectiveness. The organization I work for has two separate departments, one for data security (think workstations, servers, etc.) and the other for physical security (think door/badge access, security cameras, etc.). Both departments are completely separated from each other and operate in their own silos. One day the security operations center that manages the physical security of our buildings decided to run a penetration test. They hired an outside contractor, gave him a “lost employee badge” with basic access, and told him to see what he could gain access to in a day before getting caught. So off this contractor went, wearing a badge without his picture on it, with no knowledge of the key combination to use with the badge, but simply followin...

Physical Security: the People and Process | Week 4

Sometimes it's easy to dive deep into an IT department and get carried away with security regarding servers, ACLs, firewalls, antivirus programs, monitoring software, and all that technical jazz. There is another aspect to information security, however, that gets easily overlooked, and that is physical security: monitoring the people who make up an organization. From employees to vendors, from contractors to outside sales reps, any organization with physical office space or even physical server space needs to have detailed insight into who is accessing what, and when. Technology and automated controls still play a big part in the physical security of people and data, and many organizations have combined the two aspects into one department. It’s been my experience, however, that the two aspects of information security have stayed relatively separate in the organizations I have worked for. One project I worked on a couple of years ago was to build out ...

Governance and InfoSec - Balancing CIA Triad and Change | Week 3

“The only thing that is constant is change.” (Heraclitus). As anyone who works in IT will tell you, this statement is especially true regarding technology. In a discipline where technology, processes, procedures, standards, and best practices change so frequently, it is important that organizations can adapt and evolve. Only organizations with proper change governance controls are properly equipped to adapt, however, and only those who can identify the correct stakeholders for such governance can adapt successfully. Every week I sit on a change control governance meeting. The purpose of these meetings is to suggest needed changes within the technical infrastructure that may be business critical. To ensure no unintended issues arise from such changes, we gather subject matter experts (SMEs) from various departments to review each request and raise potential concerns. The criteria for changes are a relatively low threshold: Can the need for it be ...