Information Security 101 (#sec101)

Coincidently, this is a theme common to some of my previous posts. I believe it is a sign of the times – that as we continue to experience data breaches we find fundamental control failures are behind many of them, which is what prompted me to write my previous posts.

October is ‘Cyber Security Awareness Month’ over at the SANS ISC diary page.

Tom Liston has put together a post highlighting the concern mentioned above, and then in social networking style opened up the floor to the Twitter universe to see what we thought were some of the fundamental security basics the community (in general) needs a reminder about.

It’s a great little summary with real life context that is definitely worth a read. The post is at:

http://isc.sans.edu/diary/Security+101+Security+Basics+in+140+Characters+Or+Less/11725

Three suggestions I put forward (admittedly I was a little late for 2 of them), speak to where my thoughts and concerns are:

1. Writing a Policy & not implementing/monitoring doesnt constitute a control. Thats like buying the firewall and leaving it in the box

2. As pessimistic as it sounds, ‘TRUST’ is not a reliable information security model

3. Security teams that work in isolation and without transparency will fail. Collaborate with other risk mgmt – audit, ops risk, etc

There are plenty of great contributions on the site. Putting forward suggestions was a great excerise as it forces you to think in (very) succinct terms of key controls and basic security principles.

This content should be part of a training programme somewhere…