Spreading the word
Well, I’ve written the article for the company newsletter about me and what I do. I’ve kept it short and sweet on purpose so as not to:
a) bore people stupid
b) use up all my material at once
I intend to do further articles to elaborate on “what InfoSec is” and “how it works within the company”. That last item should be a short sentence!!!
My PCI DSS Project Manager has produced another article for the newsletter about the PCI DSS Project itself. At three A4 pages (!) I think it’s too much and will suffer from the “TLDR” (Too Long Didn’t Read (thanks Rob !!)) issue for a lot of people but he is adamant that as it contains a lot of pictures people will read it. I am happy for this to go forward as I want to gauge the response to this kind of approach for future “awareness” items.
Also on the awareness front, I’m finishing off a document aimed at the IT bods which summarises the PCI DSS Audit Procedures document into sections related to areas of functionality within the IT arena. (When I'm completely happy with it I might post it over on PCI Answers if it's considered of use.) I’ve done this for two reasons:
a) to make it easier for people to appreciate the depth and density of the requirements
b) the IT function reckon we’ve “just thrown PCI at them and said get on with it”
"b)" isn't true, of course, but rather than have an argument about it, I've decided to remove the argument completely by giving them what they want, information, or rather, more information.
The danger with this approach, which we will have to guard against, is that they will read this document and not the relevant PCI DSS documentation itself. It’s up to the project team to ensure that the people concerned appreciate that this is meant as an “addition to” rather than the “gospel” to live by.
We're going to present the document to the relevant IT bods together with a (or rather, "another") summary of the PCI DSS project. Thereafter, individual areas of responsibility will be reviewed with the specific people to make sure they have understood the requirements, and for us to obtain feedback, questions etc.
It's leg work but necessary to get them on side. Hopefully then, we should be able to make progress.