Showing posts with label moving forward. Show all posts

Monday, 4 June 2007

The Company Newsletter article

As you will know, I have an issue with awareness in my Company. To that end, I agreed to write a short article for the company newsletter on me and InfoSec in general.

I remembered guidance I received from Rob Newby on keeping things short and sweet so as not to scare off the reader, so the first article is exactly that. I'm going to write some follow-up articles on InfoSec in general and PCI DSS in particular over the next few weeks in order to keep chipping away at the ignorance issue.

I've anonymised it somewhat as the original contained names of the innocent(!!). For now, this is the article, don't get too excited!!!

======================

“Who” and “what”, you may ask. Well, I joined the Company in November 2004 initially as a Project Manager in the Finance department dealing with projects about payment solutions and exciting stuff like that. However, after a while I began badgering my manager and his Boss about “information security”. So much so that they gave me the Information Security Manager job and maybe they thought that would quieten me down a bit.

I have been interested in Information Security throughout my 22-year career, which has mostly been in and around the IT arena. I did a spell in sales (hated that!!) and then got into project management. However, InfoSec has always been a core interest.

What is Information Security all about anyway? Well, the textbook answer is that it is about “ensuring that the confidentiality, integrity and availability of the company’s information assets is maintained”. What that really means is making sure that the company’s information is used in the right way by the right people for the right purpose. And by “right”, I mean whatever the company decides is right. My job is to help the company decide what is “right” and then write the policies to back that up.

The InfoSec programme at [the Company] has yet to get truly off the ground. As is the case with most areas of the company, there is always something else more important, more urgent etc. etc. Currently, my focus is on the PCI DSS Compliance project which [the Project Manager] explains later in this newsletter.

======================

Friday, 1 June 2007

Spreading the word

Well, I’ve written the article for the company newsletter about me and what I do. I’ve kept it short and sweet on purpose so as not to:

a) bore people stupid
b) use up all my material at once

I intend to do further articles to elaborate on “what InfoSec is” and “how it works within the company”. That last item should be a short sentence!!!

My PCI DSS Project Manager has produced another article for the newsletter about the PCI DSS Project itself. At three A4 pages (!) I think it’s too much and will suffer from the “TLDR” (Too Long Didn’t Read (thanks Rob !!)) issue for a lot of people but he is adamant that as it contains a lot of pictures people will read it. I am happy for this to go forward as I want to gauge the response to this kind of approach for future “awareness” items.

Also on the awareness front, I’m finishing off a document aimed at the IT bods which summarises the PCI DSS Audit Procedures document into sections related to areas of functionality within the IT arena. (When I'm completely happy with it I might post it over on PCI Answers if it's considered of use.) I’ve done this because:

a) To make it easier for people to appreciate the depth and density of the requirements
b) The IT function reckon we’ve “just thrown PCI at them and said get on with it”

"b)" isn't true, of course, but rather than have an argument about it, I've decided to remove the argument completely by giving them what they want, information, or rather, more information.

The danger with this approach, which we will have to guard against, is that they will read this document and not all the relevant PCI DSS documentation. It’s up to the project team to ensure that the people concerned appreciate that this is meant as an “addition to” rather than the “gospel” to live by.

We're going to present the document to the relevant IT bods together with a (or rather, "another") summary of the PCI DSS project. Thereafter, individual areas of responsibility will be reviewed with the specific people to make sure they have understood the requirements, and for us to obtain feedback, questions etc.

It's leg work but necessary to get them on side. Hopefully then, we should be able to make progress.

Thursday, 31 May 2007

Maybe some progress at last.....

Well, well.... Maybe we’re getting somewhere. If you’ve read my previous posts you’ll know that there isn’t much support at my company for InfoSec in general, let alone any specific requirements, and I’ve been trying to find alternative ways of educating people. It looks like some of it has struck home.

The HR bod in charge of the company’s weekly newsletter has asked me to write a piece on “that InfoSec stuff you keep going on about” for the newsletter. I’ve agreed (obviously) and have said I’ll do a personal profile as well. Most of the directors have written profiles in the last few weeks so I’m jumping on that bandwagon!!!

Next, the company recently employed a Service Delivery Manager (SDM) to work within the IT department. This was a major step in the right direction as far as I was concerned as, under the previous IT Director, there was no understanding of “service” at all. In the past, the IT department appeared to have an attitude of “we’re allowing you to work” rather than “we’re enabling you to work”. The SDM has been making quite a number of good changes, not least of which was the identification (after a little prompting from me) that our corporate data had no owners. Network directories and folders were used and abused by anyone and everyone. People were added to email distribution lists and given access to “restricted” folders etc. etc. without any sort of authorisation process.

So, the SDM has kicked off a process to review the way access permissions are requested, authorised and granted and has invited me and the Support Manager to a meeting to discuss it.

This is progress. Hurrahh!!

I just wonder why people have accepted his statements that such measures are necessary but rejected my previous statements along the same lines. I’m not going to complain about it; it just interests me why there is a difference in response.

I suspect it’s a question of him being on the “inside” of IT and me being on the “outside”. If that’s the case, I just have to find other “insiders” to educate with a view to them raising issues for me, without them realising it, of course.

Tuesday, 8 May 2007

Why, oh why, oh wireless…..

OK, so enough of bleating about how bad things are, on to some more topical issues.

This news item on Security Focus amused me. Basically, if true, it appears that a wireless network secured with WEP only encryption was the access channel for the TJX hackers.

The thing is, I have had a discussion with people here about wireless and the levels of protection used and, suffice it to say, I think they could be improved. The arguments against it have ranged from “it’s good enough as it is” and “we haven’t got enough resources to change it” through to “well, even if they crack the code they can’t do anything anyway”.

From my previous posts, you will see a theme developing here.

OK, so, how do I use the TJX case to convince the naysayers that improvements are necessary? Well, in the past I would have sent the link with a summary and expected them to understand. That doesn’t work.

So, after a few more days to allow for any further information to come out on this particular aspect, I will send the link, but with a far more descriptive summary, and also liken it to our own situation. I will also then schedule a meeting with the relevant parties to discuss it.

I also need to have my arguments ready for the “yes but if they get in, they still can’t log on” response which will inevitably come.

As I said, it’s hard to work at this level where absolutely everything needs to be explained, but if it’s necessary to make progress, so be it.

I'll let you know how it goes.