The road-map development process that comes after an audit or assessment can be daunting. I recently was asked to put together: “Seamus-sourced reccys on external resources for post-audit work that helps with prioritization and organization of actions, and if it has anything extra for low-resourced orgs or orgs in crisis, so much the better.”
Below is a Sunday morning link scrape from my personal notes. This does not cover personal security or inter-group/collaboration security practices. These are only resources relevant in some way to organizational road-map development for small organizations.
I did not choose resources for this list based upon their quality. In fact, I find some of these painfully simplistic and many of them are outdated. Even the worst of them provide a glimpse at a framework that was used to prioritize risks and then build a plan for implementation.
Many of the resources below have been helpful to me in my process of building my thoughts on road-map development for small organizations. Some because they were high-quality, others because they had interesting perspectives, others simply because they gave me new terms to use in online searches. I offer them here so that others can build their own opinions.
- Security-Awareness Culture
- Organizational Security Mitigation Guidance and Checklists
- Security Process Guidance
- Feeds, Lists, and Places to Learn
Road-map development is primarily a process where you compare your prioritized list of risks against the capacity of the organization to implement change. You are working with the organization to build a path forward that will contribute to their ability to continue to develop greater security. It is as much about developing a culture of security as it is about fixing the specific problems.
Building an Information Technology Security Awareness and Training Program (NIST SP 800-50)
NIST Special Publication 800-50, Building An Information Technology Security Awareness and Training Program, provides guidance for building an effective information technology (IT) security program and supports requirements specified in the Federal Information Security Management Act (FISMA) of 2002 and the Office of Management and Budget (OMB) Circular A-130, Appendix III. A strong IT security program cannot be put in place without significant attention given to training agency IT users on security policy, procedures, and techniques, as well as the various management, operational, and technical controls necessary and available to secure IT resources. In addition, those in the agency who manage the IT infrastructure need to have the necessary skills to carry out their assigned duties effectively. Failure to give attention to the area of security training puts an enterprise at great risk because security of agency resources is as much a human issue as it is a technology issue.
Computer Security Education: The Tool for Today
Security education, for a long time, has been seen as a thing reserved for security professionals. The Computer Security Act of 1987 put forward for the National Institute of Standards and Technology to create standards and guides for security awareness and training. This act was the first of a string of legislation that would place mandates around security education for non-security professionals. This trend illustrated newfound awareness in the community and in the world around computer security.
Cybersecurity Awareness Campaign Toolkit
This toolkit is designed to provide governments or organizations guidance and resources for developing a cybersecurity awareness campaign.
Developing a Security-Awareness Culture - Improving Security Decision Making
CIOs, managers and staff are faced with ever increasing levels of complexity in managing the security of their organizations and in preventing attacks that are increasingly sophisticated. As individuals we are subjected to enormous amounts of information across broad ranges of subjects, including security policies; new technologies, patches and threats; and, new sources of information. As the environment continues to become more dynamic the process of making good security decisions is becoming more and more challenging…
Making Security Awareness Efforts Work for You
The value of information security awareness education cannot be overestimated. As institutions of higher education, every college has the responsibility to educate its constituents on the importance of information security, thus enabling its faculty, staff and students to effectively participate in and contribute to our increasingly digital world. In addition, protecting a campus’ information assets requires taking responsibility for the education of our users.
Security Awareness Learning Tactics
This manual uses a guideline to create and manage an improved security culture and change behaviors in people to be more security minded. This guide points out optimal changes; however, it does not express precisely how to make these changes. In some cases, specific examples may be used for clarity; however, examples should not be seen as required methods or narratives to be used. This leaves the execution of these guidelines flexible to the requirements and regulations of the user.
Security Awareness Training and Privacy
An organization’s security policy sets the standard for the way in which critical business information and systems will be protected from both internal and external threats. Security policy must adapt to changing needs within the organization. Personnel responsible for creating and maintaining the security policy must learn to recognize changes in technology that impact security and how those changes impact the organization and the people who work for the organization. A key concern in today’s society is the privacy of…
Security Awareness: Help the Users Understand
Part of any security policy should be an accompanying security awareness program. There are many different ways to offer this type of program, including workshops. “Holding a workshop is an excellent way to provide interaction and a personal touch to your awareness program.” The purpose of this paper is to give you a guideline that you can use to put on a basic security awareness workshop. It can probably be done at a lunch hour, or two, and should be adapted to fit you…
The Human and Organisational Issues associated with network security
The report reviews some of the possible methods for raising security awareness. In particular awareness raising training sessions and a list of ‘ten personal action points’ are presented in some detail. The purpose of the study was to examine user behaviour and attitudes to computers and computer security with a view to discovering how far these were congruent with good and safe practice. The study looked at users’ sense of responsibility and what they saw as the greatest and most likely threats, their attitudes to viruses, policies, backups and passwords. The study also encompassed some enquiry into attitudes to plagiarism, and software piracy.
The Ultimate Defense of Depth: Security Awareness
Implementing Successful Security Awareness in Your Company
Implementing a successful Security Awareness Program at your company may seem like an impossible task. However, with the proper executive support, appropriate planning and an organized approach, the message of “I can make a difference to my company’s security” will ring loud and clear to your employees. By including the human factor in your security infrastructure via an effective Security Awareness Program, you will be implementing the ultimate defense of dep
Using Influence Strategies to Improve Security Awareness Programs
Even companies with extensive, well-funded security awareness programs fall victim to attacks involving phishing, weak passwords and SQL injection, presumably the primary targets of user education. Either their users don’t have the skills to avoid these pitfalls, or they lack the motivation to apply those skills. Psychologists and other social scientists have studied the roots of effective behavioral change and have solutions to offer. By exploring personal, social and environmental sources of motivation and abili..
Organizational Security Mitigation Guidance and Checklists
Existing guidance and checklists provide a decent baseline that you can use to check your prioritization of things to address. Many are focused on larger organizations and governments, so be mindful of the capacity required to carry out the recommended mitigations when you are reading them.
Argentina: Preparing for a Security Violation
Argentina has recently been in the news, from spectacular court rulings to famous hackers. If there is very little justice, what can a small or medium-size company do for the eventuality of a computer crime? Regardless of whether a company is Argentine or an international organization with an Argentine presence, this paper addresses the fundamental need to understand the legal situation in Argentina, preparing the once-unprotected network, and knowing how to respond to a security violation.
Australian Signals Directorate’s (ASD) Strategies to Mitigate Targeted Cyber Intrusions
At least 85% of the targeted cyber intrusions that the Australian Signals Directorate (ASD) responds to could be prevented by following the Top 4 mitigation strategies listed in our Strategies to Mitigate Targeted Cyber Intrusions:
- use application whitelisting to help prevent malicious software and unapproved programs from running
- patch applications such as Java, PDF viewers, Flash, web browsers and Microsoft Office
- patch operating system vulnerabilities
- restrict administrative privileges to operating systems and applications based on user duties.
The Strategies to Mitigate Targeted Cyber Intrusions are ranked in order of overall effectiveness. Rankings are based on ASD’s analysis of reported security incidents and vulnerabilities detected by ASD in testing the security of Australian government networks.
Baseline Organizational Policies and Practices
This is a draft of a resource that came out of envisioning the next iteration of the Responsible Data Forum’s Organizational Security Atomized Plan, and reframing it as a guide towards implementation within a group. In this reframing I have relied heavily on the content of the Organizational Security Atomized Plan itself, Internews’ SAFETAG organizational assessment framework, and other resources listed in the resources section.
Best Practices to Protect You, Your Network, and Your Information
The National Cybersecurity and Communications Integration Center (NCCIC) and its partners responded to a series of data breaches in the public and private sector over the last year, helping organizations through incident response actions, conducting damage assessments, and implementing restoration and mitigation actions. Cybersecurity is a risk management issue. Our experience demonstrates that individuals and organizations may reduce risk when they implement cybersecurity best practices. The following are examples of best practices you should consider implementing today as part of your cybersecurity strategy:
CESG Advice and Guidance
CESG is the National Technical Authority for Information Assurance within the UK.
CESG provides a trusted, expert, independent, research and intelligence-based service on Information Security on behalf of UK government. They have advice and guidance on a variety of topics including:
- Cloud Security Guidance
- A critical appraisal of risk methods and frameworks
- Managing Information Risk
- 10 Steps To Series (Network Security, Monitoring, Malware Prevention, Cyber Security, etc.)
- BYOD Guidance
CESG Obsolete platforms guidance
This guidance is intended to help organisations that are unable to fully migrate away from obsolete or unsupported platforms prior to the ‘end of support’ date by providing short-term mitigation advice. Obsolete platforms will no longer receive security updates from the developer, and will lack many of the security technologies that are present in newer versions of the product (if available). This guidance does not provide a risk-free way of continuing to use these obsolete products, but will help reduce the risks of doing so.
CIS Consensus Security Metrics
Organizations struggle to make cost-effective security investment decisions, in part because information security professionals lack widely accepted, unambiguous metrics for supporting their decisions. To address the need for clear security metrics, CIS established a consensus group of industry experts. The result? A set of Consensus Security Metrics and data set definitions that can be used across organizations to collect and analyze data on security outcomes and process performance.
CIS Security Configuration Benchmarks
The Benchmarks are:
- Recommended technical control rules/values for hardening operating systems, middleware and software applications, and network devices;
- Unique, because the recommendations are defined via consensus among hundreds of security professionals worldwide;
- Downloaded several hundred thousand times per year;
- Distributed free of charge by CIS in .PDF format (many benchmarks are also available to CIS Security Benchmarks Members in XCCDF, a machine-readable XML format for use with benchmark assessment tools and Members’ custom scripts);
- Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices.
Generally Accepted Principles and Practices for Securing Information Technology Systems
As more organizations share information electronically, a common understanding of what is needed and expected in securing information technology (IT) resources is required. This document provides a baseline that organizations can use to establish and review their IT security programs. The document gives a foundation that organizations can reference when conducting multi-organizational business as well as internal business. Management, internal auditors, users, system developers, and security practitioners can use the guideline to gain an understanding of the basic security requirements most IT systems should contain. The foundation begins with generally accepted system security principles and continues with common practices that are used in securing IT systems.
How To Secure Your Small To Medium Size Microsoft Based Network: A Generic Case Study
If you run a business in today’s world, undoubtedly you also run a network of computers, printers, and other devices as well. Though the network may not be the primary focus of your business, it probably plays a key role in how it functions. That being said, it is obviously just as important to protect your network from theft and damage as it is to protect the other property and assets of your business. In this paper I intend to explain the basic process of securing a small to medium sized network. I will create a make be…
IEcology Security Checklists
The documents in this repository comprise a set of digital security checklists for use by US based non-profit organizations with a focus on human practice and organizational management. One checklist is oriented towards assessing an organization’s readiness to take on this type of work. Additional documents represent framing information and a glossary.
They are not appropriate for use in other countries without a thorough review and update to reflect conditions in that environment. It is not our fault if you do not heed this important concern, but we would be happy to discuss updating the content in this way. Contact us?
Information Security Policy Templates
Welcome to the SANS Security Policy Resource page, a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies. You’ll find a great set of resources posted here already, including policy templates for twenty-seven important security requirements.
Information Security Primer
This document discusses fundamental security concepts and architectures applicable to TCP/IP networks. This document is a primer and is meant to convey a broad abstract of security in a networking environment. In instances where specific vendor products are mentioned, the reader should not interpret them as recommendations by me, the author. They are strictly for example purposes. As with any other network technology, one product does not fit all environments.
IT and Information Security Cheat Sheets
As much as we try to be proactive about information security, IT planning, or project management, we get distracted, or procrastinate. These information security cheat sheets, checklists and templates are designed to assist IT professionals in difficult situations, even if they find themselves unprepared.
IT Infrastructure Security-Step by Step
After having worked as a system/network administrator for couple of years, I was instrumental in the design and implementation of my organization’s System Networking and Communication Infrastructure. I had been given the responsibility for the installation, improvement and maintenance of security of the entire Information Technology Infrastructure of the organization. During this period, I realized the need for acquiring a high level of understanding of the critical issues of security and implementing the same in a rea…
Network Security - A Guide for Small and Mid-sized Businesses
The objective of this paper is to educate both IT staff and senior management for small-medium sized businesses (SMBs) as to the network security threats that exist. The paper presents a digest of industry best practices for network security, which will hopefully assist SMBs in setting priorities for securing the perimeter of a typical SMB network. The security industry does a good job of publicizing security threats on a continual basis. However, much of what we read in the press contains little if any context assoc…
NIST - Special Publications
They are not perfect by any means. They are great baselines for building your understanding of a specific topic and gleaning key-words that you can use to search for more up-to-date information on a topic. This is where I start many of my explorations into new topics. I would honestly recommend that you make a point of reading your way through the NIST Special Publications until you have skimmed all the ones that seem relevant.
Computer Security Publications (SP 800)
NIST’s primary mode of publishing computer/cyber/information security guidelines, recommendations and reference materials. Includes publications such as:
- Guidelines on Security and Privacy in Public Cloud Computing
- Guidelines for Managing the Security of Mobile Devices in the Enterprise
- Guide to General Server Security
- Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
- User’s Guide to Telework and Bring Your Own Device (BYOD) Security
- Information Security Handbook: A Guide for Managers
- National Checklist Program for IT Products – Guidelines for Checklist Users and Developers
- Guide for Mapping Types of Information and Information Systems to Security Categories
- Guide to Selecting Information Technology Security Products
- Guide to Information Technology Security Services
- Guide for Conducting Risk Assessments
- Building an Information Technology Security Awareness and Training Program
- Managing Information Security Risk: Organization, Mission, and Information System View
NIST Cybersecurity Practice Guides (SP 1800)
A new subseries created to complement the SP 800s; targets specific cybersecurity challenges in the public and private sectors; practical, user-friendly guides to facilitate adoption of standards-based approaches to cybersecurity. Includes draft guides for topics including mobile device security and IT asset management.
Organizational Security Atomized Plan
This is an atomized security plan for organizational security. It is meant to be used to supplement security trainers’ planning process for supporting organizations who are interested in incrementally improving their security practices.
Security and coordination in a clandestine organization
We develop a model of an underground organization. The model is designed to highlight the tradeoff between the operational capacity and operational security of clandestine groups. The underground in this paper is defined by a collection of individual cells that are united by a network of internal communications. The attributes of this network, we show, have important implications for the vitality of an underground group in the face of regime efforts to identify and target its component cells. We examine the implications of various network designs for group performance in the short run, and the implications the group’s short run performance will have for its operational prospects in the long run. In the final section of the paper, we discuss the conditions under which a conflict between a regime and an underground organization will reach three alternative equilibria. The results of this paper will be useful to those interested in both the design and dismemberment of clandestine organizations.
The CIS Critical Security Controls for Effective Cyber Defense
The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. A principle benefit of the Controls is that they prioritize and focus a smaller number of actions with high pay-off results. The Controls are effective because they are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a very broad community of government and industry practitioners. They were created by the people who know how attacks work - NSA Red and Blue teams, the US Department of Energy nuclear energy labs, law enforcement organizations and some of the nation’s top forensics and incident response organizations - to answer the question, “what do we need to do to stop known attacks.” That group of experts reached consensus and today we have the most current Controls. The key to the continued value is that the Controls are updated based on new attacks that are identified and analyzed by groups from Verizon to Symantec so the Controls can stop or mitigate those attacks.
The Computer Security Threat to Small and Medium Sized Businesses - A Manager’s Primer
The business use of computers has evolved with the widespread introduction of high speed data access at relatively low cost. This evolution allows many companies that formerly used computers as stand alone word processors or for database storage to network the computers and attach that network to the Internet. While this concept provides many benefits to the company including telecommuting and support to a mobile sales force, it also brings with it the potential for the introduction of computer viruses and hacking.
The Consensus Assessments Working Group
Lack of security control transparency is a leading inhibitor to the adoption of cloud services. The Cloud Security Alliance Consensus Assessments Initiative (CAI) was launched to perform research, create tools and create industry partnerships to enable cloud computing assessments. We are focused on providing industry-accepted ways to document what security controls exist in IaaS, PaaS, and SaaS offerings, providing security control transparency. This effort by design is integrated with and will support other projects from our research partners.
The [Consensus Assessments Working Group](https://cloudsecurityalliance.org/group/consensus-assessments/#_overview) has produced cloud security & compliance resources including a [controls matrix](https://cloudsecurityalliance.org/download/cloud-controls-matrix-v3-0-1/), [an in-depth questionnaire about security controls that are needed for cloud services](https://cloudsecurityalliance.org/download/consensus-assessments-initiative-questionnaire-v3-0-1/), and [much more](https://cloudsecurityalliance.org/download/)
The European Union Agency for Network and Information Security (ENISA)
ENISA provides recommendations on cybersecurity, supports policy development and its implementation, and collaborates with operational teams throughout Europe.
Useful IT Policies
In this repository we provide generalized IT policies adapted from those used internally by our IT staff in hopes that they will come in handy for other organizations, and especially for open-source projects who rely on volunteer admin efforts to manage their infrastructure.
Security Process Guidance
At the average level of insecurity that international CSOs have, audit results will be out of date in 3 to 6 months. Their threat landscape and level of security is in constant flux, and they don’t have the capacity to become security experts to fix it. They don’t even have the staff time to re-check a security practice and policy checklist every 6 months. Reading through the approaches and challenges to building security processes will help you get an idea of how to help an organization put effective systems in place without making them so onerous that they are abandoned.
20 ways to achieve digital transformation
This poster pulls together insights from a number of the interviews about what techniques work best for delivering digital transformation. It’s still a draft but hopefully already useful.
3 Good Ways a Cybersecurity Capability Maturity Model Can Help Improve Small Business Security
It’s easy to throw such breach victims under the bus, but such lessons learned teach us that just about any sized company needs to consistently improve its security measures. One such way to help organizations of all sizes is a Cybersecurity capabilities maturity model. We’ll describe this model and three good examples of how small businesses can easily put this model to immediate use.
68 Great Ideas for Running a Security Program
Looking for inspiration? Want to learn a few new ways to elevate your security game? Can you spare five minutes to think strategically and long-term instead of just putting out another fire? Then look no further. We’ve combed through our archives and come up with 67 of the best, most useful, most interesting ideas for running a great security program. Some are big ideas; some are very small. These tidbits come from security practitioners, industry experts, and some other all-around smart folks, covering new trends and age-old dilemmas. We present them to you here in bite-sized pieces, with topics intentionally intermingled to help get your creative juices flowing.
Beyond Security Requirements: Secure Requirements
Security requirements typically cover avoiding well-known vulnerabilities (such as the OWASP Top Ten), using security technologies (such as encryption or authorization) in specific contexts, and complying with regulations (such as HIPAA). If you are in an exceptionally security-conscious organization, they may even include overall security goals (two employees must work together to alter financial records, for example). There is just one problem: Many security issues — especially those pesky design issues that are so expensive to fix — are caused by defects in other requirements.
Data lurking: How to protect your company against overlooked insider threats
Enterprises often fear hackers as their number one security threat. However, they should be more scared of what happens internally. More often than not, data breaches come from employees or system errors, not outsiders.
Eight Keys for Developing a Data Breach Response Plan
A data breach response plan is a written document that outlines a company’s strategy for evaluating and responding to potential cyber security incidents. The response plan is tailored to the company’s specific structures, systems and goals. And if prepared appropriately, it provides the company not only with a roadmap for handling suspected incidents, but a device for training and honing its data breach response ahead of time.
Holistic Security Manual
Holistic Security is a strategy manual to help human rights defenders maintain their wellbeing in action. The holistic approach integrates self-care, wellbeing, digital security, and information security into traditional security management practices.
How to Write an Information Security Policy
Jennifer Bayuk explains the critical first step, what to cover and how to make your information security policy - and program - effective.
Information Security For Churches and Small Non-Profit Organizations
In today’s ever changing, better, faster, cheaper world, connectivity to the Internet for churches and other small non-profit organizations is necessary. But connectivity brings along with it a risk of vulnerability from the same threats that business and educational organizations face. Hackers and other harm-doers will not make an exception for these low budgeted and resource strapped organizations, and if an opportunity is found that can be exploited, you can bet someone, somewhere will exploit it. The potential rep…
Internet Freedom Needfinding Framework
Inspired by human-centered design research methodologies, the Internet Freedom Needfinding Framework provides a process for engaging with communities around the world to discover their communication and technology needs. This framework guides development of Internet Freedom tools while respecting people’s cultural diversity, security, and privacy.
Introducing Security to the Small Business Enterprise
A recent survey by American Express found that 71% of Small Business Enterprises (fewer than 100 employees) are now using the Internet for a wide variety of tasks. SBEs are now implementing Internet enabling strategies for globalisation and to compete with larger competitors. They connect to the Internet via dedicated broadband services and enable clients to interact with business systems and use it for a variety of purchasing, marketing and administration functions. However, many SBE Internet strategies overlook …
Mentoring Programmes: Supporting Effective Technology Use in Transparency and Accountability Organisations
The global movement to hold governments and companies accountable is growing rapidly, and technology can play a vital role. Some actors harness this potential to brilliant effect. But many others waste precious money and staff time on technology that isn’t a good fit for their aims or capacity.
Mentorships can be a really effective way to provide support by addressing the realities of the kinds of problems organisations face in trying to use technology effectively, such as ‘not knowing what they don’t know’ and pressure to adopt technologies that might not match their real needs.
This guide aims to look at what it takes to run an effective mentoring programme and to build in learning/monitoring all the way from start to finish. It takes an honest look at the successes and failures of T/AI’s mentoring programme, and lays out lessons from that practical learning.
OK, So I Need Security. Where Do I Start?
This paper is not designed to be an end-all solution to your problems, but it can be used to begin identifying and fixing some of the glaring (i.e., most easily compromised) security holes on your network and then what to do after that. There are numerous other papers on the SANS Reading Room website that can provide a more thorough examination of each topic in much greater deta
Outline for a Successful Security Program
Do you need a Security Program? As technology advances, companies are finding out they require a network security program. This paper is meant to give the reader an outline and high level view of security topics to examine when creating a network security program. This paper is broken into fifteen sections related to security. It has been my experience that most security programs will have to give some attention to each of these sections in order to be successful. Some of the topics I will discuss include: security pol…
Secure This: Organizational Buy-in (A communications approach)
In order for a security plan to be effective, it must enjoy full support from an organization’s executive leadership. Seems like a simple truth? It is, but securing that backing is not as simple. One of the roles the information security officer must fill is that of a salesman, not only to corporate leadership but also to rank and file staff. Top-to-bottom organizational buy-in is one of the most important elements that will dictate whether an information security plan, and its associated policies and procedures, are e…
Security - What is Enough?
“Security” - this can be described as “freedom from risk, freedom from danger, and prevention.” “Security” should result in confidence in a system, service or person. The question to ask now is, are you ever free from risk or danger? The quick answer is no, as there will always be new attacks, new viruses and no system is 100% secure. Looking at it from a positive perspective a business can minimise the risk by deploying a detailed, comprehensive and active security policy, which will in turn reduce the risk and threat…
Security for Small and New IT Departments: Get Your Big Rocks In First
With today’s shortage of competent professionals in the information systems industry, many of us find ourselves wearing many hats in our company’s IS department. Oftentimes we are faced with the challenge of having to fulfill the roles of System and Network Administrator, DBA, hardware specialist, application specialist, helpdesk operator and security officer all in the space of a few hours within a single day. Others may find themselves working for a company that is increasing in size, and because they know more about co…
Security Lifecycle - Managing the Threat
This paper addresses the security elements that make up a lifecycle, categorized into three areas, Prevention, Detection and Response; what elements are needed to address all aspects of security, how often they should be addressed and how they apply to the overall security posture of the organization.
Selling Security To Management
One of the biggest complaints heard from security professionals is related to the fact that they feel that management does not understand or properly appreciate the problems related to ensuring the security and privacy of their systems. As with all problems of this nature, this problem is the result of a failure to communicate with management. While I realize this is not your typical topic for a SANS discussion, it is important to our credibility as professionals because, if we cannot effectively communicate with th…
Starting Up Security
Your startup is growing fast. Customers are starting to ask tough questions about security. Your investors and board members have asked to prioritize security projects. The tradeoffs made for early speed and growth are no longer so far ahead of quality and security goals. But you don’t really know how to “do” this security thing.
The CISO’s Guide to Getting Stuff Done
So how do you change the cycle of beg, borrow and steal for resources? How do you get information security to the top of the list of priorities? The short answer is, you don’t if you think of information security as a separate line item in the budget. That’s because information security is a cost. It generates no revenue.
The Cost of Security Risk Management for NGOs
The Cost of Security Risk Management for NGOs explores the costs related to safety and security management for aid programmes. It aims to assist all aid practitioners to determine their risk management expenditure more accurately, and demonstrate an evidence-based approach when presenting this information to donors. The paper will be particularly relevant to those responsible for programme planning and management, donor proposal writing, as well as safety and security risk management.
The Malware Management Framework
The Malware Management Framework is the cyclical practice of identifying, classifying, remediating, and mitigating malware. Much like vulnerabilities are managed, malware must too be managed. Malware can no longer be ignored, and reducing the time between compromise and discovery from the average 200+ days to hours or days is crucial. You won’t find what you are not looking for, and today’s malware is an ever increasing challenge and threat. Anti-Virus/Malware prevention is failing to keep up with today’s malware challenge, but the Malware Management Framework can significantly improve this condition and significantly reduce your costs.
What we’re learning about keeping organizational emails secure
We’ve been thinking a lot about how organizations implement secure communication practices across a team and work with groups to develop policies. We’ve also been applying these ideas to our own team, which has grown significantly over the past year (from 2, to 4, to 10). As we bring new staff on board, we have been re-evaluating and strengthening our own organizational communication practices.
We decided to start with our email. Securing an organization’s emails isn’t a small feat. It requires thoughtful policies, significant staff buy-in, and ongoing support and training. But don’t be intimidated! It’s not only possible to secure your organization’s emails – it is well worth the effort.
Why Small Businesses Need to Secure Their Computers (and How to Do it!)
I’m here to talk to you about computer security - and I don’t mean just locking it up in a closet! I’m talking about making sure that the information you keep on your computer(s) is safe, that the only people who see that information are your employees, and making sure that the information is available when they need it. I’m also talking about making sure that no one (make that no hacker) is using your computer to do things that you don’t know about. Things that might make you legally liable for someone else’s actions…
Feeds, Lists, and Places to Learn
This was literally two hours of going through my old notes and archive of links on a Sunday morning. This is FAR from comprehensive and there are many places that collect and share information and links like this.
CSO provides news, analysis and research on a broad range of security and risk management topics. Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more.
Open Source Cyber Security Learning Center
Serving the Information Security Community
IronGeek has an amazing feed of information and organizational security videos from various conferences. I turn random ones on while I cook dinner. It is a great way to get insight into topics you otherwise would not have the time to build your expertise on.
I primarily use my twitter for collecting and sharing technology and information security resources, news, and projects.