Tag Archives: Policy

The Electronic Frontier Foundation issued a report on 18 web and technology companies that routinely handle user data. The study examined the following six security policy and practice areas related to how each company responds to requests for user information. Does the company require a warrant before releasing information? Does the company inform users of requests for their data? Does it publish statistics on how often data is provided to requesting agencies? Does the company have a published policy outlining how it responds to information requests? Does the company stand firm when information…


Gerald Wilde proposed a theory called risk homeostasis. It hypothesizes that people have a target level of acceptable risk. When they perceive less risk, they take riskier actions to bring their exposure back up to that level; when they perceive more risk, they become more cautious. Information security is very concerned with managing risk and reducing it to an organizationally acceptable level. However, an organization is made up of many people, and each of them may have a different level of acceptable risk than the organization does. …


Information security policies and security awareness go hand in hand. Frankly, a policy is worthless if it sits on someone's desk. Information security policies acquire value only when they are understood, adhered to, and enforced. For that to happen, employees must be made aware of the policy, the reason it exists, and how it affects them. This article outlines the problem of enacting security policies without associated awareness programs. It also cites recent research on harmful user activities that could be mitigated by implementing awareness training once a policy is enacted. The problem with policies alone…


Since many organizations are rapidly virtualizing servers and even desktops, top management needs to provide direction and guidance regarding information security. Organizations will need to develop a virtualization security policy that establishes the requirements for securely deploying, migrating, administering, and retiring virtual machines. In this way, a proper information security framework can be followed in implementing a secure environment for hosts, virtual machines, and virtual management tools. This article is part two of a series on virtualization. As with other policies, the security policy should not specify technologies to…
