Liquidmatrix Security Digest

How To Suck At Information Security

This isn’t so much a “how to” as a “how not to”. There are good ways and bad ways to do things in your job. The folks at SANS have a list of things to avoid so as to not suck out loud at your job.

Enjoy.

From SANS Internet Storm Center:

Security Policy and Compliance

  • Ignore regulatory compliance requirements.
  • Assume the users will read the security policy because you’ve asked them to.
  • Use security templates without customizing them.
  • Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you’re ready.
  • Create security policies you cannot enforce.
  • Enforce policies that are not properly approved.
  • Blindly follow compliance requirements without creating overall security architecture.
  • Create a security policy just to mark a checkbox.
  • Pay someone to write your security policy without any knowledge of your business or processes.
  • Translate policies in a multi-language environment without consistent meaning across the languages.
  • Make sure none of the employees finds the policies.
  • Assume that if the policies worked for you last year, they’ll be valid for the next year.
  • Assume that being compliant means you’re secure.
  • Assume that policies don’t apply to executives.
  • Hide from the auditors.

Nothing was said about avoiding bedazzler-related jacket disasters.

🙂

For the full list read on.

Article Link
