Thursday, 14 January 2010

Qualified Security

A common feeling for established professionals is that an external standard should not be applied to their field - or at least not to them personally. Various reasons are given as to why they would not benefit from a standard; it would be needlessly bureaucratic, it focuses on triviality, it wouldn't be responsive to the latest changes and anyway, they know everything that needs doing. Underlying this can also be a nagging doubt that adopting external standards would be an admission of ignorance.

Monday, 9 November 2009

Google Apps in the Real Office

Google Apps is a set of office productivity tools from the ever expanding Mountain View investment bank named Google. Google Apps comes with Gmail for email, Google Calendar for scheduling and Google Docs for writing documents, creating spreadsheets and making presentations. These can all be accessed online through any modern browser, although they work best through Google's Chrome browser. From an IT service delivery perspective the most interesting feature is Postini, a fully featured hosted spam filter which combines with Gmail to offer a full replacement to Microsoft Exchange. Postini allows all of the standard email controls to be put in place such as automatically adding footers to outgoing emails. The mail and calendar applications integrate with Blackberry Enterprise Servers meaning that existing Blackberry smart phones can be used without any degradation in security.

Monday, 2 November 2009

Structuring a Security Policy - Part 3

A final brief note to the discussion of IT security policies is to encourage the writers of policies to do something which could be seen as making a rod for their own backs - introducing specific, contractual penalties for infosec staff who fail to abide by the terms of the security policy by doing quick favours. Quick favours are generally requested by senior managers, are frequently for things which would not be allowed under the security policy anyway and are easily overlooked when they should be tidied up.

Saying to a (non-IT) manager that they cannot be given the password to a user account because that is poor practice won't be terribly effective - saying that giving them a password would result in automatic written warning is much more persuasive. Having a concrete example of a downside for IT staff can be a real advantage when it comes to negotiating with power.

Monday, 19 October 2009

Structuring a Security Policy - Part 2

Following on from last week's post on security policy writing, below is a proposed XML template for IT security policies. It is designed to standardise policy production ensuring that no information is missed and that policies are easily located. A policy written in this framework would be stored on an intranet with different users given different levels of access. A simple set of rules applied by an XSLT parser would create automated numbering, links between policy, procedure and implementation, and the production of formatted documentation ready to print at the level of detail required, for the period required.

The XML is designed to be used for the bulk of the actual policies, but for documentation purposes these need to be bookended with administrative information at the front (such as scope descriptions and change control information) and appendices at the back (containing forms, training documentation and other related documents). Full versions of the XML without comments are available at the end of the post.
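As an added illustration of the processing the post describes (hierarchical numbering, links between policy, procedure and implementation, and rendering at a chosen level of detail), here is a small Python script that does in code what the post's XSLT rules would do. It is not the post's own template or stylesheet: the element and attribute names (policy, procedure, implementation, statement, id, ref) and the sample document are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy document; element and attribute names are
# assumptions, not the post's published template.
SAMPLE_XML = """<policies>
  <policy id="access" title="Access Control">
    <statement>Access is granted on a least-privilege basis.</statement>
    <procedure id="access-request" title="Requesting access">
      <statement>Requests are approved by the data owner.</statement>
      <implementation title="Directory groups">
        <statement>Access is mapped to named directory groups.</statement>
      </implementation>
    </procedure>
  </policy>
  <policy id="passwords" title="Passwords">
    <statement>Passwords are never shared, including with managers.</statement>
    <procedure id="password-reset" title="Resetting passwords" ref="access-request">
      <statement>Resets follow the access request procedure.</statement>
    </procedure>
  </policy>
</policies>"""

# Level of detail: 1 prints policies only, 2 adds procedures, 3 adds implementations.
LEVELS = {"policy": 1, "procedure": 2, "implementation": 3}

def render(xml_text, depth=3):
    """Number policy/procedure/implementation elements hierarchically (1, 1.1,
    1.1.1), resolve ref= links to the target's number and return the lines
    at or above the requested level of detail."""
    root = ET.fromstring(xml_text)
    numbers = {}   # id -> assigned number, so ref= links resolve even forwards
    collected = []

    def walk(parent, prefix):
        counter = 0
        for el in parent:
            if el.tag not in LEVELS:
                continue        # <statement> and unknown tags are not numbered
            counter += 1
            number = f"{prefix}{counter}"
            if el.get("id"):
                numbers[el.get("id")] = number
            if LEVELS[el.tag] <= depth:
                collected.append((number, el.get("title"), el.findtext("statement"), el.get("ref")))
            walk(el, number + ".")

    walk(root, "")              # first pass: number everything and record ids
    out = []
    for number, title, statement, ref in collected:
        line = f"{number} {title}: {statement}"
        if ref:                 # second pass: links become "see <number>"
            line += f" (see {numbers.get(ref, '?')})"
        out.append(line)
    return out

if __name__ == "__main__":
    print("\n".join(render(SAMPLE_XML, depth=2)))
```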

Monday, 12 October 2009

Structuring a Security Policy - Part 1

Rather than giving guidance on the production of an individual policy, this post is designed to describe a generic process for the production of security policies.

Writing a security policy can sometimes seem like an exercise in minutiae. Starting with a clear concept of the purpose and audience of the security policy will speed up the drafting process and result in a more concise, readable document. There are two competing tensions in all work policies: they must assist workers to make sound, sensible, legal decisions, and they must describe the consequences for employees who fail to abide by the requirements. Any new security policy should aim to be a combination of both of these, putting the carrot and the stick into one document. IT security is a complex subject that is baffling to outsiders, some of whom will need guidance and some of whom will not follow any advice unless it comes with a threat.

Monday, 14 September 2009

The Inevitability of Down Time

It's been a bad week for service providers, which knocks on to a bad week for the people who support their products in client organisations. Problems happen, but how a company handles problems and how it communicates what happened can display their real quality.

On Monday the 7th of September online payment processors SagePay (the rebranded Protx) suffered an outage affecting all 25,000 clients and untold end users. Late in the evening of Wednesday the 9th of September the mobile phone company Orange experienced an outage which affected some of their mobile data customers and their landline broadband customers. This combined with a reportedly unrelated Blackberry data service outage during the same period to leave users only able to access email from their computers.