I had the great pleasure of watching someone else teach the Introduction to Security course a week ago. Steve Bibby – an excellent instructor from the UK – taught the course and I assisted him because we had a large number of online participants (Learning Tree courses can have both in-room and online participants in the same event at the same time.)
One valuable point Steve made early in the morning on the first day was the need to update security policies regularly. Many people think that a good security policy is something one develops and then reviews periodically to ensure the policies are working. That’s true, of course, but there’s more to it.
Consider BYOD (Bring Your Own Device) and cloud services. Just a few years ago these were not even on most security folks' radars, and now they're front and center. Every organization is dealing with the security risks associated with these technologies, or planning to. That clearly means evaluating the existing policy, integrating the new technology and ensuring consistency.
I chose those two technologies for a reason. First, Learning Tree has a course on cloud computing security. It's written by Bob Cromwell, a fellow contributor to the Cybersecurity blog. Besides being a good friend, Bob knows the cloud security issues and his course reflects that. At first glance, many might think of cloud services as "just" an extension of the data center. It may be that to some extent, but it is more. Take Course 1220 to learn more about the issues. (I took it and found there were issues of which I had been unaware!)
Second, BYOD is a big deal. It is not allowed everywhere, and for years security pros advised against it, but most organizations can no longer simply prohibit it, so we now have to deal with it. Learning Tree Course 468 deals with many of the issues, but some situations can be complex. One could, for instance, put all user devices on a separate firewalled network. That might be a start, but then the controlled separation between Sales and Engineering might not be so controlled. One could instead put the devices on separate networks in each department, and that might solve the problem in many cases.
Then there's malware. How does an organization enforce malware protection for personal devices? That can be tricky in some situations, and the policy needs to address it. Are "rooted" devices allowed? Can the company control versions of a mobile OS? What about prohibiting BYOD in some areas? Some organizations don't allow cameras in some areas, so phones and tablets would need to be stored outside the area in, say, lockers. How is that enforced and verified?
Many organizations have dealt with these, of course, and there are different solutions for different circumstances. What are you doing for BYOD? How are you keeping your policy current? Share with us in the comments below.