I believe that most people in the computer-using community (which now is just about everybody in the developed nations) want to do the right thing, and can do the right thing. They just need to know what the right things are, and how to do them.
Administrative controls are perhaps most important, because they most directly impact your people. On the one hand, they are the simplest, since all it takes is education. On the other hand, education about the hazards of smoking or the possibility that having sex causes pregnancy hasn’t done much to change behaviors in those realms. Well, rather than throw up our hands and give up, let’s tackle administrative controls anyhow…
There is a lot to talk about with regard to technical security controls, aka the “sexy stuff” like firewalls and IDS. So rather than bore you with technobabble (in Scrappy Information Security, I start with packets, headers, ports & MACs as a way of introducing how the Internet works), I will instead focus on an explanation of encryption.
I think most of us “get” physical security. Still, a few basic (and a few not-so-basic) physical security controls worth discussing include…
When teaching “InfoSec 101,” I reflect back on my early career as a reporter, and focus on answering the standard questions: who, what, why, where, when, and how. Since this is a Scrappy Book, let’s throw caution to the wind and take them out of order…
We’re adults, and we like to know “why.” I would like to share some of the whys of information security, so that you can understand why the infosec guys can be so darned stubborn.