Archive for the 'User Awareness Training' Category



13 Oct 2010

Twitter

I have finally decided to use twitter to get information to our clients.  Check us out at

http://twitter.com/#!/johnmstengel

Also remember you can subscribe to this blog at the link to the right.

13 Oct 2010

User Awareness Training

Do your users know how to handle information like credit card numbers and patient records?  We have found that most companies don’t train their employees to handle information properly.  Employees are typically handed a form on their first day to sign stating they understand the security policy, then thrown into the job.  By the end of that first day, how you want information handled is the last thing they will remember.

Formal training goes a long way toward protecting that information.  If you use an outside vendor, they can use different language and tell stories to make the points better, and it frees the trainer to be brutally honest.  Training doesn’t have to be long; simple one-hour sessions on a regular basis are all that is needed.  Here are some training classes to consider having an outside vendor, like us, offer to your employees:

  • Properly Handling Information
  • Safe Computing Practices
  • Identity Theft Prevention (helps to understand the risks by seeing the other side)
  • Properly Disposing of Information

01 Oct 2010

Employee Monitoring

When discussing employee monitoring, the conversation can go one of two very different ways.  Much like politics, most people have a side they fall into.

I fall strongly on the pro side.  I do not distrust my employees.  What I am concerned about is protecting the company and all of its employees.  If I were to make a bad hire, and we all have, and this problem employee were violating policy or procedure, we need to be able to act on it.

Most people do not understand the risks employers carry in protecting information.  That doesn’t mean they are bad people; they are most likely very good at what they do and have just never considered the other side.

We have an obligation to create policies and procedures to protect our clients, employees, and partners.  Not building these into your culture is more damaging than many would guess.  Taking the time to explain and train employees on the why will educate them, and they will understand.  People just don’t like to be surprised; that leads to feeling personally violated.

Ask Rite-Aid what happens when employees don’t follow procedures.  Did the employees all chip in to cover the $1 Million fine?

17 Sep 2010

Changes are Coming for CHD

The PCI Security Standards Council is set to release a new version of the standard this October.  A summary of the proposed changes was published recently on their site.  Once the new version is released, the Council sets an effective date and a sunset for the old version, and companies need to prepare before then.  The changes, while not major, clarify several points that are redundant or otherwise gray and add some more security.

What are you doing for ongoing security to maintain PCI compliance?  PCI DSS is not a typical regulation: it is not a law but an industry standard, written by the card brands through the Council, required by the brands and your acquiring bank, and actively enforced.  Noncompliance can result in fines and, ultimately, loss of your ability to process credit and debit transactions.

Protecting CHD is not hard.  Basic security practices just need to be followed in a timely manner.  The 12 requirements are grouped under six goals; here they are in plain terms.

  • Build and Maintain a Secure Network – Install and maintain a firewall; don’t use vendor-supplied defaults for passwords and other settings.
  • Protect Cardholder Data – Don’t store data in the open.  CHD is the card number (the PAN), expiration date, cardholder name, etc.  Render the PAN unreadable wherever it is stored, encrypt it when it crosses public networks, and never store sensitive authentication data (the CVV, the full magnetic stripe, or the PIN) after authorization, even encrypted.
  • Maintain a Vulnerability Management Program – This refers to having AV and malware protection and to developing and maintaining secure systems and applications (i.e., don’t use the homemade application your cousin made for you 12 years ago, and patch what you do run).
  • Implement Strong Access Control Measures – Keep people from accessing the information unless they need it, give each user a unique ID so actions can be traced, and restrict physical access to CHD.
  • Regularly Monitor and Test Networks – You can’t set a network up and walk away.  Log access to CHD, assess regularly, and make sure nothing is out of the ordinary.
  • Maintain an Information Security Policy – Maintain security policies so your data doesn’t walk off.  All the products in the world will not keep you secure if you don’t use policies around them.  Train your employees, or hire someone to.  They don’t think about these things like you do.
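As an added example, not code from the original post, here is what the "Protect Cardholder Data" and "Regularly Monitor and Test" goals look like in application code: a Luhn check, a scanner that finds PANs that have leaked into log text, and a sanitizer that drops sensitive authentication data and masks the PAN before a record is stored or logged.  The record fields, field names, log lines and function names are constructed for this example; the card number is the standard Visa test number, not a real account.

```python
"""Added example (not from the original post): handling cardholder data (CHD)
in application code the way the PCI DSS goals above describe.

  * luhn_valid()      - checks that a digit string is a plausible card number,
                        so the scanner does not flag every long number as a PAN
  * find_pans()       - finds Luhn-valid PANs in free text (logs, exports)
  * scan_log()        - reports leaked PANs by line number, masked, so the
                        alert itself does not leak the PAN again
  * sanitize_record() - drops sensitive authentication data and masks the PAN
                        before a record is persisted or logged

Field names, the record layout and SAMPLE_LOG are constructed for this
example; 4111 1111 1111 1111 is the usual Visa test number.
"""
import re

# 13 to 19 digits, allowing the spaces or dashes people type between groups,
# not preceded or followed by another digit.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# PCI DSS "sensitive authentication data": never stored after authorization,
# even encrypted.  Assumed field names for this example.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "pin", "pin_block"}

# Constructed log lines: line 2 is the kind of debug logging that puts a
# merchant out of compliance; lines 1 and 3 contain long numbers that are
# not card numbers and must not be flagged.
SAMPLE_LOG = """\
2010-10-01 12:00:01 app[123]: order 55012 approved amount=49.95
2010-10-01 12:00:02 app[123]: DEBUG request body: pan=4111 1111 1111 1111 cvv=123 exp=1012
2010-10-01 12:00:03 app[123]: customer phone 704-555-0100 ticket 1234567890123
"""


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form PCI DSS allows: at most the first six and last four visible."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers (digits only) found in text."""
    hits = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def scan_log(text: str) -> list:
    """(line number, masked PAN) for every PAN in the clear; the finding is
    masked because an alert or ticket must not re-leak the number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            findings.append((lineno, mask_pan(pan)))
    return findings


def sanitize_record(record: dict) -> dict:
    """Copy of a payment record that is safe to persist or log: sensitive
    authentication data removed outright, PAN masked, other fields kept."""
    clean = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            continue                      # drop it; do not even mask it
        if key.lower() == "pan":
            clean[key] = mask_pan(str(value))
        else:
            clean[key] = value
    return clean


if __name__ == "__main__":
    for lineno, masked in scan_log(SAMPLE_LOG):
        print(f"PAN in the clear on log line {lineno}: {masked}")
    print(sanitize_record({"pan": "4111 1111 1111 1111", "cvv": "123", "exp": "1012"}))
```

The scanner is deliberately simple: a PAN immediately followed by a space and more digits can be swallowed into one longer run that fails the Luhn check, so a production scanner should also try shorter windows inside each run.  Where the full PAN must be retrievable (refunds, chargebacks), the masked value is not enough; PCI DSS expects strong encryption, tokenization or a keyed hash for the stored copy, with the keys managed separately from the data.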

Summary of Changes

Video of Requirements

14 Sep 2010

WatchGuard Training

We have two seats left for our WatchGuard XTM training class next week in Charlotte, NC.  I think they will sell out this week.  If you are interested, email info@jstengel.net or visit our site.  It promises to be a great class with a great group of people.

30 Aug 2010

Be the Purple Cow of Security

As Seth Godin says so eloquently in his book Purple Cow, you need to make yourself into something truly different and set yourself apart from your competition.  Most organizations do this or that to try to maintain security, doing the basics to give off the appearance that they are serious.  Maybe they have a strong password policy but no two-factor authentication.

But in their main business they don’t settle for the minimum.  They try to outwit, outperform, and outmarket the competition.

What if your organization stood out from the competition as a secure environment and they didn’t?  What if all your employees handled information correctly?  What if you were able to watch for sensitive data leaving?  What if your users policed themselves?

Think of the two together.  Nothing can kill a marketing plan faster than poor security.  Even my grandmother knows about TJ Maxx.

23 Aug 2010

Email Encryption in Healthcare

I have written an executive whitepaper titled Email Encryption in Healthcare.  This is an executive overview explaining the background and regulations around securing email transactions.  If you would like a copy send an email to info@jstengel.net.

19 Aug 2010

Massachusetts 201 CMR 17.00, to be Exact

I am not breaking news to anyone, I think, if I tell you that Massachusetts has a new regulation, 201 CMR 17.00, that lays out security requirements for protecting personal information.  What I do want to write about is why I like it.

The first thing I like is that the regulation applies to anyone who does business with a resident of the Commonwealth, regardless of nexus, and not just to businesses located in the Commonwealth.  This is good because they are setting a standard for the rest of the union.  Too many laws are written in a form that requires a lawyer to decode them.  I read and understood this one while I waited on my Cashew Chicken at PF Chang’s.

I also like that it is very specific.  It names product categories and states exactly what needs to be done.  It doesn’t lean on terms like “reasonable measures”, which just confuse people and lead to inaction.  This one is clear.

I can tell you firsthand that PII is handled poorly by most businesses.  You can set your company apart just by following this regulation.  If you become 201 CMR 17.00 compliant the rest is easy, and this one is not hard.

http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

14 Aug 2010

Email Security in Healthcare

We will be hosting a webinar this week to educate executives and provide an overview of the compliance and risk-mitigation benefits of email security.  We will discuss what options are out there, what to look for, and what to avoid.

This material will be presented in a non-technical form from a consultative perspective to give executives a brief overview of how to move forward.

Topic: Email Security in Healthcare
Date: Thursday, August 19, 2010
Time: 1:00 pm, Eastern Daylight Time (New York, GMT-04:00)

Go to https://freetrial.webex.com/freetrial/j.php?ED=136876647&RG=1&UID=0&RT=MiMxMQ%3D%3D and register for the event.

21 Jul 2010

Buying Technology Isn’t Compliance

Simply purchasing a “compliant” piece of technology doesn’t make you compliant.  Some companies even advertise their products as PCI or HIPAA compliant.  This is a dishonest statement, as it gives the purchaser a false sense of security.  Regulations and standards generally do not dictate specific technologies; they state the desired outcome, and an assessor judges how the technology is configured and operated against that outcome.

It is true that we need key products in place to meet compliance obligations, but it is what we do with those products that makes us secure.  For example, I could sell you two top-of-the-line WatchGuard firewalls.  As part of the process I explain that they have web blocking and spam filtering built right in, which meets your needs.  Great, right?  Yes, if your IT department configures them correctly.

And how should they be configured?  Based on your company’s procedures and guidelines.  These procedures need to be laid out clearly and by someone with experience in the industry.  Too often companies write procedures based on the IT department’s recommendations alone and not with the guidance of a security assessor.

Thank you to WatchGuard for reminding us all of this recently in Seattle.
