I don’t have a copy as I never keep client work once I’m done. It’s easy enough to develop your own – just think about the Top no more than 10 things you’d like staff to do well, take professional photos of them (or models) doing those tasks correctly (such as how best to take your laptop home so as not to get mugged or stolen from a car), and use a graphic design firm to pretty it up. The copy writes itself – keep it to one or two sentences that the CEO can understand and you’ll be fine.

Things I think should be included:

Monitor your computer’s health – keeping an eye on patches and virus updates
Keeping safe on the Internet – How to use the Internet productively for your work and avoid ID theft or phished
How to classify your work – do it right, and keep it simple!
Where to save your work – and describe backup procedures if they are required
Telecommuting do’s – how to set up your home office for best OHS compliance and productivity
Working on go – how best to work whilst travelling (plane, trains and in cafes)
Sending sensitive data – how to send sensitive documents to outsiders without compromising integrity and confidentiality
Taking your computer with you – how to avoid being mugged and where is the best place to leave your laptop in the car
When all else fails, here’s how to contact the help desk / security / other contacts

I really wouldn’t add too much else. There’s little reason to worry about stupid things like enforced desktop wall papers. No one cares. We don’t hand out pens and paper or a photocopier and make folks sign their lives away. Ditto IT.

Cheers

Martin

I appreciate how aggravating the vendor FUD sell based on a TLA is. APT refers to state supported cyber espionage, that gets in and stays in.

Unless your organisation has direct dealings with information of “national interest” APT is not something you should worry about.

If you are doing deals that affects the GDP of your nation, then maybe you should think about doing some pro-active additional monitoring of outbound end point communications and perhaps implementing integrity protection of your Desktop SOE, because signature based technology is not going to cut it against custom developed “real spyware”.

I have heard of organisations (i.e. absolutely massive conglomerates) that have had to implement their own encryption of their telco provided private WAN links due to industrial espionage.

Kind Regards,

Matt

Google offers GMail for free. It’s hard to justify the expense of creating a MILSPEC e-mail system for everyone just because a few worthy folks use it and have unrealistic security and privacy expectations of Google.

As SDLs and more secure languages / frameworks kick in, and the low hanging fruit of yesteryear go away, the cost of developing a workable zero day of any note goes through the roof. APT is simply the assumed state funding of attackers. These states (and you’re fooling yourself if you think it’s just China) can afford the immense cost, resources and time to develop attacks by paying those actually skilled enough to find these thought to impossible to exploit bugs and research new ideas and directions – i.e. a veritable army of state funded evil Halvar Flake clones.

I really don’t think it’s about doing MILSPEC for the average corporation. It’s just a waste of time and money, particularly if they haven’t got the basics done yet. And most places simply don’t have these basic, basic, basic, ancient, proven, IT security items in place. Let’s get the average corporate out of IT security diapers and into grown up trousers first.

I am surprised that there has not been much discussion about what would be required to prevent APT in terms of better defenses (eg. higher assurance sytems) or changing the security model. Any thoughts?

In terms of selling this stuff internally, unfortunately it needs to be kept (at an exec summary level) pithy and short. By all means have detail at drill down level, but KISS.

The most successful BCP I’ve ever been involved in was presented to the decision makers as 2 powerpoint slides.

BTW, have you ever thought that the writers of the Old Testament had base confusion? Maybe there were only two commandments, 1 per slab. After all, 10 == 2

Whilst security does get a presence in ITIL (and it is far more prominent in V3 than V2) it is still under-represented (in my view at least) in the theory and most definitely in the practice.

The ITSM people are going to be focusing on using the CMDB to build a map of their infrastructure to determine service level impacts. There is some implied security in this (eg identifying single points of failure), but precious little in terms of explicit execution of security policy.

Senior ITSM people tend to be good at governance. IT Security, for a large part, is about governance, so there is not too much disconnect there. Security guys, leverage it!

1. A Bank. The asterisk was that I was going to disclose that I worked on it with a visionary IT team, and along with a graphic designer it kicked arse and took names. Compliance was awesome.

2-3 Please if you can let us know good products, that would be good. ITIL is not my field.

4. Information Security done properly is a complex field like engineering or (building) architecture. It’s a field that doesn’t fit on a single piece of paper or on two tablets with ten points from a deity. But point taken that 11 points is more than 10.