
The 10 deadly sins of information security management

As the winter nights begin to close in, the family gathers around the fireplace for warmth and we tell each other stories. My current favorite is an old one entitled "The 10 deadly sins of information security management", written by Basie von Solms and Rossouw von Solms and published in the journal Computers & Security in July 2004.

Here are the ten sins as they are written...

1. Not realizing that information security is a corporate governance responsibility (the buck stops right at the top)

2. Not realizing that information security is a business issue and not a technical issue

3. Not realizing the fact that information security governance is a multi-dimensional discipline (information security governance is a complex issue, and there is no silver bullet or single ‘off the shelf’ solution)

4. Not realizing that an information security plan must be based on identified risks

5. Not realizing (and leveraging) the important role of international best practices for information security management

6. Not realizing that a corporate information security policy is absolutely essential

7. Not realizing that information security compliance enforcement and monitoring is absolutely essential

8. Not realizing that a proper information security governance structure (organization) is absolutely essential

9. Not realizing the core importance of information security awareness amongst users

10. Not empowering information security managers with the infrastructure, tools and supporting mechanisms to properly perform their responsibilities

Yes, the old ones are still often the best. How those long dark nights are going to just fly by!


Comments (1)

Nice article! The one additional thing I think many IT professionals forget about is the post-it at their desk or on the back of a napkin that has their database login or email password on it. Those things can take on legs and should be part of a good IT security policy as well.

I found this article on the Fellowes website about how shredding secure documents should be an additional part of an information security policy as well: here

Keep posting!
Thomas


About

This page contains a single entry from the blog posted on October 31, 2007 6:00 AM.
