I have just completed the Information Security Breaches Survey 2010. I was particularly annoyed with Question 36, which did not allow me to enter “none”. I had to claim that security was included in the ISP contract of the organisation for which I was responding, or drop out of the survey. I have no more read that heap of gobbledygook than any of your managers or staff have read that of your organisation.
And which of you have ever read your organisation’s Information Security policy – let alone understood what it meant in operational practice?
The most impressive security “policy” that I have come across was printed on one side of a postcard, which all staff (and contractors) had to read and sign before they got their password.
They then had to work through the interactive training and assessment package before their password was activated. There were then posters and prompts to remind them.
I have no idea whether they have had any security breaches.
I do know that they have never had to admit to any.
Do complete the Information Security Breaches Survey, even if some of the questions annoy you.
Do encourage others to do so.
And please do so honestly.
The more that such surveys come to reflect the situation as it really is – and not what the subset of humanity that cares about security thinks it is – the better.