Requesting Tips on Establishing a Security Awareness Program: Targetting Unix

Whoa... it's a quite strict policy. I guess they must really hate you Tiger :D

Some comments about what we've got here in our company:

- 60% of our users use company laptops for business purpose (i.e. mobile users). So those "electronic devices" are pre-approved to be attached to the network.
- About 10% of them regularly install and test various software they download from the internet or from other sources, for the purpose of reviewing and recommending them to our clients. It's their job. So they are also pre-approved to "download and install software from the internet" or "from the any other media". (Yes, I know, we should do it in a private network, but sometimes we don't have luxury to do that and just use what we've readily got.)
- The key point is of course #1 in that list, and the one who define "business purposes" is the (upper) management. (No, not that kind of management, ALL of us get a proper education before recommending and implementing IT solutions for our clients.) So as long as a user can show a written approval from his/her manager, s/he's in. Ask one's manager to challenge the other manager if necessary.
- We make sure that once a year, by an "instruction" from top management, ALL users read and SIGN (electronically) the policy. (Note: top management, not the manager of IS.) It will make easier to enforce it this way.

Peace always,
<jdenny>

Yeah, it's strict... Mainly because my user base is utterly clueless. The only kind of security that interests them is the social kind.... :rolleyes:

Quote:

---

- 60% of our users use company laptops for business purpose (i.e. mobile users). So those "electronic devices" are pre-approved to be attached to the network.

---

Yep, my laptop users are allowed to connect to their home connection. The laptops are all firewalled and they do not bother the user with questions - it block not already allowed inbound or outbound. The laptops update virus defs when they start up and when connected to the network they are scanned for spyware and any is removed. They also understand that the policy applies to the laptop wherever they may connect to.

We do have a few, and I mean few, users that I give blanket permission to do things and elevate them to local administrator... but I can count them all on one hand out of 650 users.

I email this policy out to everyone every 3 months whether I need to or not, in fact I have a recurring calendar item to remind me. That way no-one can say they didn't get it... and even if they do I respond with "Ignorance of the law is no excuse.... :p "

I think the problem we and the Corporate Security and IT Security Department are facing, is that we seem to be "retro-fitting" security into a once wide-open regard IT area. There are things still in existence that embarrass me so much, I will not take the time to type them here and then hear heads pop across the globe. Seriously - heads would pop right off! Pffffftt!

I think the strict policy is best, (I like to call it - the "Iron Fist" approach) and the continual reminders and submissions to the user community. I think my group has to start off small however, because I and others have tried a "Fast and Furious" approach (my GOD did I just type that) and it was meant with disregard - from regular users, line/middle managers and the executive types.

It could also be due to the fact we are trying to reign in thousands of servers and tens of thousands of workstations and hundreds of applications - some 3rd party some home grown. What amazes me is that I can honestly say the intelligence of the people in our company is usually amazing - I mean a good portion of them get paid to invent stuff - but protecting their ideas through security eludes them in many cases - it requires brain juice that would normally be spent inventing stuff.

So with me converting from IT to Auditing (I have heard so many "Dark Side" jokes I was starting to volurp in my mouth, but now am starting to like jokes so much I wear a cloak every day) and working with Corporate and IT Security, I am hoping we can push forward and get to something like TigerShark has (BTW - TigerShark - great post)!

I will let you all know what happens as we roll along me'ah.

KuiXing-2005.