information security mag online

I didn’t realize the Information Security magazine was available online (pdf). Some highlights:

Schneier and Ranum go point/counterpoint on the topic of social networking and the workplace. Schneier has an excellently polished point, and I think Ranum has some good points, too, and properly attacked Schneier’s weak point on CEP transparency.

The 2009 Priorities Survey section wasn’t too interesting other than 75% reporting that Data Leak Prevention was a must-have. To me, this is like saying you need a complex man-trap when there are plenty of open side doors and windows with nary a lock on them. DLP is definitely a conversation-starter whether you like it or not! The article continues on into access control, an equally twisted term. Are you talking about issuing playful tokens, or are you talking about actually getting into who has access to what and how to limit that? Two very different ballgames.

I like the spirit of David Storms’ 10 tips to protect your company in a down economy (if you get the eEye newsletter, this is the story that didn’t get linked!). With the economy stagnating (or going down), I think many companies have put new projects on indefinite hold. At least in the tech area, I’ve not heard of huge swaths of layoffs unless the company is already bloated. So this might mean staff levels are frozen, but staff still need to get things done. With possibly fewer projects, it might be worthwhile to take on some free/open tools and leverage them instead of some bloated, expensive big-box that doesn’t really confer much true security knowledge. #8 about properly terminating employee accounts should really be #1 this year. With remote access and layoffs, many people will have knee-jerk thoughts of revenge or fear and may act on those ideas before access is properly terminated. Just this week we had 11 layoffs, and those of us who hold those access keys learned about them all at the time of or after the fact. Gambling with fire!
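A reconciliation check in the spirit of that #8, as an added example (not code from the magazine article or this post): it compares an HR termination list against a directory export and flags accounts still enabled, or still logging on, after the termination date. The HR feed, directory records and field names are all constructed for illustration.

```python
"""Offboarding reconciliation: find accounts whose access outlived the
employee. Added example; HR and directory data below are constructed."""
from datetime import date, datetime

# Constructed HR feed: employee id -> termination date
HR_TERMINATIONS = {
    "e1001": date(2009, 2, 9),
    "e1002": date(2009, 2, 9),
    "e1003": date(2009, 1, 30),
}

# Constructed directory export: one record per account (field names assumed)
DIRECTORY_EXPORT = [
    {"employee_id": "e1001", "sam": "jdoe",    "enabled": True,  "last_logon": "2009-02-11T08:14:00"},
    {"employee_id": "e1002", "sam": "asmith",  "enabled": False, "last_logon": "2009-02-06T17:02:00"},
    {"employee_id": "e1003", "sam": "bwu",     "enabled": False, "last_logon": "2009-02-02T09:30:00"},
    {"employee_id": "e2000", "sam": "active1", "enabled": True,  "last_logon": "2009-02-11T12:00:00"},
]


def find_lagging_terminations(hr, directory, as_of):
    """Return (employee_id, account, reason) tuples for every termination
    whose directory account is still enabled as of `as_of`, or shows a
    logon after the termination date, or has no directory record at all."""
    findings = []
    by_emp = {rec["employee_id"]: rec for rec in directory}
    for emp, term_date in hr.items():
        rec = by_emp.get(emp)
        if rec is None:
            findings.append((emp, None, "no directory record for terminated employee"))
            continue
        last_logon = datetime.fromisoformat(rec["last_logon"]).date()
        if rec["enabled"] and as_of >= term_date:
            lag = (as_of - term_date).days
            findings.append((emp, rec["sam"], f"still enabled {lag} days after termination"))
        if last_logon > term_date:
            findings.append((emp, rec["sam"], f"logon on {last_logon} after termination"))
    return findings


def run_check(as_of=date(2009, 2, 12)):
    """Run the reconciliation over the constructed data for a given report date."""
    return find_lagging_terminations(HR_TERMINATIONS, DIRECTORY_EXPORT, as_of)


if __name__ == "__main__":
    for emp, account, reason in run_check():
        print(f"{emp} ({account}): {reason}")
```

Run daily against the real HR feed and directory export, the same check turns "learned about it after the fact" into a ticket the morning after.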