Collaborate Disseminate
We would like to implement SAML based SSO for our organization. We do not want employees to be able to access specific accounts outsides of specific hours and IP ranges. (We do not want to setup a VPN for that use-case for multiple reasons… Continue reading SSO Log Users Out Based on IP Address
I have a password policy which states that users must not write and store their passwords down in plaintext. How can I ensure that they haven’t done so by writing their password in emails, scripts, documents or files?
Continue reading How do I check that users don’t write down their passwords?
Some things in policies can be good controls, but the same controls can open up vulnerabilities or can be contradicted by other controls and conditions in other policies.
What can be a good measure to prevent this?
Example:… Continue reading How to prevent contradictions in policies
A young tech company which operates on sensitive data has employees that fall victim to phishing/porting scams despite its best efforts to instill security fobs, vpn, password managers, non-sms 2FA, limited email access and s… Continue reading Is it a good security practice to force employees hide their employer to avoid being targeted?
Our company is implementing a BYOD policy. I am working with management to draft end user training guidelines / standards as senior member of the Information Security team. Our company is in a regulated industry and works rou… Continue reading How should security user training be provided when implementing a company BYOD strategy?
I was asked this question:
What are the basic things that need to be explained to every employee
about a security policy? At what point in their employment? Why? (List
at least 4 things).
Would the basic things be h… Continue reading Basic things that need to be explained to employees about a security policy and at what point in their employment
Our Antivirus software caught illegal exe file from my office PC. What ste the possible actions from my organization, if the illegal exe was installed during non working ours? Will I get a note from my employer, what are poss… Continue reading Caught with illegal software on office PC [on hold]
What is the ideal way to structure InfoSec policies: have one big policy with subsections based on the type of controls (networking, password, etc.) or one main InfoSec policy (and what would you include in that document) and… Continue reading Structuring Information Security Policy(s) [on hold]
I currently work in the Information Security team at my company. I have been requested by company management to assist in reviewing and revising our current IT security policies. I am a trusted, respected member of the IT Sec… Continue reading Should security policy acknowledgements in a company be customized for IT vs non IT users?
I work in the Information Security team at my workplace. We work in the insurance and healthcare industry and work frequently with customer credit card, financial, and private health data.
Today I was meeting with security m… Continue reading Should corporate security training be tailored based on a users’ job role?