Writing Security Policies
That People Can Actually Read!!!

        With Your Host: Brad Bemis
     (CISSP, CISA, and Known Troublemaker)




        © 2011 Network Computing Architects, all rights reserved
Shameless Self-Promotion
• Brad Bemis, CISSP, CISA, ABCDEGFHIJKLMNOP…
  –   Senior Security Consultant with NCA in Bellevue WA
  –   20+ years in the information security industry
  –   AAS in Personnel Management (i.e. HR)
  –   BS in Information Technology
  –   MS in Education (Underway)
  –   + Business & Psychology
  –   Highly opinionated
  –   But mostly right ;-)

The Standard Disclaimers
•   I am not a lawyer, nor do I play one on TV
•   Policy development is a subjective topic
•   There are several different approaches
•   Lots of policy presentations out there
•   This one will be a little different
•   Non-traditional approach
•   Everything is changing
•   Gotta keep up!!!

Here’s The Challenge
    Turning This:                                        Into This:

Where We’re at Today
• How many of your employees:
   –   Know where your policies are?
   –   Have spent time reading them?
   –   Know what they say?
   –   Understand what they mean?
   –   Make an effort to comply with them?
   –   Help make sure that others comply with them?
• The numbers usually start low with the first question
• They tend to get lower as you move down the list!

Conventional Wisdom
• For a security policy to be successful:
   –   Must have management support
   –   Must have an assigned owner
   –   Must establish clear roles and responsibilities
   –   Must be relevant to the organization
   –   Must be focused, realistic, and enforceable
   –   Must adequately address security needs
   –   Must align with risk management principles
   –   …and so on. Sure, but what else?

Traditional Approach
(Pyramid diagram, top to bottom:)
• Policies
   – Standards/Guidelines
      – Processes/Procedures

Why It’s Not Working
• First of all – users don’t care what we call things!
   – They just want to get stuff done – their stuff!!
• We tend to write for the wrong audience
   – Auditors, legal types, technical people
• There’s usually way too much material
   – 30 different documents, 300 pages of ‘stuff’
• They’re not really put together very well
   – Intro, applicability, scope, purpose, etc.
   – More words used to describe than to state them!

A Couple of Other Key Issues
• We often use the wrong kind of language
   – Formal vs. informal – directive vs. conversational
   – Punitive vs. positive – stick vs. carrot
• We don’t make them very easy to find
   – Most policies are buried on some obscure site
   – They’re usually just collections of ‘stuff’
• We try to bridge an enormous gap ineffectively
   – Thinking that ‘awareness’ is the answer
   – Great campaign points to bad policy

Let’s Talk Basics
• What a security policy is:
   – A statement of intent or commitment
   – A principle or rule to guide decision making
   – A description of organizational expectations
• What a security policy is not:
   – A legally binding contract
   – A document written for auditors
   – A vehicle for placing blame elsewhere

A Compliance View
• What PCI says about policies:
   – Have one! Make sure it covers PCI topics! Maintain it!
   – You can read requirement 12 if you want the details
• What HIPAA says about policies:
   – Implement policies to avoid/manage security violations!
   – Check out section 164.308 for additional information
• What SOX says about policies:
   – Or rather, what’s your auditor’s interpretation of SOX?
   – Policies are pretty much a given no matter who you talk to

Here Comes the ‘But’
• Not a single one of these requirements says:
   – Policies need to be a long, drawn-out affair
   – Policies need to be written like legal documents
   – Policies should be filled with contractual language
   – Policies have to address every possible eventuality
   – Policies exist for the sole purpose of making auditors happy
• Why then do we see so many policies written this way?
• What can we do differently as an industry to change this?
• How do we write security policies people can actually read?

There IS a Way…
•   Understand the purpose and context
•   Define and analyze your audience
•   Frame up your overall message
•   Use conversational language
•   Leverage visuals if you can
•   Educate and entertain
•   Simplify everything
•   Make it a tool!!!

Purpose and Context
•   What is it that you are trying to accomplish?
•   Is a policy the right tool for the job?
•   How will a policy help the situation?
•   How will you share/communicate it?
•   Who will own, maintain, and enforce it?
•   What about exceptions and violations?
•   What’s the organizational culture like?
•   What can you get away with?

Audience Analysis
•   Who is your intended audience?
•   Any similarities between audience members?
•   Any differences between audience members?
•   What do the audience members do?
•   What’s important to this audience?
•   How busy is this audience?
•   What is expected of them?
•   What else?

Message Framing
•   Think about the purpose and context…
•   Think about the audience members…
•   What’s the behavior you want to influence?
•   How would you describe the desired behavior?
•   How will you measure a shift in that behavior?
•   What’s the basic message you need to convey?
•   What’s the long form of that message – details?
•   How can you boil it down to 3 to 5 sentences?

Using The Right Language
• Still keeping all of the former steps in mind…
•   How would you convey your message to:
     – Your child, your grandparents, your clueless uncle Bob
•   How would you TALK to someone about it?
•   Rewrite your message to be conversational
•   Write for the ‘lowest common denominator’
•   Keep it short, sweet, and to the point!
•   Engage the audience with your message!

Leverage Visuals
•   Visuals are not typical in most policy documents
•   These are usually reserved for ‘awareness’ efforts
•   “A picture paints a thousand words” though
•   Do you want to write a thousand words?
•   Do you expect people to read a thousand words?
•   Good visuals can really help – even in policies!
•   Make sure they are relevant and appropriate
•   Don’t go overboard…

Educate and Entertain
•   Try inserting some levity and irreverence…
•   Your audience is more likely to read your policies
•   People learn better when they are entertained
•   Levity inspires confidence, trust, and creativity
•   Companies that use levity outperform others
•   It really all depends on your corporate culture
•   You don’t need to be a comedian – just fun
•   Like visuals, keep it relevant and appropriate

Simplify Everything
•   Only write policies that need to be written
•   Get rid of all the ‘fluff’ – it’s unnecessary!
•   Create a [fun] security handbook to use
•   Put a memorable title on your handbook
•   Organize it by what people need to DO!
•   Remember, employees are busy people
•   Security is NOT their top priority – accept it!
•   Blur the lines between policies and awareness

Give Them a Tool
•   The policy document isn’t your end-point
•   Your handbook is just one way to move forward
•   Add quick references, cheat sheets, check lists
•   Anything that can make security easier for folks
•   The BEST tool is a well done website – easily found
•   Simple screen: ‘What Are You Trying to Do?’
•   Take a ‘nested’ approach to ‘navigation’
•   Get feedback and make improvements!!!

An Example for Dummies
• Look at the success of the ‘for Dummies’ series
• Their books embody everything here (and more)
  – “From the start, For Dummies was a simple, yet powerful concept: Relate to the anxiety and frustration that people feel about technology by poking fun at it with books that are insightful and educational and make difficult material interesting and easy. Add a strong dose of personality, a dash of comic relief with entertaining cartoons, and — voilà — you have a For Dummies book.”
• An invaluable approach to security policies

The Parts of Tens
•   The last section of any ‘for Dummies’ book
•   Essentially a ‘top 10 list’ on a particular topic
•   Each item has an entertaining title
•   Includes a brief, amusing summary
•   Often closes out with a ‘tip’
•   Probably the single best model to follow
•   Imagine if security policies were written this way
•   Hmmm… People might actually read them!!!

“I Object”
• What are some common objections?
  –   Security is serious business
  –   You can’t write funny policies
  –   You can’t hold people accountable using these
  –   You can’t meet compliance requirements using these
  –   Auditors/legal departments/executives may not like them
• Getting past these objections
  – First, who are you really writing these policies for?
  – You want people to read and understand them, right?

The End Justifies the Means
•   In the end, policies are about setting expectations
•   They’re put in place to help (not hinder) people
•   We can do more – we can do better!!!
•   Remember:
    – A GOOD policy is one that people READ!
    – A GOOD policy is one that people UNDERSTAND!
    – A GOOD policy is one that people FOLLOW!

Questions???
About the Author:
Brad Bemis is the Principal Security Consultant for Network Computing Architects (NCA) in Bellevue, WA, and has over 20 years of practical experience in IT and information security. He is also a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Associate Business Continuity Planner (ABCP), and Lean Six Sigma Green Belt, with several additional technology-centric certifications from Cisco, Microsoft, and CompTIA.

Brad holds associate degrees in both Personnel Management and Information Systems Technology and a Bachelor of Science in Information Technology, and is currently pursuing a Master of Science in Education. He has also completed graduate-level coursework towards a Master of Business Administration and a Master of Science in Clinical Psychology.

Brad has worked with multiple Fortune 500 companies, military organizations, and government agencies around the world, in roles ranging from Systems Security Administrator to Chief Information Security Officer (and everything in between). Although highly skilled across multiple security disciplines, his main passion is information security awareness and training: evangelizing the message and engaging others. He is also very active in the security community, including contributions to the Cloud Security Alliance (CSA), board positions with the Greater Seattle Area Chapter of the Cloud Security Alliance and the Pacific Northwest Chapter of the Information Systems Security Association (ISSA), participation in several other professional associations, sharing insights and experience across a number of online security forums, and much, much more.

Additional information can be found on Brad's professional blog at www.secureitexpert.com.

About NCA’s Information Security Practice:
NCA’s Information Security Practice is an ISO 27001 certified professional security services consultancy with offices in Bellevue, WA, Portland, OR, and Los Gatos, CA. We offer a wide range of professional security services that can be scaled and customized to meet the business needs of any organization. Our major core competencies include:

       • Program Management: Building and managing a holistic information security program.
       • Governance: Incorporating security into enterprise or IT governance frameworks.
       • Risk Management: Measuring and managing information security and other related risks.
       • Compliance: Ensuring that all internal and external requirements are being met.
       • Identity & Access Management: Managing identities and permissions for systems and users.
       • Perimeter Defense & Firewall Management: Defending the borders between networks.
       • Traditional & Mobile End-Point Protection: Securing fixed and mobile end-point devices.
       • Virtualization & Cloud Computing: Migrating customers to the cloud safely and securely.
       • Event Management & Incident Response: Detecting and responding to security incidents.
       • Awareness & Training: Engaging people in the process of security on a daily basis.

Through a number of strategic partnerships we can also deliver additional services in the areas of:

       • Managed Services: Managing the day-to-day operational security of information systems.
       • Application Security & Penetration Testing: Validating controls for business applications.
       • Business Continuity & Disaster Recovery: Sustaining the business during emergencies.

                        Learn more today at http://ncanet.com
                        Or call 877-KNOW NCA (877-566-9622)

More Related Content

Similar to Writing Security Policies That People Can Actually Read

The Politics of Designing a Large University Website
The Politics of Designing a Large University WebsiteThe Politics of Designing a Large University Website
The Politics of Designing a Large University Websitetamuwww
 
Implementing Licensing— A Journey
Implementing Licensing— A JourneyImplementing Licensing— A Journey
Implementing Licensing— A JourneyFlexera
 
Human computer interaction -Design and software process
Human computer interaction -Design and software processHuman computer interaction -Design and software process
Human computer interaction -Design and software processN.Jagadish Kumar
 
In-House Content Strategy - MinneWebCon April 2013
In-House Content Strategy - MinneWebCon April 2013In-House Content Strategy - MinneWebCon April 2013
In-House Content Strategy - MinneWebCon April 2013m3ggiesue
 
IT Project Management by Todd Shyres.
IT Project Management by Todd Shyres.IT Project Management by Todd Shyres.
IT Project Management by Todd Shyres.Todd Shyres, MBA, PMP
 
TCUK 2012, Bryan Lade, How to sell yourself as a Technical Author
TCUK 2012, Bryan Lade, How to sell yourself as a Technical AuthorTCUK 2012, Bryan Lade, How to sell yourself as a Technical Author
TCUK 2012, Bryan Lade, How to sell yourself as a Technical AuthorTCUK Conference
 
CMU Business & Technology Club - A Rewarding Career in Technology Consulting
CMU Business & Technology Club - A Rewarding Career in Technology ConsultingCMU Business & Technology Club - A Rewarding Career in Technology Consulting
CMU Business & Technology Club - A Rewarding Career in Technology ConsultingLarry Gioia
 
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...Kimberley Dray
 
SharePoint Governance. Stop features thinking,
SharePoint Governance. Stop features thinking, SharePoint Governance. Stop features thinking,
SharePoint Governance. Stop features thinking, Patrick Sledz
 
CSA Fall Summit 2017
CSA Fall Summit 2017CSA Fall Summit 2017
CSA Fall Summit 2017Chad Hoffmann
 
internet usage and limitations, presentation styles
internet usage and limitations, presentation stylesinternet usage and limitations, presentation styles
internet usage and limitations, presentation stylesAnjaliBiyani4
 
Workplace Wellness: Financial Wellness - What Your Managers Need To Know
Workplace Wellness: Financial Wellness - What Your Managers Need To KnowWorkplace Wellness: Financial Wellness - What Your Managers Need To Know
Workplace Wellness: Financial Wellness - What Your Managers Need To KnowAggregage
 
Workplace Wellness: Financial Wellness - What Your Managers Need To Know
Workplace Wellness: Financial Wellness - What Your Managers Need To KnowWorkplace Wellness: Financial Wellness - What Your Managers Need To Know
Workplace Wellness: Financial Wellness - What Your Managers Need To KnowNaba Ahmed
 
Implementing Modernization by Trevor Perry
Implementing Modernization by Trevor PerryImplementing Modernization by Trevor Perry
Implementing Modernization by Trevor PerryFresche Solutions
 
"A3 Language as the glue for Lean Transformation" (LESS 2011, Stockholm)
"A3 Language as the glue for Lean Transformation" (LESS 2011, Stockholm)"A3 Language as the glue for Lean Transformation" (LESS 2011, Stockholm)
"A3 Language as the glue for Lean Transformation" (LESS 2011, Stockholm)Marcin Kokott
 

Similar to Writing Security Policies That People Can Actually Read (20)

The Politics of Designing a Large University Website
The Politics of Designing a Large University WebsiteThe Politics of Designing a Large University Website
The Politics of Designing a Large University Website
 
Implementing Licensing— A Journey
Implementing Licensing— A JourneyImplementing Licensing— A Journey
Implementing Licensing— A Journey
 
Demystifying digital accessibility webinar
Demystifying digital accessibility webinarDemystifying digital accessibility webinar
Demystifying digital accessibility webinar
 
Human computer interaction -Design and software process
Human computer interaction -Design and software processHuman computer interaction -Design and software process
Human computer interaction -Design and software process
 
In-House Content Strategy - MinneWebCon April 2013
In-House Content Strategy - MinneWebCon April 2013In-House Content Strategy - MinneWebCon April 2013
In-House Content Strategy - MinneWebCon April 2013
 
IT Project Management by Todd Shyres.
IT Project Management by Todd Shyres.IT Project Management by Todd Shyres.
IT Project Management by Todd Shyres.
 
TCUK 2012, Bryan Lade, How to sell yourself as a Technical Author
TCUK 2012, Bryan Lade, How to sell yourself as a Technical AuthorTCUK 2012, Bryan Lade, How to sell yourself as a Technical Author
TCUK 2012, Bryan Lade, How to sell yourself as a Technical Author
 
Data Mining & Engineering
Data Mining & EngineeringData Mining & Engineering
Data Mining & Engineering
 
CMU Business & Technology Club - A Rewarding Career in Technology Consulting
CMU Business & Technology Club - A Rewarding Career in Technology ConsultingCMU Business & Technology Club - A Rewarding Career in Technology Consulting
CMU Business & Technology Club - A Rewarding Career in Technology Consulting
 
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
 
SharePoint Governance. Stop features thinking,
SharePoint Governance. Stop features thinking, SharePoint Governance. Stop features thinking,
SharePoint Governance. Stop features thinking,
 
Human Factor in Project Management
Human Factor in Project Management Human Factor in Project Management
Human Factor in Project Management
 
CSA Fall Summit 2017
CSA Fall Summit 2017CSA Fall Summit 2017
CSA Fall Summit 2017
 
internet usage and limitations, presentation styles
internet usage and limitations, presentation stylesinternet usage and limitations, presentation styles
internet usage and limitations, presentation styles
 
Workplace Wellness: Financial Wellness - What Your Managers Need To Know
Workplace Wellness: Financial Wellness - What Your Managers Need To KnowWorkplace Wellness: Financial Wellness - What Your Managers Need To Know
Workplace Wellness: Financial Wellness - What Your Managers Need To Know
 
Workplace Wellness: Financial Wellness - What Your Managers Need To Know
Workplace Wellness: Financial Wellness - What Your Managers Need To KnowWorkplace Wellness: Financial Wellness - What Your Managers Need To Know
Workplace Wellness: Financial Wellness - What Your Managers Need To Know
 
Opening up Open Source
Opening up Open SourceOpening up Open Source
Opening up Open Source
 
SenseMaker TSC slides.pdf
SenseMaker TSC slides.pdfSenseMaker TSC slides.pdf
SenseMaker TSC slides.pdf
 
Implementing Modernization by Trevor Perry
Implementing Modernization by Trevor PerryImplementing Modernization by Trevor Perry
Implementing Modernization by Trevor Perry
 
"A3 Language as the glue for Lean Transformation" (LESS 2011, Stockholm)
"A3 Language as the glue for Lean Transformation" (LESS 2011, Stockholm)"A3 Language as the glue for Lean Transformation" (LESS 2011, Stockholm)
"A3 Language as the glue for Lean Transformation" (LESS 2011, Stockholm)
 

Recently uploaded

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical InfrastructureVarsha Sewlal- Cyber Attacks on Critical Critical Infrastructure
Varsha Sewlal- Cyber Attacks on Critical Critical Infrastructureitnewsafrica
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 

Recently uploaded (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx

Writing Security Policies That People Can Actually Read

1. Writing Security Policies That People Can Actually Read!!!
With Your Host: Brad Bemis (CISSP, CISA, and Known Troublemaker)
© 2011 Network Computing Architects, all rights reserved

2. Shameless Self-Promotion
• Brad Bemis, CISSP, CISA, ABCDEGFHIJKLMNOP…
   – Senior Security Consultant with NCA in Bellevue WA
   – 20+ years in the information security industry
   – AAS in Personnel Management (i.e. HR)
   – BS in Information Technology
   – MS in Education (Underway)
   – + Business & Psychology
   – Highly opinionated
   – But mostly right ;-)
3. The Standard Disclaimers
• I am not a lawyer, nor do I play one on TV
• Policy development is a subjective topic
• There are several different approaches
• Lots of policy presentations out there
• This one will be a little different
• Non-traditional approach
• Everything is changing
• Gotta keep up!!!

4. Here’s The Challenge
Turning This:
Into This:
5. Where We’re at Today
• How many of your employees:
   – Know where your policies are?
   – Have spent time reading them?
   – Know what they say?
   – Understand what they mean?
   – Make an effort to comply with them?
   – Help make sure that others comply with them?
• The numbers usually start low with the first question
• They tend to get lower as you move down the list!

6. Conventional Wisdom
• For a security policy to be successful:
   – Must have management support
   – Must have an assigned owner
   – Must establish clear roles and responsibilities
   – Must be relevant to the organization
   – Must be focused, realistic, and enforceable
   – Must adequately address security needs
   – Must align with risk management principles
   – …and so on.
• Sure, but what else?
7. Traditional Approach
• Policies
• Standards/Guidelines
• Processes/Procedures

8. Why It’s Not Working
• First of all – users don’t care what we call things!
   – They just want to get stuff done – their stuff!!
• We tend to write for the wrong audience
   – Auditors, legal types, technical people
• There’s usually way too much material
   – 30 different documents, 300 pages of ‘stuff’
• They’re not really put together very well
   – Intro, applicability, scope, purpose, etc.
   – More words used to describe than to state them!
9. A Couple of Other Key Issues
• We often use the wrong kind of language
   – Formal vs. informal – directive vs. conversational
   – Punitive vs. positive – stick vs. carrot
• We don’t make them very easy to find
   – Most policies are buried on some obscure site
   – They’re usually just collections of ‘stuff’
• We try to bridge an enormous gap ineffectively
   – Thinking that ‘awareness’ is the answer
   – Great campaign points to bad policy

10. Let’s Talk Basics
• What a security policy is:
   – A statement of intent or commitment
   – A principle or rule to guide decision making
   – A description of organizational expectations
• What a security policy is not:
   – A legally binding contract
   – A document written for auditors
   – A vehicle for placing blame elsewhere
11. A Compliance View
• What PCI says about policies:
   – Have one! Make sure it covers PCI topics! Maintain it!
   – You can read requirement 12 if you want the details
• What HIPAA says about policies:
   – Implement policies to avoid/manage security violations!
   – Check out section 164.308 for additional information
• What SOX says about policies:
   – Or rather, what’s your auditor’s interpretation of SOX?
   – Policies are pretty much a given no matter who you talk to

12. Here Comes the ‘But’
• Not a single one of these requirements says:
   – Policies need to be a long, drawn-out affair
   – Policies need to be written like legal documents
   – Policies should be filled with contractual language
   – Policies have to address every possible eventuality
   – Policies exist for the sole purpose of making auditors happy
• Why then do we see so many policies written this way?
• What can we do differently as an industry to change this?
• How do we write security policies people can actually read?
13. There IS a Way…
• Understand the purpose and context
• Define and analyze your audience
• Frame up your overall message
• Use conversational language
• Leverage visuals if you can
• Educate and entertain
• Simplify everything
• Make it a tool!!!

14. Purpose and Context
• What is it that you are trying to accomplish?
• Is a policy the right tool for the job?
• How will a policy help the situation?
• How will you share/communicate it?
• Who will own, maintain, and enforce it?
• What about exceptions and violations?
• What’s the organizational culture like?
• What can you get away with?
15. Audience Analysis
• Who is your intended audience?
• Any similarities between audience members?
• Any differences between audience members?
• What do the audience members do?
• What’s important to this audience?
• How busy is this audience?
• What is expected of them?
• What else?

16. Message Framing
• Think about the purpose and context…
• Think about the audience members…
• What’s the behavior you want to influence?
• How would you describe the desired behavior?
• How will you measure a shift in that behavior?
• What’s the basic message you need to convey?
• What’s the long form of that message – details?
• How can you boil it down to 3 to 5 sentences?
17. Using The Right Language
• Still keeping all of the former steps in mind…
• How would you convey your message to:
   – Your child, your grandparents, your clueless uncle Bob
• How would you TALK to someone about it?
• Rewrite your message to be conversational
• Write for the ‘lowest common denominator’
• Keep it short, sweet, and to the point!
• Engage the audience with your message!

18. Leverage Visuals
• Visuals are not typical in most policy documents
• These are usually reserved for ‘awareness’ efforts
• “A picture paints a thousand words” though
• Do you want to write a thousand words?
• Do you expect people to read a thousand words?
• Good visuals can really help – even in policies!
• Make sure they are relevant and appropriate
• Don’t go overboard…
19. Educate and Entertain
• Try inserting some levity and irreverence…
• Your audience is more likely to read your policies
• People learn better when they are entertained
• Levity inspires confidence, trust, and creativity
• Companies that use levity outperform others
• It really all depends on your corporate culture
• You don’t need to be a comedian – just fun
• Like visuals, keep it relevant and appropriate

20. Simplify Everything
• Only write policies that need to be written
• Get rid of all the ‘fluff’ – it’s unnecessary!
• Create a [fun] security handbook to use
• Put a memorable title on your handbook
• Organize it by what people need to DO!
• Remember, employees are busy people
• Security is NOT their top priority – accept it!
• Blur the lines between policies and awareness
21. Give Them a Tool
• The policy document isn’t your end-point
• Your handbook is just one way to move forward
• Add quick references, cheat sheets, check lists
• Anything that can make security easier for folks
• The BEST tool is a well done website – easily found
• Simple screen: ‘What Are You Trying to Do?’
• Take a ‘nested’ approach to ‘navigation’
• Get feedback and make improvements!!!

22. An Example for Dummies
• Look at the success of the ‘for Dummies’ series
• Their books embody everything here (and more)
   – “From the start, For Dummies was a simple, yet powerful concept: Relate to the anxiety and frustration that people feel about technology by poking fun at it with books that are insightful and educational and make difficult material interesting and easy. Add a strong dose of personality, a dash of comic relief with entertaining cartoons, and — voilá — you have a For Dummies book.”
• An invaluable approach to security policies
23. The Parts of Tens
• The last section of any ‘for Dummies’ book
• Essentially a ‘top 10 list’ on a particular topic
• Each item has an entertaining title
• Includes a brief, amusing summary
• Often closes out with a ‘tip’
• Probably the single best model to follow
• Imagine if security policies were written this way
• Hmmm… People might actually read them!!!

24. “I Object”
• What are some common objections?
   – Security is serious business
   – You can’t write funny policies
   – You can’t hold people accountable using these
   – You can’t meet compliance requirements using these
   – Auditors/legal departments/executives may not like them
• Getting past these objections
   – First, who are you really writing these policies for?
   – You want people to read and understand them, right?
25. The End Justifies the Means
• In the end, policies are about setting expectations
• They’re put in place to help (not hinder) people
• We can do more – we can do better!!!
• Remember:
   – A GOOD policy is one that people READ!
   – A GOOD policy is one that people UNDERSTAND!
   – A GOOD policy is one that people FOLLOW!

26. Questions???
27. About the Author
Brad Bemis is the Principal Security Consultant for Network Computing Architects (NCA) in Bellevue WA, and has over 20 years of practical experience in IT and information security. He is also a Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Associate Business Continuity Planner (ABCP), and Lean Six Sigma Greenbelt, with several additional technology-centric certifications from Cisco, Microsoft, and CompTIA. Brad holds associate degrees in both Personnel Management and Information Systems Technology and a Bachelor of Science in Information Technology, and is currently pursuing a Master of Science in Education. He has also engaged in graduate-level coursework towards a Master of Business Administration and a Master of Science in Clinical Psychology.

Brad has worked with multiple Fortune 500 companies, military organizations, and government agencies around the world, in roles ranging from Systems Security Administrator to Chief Information Security Officer (and everything in between). Although highly skilled across multiple security disciplines, his main passion is information security awareness and training – evangelizing the message and engaging others. He is also very active in the security community, including contributions to the Cloud Security Alliance (CSA), board positions with the Greater Seattle Area Chapter of the Cloud Security Alliance and the Pacific Northwest Chapter of the Information Systems Security Association (ISSA), participation in several other professional associations, sharing insights and experience across a number of online security forums, and much, much more. Additional information can be found on Brad's professional blog at www.secureitexpert.com.

28. About NCA’s Information Security Practice
NCA’s Information Security Practice is an ISO 27001 certified professional security services consultancy with offices in Bellevue WA, Portland OR, and Los Gatos CA. We offer a wide range of professional security services that can be scaled and customized to meet the business needs of any organization. Our major core competencies include:
• Program Management: Building and managing a holistic information security program.
• Governance: Incorporating security into enterprise or IT governance frameworks.
• Risk Management: Measuring and managing information security and other related risks.
• Compliance: Ensuring that all internal and external requirements are being met.
• Identity & Access Management: Managing identities and permissions for systems and users.
• Perimeter Defense & Firewall Management: Defending the borders between networks.
• Traditional & Mobile End-Point Protection: Securing fixed and mobile end-point devices.
• Virtualization & Cloud Computing: Migrating customers to the cloud safely and securely.
• Event Management & Incident Response: Detecting and responding to security incidents.
• Awareness & Training: Engaging people in the process of security on a daily basis.
Through a number of strategic partnerships we can also deliver additional services in the areas of:
• Managed Services: Managing the day-to-day operational security of information systems.
• Application Security & Penetration Testing: Validating controls for business applications.
• Business Continuity & Disaster Recovery: Sustaining the business during emergencies.
Learn more today at http://ncanet.com or call 877-KNOW NCA (877-566-9622).