CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [244]
CertCities CertCities is an online magazine that covers the broad field of certification. It also does features on the pros and cons of various certifications, and it contains articles related to the computer profession. The website is http://www.certcities.com.
CIO CIO is a monthly publication that specializes in IT management issues and periodically offers security-related articles that tend to be high level. The website is http://www.cio.com.
CSO Magazine CSO is a monthly magazine that focuses on issues of interest to security executives. The website is http://www.csoonline.com.
Hakin9 Hakin9 is a bimonthly publication aimed at those with an interest in “hard core IT security.” The website is http://www.en.hakin9.org/.
Information Security Magazine Information Security Magazine is a monthly publication that focuses on computer security issues. The website is http://informationsecurity.techtarget.com.
InformationWeek InformationWeek addresses management and other IT issues. This magazine provides updates in the field of technology. The website is http://www.informationweek.com.
InfoWorld InfoWorld deals with PC issues from an IT management perspective. This magazine offers regular articles on security and related topics. The website is http://www.infoworld.com.
Real World Scenario
Security-Awareness Program
You’ve just been appointed to the security department of your IT organization. The organization needs to implement a new set of plans and standards for computer security. You’ve been asked to create a way to communicate this information to the organization. What could you recommend to accomplish this?
You might consider creating a security-awareness seminar for everyone in the organization. This seminar would ideally address the following areas:
■ Importance of security
■ Responsibilities of people in the organization
■ Policies and procedures
■ Usage policies
■ Account and password-selection criteria
■ Social engineering prevention
If a seminar is not possible, training can also be done using an intranet site that is updated regularly. The site should require employees to log in to document that they have reviewed the latest security information. Disseminating the information this way gives the employee more latitude but still gets the job done in the absence of a seminar.
Additionally, you would want to develop training programs for management to address the needs of the department heads and managers. Your organization may need to determine if additional training is needed for network administrators and development personnel.
Regulating Privacy and Security
An organization’s security management policies don’t exist in a vacuum. Regulatory and governmental agencies are key components of a security management policy. These agencies have made large improvements over the last several years to ensure the privacy of information; several laws have been passed to help ensure that information isn’t disclosed to unauthorized parties. The following sections provide a brief overview of a few of these regulations. As a security professional, you must stay current with these laws because you’re one of the primary agents to ensure compliance.
In addition to the federal laws, most states have laws on computer crime as well. Check http://nsi.org/Library/Compsec/computerlaw/statelaws.html for information on your state.
The Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) is a relatively new regulation that mandates national standards and procedures for the storage, use, and transmission of personal medical information. Passed into law in 1996, HIPAA has caused a great deal of change in healthcare record keeping.
HIPAA covers three areas—confidentiality, privacy, and security of patient records—and it’s being implemented in phases to make the transition easier. Confidentiality and privacy of patient records had to be implemented by a set date, followed by security of patient records.