Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Aug 30, 2014

New awareness module on change and security

The intersection between information security and change management is our awareness topic for September, covering issues such as: 
  • Many corporate changes deliver new or modified IT systems and business processes, and most of those have information security requirements - therefore information security risk analysis and security design should be a routine part of project management;
  • New and updated laws, regulations and compliance obligations (some of which are relevant to information security, risk, privacy and business continuity) push the organization into changing, as do changes in the information security threats, vulnerabilities and impacts affecting the corporation - in other words, apart from changes driven by the business, it needs to respond to changes in the external environment, including some that affect information security;
  • Change control and system security in general are all bar impossible without adequate IT security controls preventing unauthorized changes - so IT or cyber security is an essential element of change control;
  • Software patches often address security vulnerabilities, while the need to implement them quickly on vulnerable systems puts pressure on conventional test and release mechanisms - security patch management puts ordinary change management processes under stress [we provided a new template policy on patching and other awareness content about that];
  • Significant changes may create unacceptable risks to the organization unless those risks are recognized and treated - it is strongly linked to risk management;
  • Changes are often unsettling to employees, and if mismanaged may lead to resentment, resistance and perhaps even retribution against the organization that is perceived to be imposing them - which is a cue to pick up on the human aspects of corporate change.
This is an unusual information security awareness topic but it certainly has relevance, interest and value, making it a legitimate part of the program (at least that’s how we feel about it!).  It has been five years since we last covered it, and we probably won’t do so again for a few more years yet, so subscribers lap it up while you can.  Get in touch to subscribe to NoticeBored if you agree that this would be an interesting and worthwhile addition to your security awareness and training program ... or by all means invest your time and effort to research and write the awareness materials yourself from scratch.  You'll soon discover why a NoticeBored subscription is such great value!

Regards,
Gary (Gary@isect.com)