Welcome to the SecAware blog

I spy with my beady eye ...

30 Sept 2015

"Permissions", another novel security awareness topic

When a customer suggested that NoticeBored ought to cover privileges, we thought "Great idea!" ... but when we got stuck into the research for the new module, we soon realized that we couldn't really discuss privileges without also dipping into access rights ... which takes us into rights ... and compliance ... and a whole stack of other stuff. From being a narrow and specific topic, it mushroomed into an enormous beast, a far more complicated, wide-ranging awareness subject than we originally anticipated, taking in more than thirty aspects: access controls; access rights; accountability; authorization; awareness, education and training (!); compliance; controls; disclaimers; enforcement; entitlement; escalation; ethics; exceptions; exemptions; forensics; governance; granting, denying and revoking permissions; groups and rĂ´les; identification and authentication; incident response and management; obligations and responsibilities; passes and ID cards; penetration and security testing; permits and licenses; policies, procedures and guidelines; privileges; prohibition; reinforcement; rights; risks; and trust.

We settled in the end for the innocuous, all-encompassing title "permissions". It would have been counterproductive to attempt to cover all those thirty-plus facets in great detail in one module so instead we picked out the few most relevant to each of the three awareness audience groups (staff, managers and professionals) and skimmed the rest ... for now, but then we've covered most if not all of them before and will do so again at some future point, thanks to picking a different infosec topic every month.

"Permissions" is the 57th topic in our bulging security awareness portfolio, and we're not finished yet! As far as we know*, no other commercial offering in this space is anything like as broad, nor indeed as deep. Concentrating on one topic at a time gives us the opportunity to explore things in some depth, gradually month-by-month completing the bigger picture. The monthly cycle also lets us reflect current issues and thinking, perhaps even advancing the field in our own little way. This month, for instance, we wrote a generic job description for a Permissions Manager, someone to take the lead on permissions, rights and privileges, coordinating and aligning the management of permission throughout the corporation. On reflection, how do large organizations get by without someone performing such an important role? Is this gap partly to blame for the Sony, Target, OPM and other recent headline incidents?  Hmmmm, makes you think, doesn't it?

If "awareness training" to you means an annual lecture to end-users about policies and passwords, you really should take a look at NoticeBored.com, drop me an email, or call the office. We'd love to help you take the next step.


* If you know different, do please let me know. I'm always interested in what our competitors are getting up to. We don't have a monopoly on innovation! 

No comments:

Post a Comment