How about: "Don't test the locks." Seriously, just start with a "Consent to Monitoring" and establish recurring security training. Make this a face-to-face class with a large Q and A portion. Not a PowerPoint marathon.
Let me look through my feed list ... and find a few good places to steal class material from ...

Symantec has an excellent security blog aimed at end-users: http://www.symantec.com/connect/symantec-blogs/sr

Also trendmicro has some decent blog entries as well: http://blog.trendmicro.com/

If you have developers in your audience use OWASP: https://www.owasp.org/index.php/Main_Page

Educate first; legislate later.

On Fri, Jul 22, 2011 at 9:52 AM, Mark McCullough <[email protected]> wrote:
>
> On 2011 Jul 22, at 06:18, Tom Limoncelli wrote:
>
> > (asking for a friend)
> >
> > Suppose you have a very small site and do not yet have a written
> > security policy. What is a good "starter policy"? Based on the
> > philosophy that "something is better than nothing", what is a 3-5
> > sentence policy that can be put in place quickly? (rather than waiting
> > to put together the ultimate perfect policy)
>
> Simple necessarily means broad statements that can't be read and understood
> except by senior security policy types. As a security person, I can summarize
> a very large security policy into three sentences:
>
> Rule of least privilege must be followed.
> Authentication, Authorization, Auditing (logging) must be used at all
> times.
> Known vulnerabilities must be addressed.
>
> But that doesn't explain what these entail, the literally pages of policies
> that derive from these three statements.
>
> And I even managed to avoid the CIA acronym of CISSP.
>
> ----
> "The speed of communications is wondrous to behold. It is also true that
> speed can multiply the distribution of information that we know to be
> untrue." Edward R Murrow (1964)
>
> Mark McCullough
> [email protected]
>
> _______________________________________________
> Discuss mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
