Information security policies, procedures and guidelines
Browse the articles and tips in this section for the latest information on how to create, manage and implement effective information security policies, procedures and guidelines, such as acceptable use, device and remote access policies.
Top Stories
- Tip, 29 Mar 2024: 5 tips for building a cybersecurity culture at your company
  As a company's cyber-risks evolve, so must its culture. Here are five tips for creating a cybersecurity culture that protects the business and is meaningful for employees.
- Tip, 01 Feb 2024: 10 cybersecurity best practices and tips for businesses
  Looking to improve your business's cybersecurity program? Study these 10 cybersecurity best practices and tips.
- Definition, 28 Sep 2018: CAIQ (Consensus Assessments Initiative Questionnaire)
  The Consensus Assessments Initiative Questionnaire (CAIQ) is a survey provided by the Cloud Security Alliance (CSA) for cloud consumers and auditors to assess the security capabilities of a cloud service provider.
- Opinion, 25 Sep 2018: Why a unified local government security program is crucial
  When considering a local government cybersecurity program, companies must understand the dangers of not having one. Matt Pascucci explains why a program designed to monitor the public sector is crucial.
- Podcast, 23 Aug 2018: Risk & Repeat: Meltdown and Spectre disclosure in review
  In this week's Risk & Repeat podcast, SearchSecurity editors discuss new insights -- and questions -- regarding the coordinated disclosure effort for Meltdown and Spectre.
- News, 13 Aug 2018: Lessons learned from Meltdown and Spectre disclosure process
  During a Black Hat 2018 session, Google, Microsoft and Red Hat offered a behind-the-scenes look at the disclosure and response effort for Meltdown and Spectre.
- News, 09 Aug 2018: Meltdown and Spectre disclosure suffered "extraordinary miscommunication"
  During a panel discussion at Black Hat 2018 on Meltdown and Spectre, Google explained how miscommunication left the company's incident response out of the early disclosure process.
- Tip, 07 Aug 2018: What to do when IPv4 and IPv6 policies disagree
  Unfortunately for enterprises, IPv4 and IPv6 policies don't always agree. Fernando Gont examines the differences between these two security policies, as well as some filtering rules.
- News, 03 Aug 2018: Disclose.io launches vulnerability disclosure 'safe harbor'
  News roundup: Disclose.io offers a legal bug bounty framework to give researchers safe harbor from legal action for vulnerability disclosures. Plus, Stamos exits Facebook, and more.
- Opinion, 01 Aug 2018: Why third-party access to data may come at a price
  Google and other platform companies dangled not only APIs but access to user data from unwitting customers to attract third-party developers and other partners.
- Feature, 31 Jul 2018: Bugcrowd CTO on the need for responsible disclosure policy, 'good faith'
  Bugcrowd founder and CTO Casey Ellis talks about his concerns that the era of 'good faith' between security researchers and enterprises is in jeopardy.
- Feature, 18 Jun 2018: Accenture's Tammy Moskites explains how the CISO position is changing
  Accenture's Tammy Moskites spoke with SearchSecurity at RSA Conference 2018 about the daunting challenges CISOs face today and how the position may be changing.
- Feature, 30 May 2018: McAfee CISO explains why diversity in cybersecurity matters
  Improving diversity in cybersecurity teams can help improve their ability to address cybersecurity challenges through diversity of thought, suggests McAfee CISO Grant Bourzikas.
- Tip, 17 May 2018: How security operations centers work to benefit enterprises
  One key support system for enterprises is the security operations center. Expert Ernie Hayden reviews the basic SOC framework and the purposes SOCs can serve.
- Podcast, 26 Apr 2018: Risk & Repeat: Hacking back, GDPR and more from RSAC
  In this week's Risk & Repeat podcast, SearchSecurity editors discuss some of the major themes and debates from RSA Conference, from hacking back to GDPR compliance.
- News, 26 Apr 2018: IXPs asked to mind their 'MANRS' to improve routing security
  The Internet Society expands its Mutually Agreed Norms for Routing Security, or MANRS, to IXPs as a means to protect the internet from route hijacking, leaks and IP address spoofing.
- Conference Coverage, 11 Apr 2018: RSAC 2018: Special conference coverage
  Find out what's happening at the information security industry's biggest event with breaking news and analysis by the SearchSecurity team at the RSA Conference 2018 in San Francisco.
- Tip, 30 Mar 2018: Imran Awan case shows lax security controls for IT staff
  Investigations into the conduct of the IT staff of the House of Representatives raised alarms. Kevin McDonald explains what we can learn from the case of Imran Awan.
- News, 30 Mar 2018: IBM Security looks to incident response services for growth
  While IBM has made significant investments in acquiring cybersecurity vendors in recent years, the company is now turning its attention to security services like incident response.
- Feature, 23 Mar 2018: Cybersecurity skills gap: Get creative about cyber hiring
  Hiring candidates from disciplines beyond infosec can go a long way to address the widening cybersecurity skills gap, says industry veteran Javvad Malik.
- News, 22 Mar 2018: Watson's Law: IBM preaches data stewardship as A.I. advances
  At IBM's Think conference, executives discussed the importance of protecting and managing data as artificial intelligence offerings like Watson grow and touch more information.
- Guide, 20 Mar 2018: GDPR compliance requirements and how to best fulfill them
  Learn the details of the European Union's new regulations for data security and what your company needs to do now to meet them and avoid expensive penalties.
- Tip, 06 Mar 2018: Patch management programs: Who should run them?
  Patch management is a crucial part of enterprise security defenses, but should security teams be in charge of it? Charles Kao explains how to make patching programs successful.
- Tip, 22 Feb 2018: Web vulnerability scanners: What you won't learn from vendors
  Web security flaws are a serious issue that web vulnerability scanners can manage. Discover your best-fit scanner as expert Kevin Beaver shares tips that vendors won't tell you.
- Answer, 20 Feb 2018: GD library: How did it open the Junos OS to attacks?
  The GD library used in the Junos operating system has opened Junos up to attacks. Nick Lewis explains how it happened and what it means for companies using open source software.
- Answer, 13 Feb 2018: How should BGP route hijacking be addressed?
  A new report from NIST shows how BGP route hijacking can threaten the internet. Expert Judith Myerson reviews the guidance for improving BGP security.
- Tip, 08 Feb 2018: Perfecting the patch management process within enterprises
  Patching enterprise systems and software can be a daunting challenge. Charles Kao explains how the patch management process should work and what pitfalls to avoid.
- News, 07 Feb 2018: Cybersecurity insurance breaks coming for Apple, Cisco customers
  Apple and Cisco customers could get lucrative terms for cybersecurity insurance under a new partnership with insurance giant Allianz and global services firm Aon.
- E-Zine, 01 Feb 2018: Cybersecurity roadmap: What's driving CISOs' agendas for 2018
  Omar F. Khawaja, CISO at Highmark Health, has five areas of focus on his cybersecurity roadmap, and technology is not at the top of the list. Instead, he is prioritizing organizational change management and building an effective decision-making framework for the security leaders of the national healthcare provider and insurer.
  While Khawaja's cybersecurity roadmap may sound ambitious, his focus on risk management and team decision-making to align the security program with the healthcare organization's business strategy is far from unique. Studies show that executives increasingly recognize that a cyberattack could cripple their operations and mean millions in lost business and reputational damage as well as in cleanup costs.
  "CISOs are now charged with defending this digital infrastructure, and that includes software everywhere and data as a resource, and that's a massive change at a time when the attack surface keeps expanding," says Jeff Pollard, an analyst at Forrester Research.
  In this issue of Information Security magazine, security professionals detail the process of developing effective one-year plans. Why do companies struggle to strengthen their cybersecurity roadmap? We look at effective planning, what could go wrong and how to get support for your strategy.
- News, 05 Jan 2018: Huge coordinated vulnerability disclosure needed for Meltdown
  Unprecedented Spectre and Meltdown CPU flaws required a vast coordinated vulnerability disclosure effort over six months and across dozens of organizations.
- Blog Post, 28 Dec 2017: After 2017, data breach fatigue should be a thing of the past
  Data breach fatigue should be put on hold after the Equifax data breach and Uber hack taught us painful lessons about enterprise security shortcomings.
- Podcast, 07 Dec 2017: Risk & Repeat: Analyzing the accidental data breach
  In this week's Risk & Repeat podcast, SearchSecurity editors discuss the rise of accidental data breaches following a series of enterprise exposures of user data online.
- Tip, 28 Nov 2017: How a technology advisory group can benefit organizations
  A technology advisory group can have an irreplaceable impact on an organization. Kevin McDonald explains how volunteer advisors can aid law enforcement and other organizations.
- Tip, 20 Nov 2017: How to prevent password attacks and other exploits
  Prevention is essential to protection against various types of password attacks, unauthorized access and related threats. Expert Adam Gordon outlines how to proactively bolster your defenses.
- Tip, 09 Nov 2017: Why threat models are crucial for secure software development
  Threat modeling is an important component of the secure software development process. Steve Lipner of SafeCode explains how threat models benefit software security.
- Definition, 07 Nov 2017: cryptogram
  A cryptogram is a word puzzle featuring encrypted text that the user decrypts to reveal a message of some sort.
- Definition, 31 Oct 2017: cyber attribution
  Cyber attribution is the process of tracking, identifying and laying blame on the perpetrator of a cyberattack or other hacking exploit.
- Feature, 30 Oct 2017: Grossman: Cyberinsurance market is like the 'Wild West'
  Jeremiah Grossman, chief of security strategy at SentinelOne, talks with SearchSecurity about the value of cyberinsurance and why the rapidly growing market needs to mature.
- Podcast, 26 Oct 2017: Risk & Repeat: Is vulnerability marketing problematic?
  In this week's Risk & Repeat podcast, SearchSecurity editors discuss vulnerability marketing and compare how the recent KRACK attack and ROCA flaw were publicized and promoted.
- Podcast, 05 Oct 2017: Risk & Repeat: Are hacking victims taking too much blame?
  In this week's Risk & Repeat podcast, SearchSecurity editors discuss comments from the FBI's Donald Freese on the practice of blaming and shaming hacking victims and its effects.
- Blog Post, 29 Sep 2017: FBI's Freese: It's time to stop blaming hacking victims
  The FBI's Don Freese spoke at the (ISC)2 Security Congress this week about the need to end the practice of blaming hacking victims. But will infosec professionals listen?
- Tip, 19 Sep 2017: How to balance organizational productivity and enterprise security
  It's no secret that enterprise security and organizational productivity can often conflict. Peter Sullivan looks at the root causes and how to address the friction.
- Answer, 04 Sep 2017: What should you do when third-party compliance is failing?
  Third-party compliance is a necessary part of securing your organization's data. Expert Matthew Pascucci discusses what to do if you suspect a business partner isn't compliant.
- Tip, 29 Aug 2017: What to do when cybersecurity breaches seem inevitable
  The current threat landscape makes cybersecurity breaches seem unavoidable. Expert Peter Sullivan discusses some simple ways enterprises can reduce the risk of a breach.
- Feature, 28 Aug 2017: Electronic voting systems in the U.S. need post-election audits
  Colorado will implement a new system for auditing electronic voting systems. Post-election audits have been proven to help, but are they enough to boost public trust in the systems?
- Guide, 21 Aug 2017: How to attack DDoS threats with a solid defense plan
  An anti-DDoS program requires a solid understanding of the threat and a clearly thought-out strategy. This guide will help you define and implement a solid DDoS defense plan.
- Tip, 10 Aug 2017: Applying a hacker mindset to application security
  It can be beneficial to think like a black hat. Expert Kevin Beaver explains why enterprise security teams should apply a hacker mindset to their work and how it can help.
- News, 04 Aug 2017: Ransomware recovery goes beyond data loss for enterprises
  Enterprises may see paying up as a quick path to ransomware recovery, but experts said there are many issues to consider when making that choice.
- Tip, 03 Aug 2017: What you need to know about setting up a SOC
  Setting up a SOC is different for every enterprise, but there are some fundamental steps with which to start. Expert Steven Weil outlines the basics for a security operations center.
- News, 26 Jul 2017: Stamos preaches defensive security research in Black Hat keynote
  Facebook's Alex Stamos used his Black Hat 2017 keynote to address a wide variety of issues, including defensive security research and diversity in the infosec community.
- Tip, 20 Jul 2017: Applying cybersecurity readiness to today's enterprises
  How prepared is your organization for a cyberattack? Expert Peter Sullivan outlines the seven steps enterprises need to take in order to achieve cybersecurity readiness.
- Tip, 18 Jul 2017: Why security incident management is paramount for enterprises
  Enterprises aren't truly prepared for cyber threats unless they have proper security incident management in place. Expert Peter Sullivan explains what enterprises need to know.
- Tip, 28 Jun 2017: IT security governance fosters a culture of shared responsibility
  Effective information security governance programs require a partnership between executive leadership and IT. All parties work toward a common goal of protecting the enterprise.
- Tip, 15 Jun 2017: Information privacy and security requires a balancing act
  Maintaining information privacy and security seem to be separate challenges, but in reality, each is integral to the other. Expert Kevin Beaver explains how to work toward both.
- Feature, 01 Jun 2017: Acquiring cybersecurity insurance: Why collaboration is key
  Cybersecurity insurance is becoming more important to enterprises as threats increase. Sean Martin explains why enterprise departments need to work together to acquire it.
- Answer, 15 May 2017: What is NIST's guidance on lightweight cryptography?
  NIST released a report on lightweight cryptography. Expert Judith Myerson reviews what the report covers and what NIST recommends for standardization.
- Podcast, 11 May 2017: Risk & Repeat: Critical Windows bug triggers disclosure debate
  This week's Risk & Repeat podcast looks at how a simple tweet about a Windows bug from Project Zero researcher Tavis Ormandy sparked a debate about vulnerability disclosure.
- Tip, 11 May 2017: Applying the new FDA medical device guidance to infosec programs
  New FDA medical device guidance demonstrates the need for better cybersecurity during manufacturing and use. Expert Nick Lewis explains how enterprises can use the recommendations.
- Podcast, 04 May 2017: Risk & Repeat: Symantec offers plan to restore certificate trust
  In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss Symantec's continued struggles with certificate trust, and what Mozilla and Google are doing about it.
- Answer, 21 Apr 2017: How does USB Killer v3 damage devices through their USB connections?
  USB Killer devices, with the ability to destroy systems via a USB input, are available and inexpensive. Expert Nick Lewis explains how they work and how to defend against this threat.
- Podcast, 19 Apr 2017: Risk & Repeat: Mozilla joins the Symantec certificate authority debate
  In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss mounting pressure on the Symantec certificate authority business to provide answers about its practices.
- Definition, 10 Apr 2017: non-disclosure agreement (NDA)
  A non-disclosure agreement (NDA), also known as a confidentiality agreement (CA), is a signed, legally binding contract in which one party agrees to give a second party confidential information about its business or products and the second party agrees not to share this information with anyone else for a specified period of time.
- Answer, 07 Apr 2017: What should be included in a social media security policy?
  A social media security policy is necessary for most enterprises today. Expert Mike O. Villegas discusses what should be included in social media policies.
- Tip, 09 Mar 2017: IoT development and implementation: Managing enterprise security
  The CSA's guidelines for secure IoT development can give enterprises an idea of how to evaluate IoT products. Expert Nick Lewis explains the steps enterprises should take.
- Podcast, 09 Mar 2017: Risk & Repeat: Does the Amazon S3 outage raise security flags?
  In this episode of SearchSecurity's Risk & Repeat podcast, editors discuss the recent Amazon Simple Storage Service outage and why the incident may have security implications.
- News, 16 Feb 2017: Connected medical devices spark debate at RSA Conference session
  An RSA Conference session on a new attack on connected medical devices led to a spirited debate on vulnerability disclosure and manufacturer responsibility.
- News, 16 Feb 2017: Experts debate national cybersecurity policy suggestions at RSAC 2017
  Experts at RSAC 2017 discussed national cybersecurity policy suggestions for the new presidential administration, including what to do about encryption and the DHS mission.
- Answer, 10 Feb 2017: What caused the ClixSense privacy breach that exposed user data?
  A privacy breach at ClixSense led to user account details being put up for sale. Expert Michael Cobb explains how companies should be held accountable for their security practices.
- Answer, 20 Jan 2017: How serious are the flaws in St. Jude Medical's IoT medical devices?
  MedSec and Muddy Waters Capital revealed serious flaws in IoT medical devices manufactured by St. Jude Medical. Expert Nick Lewis explains the severity of these vulnerabilities.
- Answer, 17 Jan 2017: How does USBee turn USB storage devices into covert channels?
  USB storage devices can be turned into covert channels with a software tool called USBee. Expert Nick Lewis explains how to protect your enterprise data from this attack.
- Security School, 10 Jan 2017: Privileged access management and security in the enterprise
  This Security School explores the important steps enterprises need to take when managing privileged access accounts to prevent credential abuse and security incidents.
- Answer, 09 Jan 2017: Are investigations crucial to data breach protection?
  SWIFT banking has a team dedicated to data breach investigations. Expert Mike O. Villegas discusses why this is necessary and whether other organizations should follow suit.
- Tip, 05 Jan 2017: The dangers of using security policy templates in the enterprise
  Among other drawbacks, using security policy templates can make compliance audits and breach assessments harder for enterprises. Expert Joseph Granneman explains why they're risky.
- Tip, 04 Nov 2016: Information security risk management: Understanding the components
  An enterprise has to know what risks it is facing. Expert Peter Sullivan explains why an information security risk management plan is crucial for cybersecurity readiness.
- Feature, 09 Sep 2016: When to take a bug bounty program public -- and how to do it
  Bug-finding programs are valuable to enterprises, but they require a lot of planning and effort to be effective. Sean Martin looks at what goes into taking a bug bounty program public.
- Tip, 15 Aug 2016: Achieving cybersecurity readiness: What enterprises should know
  Enterprises need to be ready to act in the face of security incidents and cyberattacks. Expert Peter Sullivan outlines seven elements of proper cybersecurity readiness.
- Feature, 14 Jul 2016: Cybersecurity blind spots: Mitigating risks and vulnerabilities
  Cybersecurity blind spots based in risk and vulnerabilities can be difficult to spot and address. Sean Martin talks with security experts on how to overcome that challenge.
- Tip, 17 Jun 2016: How CMMI models compare and map to the COBIT framework
  Following ISACA's recent acquisition of the CMMI Institute, expert Judith Myerson takes a closer look at COBIT and CMMI models and how they compare to one another.
- Feature, 01 Apr 2016: Integrated Security Systems Design
  In this excerpt of Integrated Security Systems Design, author Thomas L. Norman explains the tools of security system design, the place of electronics in the process, how to establish electronic security program objectives and the types of design efforts.
- Feature, 01 Apr 2016: Information Governance and Security: Protecting and Managing Your Company's Proprietary
  In this excerpt of Information Governance and Security, authors John G. Iannarelli and Michael O'Shaughnessy offer tips for establishing guidelines for all departments or sectors of a business.
- Answer, 11 Mar 2016: What are the latest SEC Risk Alert findings?
  The latest SEC Risk Alert from the OCIE has important updates for financial services firms. Expert Mike Chapple reviews the report.
- Tip, 24 Feb 2016: Cybersecurity products: When is it time to change them?
  Enterprises should assess their cybersecurity products to make sure they're as effective as possible. Expert Mike O. Villegas discusses how to evaluate cybersecurity tools.
- Tip, 21 Dec 2015: Why relying on network perimeter security alone is a failure
  A network perimeter security strategy alone can no longer protect enterprises. Expert Paul Henry explains why organizations must adapt.
- Tip, 17 Nov 2015: Life after the Safe Harbor agreement: How to stay compliant
  Now that the Safe Harbor agreement is invalid, U.S. and EU organizations need to find new ways to securely handle data so they can stay in business.
- Answer, 20 Oct 2015: Why did Anthem resist government vulnerability assessments?
  Vulnerability assessments are often a requirement for organizations that have suffered a data breach, and the assessors' results can be invaluable to protect a business.
- Tip, 26 Aug 2015: Managed security service providers: Weighing the pros and cons
  Using a managed security service provider can be an appealing option to enterprises, but there are many factors to consider before making the move to outsourcing.
- Answer, 04 May 2015: The CEO refuses cybersecurity best practices: Now what?
  Some executives don't think cybersecurity best practices apply to them. Expert Mike O. Villegas explains how to handle that situation.
- Opinion, 02 Mar 2015: Q&A: Marcus Ranum chats with AT&T's CSO Ed Amoroso
  There's no shortage of new security technology, but enterprise integration is still a major hang-up, says AT&T's chief of security.
- Video, 13 May 2014: NIST cybersecurity framework: Assessing the strengths and weaknesses
  Video: Securicon executive consultant Ernie Hayden discusses what the NIST cybersecurity framework got right, and how the document can be improved.
- Tip, 15 Aug 2013: Security incident response procedures: When to do a system shutdown
  At times, security incident response procedures require drastic measures. Expert Nick Lewis explains when and how to perform a system shutdown.
- Tip, 10 Feb 2012: SEC disclosure rules: Public company reporting requirements explained
  Learn the public company reporting requirements necessary to comply with CF Disclosure Guidance Topic No. 2, the SEC's cybersecurity reporting rules.
- Tutorial, 29 Jun 2011: Developing a defense-in-depth strategy for antimalware defense: Interactive classroom
  In our integrated resource center, experience our exclusive video and podcast, plus other learning materials on antimalware defense in depth.
- Definition, 21 Mar 2011: Common Weakness Enumeration (CWE)
  Common Weakness Enumeration (CWE) is a universal online dictionary of weaknesses that have been found in computer software...
- Tip, 08 Mar 2011: Identity and access management concepts and predictions to watch in 2011
  Forrester's Andras Cser discusses the emerging identity and access management concepts and market predictions enterprises should be prepared for in 2011.
- Answer, 03 Feb 2009: What are the ethical issues when consulting for two competing companies?
  Security consulting is a job in which privacy is paramount. Leaking security strategies to the wrong people -- especially a company's competition -- could lead to breaches or break-ins. In this expert response, David Mortman gives best practices for handling consulting ethically.
- Tip, 22 Aug 2007: Enterprise risk management frameworks: Controls for people, processes, technology
  Once responsibilities and requirements are defined, the next stage in developing a successful risk management framework involves developing controls. As Khalid Kark explains, that includes developing a culture of security, using technology in the right places and implementing processes to execute on policies.
- Answer, 30 May 2007: How secure are document scanners and other 'scan to email' appliances?
  Copiers and document scanners have always posed challenges for information security teams. In this SearchSecurity.com Q&A, Michael Cobb reveals how the right policies can control the use (and abuse) of these devices.
- Tip, 25 Oct 2006: Steps in the information security program life cycle
  This article from our series on information security governance describes the essential steps to take when developing a security program life cycle.