Day 35 — Sprint #4 Close & HR Security
Looking internally for the answers
Today as I wrap up another week of work, I’m feeling equally happy with my progress and anxious with my lack of it. Each day this week I chewed off a big chunk of our information security work, but it turns out it takes a lot of bites to get this one down.
Here’s how it went.
Sprint #4 Retrospective:
I started this sprint looking to complete this list:
And boy, was I optimistic. Early in the week I abandoned using JIRA and resorted to daily piles of sticky notes and tackling whatever big challenge I thought would add value, so this list is a mixed bag of done, not started, and new work that’s been created from my work.
Highlights of the Week
- Completed our vendor analysis
- Inventoried all of our assets and identified security vulnerabilities in them
- New Years (thanks, KIA Sorento)!
- Established our information security governance
💡What I Learned
- Information security is a lot of work! Each day I’ve made meaningful progress but there’s still a lot to be done.
- Using external tools is a blessing and a curse: it’s never been easier to roll up a product, but it’s also probably never been less secure either. Doing this activity opened my eyes to considering how we’re working with 3rd party vendors. Nevertheless, it was a useful exercise and will greatly improve our security posture going forward.
👍 What Went Well
- Generally speaking, I feel MUCH more comfortable talking about and working on our information security controls. Practice makes perfect.
- Made a LOT of progress on BIG chunks of our administrative controls.
👎 Opportunities to Improve
- I continue to be completely unrealistic with my time. I was hoping to complete the list above, but it’s clear I’m at best 1/3 of the way down the list.
- I say “at best 1/3” because I don’t actually know. Early in the week I abandoned JIRA as a tracking tool and now have some cleanup work to go back and figure out exactly what’s left.
⏭️ Next Steps
- I hope to finish the rest of these this week, which means I probably still have 2–3 weeks left to go of this work. I’d like another week to continue momentum though, so I’ll pick it back up tomorrow.
Today’s Problem to Solve: Human Resources Security
Similar to our vendor and software asset analysis, another vector of risk is ourselves. All the policies and controls we’ve written go out the window if they’re not followed. Today we look internally.
01 — Security Responsibilities Awareness Policy
Our first control calls for outlining:
- the workforce member’s responsibilities with regard to the security of company information or information systems (which may continue after the end of the employment on contractual relationship); and
- that the workforce member may be investigated as part of a sanctions investigation resulting from a breach of the ISMS.
For this I found a confidentiality and security agreement template and customized it to our needs:
02 — Pre-Employment Requirements
Nothing to do here today, mainly just a policy to manage new hires and making sure system needs are communicated.
03 — Onboarding
A bunch of onboarding activities to make sure we’re hiring the right people and that those people take privacy & security seriously. No action needed for this today.
04 — Privacy & Security Training
Most of my work was building out our training. I relied on a mix of external resources and my own input based on the work so far.
Here’s the privacy & security training mountain to climb:
- Security Culture (Done): I added my flavor for why this matters and some key early steps we’re taking.
- Security Awareness (Done): Here I found an ISO:27001 Security Awareness course on Udemy.
- Info Security Policy: I found this really great article that boils complex security compliance into common sense for employees.
- Risk Management (Done): Mix of my input and risk management training from the NIH.
- Business Continuity Training (Not Started)
- Incident Response Training (Not Started)
Here’s the result:
Turn this list red: