Tom Olzak, CISSP's Latest Articles

SkyRecon's StormShield suite is an innovative approach to end-point and server security, providing administrators with tools granular enough to block unsafe user and application behavior while allowing incremental approval of business productivity tools, like smartphones and USB storage device.

User awareness is an essential part of information security. The existence of policies, standards, and guidelines must be known to the employees that handle your data and manage your infrastructure. This article explores the basics of user awareness training. (This article is updated content from the book, "Just Enough Security.")

Policies state management intent and define security outcomes. Standards, guidelines, procedures, and baselines from the operational framework for achieving those outcomes. In this article, we define these security framework elements and their relationship to policies. (This article is updated content from the book, "Just Enough Security.")

Security planning consists of three steps: assigning data owners and data classification, understanding how sensitive information is used, and developing a security strategy and controls design. In this article, we step through the initial planning step: data ownership and classification.

The framework around which administrative, technical, and physical controls are built is the security program. This article walks through building a program, including policies. (This article is updated content from the book, "Just Enough Security.")

Policies are the heart of a security program. They are management's statement of support and expected outcomes from security controls. In this article, we examine the various components of a policy. (This article is updated content from the book, "Just Enough Security.")

In Part 1 of this two part series, I examined administrative controls that help prevent security incidents. In this article, I conclude our look at administrative controls by exploring controls designed to detect security incidents in progress or after they've occurred. (This article is updated content from the book "Just Enough Security.")

Access controls prevent unauthorized people from viewing or stealing information assets and employees from accessing sensitive information and systems not required for day-to-day tasks. They fall into three general categories: administrative, logical (technical), and physical. This is the first in a series of articles that examines preventive administrative access controls. We begin with a definition and overview of security access controls. (This article is updated content from the book "Just Enough Security.")

In Part 1, I discussed controls for preventing physical access to controlled areas. In this article, we look at detective controls, safeguards to identify when an intruder is attempting or has successfully circumvented one or more barriers.

In this series, I examine the preventive and detective capabilities of various types of physical security controls, including biometrics, fences, locks, and data backups. In Part 1, I start with a description and purpose of physical controls, followed by a discussion of preventive safeguards.