Security Awareness Blog: Category - Security Awareness Planning


Target: Healthcare Organization

Editor's Note: SANS & NH-ISAC have just released the whitepaper: The What, Where and How of Protecting Healthcare Data by authors James Tarala and Kelli K Tarala. Below is an excerpt, the full paper is available for download at:

A healthcare organization is responsible for protecting a patient's most private information: their medical record. A healthcare organization also maintains the patient's financial information, as well as the organization's own intellectual property and that of its vendors and affiliates. These are among the most highly sought-after pieces of protected information for an attacker. In conventional data breaches, an individual's credit card number, bank account number or even Social Security Number can be reissued. In healthcare data breaches, an individual's medical record cannot be changed and stolen intellectual property cannot be recovered. This makes stolen healthcare


Can't Patch Stupidity? Look in the Mirror

A theme I sometimes hear from people in the security community is that you can't patch stupid; that "End Users" are too dumb or ignorant to be secured. Wow, I can't think of a more unfounded, prejudiced statement. First, "End Users" are people like you and me, so I suggest we start calling them that. Second, many of the people I see organizations trying to secure are very intelligent. These organizations include people such as engineers, accountants, scientists, lawyers, researchers, doctors and a myriad of other smart people. In one extreme example, I know a security awareness officer whose organization is so highly educated that the average employee has 2.5 PhDs. Finally, most people I talk to are motivated; they want to do the right thing and be secure. So if we are working with people who are both smart and motivated, what is the problem?

I think we, the security community, need to take a long look in the mirror. You will quickly see that we are the problem.


Securing the Software Development Lifecycle


Editor's Note: Today's post is from Eric Johnson. Eric is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. In this post Eric replies to a question about what SDLC is and where people can learn more.

In a previous post, Beeker posted the comment, "What is a secure software development lifecycle?" This is an excellent question, and one that I receive quite often from organizations during an application security assessment. Let's quickly review the Software Development Lifecycle, also known as the SDLC. The goal of an SDLC is to


What Ideas do You Have to Secure Today's Kids?

Folks, I'm pumped to be part of something new at RSA this year, an event focusing on how the security community can best reach out to and help secure today's kids. I'll be part of a keynote panel with some absolutely amazing other folks, including Alicia Kozakiewicz (if you don't know who that is, stop reading this and take five minutes to read her story; it's far more valuable than anything I can say here). In addition, RSA is hosting


Motivating Staff to Join the Awareness Cause

Editor's Note: Today's guest post is from Angela Pappas. Angela helps lead the awareness program at Thomson Reuters, a global organization with over 58,000 people. In this series of blogs Angela shares with us how she established their Security Ambassador Program.

Since the inception of my role in 2012 as a part of the information security training and awareness group at Thomson Reuters, it's often felt overwhelming to think of creative ways to educate every last employee about the role they play to help safeguard our assets, to keep us operationally effective and to ensure our reputation stays intact. Thomson Reuters employs approximately 58,000 staff and contractors in over 100 countries. Our size and