Intro…
Hello all,

Welcome to my blog. My name is Chris Daigrepont, 33 years old and currently residing in Anchorage, AK. I married my high school sweetheart, with whom I now spend a majority of my waking hours herding our three children. We love to be outdoors, and do so as often as is possible with a young family. I also love golfing, home brewing and crossfitting. I completed the final class for my BS degree the day my last daughter was born. She is quickly approaching 4 now, so I figured it was time to saddle back up. I have just begun my graduate degree at Bellevue University in Cybersecurity.

I am a 15-year Air Force service member, the only job I have ever had. I have had a wonderful career that has truly molded me into who I am today, and allowed me to serve on each continent. I have been in an IT career field the whole time, which has given me a broad understanding of technology and how it is used by the Department of Defense. Until recently I was strictly on the operational side of IT: helpdesk, system admin, engineering. Around a year ago I got the opportunity to attend a CISSP bootcamp, which truly piqued my interest and caused me to refocus on a new future in the IT field. My current job takes me away from any serious IT or security work, another driving factor in going back to school.
Seeing as this is a security blog, I wanted to share some quick thoughts from an inspection I recently went through that had many points of emphasis relevant to the field. All businesses practice Operational Security, or OPSEC, by one name or another. It all deals with protecting sensitive information from being compromised. The information OPSEC is concerned with isn't necessarily your company's most confidential secrets; rather, it focuses on safeguarding what some may consider non-critical pieces of information. Information such as PII, proprietary business practices, or operational practices may not be harmful on its own, but when aggregated it can paint a vivid picture of your organization's activities. OPSEC is critical in the DoD: we not only practice it, we inspect it.
My organization recently underwent an inspection, and the common theme brought to our attention afterwards was the average company member not taking an active ownership role in the information security process. IT security personnel can install the most advanced firewalls, provide encryption mechanisms, and perform dirty word scanning on a mail server, but they cannot control everything the end users do. The employee must take on the challenge of securing their data, which means they must encrypt critical information, shred documentation, and be mindful of who they are sending sensitive information to. Most negligent discharges of information I have seen are a direct result of ignorance of policy and carelessness, not failure of technical controls. Some members of the organization did not know what data was critical and required protection, while others knew what was critical but not how to safeguard it. To combat this we are becoming more involved as OPSEC managers, which means more mass training, e-mails, presentations and repetitions for the user…no fun for anyone. Hopefully some measurable results are shown. I suppose all InfoSec professionals struggle with the concept of achieving buy-in to policy. It is difficult to stress the importance of doing things the right way over the quick and easy way.