This is not NoticeBored.com

An Information Security Manager’s
security awareness diary

Week 1Security awareness diary

Monday: Realize there is almost certainly a problem with viruses and decide to do something about it. 

Tuesday: Go to a security trade show. Sign an order for a smart-looking Security Appliance to deal with the tidal wave of viruses. Enter seventeen free prize draws and a competition to win an “antispam solution”. Waste valuable drinking time trying to find out what an “antispam solution” actually does and finally leave the stand with a colorful pack of post-it pads, none the wiser.

Wednesday: Find a free security awareness poster on the web - one with a cute cartoon and a corny message about viruses and SPAM. Print it out on an old dot-matrix printer and make 200 A4 monochrome photocopies. Stick them up on HR noticeboards all over HQ after removing a few two- and three-year-old HR Memoranda to make space.

Thursday: Get the Head of Security to send a message to HQ staff telling them they must comply with the corporate security guidelines. Spend the afternoon clearing spam out of the inbox.

Friday: Take delivery of the Security Appliance. Re-read the sales glossy. Crack open the installation manual then put the box under the desk for later. Finish clearing spam out of the inbox, accidentally deleting a message from the Head of Security. Oh well.

 

Week 2

Monday: Decide not to waste any more time planning but to make a start on a security awareness project. Publish a page on the corporate intranet warning about viruses. Unable to get immediate access to the IT intranet section without going through the intranet Gestapo, put the page on HR’s website, six clicks from the home page. Add a message inviting visitors to ‘Check back soon for more!’. 

Tuesday: Agree with HR that information security posters can be put on HR noticeboards after all, provided there is some free space. Lose patience with the email system and decide to just let the spam mount up for now. Call the Head of Security to find out why the message to HQ staff has not gone out - discover it was sent by email on Friday. Get a fresh copy.

Wednesday: Photocopy another 1,000 posters and send them to a secretary in HR to distribute to other company locations. Call the Head of Security to suggest that, on reflection, ‘Comply or face the sack!’ was perhaps not the ideal form of words with which to close the email to HQ staff. 

Thursday: Speak to Public Relations about using the corporate font on future posters. Open another five spam messages to see what they contain. Start reading about the wonderful things one can do with a Security Appliance. Write “KILL SPAM!!!” on a post-it note.

Friday: Get fed up kicking the Security Appliance box, pull it from under the desk and blow the dust off. Speak to Network Operations about installing it. Show them the glossy. Tell them the Head of Security insists it must be installed immediately. Leave it in their capable hands.

 

Week 3

Monday: Mention SPAM on the intranet page. Tell staff never to open SPAM messages. 

Tuesday: Take a look at the shiny new Security Appliance in its rack. Ask Network Operations why the pretty LEDs aren’t flickering like a cheap hi-fi on volume 43. Take a look at the manual together. Turn on “Demo mode” and marvel at the light display. Make a note to show the Head of IT later.

Wednesday: Speak to the Head of IT about why the emToo busy to do awareness??ail system crashed yesterday. Persuade Network Operations to fix the Security Appliance configuration sharpish.

Thursday: Apologize to the IT Help Desk Manager about the amount of verbal aggravation her staff suffered yesterday as a result of the email systems being down. Blame Network Operations. Steer clear of IT staff for the rest of the day. Think about putting a message on the intranet but make some tea instead and start looking for the corporate security guidelines.

Friday: Get the Head of HR to compose an electronic mail message to staff telling them they absolutely must comply with the security guidelines or face instant dismissal. Suggest it should be a formal memo. 

Saturday: Plug a portable PC into the shiny new Security Appliance’s configuration port. Spend 2 hours odifying the configuration files. Crash the system. Send Network Operations an urgent email to restore the configuration backup by first thing Monday morning. 

 

Week 4

Monday: Respectfully suggests that Network Operations should have maintained a backup if they were operating in a professional manner. Threaten to speak to the Head of IT about the lack of professionalism in Network Operations. Leave them to cool off for a bit.

Tuesday: Keep on adding warnings to the intranet security page when I have a moment. Invite anyone in IT or HR to add more. Encourage a wide diversity of styles and topics. Agree with the Head of Network Ops that nobody should be reconfiguring network equipment without a change control record.

Wednesday: Pull a sickie. The stress is getting me down.

Thursday: Speak to the Head of IT about the latest virus infection. Explain that “everyone got hit” but promise not to let it happen again. Resolve to have another word with Network Operations when things quieten down a bit.

Friday: Ask HR why nobody at the remote offices has seen the security posters I sent them. Send another 1,000 photocopies to HR, this time to a Personnel Administrator with a list of remote offices lifted from the HR intranet website.

Sunday: Draft the security guideline. Rename it a Security Awareness Instruction. In it, warn staff about viruses and SPAM. Include dire predictions of doom and despondency verbatim from the sales glossy that came with the Security Appliance. Order another four Security Appliances by email.

 

Week 5

Monday: Speak to Network Operations about why users mailboxes are filling with SPAM. Tell them to read the Security Appliance Configuration Manual, reconfigure the filters and this time take an off-line backup of the configuration.

Tuesday: Draft a Security Memorandum to reinforce the Information Security Awareness Instruction, and ask HR to publish it in the Staff Handbook (page 332, appendix 13). Refer throughout to end-users and threaten dismissal if people don’t comply.

Wednesday: Attend a management meeting. Agree to stop calling SPAM SPAM. Re-draft the Security Memorandum to refer to spam not SPAM. Send an email to all subscribers confirming that SPAM is now spam but nothing else has changed. End users must still NEVER open SPAM!

Thursday: Take delivery of four new Security Appliances and a golf practice machine for the office. Arrange with Network Operations to get two of Appliances installed as soon as possible. 

Friday: Take back from Network Operations the first Network Appliance which, it appears, is not compatible with the new management framework bus, and resolve to sell it on eBay. Tell Network Operations to transfer the configuration from the old box to the new ones. Offer to complete the change request later.

 

Week 6

Monday: Explain patiently to the Head of IT why he missed an important email from the CEO talking about SPAM. Show him the flickering LEDs on the Security Appliances. Tell Network Operations to turn on the “Turbo” LED and stop messing around with the configuration. Ignore their complaints that the new systems are not compatible with the old and tell them to read the Configuration Manual. Wipe the dust and footprints from the manual retrieved from under the desk, try to straighten the dog-eared corners and send it to Network Ops in the internal post.

Tuesday: Speak to the Head of HR about the Staff Handbook. Agree to write something on SPAM for the next employee induction course.

Wednesday: Send the draft Information Security Awareness Instruction to the Head of HR for management approval. Spend the rest of the day in management meetings to discuss the deteriorating security environment.

Thursday: Deal with another virus incident. Ask Network Operations to check with the manufacturer of the Security Appliance whether it can handle virus protection at the same time as blocking SPAM. Tell HR they really need to sack someone to reinforce the Information Security Awareness Instruction.

Friday: Compose a 27-page SPAM Guideline. Post it as an Excel spreadsheet on a wiki hiding under the IT area of the intranet.

Saturday: Pop in to the office to take a proper look at the intranet. Spend five tedious hours tracking down six different Virus Memos, three staff handbooks (all DRAFTs, none updated in at least two years) and a clutch of spam pages. Start drawing the links on a post-it note but lose the thread and go home instead.

 

Week 7

Monday: Chase-up the Head of HR to see whether the Information Security Awareness Instruction has been issued. Agree to speak to Legal about the wording - write a note on a scrap pad next to the usual shopping list and random doodles.

Tuesday: Speak to Legal. Speak to HR. Call a joint meeting on the SpaM issue. Agree to settle once and for all how to write sPAm.

Wednesday: Speak to Legal again. Persuade the Head of Legal to send a Memorandum to all staff warning them not to refer to SPAM because it is a trademark. Resolve only to use “spam”. Remind HR to send the posters.

Thusday: Agree with the Head of IT that, despite the trademark issue, spam is still causing problems. Say that Legal and HR are on the case. Ask Network Operations to install the other two Security Appliances.

Friday: Re-write the 27-page SPAM Guideline to refer to “spam”. Spend half a day rearranging words so that no sentence starts with the word “spam” to avoid the capitalization issue. Send the updated Staff Guideline For the Prevention of “spam” to Legal for approval.

 

Week 8

Monday: day off. Reconfigure the company laptop on a whim whilst watching football on TV.

Tuesday: Ask HR to liaise with Legal on the “spam” guideline and hunt in vain for the scrap pad note about the wording changes. Tell the Head of IT that “the spam issue” is in hand.

Wednesday: Ask HR to pull all the posters that refer to SPAM. Decide that perhaps posters aren’t worth the effort but browse the web for another source of security posters, and order more cheap copy paper.

Thursday: Discuss the Security Appliances with Network Operations. Agree that the new Management Framework needs to be on a separate LAN. Spend the rest of the week and most of the weekend preparing a business case to buy 3 management consoles and a dual redundant LAN for the Security Appliances. Write a change request for the Security Appliances.

 

Week 9

Monday: Send a humorous email about CAN-SPAM to IT and Legal. Agree with Legal that perhaps it was not such a bright idea to include a picture pulled from Hormel Foods’ website. Resolve to write something about copyright, and start making notes on one of the five post-it pads brought back from the security trade show.

Tuesday: Tour HQ forlornly, removing SPAM posters.

Wednesday: Attend a disciplinary hearing concerning someone who (allegedly) introduced a virus into the network. Accept that the antivirus policy statement in the Security Guideline could have been clearer. Resolve privately to write an actual antivirus policy. Reluctantly agree that the (alleged) virus person can have their userID re-activated. 

Thursday: Speak to Security Administration about why the (alleged) virus person’s userID was never deactivated in the first place. Resolve to find someone to review all active userIDs.

Friday: Add an antivirus policy to the security website, and a cheerful Memo about software copyright containing an attractive pirate graphic from a cover disk on a computer magazine.

 Is security awareness just another thing on your to-do list?

Week 10

Monday: Discuss the virus and spam situation with Internal Audit. Agree to help them gather statistics. Speak to Network Operations about the log files for the Security Appliances. Accept that they could have provided this information if only they had the Management Framework working properly. Send the business case to the Head of IT.

Tuesday: Plead with the Head of IT to find some budget for the Management Framework Server. Mention Internal Audit’s involvement. Call the Security Appliance vendor to place the order and ask them once again about the virus-spam issue and network performance.

Wednesday: Take lunch with the Security Appliance vendor salesman. Agree to look at the new High Security Blade. Finish the meal with a fine vintage port, some French cheese and some of those nice black seedless grapes I had meant to buy when I went shopping last week.

Thursday: Arrived at work this morning, slightly the worse for wear, to find some stern words from the Head of IT in a private email. He was unable to get hold of me all yesterday afternoon - seems I missed a major worm incident. Send a lame reply about a technical problem with my Crackberry and agree to get right onto it. Call the troops together to see what happened, only hardly anyone is around. Eventually get an explanation from the Head of Network Ops who tells me his boys have been up all night patching systems. None of the remote sites is back on the corporate network yet but he assures me the matter is in hand. The “forensics team” (a spotty-faced geek from PC Support) is ploughing through logs looking for the source of the incident as we speak.

Friday: The team gradually reassembles for our weekly team meeting and the full horror of Wednesday’s incident starts to emerge. A networked PC with an out-of-date antivirus signature picked up the worm which then spread to all the NT machines on the network in a matter of seconds. The NT systems were known to be vulnerable but as we don’t have an extended support contract, patches were not forthcoming from M$. The forensic analysis continues but it’s business as usual for the rest of us. At least the remote sites are back on the net now and catching up on 2 days lost work.

 

... to be continued (as soon as I find that darned post-it pad) ...

 

You see back when computers were new

 

If this fictional diary seems even remotely realistic to you, visit our
information security awareness website, NoticeBored.com
to explore a genuine alternative