Ultimately, information security is not information technology's responsibility but the manager's responsibility...generally the C-levels. There is a distinction here between information security and information technology security. Technical controls to control information security stored in and/or transmitted over IT resources would certainly be an example of technical controls, but there are other control groups...managerial and operational.
But getting back to the article, while management is responsible for information security, every single employee has information security responsibilities. There is no excuse for putting a password on a yellow sticky note on a monitor. Sure, maybe if IT relaxed a draconian password policy that would be less likely to happen, but on the other hand whatever the password policy is...if it follows the business's security policy...must be followed, no excuses.
Good write up, enjoyed the read.
Greg Schaffer, CISSP
newtnoise@comcast.net