Question:
I need to answer these two posts and provide my thoughts on them: whether I agree, have a different idea, or want to add something.
RE: Q1 - Basic security measures/strategies
Establishing a minimum awareness level for all personnel can be the base of the security awareness program. Security awareness may be delivered in many ways, including formal training, computer-based training, e-mails and circulars, memos, notices, bulletins, posters, etc. The security awareness program should be delivered in a way that fits the overall culture of the organization and has the most impact on personnel (Standard: PCI Data Security Standard (PCI DSS) Best Practices for Implementing a Security Awareness Program, 2014).
People are the key to successful security; no matter what is being protected, having knowledgeable people is the key to protecting assets. For example, imagine a large business like Walmart; their number one security issue is and always will be shoplifters. If they only train two or three security guards, they are setting themselves up for failure, but if they train all their staff on the signs to look out for, they multiply their chances of stopping shoplifters. Therefore, security and safety should always be part of the onboarding process for new hires. Walmart trains everyone to look out for shoplifting, to pay attention to unattended bags, etc. They train them to use code words with each other when they see something that could be a theft issue, such as "Have you seen BOB?" which means check the Bottom Of the Basket, or "Have you seen ALICE?" meaning Always Look Inside, when they suspect someone has hidden items inside another object (I once caught a woman with $2,000 worth of merchandise hidden in a Rubbermaid tote).

Having people on your team who understand the importance of security and safety is paramount to protecting all assets. You could have the most technologically advanced security system in the world, but without human help and support, there is not much it can do for you. For example, at work we train people on what to do during an active shooter event, what to do if they see a stranger in the warehouse, what to do if they find an unattended bag, and how to prevent theft and damage. This all helps ensure that our security team is not the only ones relied upon to protect the business and its employees in times of need (which is lucky for us, because it is very rare that our guards are awake). It also helps prevent theft of products by staff and visitors.
Q2: Core elements of security
The security triad consists of three sides, physical security, information security, and personnel security, all of which are equally important (Johnson & Ortmeier, 2018). Physical security is concerned with keeping employees and tangible items safe. This includes lighting, surveillance, alarm systems, the design of a perimeter or building, and security presence, to name a few. Information security pertains to intellectual or proprietary information and keeping it safeguarded. This includes safeguarding information during its creation, processing and storage, retrieval and transmission, dissemination and disposition (Johnson & Ortmeier, 2018). Personnel security is about protecting the institution from the inside out. This means keeping the institution safe from its own employees, customers, or anyone associated with the organization. Personnel security can be a tricky one because it involves making sure you hire the right people to begin with, and then continuing to have safeguards in place that prevent individuals from taking information and/or physical assets with them once they leave. Personnel security involves having policies and procedures for when people exit and for how to prevent them from continuing to have access.
Wilcox & Brown (2005) identify policies and regulations regarding information access as a primary reason for security issues. This includes poorly written procedures, vaguely written rules that give people too high a level of access, or poor access termination procedures so that individuals continue to have access even after a change in status or after leaving. Termination of access can take a great deal of time, and depending on the size of the company and its efficiency, the termination of access may greatly lag (I have old work badges from a few years ago that still get me into the building). Aldhizer (2008) identified that even when an audit of systems occurred and previous users who had not accessed the system in 60-90 days were identified and their access removed, there was still a risk of an unauthorized person using the dormant account within that timeframe and the incident going unnoticed. To help address the issue, a link between HR and the identity and access management system was developed so that as soon as HR marked the individual as gone, they lost access to systems as well.
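The two controls the post above contrasts, a periodic dormant-account review and an HR-linked deprovisioning step, are easy to see side by side in code. The following is an added example, not code from either post or from the cited sources: it reconciles a constructed HR roster against a constructed IAM account inventory, and then checks a few constructed authentication log lines for the window Aldhizer describes (a leaver's account still being used before the next review). The roster and account field names, the status values, the log line format and the 60-day threshold are all assumptions made for the illustration.

```python
"""Added example (not from the original posts or their cited sources).

Shows why disabling access on the HR status change closes a gap that a
periodic 60-90 day dormant-account review leaves open: a leaver whose
account is still enabled may keep logging in, so their account never
looks dormant, and the review never catches it.
"""
import re
from datetime import date, datetime

# Constructed audit date used by the demo below.
TODAY = date(2024, 3, 25)

# Constructed HR feed keyed by employee id (field names and status values are assumptions).
HR_ROSTER = {
    "E100": {"user": "alice", "status": "active", "term_date": None},
    "E101": {"user": "bob", "status": "terminated", "term_date": "2024-03-01"},
    "E102": {"user": "carol", "status": "active", "term_date": None},
}

# Constructed IAM inventory keyed by username.
IAM_ACCOUNTS = {
    "alice": {"enabled": True, "last_login": "2024-03-20"},
    "bob": {"enabled": True, "last_login": "2024-03-05"},         # left on 03-01, still enabled and active
    "carol": {"enabled": True, "last_login": "2023-12-01"},       # still employed, but idle for months
    "svc_backup": {"enabled": True, "last_login": "2024-03-24"},  # no HR owner at all
}

# Constructed auth log lines in an assumed "date time login user=... result=..." format.
AUTH_LOG = [
    "2024-03-05 08:02:11 login user=bob src=10.0.0.5 result=success",
    "2024-03-05 09:15:40 login user=alice src=10.0.0.9 result=success",
    "2024-03-06 22:41:03 login user=svc_backup src=10.0.0.7 result=success",
    "2024-03-07 07:30:00 login user=bob src=10.0.0.5 result=failure",
]

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ login user=(\S+) .*\bresult=(\w+)")


def _d(s):
    """Parse a YYYY-MM-DD string into a date."""
    return datetime.strptime(s, "%Y-%m-%d").date()


def reconcile(hr_roster, iam_accounts, today, dormant_days=60):
    """Return (user, action, reason) triples for every enabled IAM account.

    Terminated staff are disabled on HR status alone; the idle threshold is
    only applied to accounts HR still considers current. Accounts with no
    HR owner are flagged for review rather than silently ignored.
    """
    hr_by_user = {rec["user"]: rec for rec in hr_roster.values()}
    actions = []
    for user, acct in sorted(iam_accounts.items()):
        if not acct["enabled"]:
            continue
        rec = hr_by_user.get(user)
        if rec is None:
            actions.append((user, "review", "no HR owner on record"))
        elif rec["status"] == "terminated":
            actions.append((user, "disable", "HR status terminated"))
        else:
            idle = (today - _d(acct["last_login"])).days
            if idle >= dormant_days:
                actions.append((user, "disable", f"dormant {idle} days"))
    return actions


def audit_logins(log_lines, hr_roster):
    """Flag successful logins by accounts HR has already marked as gone, or
    that HR does not know about: the activity a dormant-account review misses."""
    hr_by_user = {rec["user"]: rec for rec in hr_roster.values()}
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "success":
            continue
        day, user = m.group(1), m.group(2)
        rec = hr_by_user.get(user)
        if rec is None:
            findings.append((day, user, "no HR owner on record"))
        elif rec["status"] == "terminated" and _d(day) >= _d(rec["term_date"]):
            findings.append((day, user, f"login after termination on {rec['term_date']}"))
    return findings


if __name__ == "__main__":
    for row in reconcile(HR_ROSTER, IAM_ACCOUNTS, TODAY):
        print("reconcile:", *row)
    for row in audit_logins(AUTH_LOG, HR_ROSTER):
        print("audit:", *row)
```

In the constructed data, bob is only 20 days idle on the audit date, so a review keyed on inactivity would not touch him for weeks, while the HR status disables him at once; carol is caught by the idle threshold even though HR still lists her as active; and the service account with no HR owner is surfaced for review instead of being skipped, which is the usual reason such accounts outlive everyone who knew what they were for.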
References:
Aldhizer, G. R. (2008, April). The inside threat. In J. Roth & D. Espersen (Eds.), Internal Auditor, 71-73.
Johnson, B. R., & Ortmeier, P. J. (2018). Introduction to Security (5th ed.). Pearson.