Title: Computer Security: 20 Things Every Employee Should Know - The Employee
Handbook for Securing the Workplace
Edition: Second edition
Author: Ben Rothke CISSP
ISBN: 0-07-226282-6
Publisher: McGraw-Hill (2005)
Pages: 50 pages
Price: USD 8 from Amazon
Exec summary: This neat little booklet summarizing computer security for
ordinary employees could usefully support a structured security awareness
program, but do not rely on it alone.
Here are the '20 things every employee should know':
1. Phishing and spyware - don't click links requesting personal info or
download programs from unfamiliar companies, and set your browser security
settings appropriately
2. Identity theft - be careful over the phone and on the web, monitor your finances
3. Responsibility - guard your 'access credentials' and follow policies
4. Passwords - choose wisely, don't write them down and don't share them
5. Malware - be aware of the threat, update anti-virus and anti-spyware, be
careful with email attachments
6. Telecommuting/home working and remote access - use a personal firewall,
encryption and physical security
7. Email - be cautious with attachments, update your antivirus software
8. Email hoaxes - spot them, check them and don't forward them
9. Web surfing - minimize personal use, avoid cookies and software downloads
10. Internet use - don't visit chat rooms at work, take care with IM
11. Instant Messaging - don't release secrets or illicit material, update IM
software
12. Firewalls and patches - use a personal firewall, patch the system and
update antivirus
13. PDAs - physically secure them, use passwords and encryption, and disable
wireless autoconnection
14. Backups - schedule backups and store them securely
15. Classified data - respect classifications, log off or lock up the PC
when not in use
16. Office IT security - apply the clear desk policy, physically protect
PDAs/USB devices etc. and securely delete or shred sensitive information
before disposal
17. Social engineering - be alert, don't disclose sensitive information
without verifying the requester
18. Appropriate use of corporate IT equipment - limit personal use
19. Seek help - call the incident response team if a security incident
occurs
20. Keep things in context - be alert, understand the risks and act
intelligently
This is a good breadth of topics to cover, broadly resembling the security
awareness topics we cover in NoticeBored Classic. There is some duplication
and a few apparent gaps (see below) but overall, it's a good mix.
Each topic is covered in a double-page spread with about 400 words. That's
actually quite a lot for an awareness booklet, meaning that some employees
may need 'gentle persuasion' to read it. Some case-study-style real-world
examples and news stories might have spiced it up a bit.
Despite being promoted for use by non-technical employees, the language
sometimes slips briefly into jargon (e.g. "Never share your information
security credentials, whatever the circumstances" on page 5). The booklet
ends with a reasonable 5-page information security glossary in which some of
the explanations could have been further simplified, de-jargonized and put
into plain English (e.g. "Security incident - Act that deviates from the
requirements of security policy"). On the whole, though, the booklet should
be reasonably accessible to the average computer-using reader.
In my opinion, the following areas are relatively weak:
- Security of USB devices and wireless networks should be covered in more
depth - these are increasing threats that, to some extent, post-date the
book;
- The backup section could usefully mention contingency planning;
- It would be good to advise employees not to mess with the security
configuration settings of their desktop systems, perhaps in the context of
change and configuration management;
- Compliance with legal and regulatory obligations might be mentioned in the
same context as corporate policy compliance;
- There is nothing on software development or risk assessment: end users who
develop spreadsheets and other desktop applications should be aware of the
need to make them secure;
- It's a shame there is no quick summary (such as the list shown above).
Perhaps the next edition might include a pull-out-and-keep reminder
postcard?
- There are no obvious reference sources for those readers who might be
interested enough to want more information.
[Ben tells me he's added these ideas to the to-do list for the 3rd edition
:-)]
At just $8 per copy, it should be economic to purchase a pile of these to
distribute around the company, hand out when people sign their acceptance of
the corporate security policy and add to the goody-pack presented to new
employees during the first day employee orientation/induction course. You
*do* have a security slot in your induction course, don't you?
Dr Gary Hinson PhD MBA CISSP CISM CISA
CEO IsecT Ltd.
Phone: +64 634 22922
www.NoticeBored.com Creative security awareness
www.ISO27001security.com ISO 27000-series standards