Lezlie Jiles says
Good Evening ITACS Credit Union Team,
Your written policy was great. After reading through it I liked that you included a “Lessons Learned” section, which explained your plan after the incident was resolved. There is a wealth of information and I could clearly follow the policy. However, I do have two light suggestions. The destruction portion of your policy should include the mechanism on how to destroy (e.g., cross-cut shredder, or shred box). The second suggestion is the video: it was great, short and to the point, but it didn’t give enough information. However, I liked the idea of a YouTube video; it made it more lifelike and connectable.
Great Job!
Heiang Cheung says
I like what you guys did with Appendix A & B. For Appendix A, you guys listed all the scenarios where a possible compromise could happen, which I think was good because it gives the employees examples of situations that they might find themselves in. The actual acting in the video was good; I like how you guys played out the scenarios of what not to do.
Jonathan Duani says
Hey Guys!
Great job. I agree with what Heiang had to say about the examples that you gave in Appendix A. I like how a user could reference this policy if they were confused, and a lot of scenarios could be included in there. I also liked how you included a signature page in Appendix C. This way a user has to read and sign the policy and they have no excuse not to follow it, because by signing the document they are agreeing to the terms.
Michelangelo C. Collura says
Well done, folks. I think you handled the Definitions section very well – defining ‘Official’ seems like a smart move, as it helps all personnel, high or low, to understand who is in charge of the policy. I also like the minor details, such as having the footer “Internal Use Only” to really immerse the reader.
The use of appendices helps to flesh out the policy, much like we saw in the Special Publication 800-122 with the scenarios. It helps to ensure everyone is on the same page and can quickly refer to documentation for guidance, rather than crafting a solution on the fly. Again, well done, in your detail and style. And of course… video is great! Humor goes a long way with these things.
Vince Kelly says
Nice job, guys – I thought that both the video and your policy are concise and to the point. In Appendix A, Controls around Social Security Numbers, on the Firewall control: I guess that would be an application-level firewall that looks for (and blocks) SSN patterns in the data stream? Nice touch if so.
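To make the control Vince is guessing at concrete, here is an added example of the kind of SSN pattern check an application-level firewall or outbound-mail DLP filter would run over a message and its attachments. This is illustrative code written for this discussion, not the ITACS Credit Union team's policy, any product's implementation, or anything from Appendix A; the message body and the attachment text are constructed samples, and the filter assumes attachment text has already been extracted from the file (for example from an XLSX) before it is inspected.

```python
"""Illustrative SSN pattern filter (added example, not from the reviewed policy).

Two layers: a regex that finds 9-digit candidates in the common SSN layouts,
then the Social Security Administration's structural rules to discard numbers
that can never be a real SSN, which keeps false positives down when the
filter runs on live outbound traffic.
"""
import re
from typing import Dict, List, Tuple

# Candidates: 123-45-6789, 123 45 6789 or 123456789. The digit lookarounds
# stop matches inside longer digit runs such as a 10-digit phone number
# or a 16-digit card number, and the separator groups stop 555-123-4567
# style phone numbers from matching.
_SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA structural rules: area 000, 666 and 900-999 are never issued,
    and group 00 and serial 0000 are never issued."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> List[str]:
    """Return every structurally valid SSN in text, normalised to ddd-dd-dddd."""
    hits = []
    for m in _SSN_RE.finditer(text):
        area, group, serial = m.groups()
        if is_valid_ssn(area, group, serial):
            hits.append(f"{area}-{group}-{serial}")
    return hits


def inspect_message(body: str, attachments: Dict[str, str],
                    threshold: int = 1) -> Tuple[bool, Dict[str, List[str]]]:
    """Decide whether an outbound message should be blocked.

    attachments maps filename -> text already extracted from the attachment.
    Returns (blocked, findings) where findings maps the part that tripped the
    rule ("body" or a filename) to the SSNs found in it. threshold lets a
    deployment tolerate a single incidental hit while still blocking bulk leaks.
    """
    findings: Dict[str, List[str]] = {}
    body_hits = find_ssns(body)
    if body_hits:
        findings["body"] = body_hits
    for name, content in attachments.items():
        hits = find_ssns(content)
        if hits:
            findings[name] = hits
    total = sum(len(v) for v in findings.values())
    return total >= threshold, findings


# Constructed sample: the body is harmless (the phone number is not an SSN),
# but the attached spreadsheet, extracted to CSV-style text, carries SSNs.
SAMPLE_BODY = "Hi, please see the design doc attached. Call me at 555-123-4567."
SAMPLE_ATTACHMENTS = {
    "design.xlsx": "Name,Account,SSN\nJ Doe,40012,219-09-9999\nR Roe,40013,078 05 1120\n",
}


def run_sample() -> Tuple[bool, Dict[str, List[str]]]:
    """Run the filter over the constructed sample; used by the demo and the checks."""
    return inspect_message(SAMPLE_BODY, SAMPLE_ATTACHMENTS)


if __name__ == "__main__":
    blocked, findings = run_sample()
    print("blocked:", blocked)
    for part, ssns in findings.items():
        print(f"  {part}: {len(ssns)} SSN(s) found")
```

The structural check matters in practice: without it, every 9-digit invoice or ticket number trips the filter and the control gets switched off. A real deployment would also log the findings rather than the SSNs themselves, and would need the attachment text extraction step that this example takes as given.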
Duy Nguyen says
Hi Guys,
Nice policy, I like how you guys included a section for review and revision. Included was also a process and owner of the review. I would have added more than just the Chief Information Security Officer.
Donald Hoxhaj says
Dear Team,
I would term my reaction to this as exciting because I really liked the way you have presented your Appendices A and B. In Appendix A, you talked about different controls for SSN protection and the details you have used are really intuitive. In Appendix B, the ITACS Credit Union incident response strategies were amazing, especially at the end when you talked about how incident handling is usually reviewed by the CIRT to see improvement areas for any future incidents. I think all organizations should have a quality check on their own processes to be more efficient for any unforeseen incidents.
It was really interesting to see the short clip that you created on sharing SSN numbers by email and in print too. Nice work overall.
Patrick DeStefano (tuc50677) says
Hi All,
Your written policy document was fabulous! Very detailed and laid out very nicely. I liked the idea behind the video and how you presented real-life scenarios which sometimes actually do occur in offices. I remember once I got an email from another department where they attached the wrong document. Instead of sending me a design document for a new application, they attached an XLSX file with account numbers and SSNs. It only takes one instance of sending to the wrong person to compromise data.
My only suggestion would be to add a voice-over to the video to better engage with the viewers.