Stage 0 - Passive

This particular IPC began with a relative "green field" for security. It had the creation of policies, guidelines and awareness initiative as its initial responsibilities. Most organisations will have some security group already in place handling policy and awareness programs.

Organisational and Departmental Policies: The IPC's activities in environmental scanning and VA give it a unique and integrated view of the organisation's security posture. The IPC will assist in policy formulation at both the departmental and organisation wide level.

• an HTML version of the draft of the Organisation's Security Policy document is on the IPC's intranet home page under Policies
• departments can add their own internal departmental policies to match their operational needs
• departmental policies that violate those of the overall policy must be explicitly documented, the risk assessed and the accountability for the residual risk formally accepted in writing and submitted to the Chief IT Security Officer (CITSO) by the Departmental IT Manager
• the IT Security Advisory Group is a cross-organisational body which meets to review policy and procedures and assists the CITSO in tuning policies and discussing new security strategies and policies

• Advisories
• Conference Presentations
• Workshop Presentations
• Panel Sessions
• Courses
• Security Audits and On-site Consulting

The following represent different mechanisms that will be used to educate and improve awareness.

• Advisories: Advisories are issued to alter the constituency of a single issue about computer security. These are normally long living document and will be used for future reference. Examples include the announcement of a vulnerability and solution, a suggestion on an administrative manner, or the announcement of tool kits. An advisory announcing a vulnerability will contain enough information on the scope of the vulnerability (version and platforms affected), a description of the severity of the problem (including any exploitation), and one or more solutions. This will give the constituent enough information to decide how to apply the solution to its computing resources.
• detail the format
• describe means of distribution
• Conference Presentations: Presentations serve as a mechanism to discuss the latest research and trends in computer security. This will be the forum to relate to the constituency information that affects them directly, such as the number and severity of incidents, and general trends that have been determined.
• Workshop Presentations: Workshops will be offered to give users and the information security chain hands-on exposure to security tools and auditing techniques.
• Panel Sessions: This type of session allows people with different backgrounds to come together allowing a broader content. This is usually an interactive session with comments and questions submitted by the audience.
• Exercises: A "security exercise" is a short 10 to 15 minute activity that can increase the security of the information system by having the systems administrators respond to a given attack scenario. The exercises would be held in conjunction with security classes.
• Courses: Traditional education involves classrooms, lectures, and tutorials. This is the most effective way to educate the constituency. On-line tutorials are also powerful tools and allow users to remain at their desk to take the training.