Dear friends of NoticeBored, Digital forensics - the capture and analysis of digital evidence for use in court - is an increasingly important topic not just for law enforcement but for ordinary organizations and even individuals. The forensic investigation of computers, cellphones, PDAs, USB memory sticks etc. is a tedious, painstaking process involving the systematic collection, storage, examination, analysis and interpretation of the data they contain. Digital forensics is a completely new topic for NoticeBored, our 35th information security focus area so far. While we do not know of any competing security awareness products that cover forensics, it’s a fascinating topic for those who enjoy whodunnit thrillers or watch CSI Miami. Awareness of the procedures and issues involved in digital or computer forensics might just interest technical employees enough to take up the challenge and complete the training, and should give management the basic knowledge to be able to select and/or ...

Writing in Computerworld, author Jennifer Bayuk offered some innovative suggestions on how best to write information security policies that are effective and workable in practice. I particularly like the way she emphasized taking time to canvas management on their perspectives on the value and hence need to protect their information assets, drawing out management's control objectives as a prelude to drafting the actual policy statements. She talked about an implicit risk assessment approach, I guess: I have successfully used risk workshops and so forth to achieve essentially the same ends, namely explicit management understanding and support for information security. It works. Jennifer mentioned the use of standards such as ISO27k, COBIT and the ISF Standard of Good Practice, all of which I would agree form a sound basis for developing reasonably comprehensive policy sets - in fact, it could be argued that organizations should perhaps use a synthesis of all three, plus relevan...