
Posts

Showing posts from April, 2008

When education isn't enough

So first off, I think awareness and education are an important part of any comprehensive security program. BUT you can't think that just by talking about security or training people on what to do to reduce the chance they are a victim of ID theft, phishing, or another attack, you have significantly changed the risk profile of your company! I've recently seen a couple of senior security leaders expound on the idea that they just need to bring the knowledge to the company and leave the rest to the operational people (sysadmins, network admins, etc.) to actually implement any controls. This fails on many levels. Without proper leadership, oversight, and guidance, the IT operational teams won't know if they've met the requirements of the policies, best practices, etc. Someone needs to tell them to do more, do less, or that they've hit the mark. This needs to be consistent and comply with all appropriate regulations, compliance requirements, etc. The basic contr

Well this is annoying

Saw this on Slashdot: http://www.washingtonpost.com/wp-dyn/content/article/2008/04/03/AR2008040304052.html. Looks like some ISPs are starting to do "deep packet inspection", mostly, it seems, to profile customers and see where they go, and possibly to sell that information to other companies. I thought that this type of inspection would be covered by the wiretap act? I will look up specifics regarding the laws that I'm aware of and post more during the coming week. Not a lawyer, and this isn't intended as legal advice or guidance; I'm just interested in understanding my rights and what implications this activity by ISPs may have on privacy. ->Pierre