Adopting and Adapting to Advance Awareness

By David McCartney

If you follow me on Twitter (twitter.com/iamthedavil), you may be aware that my Information Security (InfoSec) group is in a bit of a project holding pattern for the foreseeable future due to too many projects and not enough people or funds. Like many companies, we are being asked to “do more with less.” While this is an admirable goal, my personal objective is to be more effective with less, reducing the confusion between motion and progress.

One of my main concerns is the number of security-related emails our InfoSec area is sending out. Since there’s the common concern that frequent communications will be viewed as noise, I’ve been trying to figure out a way to increase the effectiveness and memorability of our alerts.

One of my first ideas was to “adopt and adapt” a color-code system for types of hospital-loudspeaker alerts similar to what the hospital currently uses:

  •       Bomb Threat – Code Black
  •       Fire – Code Red
  •       Missing Child – Code Adam

And so on.

Introduction to these codes begins on the first day of employment during new hire orientation. Additionally, all staff, including non-medical personnel, must complete yearly CBTs that review the various colors and their meanings. Furthermore, these codes are printed on cards employees carry with them at all times, so they’re repeatedly emphasized to all hospital employees. I suppose you could even say these codes are imprinted on our DNA…

(I’ll pause for groans and laughter here.)

My idea was to adopt the current announcement method, designed to quickly initiate a response during an emergency, and adapt it for InfoSec purposes. With that goal in mind, I came up with the following potential list based upon the top communications I see the InfoSec team generating:

  •       Malware/Virus Outbreak – Code Red
  •       Patch Required – Code Blue
  •       Disaster Recovery Engaged – Code Yellow

Instead of targeting medical personnel with the communications, Information Systems (IS) staff would be the primary recipients, as they are typically the initial audience for many of the situations mentioned above. By using a “color codes” approach to draw attention to the InfoSec announcements, IS staff will know when to respond to alerts we send. Desktop Support would know increased workload may be coming during a Code Red, Server Administrators are informed of a patch through a Code Blue, and all of IS is quickly aware when a Disaster Recovery effort has begun.

Usage would be similar to the following in an email subject:

- Bogus Webmail address

  •       InfoSec Code Blue – Emergency Patch Required
  •       InfoSec Code Yellow – No Power at Southwest Site

A slightly different way of using the system was suggested by Michael Santarcangelo, for an environment where response time is critical. With his approach, the codes indicate less about the threat and more about the timeframe within which people need to act:

  •       Code Red – Immediate (Within 24 Hours)
  •       Code Yellow – Urgent (Within 48 Hours)
  •       Code Green – Soon (72 Hours)
  •       Code Blue – Informational (No Action Taken)
  •       Code Gray – Personal (Do This At Home)

While the adopt-and-adapt concept seems simple, I do have a confession to make. In my zeal, I made the error of using the same colors as the hospital alerts.  Marketing and upper management quickly informed me that the InfoSec Event colors needed to be different than those used by the hospital to minimize confusion and panic.  Keep this in mind in your environment.

This is an opportunity for us to work together. What exists in your environment that you can leverage to increase security awareness and visibility? What have you done that’s been successful? What’s failed? Let’s continue to share ideas and learn from each other, especially during these times of limited budgets and resources.