Information Security Policy
Businesses that do not have clearly written Information Technology security policies and practices in place run the risk of being named in legal actions in the very near future. Although no current court cases exist, many security experts are warning that if you lose or expose confidential business or customer data, unknowingly distribute viruses or experience a breach of your systems that results in loss of service to your customers, you could be found liable.

Computer and network security used to be the concern of only the largest corporations. Now, however, with the high availability of networks, web hosting and Internet applications to even the smallest office, the tide is turning. Today, a small business with two employees can construct an economical network, share a cable modem and purchase a firewall that enables remote access using a Virtual Private Network (VPN). This is also a double-edged sword. This new "high availability" has also borne a vast breed of crackers.* These individuals can find ways to access, steal and/or destroy data residing on public and private networks.

Starting the Process

The key to establishing these policies and practices is to not be overwhelmed by the complexity of the process. Start by taking inventory of your systems, your connections to the Internet and external providers, the method in which you store data, and the method in which you secure and back up data. During this documentation process, you can identify clear procedures for the handling and transfer of this data, as well as new security measures you can use to show due diligence in addressing any potential security risks.

The Basics

Even the smallest network should adhere to the following:
- Never use a computer system for both personal and business use (i.e. the family uses it for fun, but business is also processed on the machine). This is an immediate risk of public disclosure of confidential information and accidental loss of data.
- A daily and monthly data backup process should exist which also provides for off-site or fireproof storage of the backup data in a non-editable format (i.e. offline magnetic tape or CD-R (not CD-RW)).
- Any connection to the Internet, from a shared 56K modem to a broadband (DSL, Cable or T1) connection, should be behind a software- or hardware-based firewall. If not, this is an immediate and gaping hole through which crackers can access your private network or use your computer for an attack on a larger public or private network (often called a DDoS or Distributed Denial of Service attack).
- Use a password to log in to your computer even if it is not on a network. Passwords should be at least eight characters and changed as often as tolerable (90 days is a satisfactory time period).
- Use, and update daily, an anti-virus software suite, which can protect your individual computers as well as any servers you use.

By taking these steps, you are dramatically reducing your exposure to uninvited intrusions. The inventory you established earlier can then be reviewed, and a plan can be developed by your business and your technology staff/consultant to ensure your office network and data is a fortress with as little risk as possible.

Learn More About Securing Your Computer, Data and Network
Security Tracker: This site tracks all known vulnerabilities and threats in Internet and network technology. http://securitytracker.com

Microsoft Security: Microsoft's site dedicated to their own applications, including software patches and alerts to newly discovered security issues. http://www.microsoft.com/security/default.asp

TinHat: The ABCs of web and Internet security. http://www.tinhat.com/