Note: This is part two of a four-part series that identifies business information assets, helps business owners understand the value of their information and then explains how best to protect information as a valuable business asset.
Last month we began our journey through the vast world of information security. We talked about identifying the true value of a business’s information – the cost of acquiring the proper software and hardware, the cost of implementation and training, and the staff hours needed to create and manage the data. We pondered the potential cost of information security breaches – the time and money invested in the information, lost production and sales during the downtime, the cost of recovery or recreation, and the overall loss of customer goodwill.
You may have heard of return on investment (ROI), and getting return on your security investment (ROSI) is very similar. Creating a secure, safe environment for your business information may seem like a daunting task but it can be done with a little planning and persistence. First, one needs to understand that security is not just a technical issue. According to the Computer Security Institute (CSI) 2004 report – in conjunction with the Cyber Crime Taskforce office of the FBI – 34.5% of all intrusions occurred from outside the organization; another 34% occurred from internal intrusions; and the balance of the intrusions were from unknown sources. What this tells us is that we are as much at risk from within our own organization as we are from outsiders. Because of this, every business should evaluate security from three points of view – organizational, technical and physical. In this article, we will examine the issue of business owners’ organizational security.
Organizational security begins with your overall attitude toward protecting assets within your organization. Do you know the true value of your information? Have you developed an information security plan with defined policies and procedures? Have these been communicated to your employees so that they understand their importance? Security implementation is no better than management’s commitment to these issues. For this reason, the organizational component of security is as important as – if not more important than – the technical or physical components. Management is responsible for establishing best practices, making sure employees understand and agree with the practices, and ensuring that staff adhere to those practices.
Organizational security practices are standard processes that ensure ethical, safe operations. They establish who, what, where and how the business will operate. Their value is most apparent when they prevent a disaster or a loss of business operations. Best practices begin with policies.
The definition of policy is “a program of actions adopted or the set of principles on which they are based.” In an organization, this means a policy establishes the rules and processes employees must follow to ensure proper operational integrity. All good policies include:
— Purpose – A general statement of the policy, such as the rule or guideline to be applied.
— Scope – Who and what the policy applies to, e.g., all employees, all Internet users, etc.
— Acceptable and Unacceptable Use – An outline, if applicable, of what are acceptable and unacceptable practices.
— Audit – A plan for how the policy will be monitored for acceptable usage.
— Enforcement – A plan for how the policy will be enforced, what will happen if the policy is not followed or violations of the policy occur, including disciplinary actions if needed.
Once the policy is written, procedural actions should be outlined. Procedures generally explain which steps employees should follow on a regular basis. They should also include acceptable versus unacceptable alternative actions, as well as measures that will be taken should the policy be violated.
Policies and procedures, for example, are fundamental to hiring and termination practices within your organization. Chances are you have rules about employees working late or closing and locking up after business hours, but computer usage is often overlooked. Remember that 34% of intrusions come from within the organization, whether intentionally or unintentionally. Do you know who has access to important documents? Are your employees aware of the risks involved in Internet usage? Coming back to hiring and termination practices, do you have policies in place to ensure that information access is also terminated when an employee leaves the organization? Policies for computer use are just as important as your policies for handling money or inventory.
All policies and procedures require an implementation plan that includes auditing and enforcement. The audit process provides checks and balances for the whole system of policies and procedures. An audit plan should include tactics for monitoring and reviewing the policy. The audit should define – through documentation and reporting – what constitutes a violation of the policy and which tools will be used to discover violations, such as Internet usage tracking or routine assessments of physical security measures. Enforcement of the policy is essential to effective security. Some organizations choose to add logging software or filters to make enforcement easier. Once a policy violation is identified, disciplinary or corrective action needs to be taken.
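The access-termination question raised in the hiring and termination discussion and the audit plan described just above can be turned into a routine, documented check. The following is an added example, not the article’s own material: a script that reconciles a constructed HR roster against a constructed account inventory and reports the accounts a leaver policy would flag (accounts still enabled after the owner left, logins on or after the leaving date, accounts with no matching HR record, and accounts with no named owner). The record formats, names, ids and dates are assumptions made for the example.

```python
# Added example (not from the article): a leaver-access audit that checks an
# account inventory against an HR roster. All names, ids and dates below are
# constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    termination_date: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]  # None for service or shared accounts
    enabled: bool
    last_login: Optional[date]


# Constructed HR roster: Bob and Carol have left the company.
HR_ROSTER = [
    HrRecord("e001", "Alice", None),
    HrRecord("e002", "Bob", date(2024, 3, 15)),
    HrRecord("e003", "Carol", date(2024, 1, 10)),
]

# Constructed account inventory, as it might be exported from a directory.
ACCOUNTS = [
    Account("alice", "e001", True, date(2024, 4, 1)),
    Account("bob", "e002", True, date(2024, 3, 20)),      # still enabled, used after leaving
    Account("carol", "e003", False, date(2024, 1, 9)),    # correctly disabled
    Account("svc_backup", None, True, date(2024, 4, 2)),  # shared account, no single owner
    Account("dave", "e999", True, date(2024, 3, 30)),     # no HR record at all
]


def audit_leaver_access(hr: List[HrRecord], accounts: List[Account]) -> Dict[str, List[str]]:
    """Return the policy violations found, keyed by finding type.

    terminated_still_enabled: the person has left but the account is enabled
    login_after_termination:  the account was used on or after the leaving date
    no_hr_record:             the account names an owner HR has no record of
    unowned_account:          no named person is responsible for the account
    """
    by_id = {rec.employee_id: rec for rec in hr}
    findings: Dict[str, List[str]] = {
        "terminated_still_enabled": [],
        "login_after_termination": [],
        "no_hr_record": [],
        "unowned_account": [],
    }
    for acct in accounts:
        if acct.employee_id is None:
            findings["unowned_account"].append(acct.username)
            continue
        rec = by_id.get(acct.employee_id)
        if rec is None:
            findings["no_hr_record"].append(acct.username)
            continue
        if rec.termination_date is None:
            continue  # current employee; nothing to check for this policy
        if acct.enabled:
            findings["terminated_still_enabled"].append(acct.username)
        if acct.last_login is not None and acct.last_login >= rec.termination_date:
            findings["login_after_termination"].append(acct.username)
    return findings


def format_report(findings: Dict[str, List[str]]) -> List[str]:
    """Render the findings as lines suitable for the audit's written record."""
    lines = []
    for kind, users in findings.items():
        if users:
            lines.append(f"{kind}: {', '.join(sorted(users))}")
    return lines or ["no violations found"]


if __name__ == "__main__":
    for line in format_report(audit_leaver_access(HR_ROSTER, ACCOUNTS)):
        print(line)
```

Run on its own, the script prints one line per finding type, which is the kind of written record the audit plan asks for. In practice the two inputs would be exported from the HR system and the directory on a schedule, and each finding would feed the enforcement step the policy defines.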
Investing in organizational security begins with managerial attitude, and managerial attitude is the beginning of ROSI. Enforced policies will give your physical and informational assets the best protection within your budget – within any budget. Security isn’t just a technical issue, a financial issue or a physical control issue. It is a combination of organizational attitude and direction, well-integrated and appropriate technical controls, and good physical controls. Your organization’s security requires this holistic approach to ensure that your information assets – not just your physical space – are all properly protected.
— Alan Pemberton is the director of consulting services for 3D Computer in Bellingham.