The increase in the processing power of computers in recent years has enabled humble desktop and laptop computers to perform business functions that would have required massive mainframe computers in past years. As helpful as this development has been for productivity, along with it has come an added danger of IT security breaches from hackers using these same machines for malicious purposes. This executive summary describes a number of steps you can take to help reduce the chance of a security breach and keep your IT system functioning as smoothly as possible.
Decide on a security policy
To draw up a security policy it is helpful to first ask yourself a variety of questions relating to your goals for the policy and how they can best be communicated. These questions can include:
- What is the purpose of the policy? How will it add value to the company’s operations?
- What are the IT-related assets that need to be covered by these policies and how can they best be protected?
- Are the proposed policies in agreement with the company’s business strategy and objectives?
- Is the policy designed to meet regulatory requirements and objectives, or is the focus best practices within your organisation, or a mix of both?
- Who will the policy be communicated to?
- How much of the information being communicated is essential for them to know?
- How can this information best be communicated – what is the best format to use?
Establish policies for acceptable technology usage
These guidelines should clearly identify which devices can be used for company business and which cannot. The guidelines should cover all devices suitable for business use, including:
- Fax machines
- Land line telephones
- VOIP phones
- Data storage devices
In addition, policies relating to the use of the various communication media accessible from these devices should be enacted. Such media include:
- The Internet
- VPNs (virtual private networks)
- Internet chat and relay systems
It should be stressed that all software used for business purposes should be kept patched: apply security updates as soon as they are released (after whatever brief testing your change process requires), and retire software that its vendor no longer supports, since it will never receive fixes for newly found flaws.
Provide detailed security guidelines
Your security protocols should specify the following:
Rules dealing with the creation and usage of passwords:
- The longer the password the better: set a minimum length (12 characters or more) and allow long passphrases rather than capping length.
- Require a mix of character types (upper- and lower-case letters, digits, special characters), but treat this as secondary to length: a complexity rule that pushes people towards short, predictable patterns such as a capitalised word followed by a digit and an exclamation mark weakens rather than strengthens the password.
- Discourage names and dates associated with the employee: an attacker can find the name of an employee's spouse, children or even pets from social media and will try them first.
- For maximum security, use a password manager that generates a long random password for each account and stores it, so that employees neither invent nor reuse passwords.
- Account lockout (sometimes mislabelled a "password locker") should disable the account, or impose an increasing delay, after a set number of consecutive failed login attempts. This must be enforced on the server rather than on the user's device, otherwise it does nothing against online guessing.
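The rules above can be turned into a check that runs at password-creation time and a server-side lockout counter. The following Python example is added here for illustration and is not code from the original page; the 12-character minimum, the three-of-four character-class rule, the five-attempt lockout limit and the sample personal terms are assumptions chosen for the example.

```python
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 12          # assumption: length is the dominant factor in guessing resistance
MAX_FAILED_ATTEMPTS = 5  # assumption: lock the account after this many consecutive failures


def check_password(password, personal_terms=()):
    """Return a list of policy violations; an empty list means the password is acceptable.

    personal_terms holds names an attacker could look up for this employee
    (spouse, children, pets, company name); the caller constructs it.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    lowered = password.lower()
    for term in personal_terms:
        # ignore very short terms, which would match almost any password
        if len(term) >= 3 and term.lower() in lowered:
            problems.append("contains personal term '%s'" % term)
    return problems


def generate_password(length=16, personal_terms=()):
    """Draw random passwords from the OS CSPRNG until one satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, personal_terms):
            return candidate


class LockoutTracker:
    """Server-side counter of consecutive failed logins per account.

    record_failure returns True once the account has crossed the limit. A
    correct password clears the counter only if the account is not already
    locked, so an attacker cannot unlock it by eventually guessing right.
    """

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)
        self.locked = set()

    def record_failure(self, user):
        self.failures[user] += 1
        if self.failures[user] >= self.max_attempts:
            self.locked.add(user)
        return user in self.locked

    def record_success(self, user):
        """Return True if the login may proceed (account not locked)."""
        if user in self.locked:
            return False
        self.failures[user] = 0
        return True

    def is_locked(self, user):
        return user in self.locked

    def unlock(self, user):
        """Administrative reset, e.g. after the help desk has verified the employee's identity."""
        self.locked.discard(user)
        self.failures[user] = 0


if __name__ == "__main__":
    # constructed sample inputs
    print(check_password("Summer19!"))
    print(check_password("Rex-the-dog-2024!!", ["Rex"]))
    print(check_password("correct horse battery staple 9!"))
    print(generate_password())
```

Note that the long lower-case passphrase in the last check passes the policy because length, not symbol variety, is what the rules are meant to reward; a real deployment would also reject passwords found in breach lists, which the page does not cover.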
Access controls for your network, computers, and email
- Reset time periods for passwords (e.g. every 60, 90 or 180 days), or, following the current NIST SP 800-63B guidance, no scheduled reset at all but a mandatory reset whenever compromise is suspected, since frequent forced changes tend to produce weaker, predictable passwords
- Mobile log-in guidelines
- Log-in log-out policies
- Password authentication
Controls for physical access to your IT assets
Establish controls to help prevent unauthorised individuals from gaining physical access to your IT systems:
- If servers and network equipment are located at your company premises, keep them in a locked room with access limited to named staff, and encrypt their storage so that a stolen disk or backup tape is unreadable.
- If the data stored on your premises is highly sensitive, it may be worth looking into specialised security measures such as video monitoring, biometric access control, third-party guarding, etc.
Regularly review your access controls
As employees leave the company, or change roles, it is important to review your access roster to make sure they can no longer reach company data: disable every account a leaver held (network login, VPN, email, cloud services, shared credentials) on the day of departure, and look for accounts that no current employee owns.
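An access review is in practice a reconciliation between two lists: who HR says works here, and who the systems say can log in. The following Python example is added for illustration and is not code from the original page; it compares a constructed HR export with a constructed account export and reports accounts belonging to leavers, logins after a departure date, orphan accounts with no employee behind them, and accounts idle for more than 90 days. The CSV layouts, the svc-backup service account, the review date and the 90-day threshold are assumptions chosen for the example.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample data: what an HR export and an account export might look like.
HR_ROSTER = """\
username,status,left_on
alice,active,
bob,left,2024-03-15
carol,active,
"""

ACCOUNT_EXPORT = """\
username,system,last_login
alice,vpn,2024-05-01
bob,vpn,2024-03-20
bob,email,2024-04-02
carol,fileserver,2023-11-30
svc-backup,fileserver,2024-05-02
dave,email,2024-04-28
"""

TODAY = date(2024, 5, 6)            # assumption: the day the review is run
STALE_AFTER = timedelta(days=90)    # assumption: idle accounts older than this need a decision
SERVICE_ACCOUNTS = {"svc-backup"}   # assumption: non-human accounts reviewed separately


def review_access(hr_csv, accounts_csv, today=TODAY, known_service_accounts=SERVICE_ACCOUNTS):
    """Return a sorted list of (username, system, reason) tuples that need action."""
    people = {row["username"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user = acct["username"]
        if user in known_service_accounts:
            continue
        last = date.fromisoformat(acct["last_login"])
        person = people.get(user)
        if person is None:
            findings.append((user, acct["system"], "no matching employee (orphan account)"))
            continue
        if person["status"] == "left":
            left_on = date.fromisoformat(person["left_on"])
            reason = "employee left on %s" % left_on
            if last > left_on:
                # the account was still usable after departure: investigate, not just disable
                reason += " but logged in on %s" % last
            findings.append((user, acct["system"], reason))
            continue
        if today - last > STALE_AFTER:
            findings.append((user, acct["system"], "no login for %d days" % (today - last).days))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ACCOUNT_EXPORT):
        print("%-12s %-12s %s" % finding)
```

Run against real exports, the interesting line is the leaver who logged in after the departure date: that is not a housekeeping item but a sign the off-boarding process failed, and it deserves a look at what the account did in the interval.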
Anti-virus and firewall protection specifications: Anti-virus software should run real-time scanning with its definitions updated automatically, and a full scan should be scheduled regularly and triggered whenever new software is installed on the network. Your firewall should ideally be business-class, blocking all inbound connections except those you have explicitly allowed, to provide as comprehensive a defense against outside penetration of the network as possible. You should also perform network security tests, including scanning your firewall and any internet-facing services for vulnerabilities, on a regular basis. A variety of programs are available for this purpose, including free ones such as OpenVAS; bear in mind that a clean scan shows only that the scanner found nothing, not that the network is secure.
Confidentiality guidelines: Your guidelines should detail whether and when data on the company network can be revealed to or used with parties outside of the firm.
Usage of data/encryption protocols: Specify how data can be used, for instance whether it can be included in emails and whether encryption will be used to secure company data at rest. Various programs to encrypt your disks are available, including free ones like DiskCryptor and VeraCrypt (the TrueCrypt project was abandoned by its developers in 2014 and its final release should no longer be used). You can also encrypt data sent via email by using a solution such as MessageLock or PGP email encryption, bearing in mind that email encryption only works when the recipient also uses it, and that the subject line and addresses remain in the clear.
Mobile device usage criteria: Require a strong passcode and full-device encryption on any device used for company business, enable remote wipe for devices that are lost or stolen, and use an encrypted channel such as a VPN or TLS for all data sent between mobile devices and your network, so that it cannot be read by unauthorised outsiders on the path.
Monitor employee network usage activity
Establish criteria which can be used to monitor employee network usage. The following types of usage patterns can indicate a potential problem:
- Log-ins from an unfamiliar or geographically implausible location
- Downloads of company data that are unusually large compared with the employee's normal pattern
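Both patterns can be checked automatically against an access log. The following Python example is added for illustration and is not code from the original page; it runs over a constructed log of VPN or file-server sessions (timestamp, user, source country, bytes downloaded), flags sessions from outside a set of expected countries, and flags sessions whose download volume is far above the user's own median or above an absolute ceiling. The log format, the expected-country set, the 10x multiplier and the 1 GB ceiling are assumptions chosen for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample access log: ISO timestamp, user, source country, bytes downloaded.
SAMPLE_LOG = """\
2024-05-01T09:12:00 alice GB 120000
2024-05-01T09:40:00 alice GB 85000
2024-05-02T10:02:00 alice GB 150000
2024-05-02T23:55:00 alice RU 90000
2024-05-03T08:30:00 alice GB 4800000000
2024-05-01T08:00:00 bob US 50000
2024-05-02T08:05:00 bob US 60000
2024-05-03T08:10:00 bob US 55000
"""

HOME_COUNTRIES = {"GB", "US"}     # assumption: countries the company expects staff to log in from
DOWNLOAD_MULTIPLIER = 10          # assumption: flag a session pulling more than 10x the user's median
ABSOLUTE_LIMIT = 1_000_000_000    # assumption: ...or more than 1 GB in one session regardless


def parse_log(text):
    """Turn the whitespace-separated log lines into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, size = line.split()
        events.append({"ts": ts, "user": user, "country": country, "bytes": int(size)})
    return events


def find_anomalies(events, home_countries=HOME_COUNTRIES):
    """Return (user, timestamp, reason) tuples for events matching either pattern."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    findings = []
    for user, user_events in by_user.items():
        # per-user baseline: the median session size is robust against the outlier itself
        median = statistics.median(e["bytes"] for e in user_events)
        for e in user_events:
            if e["country"] not in home_countries:
                findings.append((user, e["ts"], "login from unexpected country %s" % e["country"]))
            if e["bytes"] > ABSOLUTE_LIMIT or e["bytes"] > DOWNLOAD_MULTIPLIER * median:
                findings.append((user, e["ts"], "downloaded %d bytes (user median %d)" % (e["bytes"], median)))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(parse_log(SAMPLE_LOG)):
        print("%-8s %s  %s" % finding)
```

The baseline here is computed from the same window that is being checked, which is acceptable for a one-off review of a few days of logs; a scheduled job should build each user's median from earlier history so that a single large session does not shift its own threshold. Alerts from this kind of check are leads for a person to follow up, not proof of misconduct: a remote worker on holiday and a legitimate backup both look like anomalies.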
Set up business continuity procedures
IT security involves more than protecting your IT assets from outside tampering or attack. It should also cover the measures needed to protect, and regain access to, your IT assets and data in the event of an outage or catastrophe of some sort. These procedures should cover how data is backed up (how often, where copies are kept, and how restores are tested, since a backup that has never been restored cannot be relied on), as well as broader business continuity processes for re-establishing your IT system after an outage.
Document network policies and procedures
A good security policy will detail who has access to which levels of the company’s network. Such policies should include:
- How the network is configured
- How to add new employees to the network
- Permission levels for employees
- Licensing policies for software used on the network
Bringing in an outside IT services firm to perform a third party checkup at least once each year is also recommended.
Maintain IT services & training policies
Guidelines in regards to IT services should specify procedures for addressing technology needs and problems. They should also identify who at your company, or at a third party firm if you are outsourcing the process, is responsible for functions such as:
- Employee technical support
- Long-term strategic technology planning
Training should be conducted to familiarise employees with all aspects of the company’s IT security policies, including how to create strong passwords and rules associated with handling and protecting customer information and other important data.
The importance of establishing and maintaining a robust security policy, given the importance of your IT assets in today’s era of sophisticated and powerful computers (and a corresponding level of threat from malware of all types), cannot be overemphasised. The steps outlined above can help you devise and implement a variety of security policies to help protect your IT system from both malicious attacks and inadvertent exposure of your valuable data.