Computer Ethics Policy 2019
Ethics are moral principles that guide an individual’s or group’s behavior. We believe it is important that you and your organization clearly state your policy regarding the ethical use of computers in your organization.
A computer ethics policy is a reflection of corporate ethics and core values. This blog post explains 20+ computer ethics principles that can be used in any company or organization.
Some people will argue that you can embed your ethics into your acceptable use policy by identifying prohibited activities. While this is a valid argument, we believe it is shortsighted and dilutes the importance of clearly identifying your ethical posture in support of your core values.
After all, ethics prepare you to do the right thing when confronted by questionable circumstances. As an organization with integrity, you want your employees to be the best postured to do the right thing, even in ambiguous situations.
Your Computer Ethics Policy should be a reflection of your corporate ethics and core values. They should clearly state what you believe and how your employees should act when using computer resources. The policy should be clear, succinct, and easy to remember.
The Computer Ethics Institute publishes what they call the “Ten Commandments of Computer Ethics.” We believe they are an outstanding starting point for you to create your computer ethics policy.
We are including them here (in bold print) along with our commentary (in regular typeface) to show you how you can reinforce your company’s core values with clear statements of what ethical behavior is expected of you and your employees when using computer resources:
The Ten Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people.
Computers can hurt people if not used properly. For example, a malicious person could create a “logic bomb” that could destroy your data and information with devastating impact.
Stealing, tampering with or destroying another person’s computer, smartphone, mobile device, or information is harmful and should be identified as clearly unacceptable behavior.
2. Thou shalt not interfere with other people’s computer work.
Have you heard the story about the employee who was working on a proposal with a short timeline, got up to go to lunch, and left their computer unlocked? If the company won the proposal, the employee was certain to be promoted.
Unfortunately, another employee who was up for the same promotion saw his competitor (who should have been viewed as a teammate) leave the computer unlocked and went to the workstation where he deleted critical files.
Fortunately, another employee who practiced proper ethics witnessed the act, the files were recovered, and the unethical perpetrator was dismissed.
3. Thou shalt not snoop around in other people’s computer files.
Do you go to your neighbor’s house, open up their mailbox and read their mail? Of course not! Then why would you want to read their emails? Sadly, some unethical people do just that.
Locking computers, encrypting data, and setting strong access control procedures can help thwart unethical behavior, yet your policy should be clear to set boundaries on what information people should have access to.
4. Thou shalt not use a computer to steal.
Your information has value. Using a computer to break into a company’s accounts and transferring money or information to an unauthorized account is robbery. Don’t tolerate it, and if you discover an instance that you suspect is an example of computer theft, report it to law enforcement officials.
5. Thou shalt not use a computer to bear false witness.
Sadly, the Internet can be used to besmirch the reputation of individuals or organizations in seconds. Your good name or brand reputation can be ruined by false information. Once false information is published on the Internet, it is exceedingly difficult to correct and eradicate.
If you or one of your employees posts false or misleading information on the Internet, you expose yourself or your organization to expensive litigation, probable embarrassment, and ruining of your reputation.
Ensure everyone is trained on appropriate communications and consequences. When you find an instance where your ethical standards have been violated, act decisively and quickly to remedy the situation.
6. Thou shalt not copy or use proprietary software for which you have not paid.
This is important and you need to pay attention to this in your company. With the advent of digital media, copyrighted material is now widespread.
Music, pictures, videos, software programs, and digital books are all examples of intellectual property that are protected under the law as proprietary.
Your company can (and perhaps should) be sued if you host illegal copies of proprietary software on your network or its storage devices. The penalties can be severe including fines and damages.
There are means to scan for some instances of illegal proprietary software, yet your best defense is a well-trained and ethical workforce.
7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
Despite best efforts to secure passwords, some people still write them down and expose them to compromise. The author had an experience where an unethical employee found the username and password of another employee and used them to access the other employee’s account.
Once logged in using the other employee’s credentials, the unethical employee viewed files he was not authorized to access. Fortunately for the organization, he did not tamper with them.
He was discovered when the other employee tried logging in and could not gain access as the network was configured to only allow one access instance at a time. Quick work by the help desk and network administrators found that the unethical employee had logged in from his workstation using the credentials of the other employee.
A visit by his supervisor confirmed it. In this case, both employees were disciplined. The first for not properly securing their credentials and the unethical employee was dismissed for using the resources without authorization.
8. Thou shalt not appropriate other people’s intellectual output.
This is a lot like the sixth commandment regarding proprietary software. Software piracy is illegal and is theft of intellectual property.
You expect your employees to protect your intellectual property and trade secrets. Your ethics program should reciprocate in protecting the rights of others as well.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
Tim Berners-Lee, the creator of the HyperText Markup Language that launched the Internet, is quoted as saying, “The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect.”
Is your fancy web page usable by people with hearing or visual impairments? Have you ever thought about how those who have some form of physical impairment or challenge may be affected by how you display your information? What about the content of your information?
Because anyone with Internet access can access publicly exposed information, is the information you expose appropriate for all audiences? Frankly, there is a lot of information, imagery, video, and other items on the Internet the author finds morally reprehensible.
Do you want your organization to be viewed as socially responsible in how it interacts on the Internet and internally? We hope so and recommend you include social responsibility in your computer ethics policy.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
This is reminiscent of the Golden Rule: “Do unto others as you would have them do unto you.”
While it should go without saying that your organization’s computer ethics policy includes using the computer in ways that treat others with dignity and respect, it is appropriate and recommended to reinforce this commandment.
Training people on proper etiquette in information correspondence is important. For example, many people still do not realize that typing in all capital letters is considered SHOUTING and may be considered offensive.
Your ethics policy can have a powerful motivating effect on your employees. We seek ethical organizations to work for and with and are not alone in doing so. Your employees expect their organization to act in a responsible and ethical manner.
So do your shareholders and potential investors as do your business partners and those with whom you have relationships. Nobody wants to work with or for somebody or something that is not ethical.
As an executive, ethics begins and ends with you. Your leadership sets the ethical environment that your employees, peers, partners, and prospective investors will scrutinize.
If you do not follow ethical behavior when using computer resources, you will be discovered and will be held accountable—even if you are the boss. You must always ensure you maintain your integrity and practice and enforce your organization’s standards of ethical behavior.
It is important that your policy clearly states that it is applicable to everyone in the organization: directors, management, and employees.
It also should clearly state that your organization has “zero tolerance” for unethical behavior and that any employee found to have violated the policy will be subject to disciplinary action up to and including termination.
It is easy to spell out how not following the policy will be dealt with, but it is important to continually promote ethical behavior when using computers and reward your employees. Many companies now include ethics as a performance measure for their employees.
Others have incorporated ethics into non-cash rewards programs, where demonstrated excellence in ethical behavior is rewarded with special recognition before their peers such as earning “rights” to the boss’s parking space for a week, a free lunch served by the executive team, a certificate or plaque, or even a paid day off.
The need for corporate ethics is strong.
An organization that conducts its business in an ethical manner engenders respect from within the organization as well as from outside. To nobody’s surprise, people prefer to work for an organization that promotes ethical behavior.
As a result, those organizations enjoy high rates of employee retention. Likewise, consumers demonstrate brand loyalty to companies that exhibit a strong sense of corporate responsibility and stewardship.
Your computer ethics policy can give you a competitive edge in today’s contested marketplace. You’ll find that your computer ethics policy establishes your organization as placing a premium on “doing things right” with a clear sense of purpose and social responsibility.
It can inspire powerful uses of technology to further your strategic vision while deterring inappropriate and wasteful activities as well. Your computer ethics policy is a great investment.
Password Protection Policy
Passwords are the keys to your organization’s information. They arguably are the keys to your organization’s survival, your personal finances, your treasured family records, or (perhaps) even your identity. How good is your password? Are you willing to risk life as you know it on the strength of your password?
Password Best Practices
Try to make your password something you can and will remember.
Don’t store your password on a sticky note by your computer, in your wallet, or on your phone. Keep it as secure as the information it protects.
Bad actors run password cracking programs that have thousands of passwords like these already stored in their tables. They also research you and can quickly find the names of your family members and figure out your favorite sports mascots.
Change your passwords often. Change your passwords at least every quarter. Now, with automated reminders you can load in your phone, you have no excuse for forgetting to do it.
Passphrases are another form of password that many people use to create complex and lengthy passwords that are easier to remember than scrambled, hard-to-remember strings.
When it comes to your password policy, in addition to the best practices we already identified, there are several other best practices you should incorporate into your policy:
Password Policy “Must-Haves”
Use a “three strikes and you are out” policy to lock accounts after successive unsuccessful log-in attempts.
While an attacker can create a denial of service by deliberately creating three failed log-ins, the risk of a hacker cracking your password by repeatedly attempting all possible password combinations is not worth leaving your system unprotected. Make sure your procedure to unlock is secure and as convenient as possible.
Separate administrative and user passwords:
System and network administrators are among the most powerful people in your organization. They have access to your organization’s most valuable information and treasured resources.
Make it your policy that they must use separate passwords for their system and network administration duties from those they use for their standard user functions (such as email and office duties).
There have been several occurrences where bad actors launched spearphishing attacks directed at system administrators in an effort to expose or compromise their passwords.
Once the bad actor gained control of the system administrator’s system, they gained root access and had complete control over everything the administrator controlled.
In contrast, if the bad actor compromises the administrator’s standard user account, he has standard user access, which should minimize the potential for damage. When you separate the administrative and user accounts, you reduce your threat exposure.
Force password expiration:
Executives hate having to change their passwords every 90 days. Everybody does. Nonetheless, you need to do it as it is the right thing to do to protect your information.
Ensure your policy mandates password changes and enforce it. You’ll find many senior managers will attempt to get waivers and keep their passwords constant.
Hackers love that! Since they seek to compromise the “Big Fish,” presenting a static target like a password that doesn’t change often just makes the hacker’s job easier. Leaders ensure the policies apply to everyone, especially themselves, and enforce the policy across the organization.
Don’t recycle passwords:
Let’s see, it is October and we are in the fall quarter so we are going to reset our passwords to my usual autumnal passwords. Good idea, right?
Think again. Hackers like to bank passwords and one of the first things they do when trying to access your account is use passwords you’ve previously used to access your accounts.
Many organizations have adopted the best practice of not allowing previous passwords to be used again. Consider making it your policy not to accept any password that has been used in the past 10 passwords.
Avoid transmitting passwords via email:
This should be obvious, but it isn’t, as many organizations send passwords out via nonsecure email systems. If you have to send a password to someone by email, make it your policy that the next log-in forces a password reset by the individual.
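The “must-haves” above are concrete enough to encode. The following is an added example, not code from the original post, that models them for a single account store: a three-strike lockout, refusal of any of the last ten passwords, 90-day expiration, and a forced reset when a password was delivered by email. The account layout, the PBKDF2 hashing and the help-desk unlock step are assumptions; the numeric limits are the ones the text gives.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy parameters taken from the "must-haves" above.
MAX_FAILED_ATTEMPTS = 3                # "three strikes and you are out"
HISTORY_DEPTH = 10                     # refuse any of the last 10 passwords
MAX_PASSWORD_AGE = timedelta(days=90)  # forced expiration
PBKDF2_ROUNDS = 20_000                 # kept low for the demo; use far more in production


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so neither the store nor the history holds a recoverable password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    """Assumed account record; a real directory service would hold the same fields."""
    username: str
    salt: bytes = b""
    digest: bytes = b""
    changed_at: datetime = datetime.min
    history: list = field(default_factory=list)  # (salt, digest) of earlier passwords
    failed_attempts: int = 0
    locked: bool = False
    must_reset: bool = False                      # set when the password was sent by email


def set_password(acct: Account, new_password: str, now: datetime,
                 sent_by_email: bool = False) -> None:
    """Install a new password, refusing any of the last HISTORY_DEPTH passwords."""
    remembered = ([(acct.salt, acct.digest)] if acct.digest else []) + acct.history
    for salt, digest in remembered:
        if hmac.compare_digest(_digest(new_password, salt), digest):
            raise ValueError("password was used within the last %d passwords" % HISTORY_DEPTH)
    if acct.digest:
        # The current password joins the history; keep it plus the 9 before it (10 total).
        acct.history.insert(0, (acct.salt, acct.digest))
        del acct.history[HISTORY_DEPTH - 1:]
    acct.salt = os.urandom(16)
    acct.digest = _digest(new_password, acct.salt)
    acct.changed_at = now
    acct.failed_attempts = 0
    acct.must_reset = sent_by_email  # emailed password: the next log-in must change it


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Return the policy verdict: ok, bad_password, locked, expired or reset_required."""
    if acct.locked:
        return "locked"
    if not acct.digest or not hmac.compare_digest(_digest(password, acct.salt), acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True          # third strike: locked until the help desk unlocks
            return "locked"
        return "bad_password"
    acct.failed_attempts = 0            # a good log-in clears the strike counter
    if acct.must_reset:
        return "reset_required"         # password was emailed: force a change now
    if now - acct.changed_at > MAX_PASSWORD_AGE:
        return "expired"                # older than 90 days: force a change now
    return "ok"


def unlock(acct: Account) -> None:
    """Help-desk unlock; the identity check that precedes it is out of scope here."""
    acct.locked = False
    acct.failed_attempts = 0


def demo() -> dict:
    """Walk one constructed account through every rule and return the verdicts observed."""
    t0 = datetime(2019, 10, 1)
    acct = Account("alice")
    set_password(acct, "Autumn-Leaves-2019!", t0)
    out = {"good": authenticate(acct, "Autumn-Leaves-2019!", t0)}
    out["strikes"] = [authenticate(acct, "wrong", t0) for _ in range(3)]
    unlock(acct)
    out["after_unlock"] = authenticate(acct, "Autumn-Leaves-2019!", t0 + timedelta(days=30))
    out["aged"] = authenticate(acct, "Autumn-Leaves-2019!", t0 + timedelta(days=91))
    try:
        set_password(acct, "Autumn-Leaves-2019!", t0 + timedelta(days=91))
        out["recycle"] = "accepted"
    except ValueError:
        out["recycle"] = "rejected"
    set_password(acct, "Temp-From-Helpdesk-7", t0 + timedelta(days=91), sent_by_email=True)
    out["emailed"] = authenticate(acct, "Temp-From-Helpdesk-7", t0 + timedelta(days=91))
    return out


if __name__ == "__main__":
    for rule, verdict in demo().items():
        print(rule, "->", verdict)
```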
Don’t make things easy for hackers by allowing weak passwords. Your password policy should be one of the strongest and most enforced cybersecurity policies you have. It also can be one of the most difficult to gain support across the organization. Your leadership is essential.
Make sure your password policy follows best practices and everyone, including senior leadership, follows it throughout your organization. Finally, make sure you follow these same password best practices at home as well as in the office. Strong at work and strong at home keeps you strong all the time.
Technology Disposal Policy
What is your policy to deal with your old computers after you no longer need them? Some organizations merely do a simple disk wipe, if that, and then try to sell them. Be careful. That could be a recipe for disaster for you and/or your business.
Is this an isolated occurrence? Sadly, no. According to a six-month study conducted by Kessler International, a New York computer forensics firm, over 40% of the computer hard drives they bought on eBay were found to contain “personal, private and sensitive information—everything from corporate financial data to the Web-surfing history and downloads of a man with a foot fetish.”
Of the information retrieved by Kessler International, researchers found personal and confidential documents, including financial information, emails, photos, corporate documents, Web browsing histories, DNS server information, and other miscellaneous data.
What happened to your last home computer? Who’s using it now and what personal information of yours might they have access to? What about your last work computer? Is there anything valuable on that drive?
Can you wipe hard drives sufficiently to erase information permanently so that it cannot be retrieved by the next owner of your computer (who could be overseas!)? Some people believe that using industrial-strength tools that delete your files and overwrite them at least seven times is sufficient. These tools often are freely available on the Internet.
Frankly, most of these tools are very effective in wiping drives and making information retrieval increasingly difficult to achieve, but not impossible. That’s why all of the tools are distributed without a warranty.
The only guaranteed way to prevent someone from retrieving your information from your old hard drives is to physically destroy them or degauss them.
What do we recommend you include in your technology disposal policy? While we remind the reader that every organization is unique and should tailor its policies to meet its organizational objectives, we have found that the following is a productive construct (model) to follow when developing your technology disposal policy:
1. Determine how you value information: This is critically important and governs your next steps. Consider placing your information into three categories:
Category 1: This is information that is most sensitive and cannot fall into unauthorized hands under any circumstances. Loss or exposure of such information may result in an existential event for you or your business.
Examples of this type of information may include your critical intellectual property and trade secrets; key financial information including account numbers and credentials; security information such as account names and stored passwords.
Many people also associate a certain monetary threshold to delineate what information falls into this category.
For example, a small business may determine that the loss or exposure of information valued in excess of US $250,000 may make it a category 1 event.
Category 2: This is information that is very sensitive and disclosure of which will cause significant harm to you or your business. Examples of this type of information may include business plans, architectures, designs, and confidential information.
PII frequently falls into this category, such as social security numbers. Using the monetary threshold example, the small business may determine that a potential information loss ranging from US $100,000 to US $250,000 would make this a category 2 event.
Category 3: This is information that is valuable yet its disclosure will not cause appreciable harm to you or your business.
Examples of this type of information would include routine correspondence, uncorrelated data, most photos and images, and replaceable or depreciated information.
From a monetary threshold perspective, it is valued by our exemplary small business as having a value of less than US $100,000.
2. Determine how to dispose of technology by category:
There are several ways to dispose of your old technology. Your policy should help your staff identify the methodology consistent with your corporate risk strategy. Continuing our example, consider the following construct (model) when determining how to dispose of your old technology:
Category 1: The IT staff will remove the hard drive from category 1 assets and destroy the hard drive through degaussing (magnets) or by physical destruction. Other media, such as thumb drives, containing category 1 material will be handled the same way.
Two-person control (i.e., someone to destroy the drive and someone to witness it) is required along with documentation certifying the drive’s destruction. All other components of the system may be salvaged for resale in accordance with the corporate disposal policy.
Category 2: The IT staff will use an “industrial strength” disk wiping program that meets the National Industrial Security Program Operating Manual (NISPOM) and DOD 5220.22-M standards.
The IT staff will execute the program on three separate occasions on the drive to ensure that all information is reasonably expected to be erased and irretrievable. Upon completion of the disk wiping and its certification, all components of the system may be salvaged for resale in accordance with the corporate disposal policy.
Category 3: The IT staff will use an “industrial strength” disk wiping program that meets the National Industrial Security Program Operating Manual (NISPOM) and DOD 5220.22-M standards.
The IT staff will execute the program on the drive to ensure that all information is reasonably expected to be erased and irretrievable. Upon completion of the disk wiping and its certification, all components of the system may be salvaged for resale in accordance with the corporate disposal policy.
3. Printers and copiers: Modern printers and copiers all have storage devices on them that retain information on items you’ve copied or printed. They must be sanitized prior to disposal.
In the event that your staff or a bonded consultant is not able to sanitize the device satisfactorily in accordance with the directions above, the device should be destroyed in accordance with this policy.
4. Determine who will dispose of the technology:
IT departments are not very good when it comes to getting a good return on your dollar in selling your excess technology. They are usually very busy just keeping up with the technology on hand, let alone disposing of the older stuff.
That’s why it is important that you have someone else in your organization responsible to dispose of it.
Whether it is someone in your financial department or your logistics department (which we prefer), make sure they are equipped with the requisite training and equipment to quickly check the outgoing devices to ensure that all your information is sanitized from all digital media (i.e., hard drives, thumb drives, even CDs still left in their drives!).
As with all your other policies, clearly state the consequences of not complying with this policy. Typically, noncompliance with this policy will be met with sanctions up to and including termination.
Your technology has value even when you no longer have a need for it. Monitors, computers, servers, network devices, peripherals, and printers all have value.
It may be worth your effort to sell these items to someone who has a need for them but ensure that your organization has the right policy and controls in place to prevent your valued information from heading out the door with your obsolete technology.
Another method for transferring usable equipment is to give sanitized equipment to employees in recognition for exemplary efforts or as holiday or bonus gifts.
Physical Security Policy
You may have the best boundary protection in the world for your information, but if you don’t have the right physical security controls, you may actually make it fairly easy for bad actors to obtain your information and exploit it to their advantage.
Ensuring your information is protected from physical attack is an important part of your cybersecurity risk management program.
Picture this scenario:
A maintenance worker arrives at your facility. This is not unusual, as you often hire third-party vendors to perform a variety of tasks including janitorial services, facility and equipment maintenance, and even restocking your snack bars.
The maintenance worker has what appears to be a printout of an email from one of your senior IT managers ordering that all computers be inspected for potentially faulty fans and random performance monitoring devices be installed on some machines.
Although that senior IT manager is on vacation, it appears to be legitimate. After all, your IT shop is very proactive to ensure that your IT systems always are available and he appears to have a legitimate work order.
The maintenance worker is uniformed in his company golf shirt and khaki pants, is extremely polite and professional, and even shows you several websites that indicate problems with the fans that cool the processors in the computers.
Several of the sites show how failed fans caused processors to overheat and computers to fail. You don’t need that headache. He explains that by inspecting the fans he can tell if the computer is at risk of catastrophic failure due to overheating.
The good news, he says, is that his company is a certified third-party vendor for the fan company and can replace them at no charge to your company. What do you do? What does your physical security policy say you should do?
Your policy should address visitor and contractor access and should guide you to deny entry and not give the maintenance worker access to your computer without you personally verifying through official channels that the maintenance worker is authorized to access your facility and your computer.
Think the scenario is far-fetched?
Regrettably, it isn’t. In fact, there are numerous incidents where bad actors brazenly have entered facilities with the intent to steal information.
In many instances, rather than attempt to break into your systems by hacking into your computer, they find it easier and more effective to just gain access to your home or office and steal your computer, return to their lair with the purloined equipment, and harvest the information from it at their leisure.
If you don’t have your computer appropriately protected with a strong password or other user authentication technique and have your data on your hard drive encrypted, your information is now in the crook’s hands.
A bank in England recently dodged a bullet when confronted by a scenario similar to the one detailed above. According to press reports, a man posing as a third-party maintenance worker entered Santander Bank’s branch in the Surrey Quays Shopping Centre and attempted to fit a monitoring device on the back of a computer in the bank.
The device was a small box that plugged into one of the USB ports on the back of the computer, much like you use to plug in a mouse or keyboard.
The box was equipped with a keyboard video monitoring device that would record what displayed on the monitor and transmit it to the bad actor’s control center, which could be in a car outside the facility or potentially in another country well beyond the reach of your law enforcement officials.
The alleged perpetrators were apprehended and reportedly no Santander information was exposed, but the threat of a physical attack to your information is acute.
How do you prevent criminals, auditors, or perhaps even your own employees from just walking up and stealing your information?
We suggest that the prescription starts with a comprehensive physical security policy that addresses such things as facility controls, visitor and contractor access, employee credentialing, equipment removal, and emergency procedures including evacuation.
Facility controls. If you are like most people, you lock up your valued possessions when they are unattended. Most people lock their houses when they leave for the day and many do at night when they are sleeping. You lock up “your stuff” to keep it out of the hands of those who don’t have your permission to use it.
Nowadays, many people put considerable thought and investment into protecting their assets. They install sophisticated sensors and alarms around their house to deter criminals and alert authorities when breaches occur.
The plain front door lock on its own is largely a thing of the past; deadbolts now augment it, providing an additional trusted layer of physical protection against intruders.
You want and need to feel secure in your home, and these measures are not only prudent investments but may be essential.
Once inside the sanctity of the protected space you call the office or home, what other physical security controls do you have? What is your policy? What rules have you established to control your domain and the information in it?
We have found there are several easy-to-implement rules you ought to include in your physical security policy that can better secure your home and office. While some may not apply to everyone, they are pretty good rules to follow and include in your policies:
Don’t put your valuables in plain sight for everyone to see:
Temptation is a mighty bad thing. Would you place a Rodin statue worth US $10 million in your living room window and leave for vacation? Would you leave confidential information on your desk and leave for lunch? Your information has value. Protect it and limit its exposure.
Mandatory Access Control:
Mandatory Access Control secures information by assigning sensitivity labels to information and comparing this to the level of sensitivity at which a user is operating.
It ensures the enforcement of organizational security policy without having to rely on voluntary compliance by application users. This frequently is used in systems such as in government where you have mandatory segregation of information such as Top Secret, Secret, Confidential, and unclassified information.
We recommend that as you create the information you determine who can use it, view it, modify it, or delete it. If those privileges are assigned to people performing certain roles, such as your internal auditors, implement a role-based access construct.
If your scheme calls for all personnel in a group to have access, such as the HR department having access to personnel records, then implement a discretionary access control system. Finally, if you require tight controls over information, invest in a mandatory access control construct where the threat of human error is minimized.
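As an added example (not code from the original post), here is the label comparison the section describes, implemented for the four levels it names. The read and write rules used are the Bell-LaPadula “no read up / no write down” properties, and the security-officer role that alone may relabel a document is an assumption, not something the page specifies; the contrast with discretionary control is that a document’s owner gets no say in the decision.

```python
from enum import IntEnum


class Level(IntEnum):
    """The sensitivity labels named in the text, least to most sensitive."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def parse_level(name: str) -> Level:
    """Accept labels as written in policy text, e.g. 'Top Secret' or 'unclassified'."""
    return Level[name.strip().upper().replace(" ", "_")]


def can_read(clearance: Level, label: Level) -> bool:
    """No read up: a user may view only information at or below their clearance."""
    return clearance >= label


def can_write(clearance: Level, label: Level) -> bool:
    """No write down: a user may not place what they know into a less sensitive file.
    (Writing up into a more sensitive file is permitted by this rule.)"""
    return clearance <= label


class LabeledStore:
    """Documents carry a sensitivity label; access is decided by the label rules
    above, never by the document's owner (that would be discretionary control)."""

    def __init__(self) -> None:
        self._docs = {}  # name -> (label, content)

    def create(self, clearance: Level, name: str, label: Level, content: str) -> None:
        if not can_write(clearance, label):
            raise PermissionError(f"{clearance.name} may not write at {label.name}")
        self._docs[name] = (label, content)

    def read(self, clearance: Level, name: str) -> str:
        label, content = self._docs[name]
        if not can_read(clearance, label):
            raise PermissionError(f"{clearance.name} may not read {label.name}")
        return content

    def modify(self, clearance: Level, name: str, content: str) -> None:
        label, _ = self._docs[name]
        if not can_write(clearance, label):
            raise PermissionError(f"{clearance.name} may not write at {label.name}")
        self._docs[name] = (label, content)

    def relabel(self, name: str, new_label: Level, security_officer: bool = False) -> None:
        """Labels change only through a designated security officer (assumed role)."""
        if not security_officer:
            raise PermissionError("labels are mandatory; only the security officer may change them")
        _, content = self._docs[name]
        self._docs[name] = (new_label, content)

    def label_of(self, name: str) -> Level:
        return self._docs[name][0]


def _attempt(action) -> bool:
    """Run one access attempt and report whether the policy allowed it."""
    try:
        action()
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Exercise the rules with constructed documents; returns allowed (True) / denied (False)."""
    store = LabeledStore()
    unc, conf, sec, top = Level.UNCLASSIFIED, Level.CONFIDENTIAL, Level.SECRET, Level.TOP_SECRET
    store.create(sec, "merger-plan", sec, "acquire Acme in Q3")   # constructed sample
    store.create(conf, "org-chart", conf, "HR reports to the CFO")  # constructed sample
    return {
        "secret_reads_confidential": _attempt(lambda: store.read(sec, "org-chart")),
        "confidential_reads_secret": _attempt(lambda: store.read(conf, "merger-plan")),
        "top_secret_reads_secret": _attempt(lambda: store.read(top, "merger-plan")),
        # a Secret user pasting Secret content into a Confidential file is write-down
        "secret_copies_into_confidential": _attempt(
            lambda: store.modify(sec, "org-chart", "acquire Acme in Q3")),
        "unclassified_appends_to_secret": _attempt(
            lambda: store.modify(unc, "merger-plan", "(blind write-up)")),
        "owner_relabels_to_unclassified": _attempt(lambda: store.relabel("merger-plan", unc)),
        "officer_relabels": _attempt(
            lambda: store.relabel("merger-plan", top, security_officer=True)),
        "label_after": store.label_of("merger-plan").name,
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(request, "->", allowed)
```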
Network Management Policy
The final “must-have” policy governs how you manage your network. Many organizations have come to the startling realization that their network is the circulatory system of their business and their fortunes rise and fall with the efficiency, effectiveness, and availability of the network and the information access it provides.
For nearly all businesses, denial of service means denial of income. You need a strong policy that ensures your network is professionally managed to deliver the capabilities and results your organization needs.
Some organizations publish network management policies that only apply to the IT staff. We believe this is a mistake. Your network is used by everyone on your team.
Everyone who has network access has a stake in the effective management of your network. Everyone needs to understand “the rules of the road” for your network. Therefore, we believe it is essential that your network management policy clearly states that it is applicable to everyone in your organization.
There are numerous best practices for network management that enhance business productivity, maintain network integrity, and preserve information security. We highly recommend that your policy include the following best-practice principles:
Deny all, permit by exception:
When you buy network devices such as firewalls, they may arrive out of the box configured to let everything through.
Hackers know this, and one of the first things they do is scan your system to see which ports and protocols (think of these as the gates or doors into your system) are open so they can gain access.
Your policy should only allow what you need to enter or leave your network. Make it your rule that you will deny all traffic except that which you specifically give permission.
Have procedures with management oversight that allow employees to request opening ports and protocols or visit websites to conduct official business.
Least privilege:
This principle is commonly applied in many organizations and is synonymous with “need to know.” Least privilege means that you only grant privileges at the minimal level required to do the job assigned.
You may ask why implementing the least privilege principle as part of your policy is a big deal. Let’s look at problems associated with administrator privileges on computers.
Many employees demand administrator privileges on their client computers so they can configure their environment to fit their style, troubleshoot their own systems, or install their own software.
Granting administrator rights to noncertified personnel is a dangerous practice and is not recommended. A significant risk vector from malicious software comes from giving users administrative rights on their client computers.
When a user or administrator logs on with administrative rights, any programs that they run, such as browsers, email clients, and instant messaging programs, also have administrative rights.
If these programs activate the malicious software, that malicious software can install itself, manipulate services such as antivirus programs, and even hide from the operating system.
It can run through your entire network in milliseconds. Users can run malicious software unintentionally and unknowingly, for example, by visiting a compromised website or by clicking a link in an email message.
Only grant privileges based on the legitimate need to perform the duties you’ve assigned. Direct the principle of least privilege as part of your network management policy.
Secure operating systems:
Using standard, security-focused guides to configure your operating systems is a best practice that can enhance your security and ensure your network is operating at optimum performance levels.
We recommend that your policy call for secure operating system configurations that only install what is needed and turn off all unnecessary services. This ensures your system is best configured to withstand attack, reduces your attack surface, and reduces what needs to be maintained.
Whether or not you consider yourself one, you are a computer operator. Your applications are what you and your employees operate every day. Your policy should include rules regarding applications and their security. Implement least privilege to reduce the effectiveness of attacks that execute with the privilege of the current user.
Ensure you have a means of performing input validation to ensure only the right information is input into your applications. This reduces your risk of attacks (e.g., SQL injection) from malformed data input. Test applications in a segregated test environment before putting them on the live network.
Install only what you need to reduce your attack surface. Ensure use of secure protocols and block everything you don’t need.
Use application “whitelisting,” which means that only applications you have approved are allowed to run on your network. Encrypt all data at rest to secure your information. Make sure your applications and data entry are as secure as possible.
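The input validation and SQL injection point above, as an added example that is not from the original text: the “before” lookup concatenates user input into the query, the “after” lookup validates the input and binds it as a parameter. The table, rows, and the malformed input are constructed for the demonstration and run against an in-memory SQLite database.

```python
"""Input validation plus parameterized queries against SQL injection.

Added example, not from the original text. All data is constructed and
the database is in-memory, so this runs offline.
"""
import re
import sqlite3

# Constructed sample data: a small contact table.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]

# Allow-list for the 'name' field: lowercase identifier, at most 32 chars.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def make_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """'Before' form: user input is spliced into the SQL text.

    Malformed input can change the meaning of the WHERE clause.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """Parameter binding alone: the driver treats the input as a literal,
    so a payload cannot alter the query structure."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def lookup_safe(conn, name):
    """'After' form: validate the input first, then bind it as a parameter.

    Two layers: the allow-list rejects anything that is not a plausible
    username, and binding protects even if validation is later loosened.
    """
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("rejected by input validation: %r" % name)
    return lookup_bound(conn, name)


def demo():
    """Run the three lookups against a classic malformed input.

    Returns (rows leaked by the vulnerable form, rows returned by the
    bound form, whether the safe form rejected the input, safe lookup
    of a legitimate name).
    """
    conn = make_db()
    malformed = "x' OR '1'='1"           # constructed malformed input
    leaked = lookup_vulnerable(conn, malformed)   # every row comes back
    bound = lookup_bound(conn, malformed)         # no row has that literal name
    try:
        lookup_safe(conn, malformed)
        rejected = False
    except ValueError:
        rejected = True
    return len(leaked), len(bound), rejected, lookup_safe(conn, "bob")


if __name__ == "__main__":
    print(demo())
```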
Ensure your policy includes rules directing the continual auditing and self-inspection of your network for vulnerabilities. Vigilance is the watchword when monitoring your network and its devices for vulnerabilities.
Your policy should call for vulnerability assessments on a regular basis, especially when new systems or applications are deployed or when the configuration changes. This ensures system vulnerabilities are detected and that systems are not placed into service with deficiencies that should be corrected.
Don’t let your network vulnerabilities hide in your IT organization! Your policy should direct a comprehensive vulnerability tracking and review process that is integrated into your corporate risk management process. Your policy should also call for the automated patching of software across your organization.
This is a best practice that not only decreases your exposure time to threats but also significantly reduces the cost of patching.
If you are not already doing automated patching and verification, we suggest you do a business case analysis to see if it is the best fit for your organization (it usually is).
If you aren’t scanning your network for vulnerabilities from the inside and outside, you are missing something that someone else will find and exploit. What they find may just put you out of business!
Clean Desk Policy.
Could the following situation happen in your organization?
In 2012, a New Orleans hospital janitor and his girlfriend pleaded guilty in federal court to charges involving the theft of information from the hospital where he worked.
According to the FBI, the janitor stole computer printouts containing confidential patient information such as names, social security numbers, dates of birth, phone numbers, home addresses, and other personal information that was intended to be shredded.
The hospital is covered by the Health Insurance Portability and Accountability Act (HIPAA) which protects patient information collected by a health care provider.
The janitor took the information to his girlfriend, who used the information to create online accounts with companies using the names of the hospital patients contained on the printouts.
Once the girlfriend had created the accounts, she ordered merchandise that she had shipped to her residence for her use and for others.
The girlfriend subsequently was sentenced to 27 months in prison, while the janitor received three years’ probation with a special condition of six months’ community confinement followed by six months’ home incarceration.
Could a janitor or other unauthorized individual steal hard copy records off of a desk or trash can in your organization? Could they use that information to potentially harm you, your business, or your clients?
What type of litigation would you face from those claiming damages due to the exposure of their personal information and how much would it cost you? What would happen to your brand reputation? How do you thwart such potential bad actors? You need a clean desk policy!
You and your organization need a clean desk policy that specifies that during periods when the desk is unattended, such as after work hours or during extended lunch breaks, all work papers, including sticky notes, notepads, and digital media (e.g., diskettes, thumb drives, SD cards, etc.) need to be cleared from the desktop and secured in locked drawers.
You may be wondering why a book on cybersecurity says you need a clean desk policy. It is because cybersecurity is about risk management and the papers on your desk contain valuable information that you don’t want to put at risk of theft, exposure, unauthorized access, tampering, or damage.
Clean desk policies help organizations comply with important information security regulations such as the ISO 27001/17999 standards, and legislation such as the Privacy Act and HIPAA.
In addition to presenting a positive and professional impression of the workplace, it also fosters and encourages the better organization of information, as employees deliberately have to manage all of their information.
This can pay off for you and your organization as employees are likely to be more efficient in retrieving paper documentation, will be more likely to use digital documentation rather than more expensive paper-based documents, and be less frustrated in searching for information. Besides, auditors love it too.
Your clean desk policy should include your computer monitors. Your policy should include logging off of the network and turning off monitors.
Many organizations push computer patches to workstations after normal work hours; so turning off the computers themselves may not be practical, but there is no reason why your computer monitors should not be blank and turned off to save precious power.
Clean desk policies should be short and unambiguous. Your policy should include items such as the following:
Always clear your desk before leaving your workspace for meetings, meals, and at the conclusion of your work day.
Always lock your computer using a password-protected screensaver when away from your desk during the workday.
Allocate time in your calendar to secure your paperwork properly.
If in doubt, throw it out. Because of the increasing number of incidents where valued information is harvested from dumpsters and recycling bins, your policy should dictate that all discarded paper must be shredded.
Consider scanning paper items and filing them electronically; incorporate the electronic files in accordance with your corporate information management plan, which may include “cloud storage.”
Lock your computer, desk, and filing cabinets at the end of the day and when you are away from your desk.
Log off your computer at the end of the day and turn off your monitor.
Lock away portable computing devices such as laptops, tablets, smartphones, or other mobile devices.
Treat mass storage devices such as CDROM, DVD, or USB drives as sensitive and secure them in a locked drawer.
Enforcement of the policy needs to be clear and unambiguous too. It doesn’t matter if you’ve written the best policy document in the world if you don’t enforce it. Walk through the workspaces of your employees to do spot checks.
When you see instances of noncompliance, use your chain of command to ensure that it is fixed, and follow up randomly and often. Follow the policy yourself. Be clear that violation of the policy will result in disciplinary actions up to potential termination.
Why would you deliberately let malware enter your network and poison your information if you could stop it?
The good news is that there are many network procedures and tools that can filter code that bears the tell-tale signatures of malicious code and stop it from entering (or exiting) your network.
Using such devices as proxy servers, you can filter mobile code such as ActiveX and Java scripting to provide a control mechanism to strip potentially malicious executable mobile content from entering your network. Your policy ought to include spam filtering as well to strip unwanted and potentially dangerous emails.
Many commercially available filters are increasingly sophisticated and can complement your efforts to thwart spearphishing by detecting and containing emails containing spearphishing markers.
Finally, make sure your policy calls for the use of antivirus software protection. Ensure procedures for the installation, use, monitoring, and updating of antivirus software, and threat signatures are a core component of your policy.
Does your IT staff monitor what traffic is on your network? Do you have an intrusion detection system in your facility? How about on your network? The best-run networks make an investment in intrusion detection and protection systems.
Many organizations find that monitoring network traffic through well-placed sensors (including the network devices themselves) can help them identify problems as they are occurring so that they can be appropriately addressed. They also can detect malicious activity.
For example, the ability to deploy threat-specific detection signatures that trigger immediate alarms when they detect traffic of interest is a key component of most intrusion detection systems. We recommend that your policy address how you will sense when “something’s not right” and what you will do about it.
Your network devices generate a lot of valuable information you may not even know exists. Nearly all devices create files that record what the device did so that administrators can review these “logs” as part of their maintenance procedures.
These are treasure troves of information that can be critical in performing threat and attack assessments. In fact, they have proven to be so valuable that hackers deliberately target them to erase any evidence they were in your system.
These “log files” are valuable and your policy should call for the transfer and storage of critical system logs to a centralized secure location with adequate back-up. It is important that you preserve these logs as official records as they often are requested by auditors and as part of legal discovery processes.
Failure to produce the log files may be viewed as a sign of “network malpractice,” deliberate malfeasance, or incompetence. Include centralized logging and positive control over log files as part of your network management policy.
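The point above about attackers erasing logs and the need for positive control over log files, as an added example that is not from the original text: each record forwarded to the central collector carries a SHA-256 over the previous record’s hash and its own content, so editing or deleting any line is detected when the collector verifies the chain. The events, hostnames, and timestamps are constructed.

```python
"""Tamper-evident log chain for centralized log storage.

Added example, not from the original text. The collector keeps the
chain (or at least its latest hash) off the originating device, so an
intruder who rewrites the device's local log cannot also rewrite the
chain without being detected. All sample events are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64   # hash value used before the first record


def _digest(prev_hash, record):
    """SHA-256 over the previous hash plus the canonical JSON of the record."""
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_record(chain, record):
    """Append a log record to the chain and return the new chain entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": dict(record), "prev": prev, "hash": _digest(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Walk the chain from the start.

    Returns (True, None) if every link is intact, otherwise
    (False, index) where index is the first entry that fails.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, None


# Constructed sample events, the kind a firewall might forward to a collector.
SAMPLE_EVENTS = [
    {"ts": "2019-03-01T08:00:01Z", "host": "fw1", "msg": "admin login from 10.0.0.5"},
    {"ts": "2019-03-01T08:00:07Z", "host": "fw1", "msg": "rule 42 modified"},
    {"ts": "2019-03-01T08:00:09Z", "host": "fw1", "msg": "admin logout"},
]


def build_sample_chain():
    """Build a chain from the constructed events."""
    chain = []
    for event in SAMPLE_EVENTS:
        append_record(chain, event)
    return chain


def demo_tamper():
    """Show that both editing and deleting a record are detected.

    Returns (intact_ok, (edit_ok, edit_index), (delete_ok, delete_index)).
    """
    intact = build_sample_chain()
    ok_intact, _ = verify_chain(intact)

    edited = build_sample_chain()
    edited[1]["record"]["msg"] = "routine health check"   # history rewritten
    ok_edit, bad_edit = verify_chain(edited)

    deleted = build_sample_chain()
    del deleted[1]                                        # line removed
    ok_del, bad_del = verify_chain(deleted)

    return ok_intact, (ok_edit, bad_edit), (ok_del, bad_del)


if __name__ == "__main__":
    print(demo_tamper())
```

A chain only proves integrity relative to its head, so the collector must store the latest hash somewhere the monitored device cannot write.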
Regularly conducting threat and incident analysis should be a keystone of your network management policy and should complement your overall risk management plan.
While your policy should call for continual monitoring by trained technical personnel, it should also call for the retrospective analysis of threats and incidents involving management to increase the organization’s effectiveness in responding to new and evolving threats.
We recommend your policy call for quarterly management level reviews of threats and incidents as well as minimum annual board level reviews of network threats and incidents.
Be Clear about Your Policies and Who Owns Them
Your policies govern your business and how it is run. Creation and enforcement of policies is an essential management function. Your cybersecurity policies are no different than any other policy in your organization.
Do not fall victim to the trap that because many cybersecurity issues involve highly complex technical concepts that they fall into the realm of the IT staff. If you believe this, you and your organization will fail.
Your organization’s cybersecurity policies are not owned by your IT staff. They belong to management and should enhance business while accepting appropriate levels of risk approved by senior levels of management using the established corporate risk management processes.
Users in organizations that defer all cybersecurity policies to their IT staff often report frustration with what they view to be an overly cautious and restrictive network environment that stifles the introduction of new and potentially highly productive capabilities, denies access to desired products and services, and presents a “Just Say No” attitude.
Meanwhile, in these same organizations, the beleaguered IT staff is frustrated as well.
Charged with defending the network and its information “against all enemies, foreign, and domestic” they are measured by management by how well they defend the network and its information, not necessarily by how effectively their network enables the organization to thrive, grow, and be profitable.
This is a management failure. Don’t punt your management responsibilities to the IT staff!
Your policies need to be well documented and coordinated through your general counsel. They should be easy to understand and complete. They may be the best policies the world has ever seen, but if your employees don’t read and follow them, they are worthless.
Therefore, we recommend that you insist that your employees read your policies and sign that they acknowledge and understand them.
Requiring employees to acknowledge receipt and sign an agreement that they understand the policy is an effective measure that protects the organization against certain liabilities and reinforces to the employee the need to pay attention to the policy.
A final discussion on policies regards your partners, prospective mergers, and possibly clients. Many of us have partnerships and other relationships where we share information to enhance our business posture.
When it comes to cybersecurity, the policies of your partners and those with whom you share information are very important and warrant your focused attention to ensure your information is well protected.
Make certain your partners and those with whom you share information have the right policies and procedures in place to adequately safeguard your information.
Before you make any commitments, ensure you clearly define your information management and security requirements. Perform the due diligence and exercise due care to ensure that your information is adequately managed and protected, even when it is in the care of your prospective partners.
Involve your general counsel throughout to ensure your surveys are complete and appropriate.
Review your prospective partner’s policies and procedures to make certain they provide the adequate controls necessary to meet your organization’s standards (you may find they exceed your standards or present a better way of doing things!).
In the event they do not meet your standards, ensure your management knows this and understands the implications so they may determine the next steps.
Policies complement your strategy and its plans. They are the business rules and guidelines of an organization that define consistency and compliance with the organization’s strategic direction.
Policies address what the policy is and its classification, specify who is responsible for the execution and enforcement of the policy, and articulate why the policy is required.
They are the “rules of the road” that all employees must follow and are congruent with your strategic vision, your mission, and your core values. With the right plans and policies in place, you and your organization are well postured to implement your plans with the tactical level procedures that convert your vision into reality.
Procedures to implement your cybersecurity plans
Procedures define the specific instructions necessary to perform a task or part of a process. They are tactical level instructions that can take the form of a work instruction, a desktop procedure, a quick reference guide, a checklist, or a more detailed procedure.
They detail who performs the procedure, what steps are performed, when the steps are performed, and how the procedure is performed.
Procedures to implement your cybersecurity plans and policies are critically important. They should be precise, clear, and reliably and consistently produce the desired results. Procedures must be consistent with your policies and directly support your plans and objectives.
As a manager, you are responsible to guarantee that your organization has the proper procedures to execute the tasks assigned by your plans. You are responsible to ensure that they effectively, efficiently, and securely produce the results your organization needs to succeed.
Because of the tactical nature of procedures, we will not delve deeply into them. However, there are numerous cybersecurity procedures you should be aware of and practice daily, both in the home and the office. Some of the more common include:
How to turn your computer on and off
Account creation and termination
Password creation and protection
Application use instructions
Use of the READ process when reviewing emails (Relevant, Expected, Authenticated, Digitally Signed)
How to file electronic records (e.g., emails and electronic documents)
How to back-up and recover files
Procedures to secure your workstation and office space during absences
Procedures such as these fall into a category that many people refer to as “basic cyber hygiene.” They become so ingrained in our psyche and behavioral patterns that they become second nature and seemingly obvious.
Following them almost becomes instinctive. At home you’d consider brushing your teeth, bathing, combing your hair, and putting on clean clothing before you leave home part of your daily hygiene ritual.
They are something everyone expects you to do and when they are not followed people notice—and not in a good way. Practicing basic cyber hygiene is something managers everywhere should practice and enforce throughout their organizations.
Do you follow your organization’s cybersecurity procedures? Do you enforce adherence to procedures? If you don’t, you are exposing you and your organization to risk and that may be a risk your shareholders don’t find acceptable. Do things right and follow procedures.
Does this describe you too?
The famous Notre Dame head football coach Knute Rockne supposedly said, “Practice makes perfect” yet Hall of Fame coach Vince Lombardi added, “Practice doesn’t make perfect.
Perfect practice makes perfect.” Whether you are maintaining your personal fitness level or your cybersecurity posture, you have to practice to achieve the level of perfection your organization and your shareholders expect.
Plans that sit on shelves just gather dust and are worthless. Regularly test them and your people to check proficiency and compliance!
Test your plans regularly. Plan for the worst and for the most likely and exercise those plans to gauge their effectiveness and the proficiency of your staff. Don’t tolerate noncompliance!
There will be those who do not take exercises and testing seriously and fail to follow plans and procedures. Be clear about accountability and enforce discipline in support of your plans and procedures.
LEGAL COMPLIANCE CONCERNS
We always have our general counsel review our plans, policies, and procedures. Not only do lawyers have trained eyes for details but also they are keen to find weaknesses in how messages are conveyed and can provide valuable assistance and advice on how to make your plans, policies, and procedures better.
If you don’t have your general counsel involved in developing your plans, policies, and procedures, you will not have the best products possible.
When creating your plans, policies, and procedures you should assign responsibility to your general counsel to ensure that you are compliant with all legal and regulatory requirements.
In addition to national laws and regulations, many states and municipalities have specific laws, regulations, and ordinances that may affect how you do business there. Your general counsel should help you to navigate through the wide variety of legal issues to keep you compliant and competitive.
In addition to the disclosure requirements identified in the Securities and Exchange Commission’s Corporate Finance Disclosure Guidance 2 (cybersecurity), there are several pieces of legislation that you ought to be aware of that affect your plans and procedures. They include:
The Sarbanes-Oxley (SOX) Act of 2002:
The SOX Act was created in the aftermath of several notorious corporate accounting and finance scandals and is intended to provide greater accounting and governance controls over publicly traded companies.
While SOX drives many IT compliance and security initiatives, its cyber security requirements are vague at best.
Nonetheless, to pass a SOX audit, your company must implement security best practices for any system that touches anything related to your financial reporting and accounting systems. Many general counsels will tell you that may include your entire network infrastructure, including your network log files.
The impact is that you cannot cut corners with your cybersecurity posture. Because SOX calls for executives and management to be held accountable, you should invest in best practices to protect your information, your business, and yourself.
HIPAA of 1996:
HIPAA was created to achieve three objectives: protect health insurance for individuals when they change or lose their jobs, protect the healthcare privacy for youths 12–18 (even from their parents), and provide for the security and privacy of healthcare records.
From a cybersecurity standpoint, the last objective is the most groundbreaking, as the Act requires a host of security requirements that drive significant investments to achieve compliance with the Act’s provisions.
For example, the Act specifies that all systems that possess Personal Health Information (PHI) must have intrusion protection systems. All PHI must be encrypted and the integrity of the data must be ensured.
When PHI data is exchanged between medical providers, two-way authentication is required to ensure information is exchanged only with trusted and authorized partners. There are significant documentation requirements under the act that have a cyber-security impact.
For example, all system documentation must be available for audits and include all configurations and system setting information (in writing!) Also, you must document all risk analysis and risk management programs that may be audited by regulators. HIPAA cybersecurity provisions are not inconsequential.
If you have or even think you may have PHI data on your systems (and your HR department may and not even know it), then you are well advised to have your general counsel and internal auditors perform a comprehensive review to determine your liability under this law. You may be surprised by the results and have to adjust your plans accordingly.
The Gramm–Leach–Bliley Act (GLB), also known as the Financial Services Modernization Act of 1999:
The GLBA set new laws regarding financial services. Like HIPAA, it established new rules and regulations regarding the privacy of financial information that have a significant cybersecurity impact.
The Act calls for systems containing nonpublic personal information (such as your name, account number, and balance) to have an information security plan, a thorough risk analysis, and demonstration of the ability to monitor and test the plan to ensure its effectiveness.
The intent is to protect the clients and their privacy. Is your organization the custodian of information protected under the GLB Act? If so, do you have sufficient cybersecurity controls in place to achieve compliance?
The Privacy Act of 1974:
The Privacy Act of 1974 defines what information is personally identifiable and governs the collection, maintenance, use, and dissemination of PII in federal information systems.
It is a groundbreaking piece of legislation that many states have adopted as well with some passing laws that direct the protection of PII on information systems operated and maintained by public and private organizations as well.
You likely have PII information either in your own HR department’s records, your pay system, or perhaps in your client records. Ask your general counsel to research what your responsibilities are regarding PII.
Where you do business and with whom (including state and federal governments) may drive cybersecurity costs above and beyond what you originally anticipated. Ensure that you have all the bases covered and perform your due diligence and due care regarding private information.
Don’t just take your CIO’s word that everything is under control; audit your organization.
In addition to traditional auditors, who check your compliance with rules, regulations, and your policies and procedures, there are other cybersecurity-specific auditing capabilities you ought to add to your methods to ensure you have an accurate and unbiased view of your current cybersecurity posture.
The first is to add Certified Information System Auditors (CISAs) to your staff. Individuals with this certification have passed a comprehensive examination, have demonstrated over five years of professional information systems auditing, control, or security experience, follow a code of ethics for information system auditors, maintain their proficiency through continuing professional education (a minimum of 20 hours per year and 120 hours every three years), and adhere to the Information Systems Auditing Standards maintained by ISACA.
Adding CISAs to your internal auditing team can present an in-house capability to provide a thorough analysis of your information systems and their ability to comply with plans, policies, procedures, and regulatory guidance.
ISACA, formerly known as the Information Systems Auditing and Control Association, is a professional organization that establishes and maintains cybersecurity-related professional certifications.
Another noted organization that certifies cybersecurity professionals is the International Information Systems Security Certification Consortium (ISC2), which maintains similar credentialing programs. Look for certification from one of these organizations when interviewing candidates for your cybersecurity positions.
A second capability is to hire independent Penetration Testers (aka Pen-testers) to attempt to penetrate your networks or specific information systems. Many organizations retain Pen-testers to deliberately test new capabilities and configurations by attempting to penetrate them.
Look for Pen-testers who maintain the Certified Ethical Hacker certification as they too have undergone a recognized disciplined process to achieve their skills and operate under an international code of ethics.
Pen-testers also ought to enter into a specific agreement with your organization that they will do no harm to your system or its information. Your general counsel should be part of every negotiation and contract involving Pen-testers to ensure that your organization’s best interests are preserved.
We recommend you run a penetration test annually or every time you have a major system upgrade or a new configuration.
A third capability is to hire multi-disciplinary “red teams.” These teams often include Pen-testers yet supplement them with other skilled professionals who evaluate other aspects of your security posture, including your physical security, corporate culture, communications security, administrative procedures, and contracting. They are sneaky and devious (on purpose) and often are very successful in finding problems.
We recommend you consider hiring a multi-disciplinary red team every couple of years or whenever you have a major change in personnel, policies, products, or information systems.
When you do hire them, we recommend they report directly to senior management such as the CRO, Chief Security Officer, Chief Operating Officer, or CEO.
When to audit is a decision involving the board of directors and senior executive management. We recommend you audit your organization at least annually, when you make major system or configuration changes, when you introduce new products or capabilities, and after major adverse events.