Success Plan of Company
One of the principal responsibilities of an executive is to plan and execute the activities that drive your company to success. You need a plan to execute your strategy.
Plans are designs or detailed proposals for accomplishing an anticipated operation. As an executive, you may not be the one writing the plans, but you are responsible to see that they are created, that they are done right, that they are executed well and, in the event they prove to be heading in the wrong direction, to steer the organization back to the right direction.
How detailed your plans are depends on the complexity of the desired operation and the experience of the subordinates who will execute it. It also is important to remember that your plan should evolve continuously to adapt to situations while guiding your subordinates throughout an operation. Such planning flexibility is critical in cybersecurity.
The measure of a great plan is not whether its execution transpires exactly as planned, but rather whether the plan produces the desired results in the face of unforeseen circumstances.
Policies complement plans.
They are the business rules and guidelines of an organization that ensure consistency and compliance with the organization’s strategic direction.
Policies tell you why you have the policy, its classification, and who is responsible for the execution and enforcement of the policy. They are the “rules of the road” that all employees must follow and are congruent with your strategic vision, your mission, and your core values.
Defining policies that govern cybersecurity best practices is essential to the health and well-being of your organization.
Having a plan is critical. How many times have you worked with or for people who don’t have a plan and fly by the seat of their pants? Were they successful? If they were, could they sustain that success? We submit that those who don’t have a plan are destined to “crash and burn” and often take others down with them. To paraphrase the Boy Scouts and Herb Kelleher, “Be prepared”; have a plan and do things!
Planning for Excellence
Plans are designs or detailed proposals for accomplishing anticipated operations. As an executive, you may not be the one writing the plans, but you are responsible to see that they are created, that they are done right, that they are executed well and, in the event they prove to be heading in the wrong direction, to steer the organization back to the right one.
They are the means by which you, the executive, envision the future, lay out creative and innovative ways to achieve it, and communicate to your subordinates your vision, your intent, decisions you’ve made, and the results you expect to achieve. Your plan answers these questions:
What will be done?
Who is responsible?
How will it be done?
What resources will be required?
How detailed your plans are depends upon the complexity of the desired operation and the experience of the subordinates who will execute it. Plans can be articulated in a very formal document or through an informal outline. Regardless of what format is used, great plans have common characteristics:
The intent of senior leadership and the purpose of the plan are made perfectly clear.
Relevant facts and assumptions are stated up front to provide context.
Great plans are simple and put into positive terms (i.e., “This is what we will do” rather than “We won’t do this.”)
Great plans also are precise and avoid ambiguous language or phrasing that can confuse their readers. They are brief and clear.
They are complete and contain all the information needed to execute the plan.
They show what will be done, who will do it, and when they will do it.
They synchronize activities to ensure there are no resource or organizational conflicts.
They are flexible and allow for adjustments to counter the unexpected and provide measures of progress.
They define timelines for getting things done.
There are plenty of plan formats and styles that are effective when tailored to the right task and organization. Some are based on the time-phased sequence of activities. Others are based on the fusion of different functions working in concert to achieve a common goal. Use what works for you and your organization! Remember, though, whatever format you choose, make it consistent throughout your organization. Consistency in format yields consistency in understanding, performance, and results.
Such planning flexibility is critical in cybersecurity. New IT products emerge on the market every week, and often their vulnerabilities are revealed shortly thereafter. As they age, venerable and trusted technologies become increasingly susceptible to penetration and exploitation.
Your plan needs to include provisions for preplanned improvements to keep you, your policies, your procedures, and (especially) your people hardened against the emerging cyber threats that inevitably will threaten you and your organization. The measure of a great plan is not whether execution of the plan transpires exactly as planned but rather whether the plan produces the desired results in the face of unforeseen circumstances.
POLICIES COMPLEMENT PLANS
Policies are the business rules and guidelines of an organization that ensure consistency and compliance with the organization’s strategic direction. Policies tell you why you have the policy, its classification, and who is responsible for the execution and enforcement of the policy. They are the “rules of the road” that all employees must follow and are congruent with your strategic vision, your mission, and your core values.
Does your organization have policies? Do you have a formal process to document them, educate and train your employees to understand and follow them, and modify them as required?
Are they simple to read, remember, and follow? Do your employees know where to find the policies when they need to refer to them for guidance? Are your policies consistent across the organization? Are they viewed as logical constructs that guide the business or roadblocks that impede progress? Do you have policies that address cybersecurity best practices?
Defining policies that govern cybersecurity best practices is essential to the health and well-being of your organization. Due to the complexity of the cyberspace environment and the tight coupling of IT with business processes, there are literally dozens of policies you can and perhaps should have that address best practice “rules of the road” to best protect your business and its information.
Regardless of whether you are an executive in a large multinational corporation with a wide variety of operating divisions and product lines or an executive in a small start-up business (or anything in between!), you need to define clearly the policies that direct your employees regarding what needs to be done to secure your business and its information.
Rather than detail all the possible permutations of policies available, we provide in Appendix A a list of recommended cybersecurity policies covering a wide range of subjects that you and your leadership team should review to see which ones fit your organization and its mission and subsequently should be defined and implemented.
While there are a plethora of potential cybersecurity policies, which ones are the “must-have” policies that every organization should have? We submit the following 15 policies that are the starting points to a great cybersecurity program and ought to be a part of every company’s policy collection.
Great Cybersecurity Policies for Everyone
No matter whether you are running a business, an organization, or even a household, you need to secure your information. The following policies can help protect you and your interests against cyber exploitation.
Acceptable Use Policy.
An acceptable use policy establishes rules that a user must agree to follow in order to be provided with access to a network or to the Internet. These policies have become common practice for many businesses, educational institutions, and government entities and require that all users physically sign an acceptable use policy before being granted network access.
Most acceptable use policies have some common attributes, requiring that the user agrees to adhere to specific guidance on what is acceptable use as well as clearly defined unacceptable use guidance. Sample attributes include the user agreeing to:
Not use the service to violate any law
Not use the service to attempt to violate the security of any computer network or user
Acknowledge that the provider retains ownership of the service and that the user has no reasonable expectation of privacy, since the provider will monitor usage
Only use the service for official uses specifically granted by the service provider
Report any attempt to break into their accounts
Protect their passwords and not grant access to unauthorized users
Adhere to the network owner’s security policies
Not use the service to send threatening messages, sexually explicit material, or otherwise unlawful materials or images
Not use the service to impersonate another individual
Not attack the service through malicious or irresponsible activity, including port scanning, spamming, and unauthorized network monitoring activities
Not introduce unauthorized software into the network or service (which could include malware!)
Not circumvent any of the provider’s security controls
Not install or download computer software, programs, or executable files contrary to policy
Accept that if they violate the policy and unlawful activity is suspected, their user information will be disclosed to law enforcement authorities in accordance with legal guidance
Accept that if they violate the policy, their access will be terminated
You probably have signed numerous acceptable use policies over the years and may not have even noticed. You often see them when you log in to a Wi-Fi connection at your favorite restaurant, coffee shop, hotel, and now even airplanes. Many people don’t even read them and just click the “Accept” or “Yes” button to access the service. We don’t.
We read them, not just for professional curiosity, but because after decades of business and government service, we abhor signing any agreement we haven’t read. When you agree to the acceptable use policy, you are entering into a conscious agreement (read that to mean a contract) between you and the vendor. Recall the character “Radar O’Reilly” on the movie and television show M*A*S*H and how he would tell his colonel just to sign the reports without reading them? Be careful and take the time to read your agreements. You never know what some folks will slip into them!
Likewise, carefully review the agreement your organization has with its employees (including you!). Make certain it covers what is important to you and your business. Sit down with your general counsel to ensure it is legally sufficient and clearly communicates your expectations and consequences if the policy is violated. Many businesses include in their acceptable use policy clear notification that violation of the policy will result in disciplinary action depending on the severity of the violation with sanctions up to and including termination of the employee.
Many companies and organizations have found that having a strong acceptable use policy is essential to maintaining good order and discipline in their workplace.
We have found the best acceptable use policies are created as a team effort by your business units and marketing professionals, general counsel, risk managers, cybersecurity professionals, and HR department. Your business units and marketing professionals can identify what capabilities and requirements are needed with your automated systems. Your general counsel can identify what behaviors and activities need to be avoided and can help establish guidelines for consequences.
Your cybersecurity professionals can identify the threats and vulnerabilities of proposed configurations, services, or capabilities. Your risk managers will identify acceptable levels of risk based on the corporate risk appetite, general counsel guidance, and technical risk factors. Your HR department contributes as well to ensure that any consequences proposed for employees who violate the policy are proportionate to the violation and its impact.
Finally, while a team may create your business or organization’s acceptable use policy, it is management’s responsibility to ensure it is correct, complete, coherent with the corporate vision and core values, and can be monitored and controlled. Regrettably, executives often do not even read their organization’s acceptable use policy. The policy is a management responsibility. Make sure you read and approve of your organization’s acceptable use policy.
Computer Ethics Policy.
Ethics are moral principles that guide an individual’s or group’s behavior. We believe it is important that you and your organization clearly state your policy regarding the ethical use of computers in your organization.
Some people will argue that you can embed your ethics into your acceptable use policy by identifying prohibited activities. While this is a valid argument, we believe it is shortsighted and dilutes the importance of clearly identifying your ethical posture in support of your core values. After all, ethics prepare you to do the right thing when confronted by questionable circumstances. As an organization with integrity, you want your employees to be the best postured to do the right thing, even in ambiguous situations.
Your Computer Ethics Policy should be a reflection of your corporate ethics and core values. They should clearly state what you believe and how your employees should act when using computer resources. The policy should be clear, succinct, and easy to remember.
The Computer Ethics Institute publishes what they call the “Ten Commandments of Computer Ethics.” We believe they are an outstanding starting point for you to create your computer ethics policy. We are including them here (in bold print) along with our commentary (in regular typeface) to show you how you can reinforce your company’s core values with clear statements of what ethical behavior is expected of you and your employees when using computer resources:
The Ten Commandments of Computer Ethics
1. Thou shalt not use a computer to harm other people.
Computers can hurt people if not used properly. For example, a malicious person could create a “logic bomb” that could destroy your data and information with devastating impact. Stealing, tampering with or destroying another person’s computer, smartphone, mobile device, or information is harmful and should be identified as clearly unacceptable behavior.
2. Thou shalt not interfere with other people’s computer work.
Have you heard the story about the employee who was working on a proposal with a short timeline, got up to go to lunch, and left his computer unlocked? If the company won the proposal, the employee was certain to be promoted. Unfortunately, another employee who was up for the same promotion saw his competitor (who should have been viewed as a teammate) leave the computer unlocked, went to the workstation, and deleted critical files.
Fortunately, another employee who practiced proper ethics witnessed the act, the files were recovered, and the unethical perpetrator was dismissed.
3. Thou shalt not snoop around in other people’s computer files.
Do you go to your neighbor’s house, open up their mailbox, and read their mail? Of course not! Then why would you want to read their emails? Sadly, some unethical people do just that. Locking computers, encrypting data, and setting strong access control procedures can help thwart unethical behavior, yet your policy should also clearly set boundaries on what information people should have access to.
4. Thou shalt not use a computer to steal.
Your information has value. Using a computer to break into a company’s accounts and transferring money or information to an unauthorized account is robbery. Don’t tolerate it, and if you discover an instance that you suspect is an example of computer theft, report it to law enforcement officials.
5. Thou shalt not use a computer to bear false witness.
Sadly, the Internet can be used to besmirch the reputation of individuals or organizations in seconds. Your good name or brand reputation can be ruined by false information. Once false information is published on the Internet, it is exceedingly difficult to correct and eradicate.
If you or one of your employees posts false or misleading information on the Internet, you expose yourself or your organization to expensive litigation, probable embarrassment, and ruining of your reputation. Ensure everyone is trained on appropriate communications and consequences. When you find an instance where your ethical standards have been violated, act decisively and quickly to remedy the situation.
6. Thou shalt not copy or use proprietary software for which you have not paid.
This is important and you need to pay attention to this in your company. With the advent of digital media, copyrighted material is now widespread. Music, pictures, videos, software programs, and digital books are all examples of intellectual property that are protected under the law as proprietary.
Your company can (and perhaps should) be sued if you host illegal copies of proprietary software on your network or its storage devices. The penalties can be severe including fines and damages. There are means to scan for some instances of illegal proprietary software, yet your best defense is a well-trained and ethical workforce.
7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
Despite best efforts to secure passwords, some people still write them down and expose them to compromise. The author had an experience where an unethical employee found the username and password of another employee and used them to access the other employee’s account. Once logged in using the other employee’s credentials, the unethical employee viewed files he was not authorized to access. Fortunately for the organization, he did not tamper with them.
He was discovered when the other employee tried logging in and could not gain access as the network was configured to only allow one access instance at a time. Quick work by the help desk and network administrators found that the unethical employee had logged in from his workstation using the credentials of the other employee.
A visit by his supervisor confirmed it. In this case, both employees were disciplined. The first for not properly securing their credentials and the unethical employee was dismissed for using the resources without authorization.
8. Thou shalt not appropriate other people’s intellectual output.
This is a lot like the sixth commandment regarding proprietary software. Software piracy is illegal and is theft of intellectual property. You expect your employees to protect your intellectual property and trade secrets. Your ethics program should reciprocate in protecting the rights of others as well.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
Tim Berners-Lee, the creator of the HyperText Mark-Up Language that launched the Internet, is quoted as saying, “The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect.”[18] Is your fancy web page usable by people with hearing or visual impairments? Have you ever thought about how those who have some form of physical impairment or challenge may be affected by how you display your information? What about the content of your information?
Because anyone with Internet access can access publicly exposed information, is the information you expose appropriate for all audiences? Frankly, there is a lot of information, imagery, video, and other items on the Internet the author finds morally reprehensible. Do you want your organization to be viewed as socially responsible in how it interacts on the Internet and internally? We hope so and recommend you include social responsibility in your computer ethics policy.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
This is reminiscent of the Golden Rule: “Do unto others as you would have them do unto you.” While it should go without saying that your organization’s computer ethics policy includes using the computer in ways that treat others with dignity and respect, it is appropriate and recommended to reinforce this commandment.
Training people on proper etiquette in information correspondence is important. For example, many people still do not realize that typing in all capital letters is considered SHOUTING and may be considered offensive.
Your ethics policy can have a powerful motivating effect on your employees. We seek ethical organizations to work for and with and are not alone in doing so. Your employees expect their organization to act in a responsible and ethical manner. So do your shareholders and potential investors as do your business partners and those with whom you have relationships. Nobody wants to work with or for somebody or something that is not ethical.
As an executive, ethics begins and ends with you. Your leadership sets the ethical environment that your employees, peers, partners, and prospective investors will scrutinize. If you do not follow ethical behavior when using computer resources, you will be discovered and will be held accountable, even if you are the boss. You must always ensure you maintain your integrity and practice and enforce your organization’s standards of ethical behavior.
It is important that your policy clearly states that it is applicable to everyone in the organization: directors, management, and employees. It also should clearly state that your organization has “zero tolerance” for unethical behavior and that any employee found to have violated the policy will be subject to disciplinary action up to and including termination.
It is easy to spell out how not following the policy will be dealt with, but it is important to continually promote ethical behavior when using computers and reward your employees. Many companies now include ethics as a performance measure for their employees.
Others have incorporated ethics into non-cash rewards programs, where demonstrated excellence in ethical behavior is rewarded with special recognition before their peers such as earning “rights” to the boss’s parking space for a week, a free lunch served by the executive team, a certificate or plaque, or even a paid day off.
The need for corporate ethics is strong.
An organization that conducts its business in an ethical manner engenders respect from within the organization as well as from outside. To nobody’s surprise, people prefer to work for an organization that promotes ethical behavior. As a result, those organizations enjoy high rates of employee retention. Likewise, consumers demonstrate brand loyalty to companies that exhibit a strong sense of corporate responsibility and stewardship.
Your computer ethics policy can give you a competitive edge in today’s contested marketplace. You’ll find that your computer ethics policy establishes your organization as placing a premium on “doing things right” with a clear sense of purpose and social responsibility. It can inspire powerful uses of technology to further your strategic vision while deterring inappropriate and wasteful activities as well. Your computer ethics policy is a great investment.
Password Protection Policy.
Passwords are the keys to your organization’s information. They arguably are the keys to your organization’s survival, your personal finances, your treasured family records, or (perhaps) even your identity. How good is your password? Are you willing to risk life as you know it on the strength of your password?
Password Best Practices
Try to make your password something you can and will remember.
Don’t store your password on a sticky note by your computer, in your wallet, or on your phone. Keep it as secure as the information it protects.
Don’t make your password easy to figure out (e.g., P@$$W0rd), your spouse’s or child’s name (e.g., M0mm@of2), or favorite sports team (e.g., $t33LeR$#1). Bad actors run password cracking programs that have thousands of passwords like these already stored in their tables. They also research you and can quickly find the names of your family members and figure out your favorite sports mascots.
Passwords of 14 characters or more are statistically most secure. Use the maximum strength password that your system will allow.
Never share your password with anyone.
Never reuse your username and/or password on other accounts.
Make sure your password has at least two uppercase letters, two lowercase letters, two special characters (e.g., @, #, $, %), and two numbers in it.
Avoid using typical character substitution (such as @ for ‘a’, ! or 1 for ‘l’, and 0 for O) in lieu of letters.
Change your passwords often. Change your passwords at least every quarter. Now, with automated reminders you can load in your phone, you have no excuse for forgetting to do it.
Passphrases are another form of passwords that many people use to create complex and lengthy passwords that are easier to remember than scrambled and difficult to remember passwords. For example, we prefer to create our password based on a song title, affirmation, or another phrase. We can remember the following phrase, “In 1979 Pittsburgh was the ‘City of Champions’ because the Steelers won the Super Bowl and the Pirates won the World Series.” We are able to use that phrase to give us the following password:
This password is statistically complex with a whopping 27 characters and meets the best practice objectives of a minimum of two uppercase and two lowercase letters, two numbers, and two special characters. Still think you can’t remember a long password? We bet you can when you use this technique.
When it comes to your password policy, in addition to the best practices we already identified, there are several other best practices you should incorporate into your policy:
Password Policy “Must-Haves”
Use a “three strikes and you are out” policy to lock accounts after successive unsuccessful log-in attempts. While an attacker can create a denial of service by deliberately creating three failed log-ins, the risk of a hacker cracking your password by repeatedly attempting all possible password combinations is not worth leaving your system unprotected. Make sure your procedure to unlock is secure and as convenient as possible.
Separate administrative and user passwords:
System and network administrators are among the most powerful people in your organization. They have access to your organization’s most valuable information and treasured resources. Make it your policy that they must use separate passwords for their system and network administration duties, different from those they use for their standard user functions (such as email and office duties). There have been several occurrences where bad actors launched spearphishing attacks directed at system administrators in an effort to expose or compromise their passwords.
Once the bad actor gained control of the system administrator’s system they gained root access and had complete control over everything the administrator controlled. In contrast, if the bad actor compromises the administrator’s standard user account, he has standard user access, which should minimize the potential for damage. When you separate the administrative and user accounts, you reduce your threat exposure.
Force password expiration:
Executives hate having to change their passwords every 90 days. Everybody does. Nonetheless, you need to do it as it is the right thing to do to protect your information. Ensure your policy mandates password changes and enforce it. You’ll find many senior managers will attempt to get waivers and keep their passwords constant.
Hackers love that! Since they seek to compromise the “Big Fish” presenting a static target like a password that doesn’t change often just makes the hacker’s job easier. Leaders ensure the policies apply to everyone, especially them, and enforce the policy across the organization.
Don’t recycle passwords:
Let’s see, it is October and we are in the fall quarter, so we are going to reset our passwords to my usual autumnal passwords. Good idea, right? Think again. Hackers like to bank passwords, and one of the first things they do when trying to access your account is use passwords you’ve previously used to access your accounts. Many organizations have adopted the best practice of not allowing previous passwords to be used again. Consider making it your policy not to accept any of a user’s previous 10 passwords.
Avoid transmitting passwords via email:
This should be obvious but isn’t as many organizations send their passwords out via nonsecure email systems. If you have to send a password to someone by email, make it your policy that the next log-in forces a password reset by the individual.
Don’t make things easy for hackers by allowing weak passwords. Your password policy should be one of the strongest and most enforced cybersecurity policies you have. It also can be one of the most difficult to gain support for across the organization. Your leadership is essential.
Make sure your password policy follows best practices and everyone, including senior leadership, follows it throughout your organization. Finally, make sure you follow these same password best practices at home as well as in the office. Strong at work and strong at home keeps you strong all the time.
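As an added example (not code from the book or its authors), the following Python enforces the password rules stated in this section: a 14-character minimum with at least two characters of each class, rejection of the typical letter substitutions, a history of the last 10 passwords, and lockout after three failed log-ins. The weak-password list, the substitution table, the hypothetical Account class and the sample passwords are all constructed for illustration; the hashing uses PBKDF2 from the standard library.

```python
"""Password policy enforcement following the rules listed in this section.
Added example, not the authors' code. WEAK_LIST, SUBSTITUTIONS and the Account
class are constructed for illustration."""
import hashlib
import hmac
import os
from collections import deque

MIN_LENGTH = 14        # "Passwords of 14 characters or more"
MIN_PER_CLASS = 2      # two uppercase, two lowercase, two digits, two specials
HISTORY_DEPTH = 10     # reject any of the previous 10 passwords
MAX_FAILURES = 3       # "three strikes and you are out"
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.?/")

# Constructed stand-in for a cracker's table of already-known passwords.
WEAK_LIST = {"password", "p@$$w0rd", "m0mm@of2", "$t33ler$#1"}

# Typical substitutions the section warns about, mapped back to the letter.
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "!": "l", "3": "e"})


def undo_substitutions(password: str) -> str:
    """Reverse common leetspeak so 'P@$$W0rd' is judged as 'password'."""
    return password.translate(SUBSTITUTIONS).lower()


def complexity_problems(password: str) -> list:
    """Return every rule the candidate violates; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    counts = {
        "uppercase": sum(c.isupper() for c in password),
        "lowercase": sum(c.islower() for c in password),
        "digit": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIALS for c in password),
    }
    for name, count in counts.items():
        if count < MIN_PER_CLASS:
            problems.append(f"fewer than {MIN_PER_CLASS} {name} characters")
    plain = undo_substitutions(password)
    if plain in WEAK_LIST or password.lower() in WEAK_LIST:
        problems.append("appears in the known-weak list")
    if plain != password.lower() and plain.isalpha():
        problems.append("digits and symbols are only substitutions for letters")
    return problems


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is drawn when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class Account:
    """Per-user state: current hash, password history and failed-login counter."""

    def __init__(self, username: str, initial_password: str):
        problems = complexity_problems(initial_password)
        if problems:
            raise ValueError(f"{username}: " + "; ".join(problems))
        self.username = username
        self.history = deque(maxlen=HISTORY_DEPTH)  # (salt, digest), newest last
        self.history.append(hash_password(initial_password))
        self.failed_logins = 0
        self.locked = False

    def _matches_history(self, password: str) -> bool:
        return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
                   for salt, digest in self.history)

    def change_password(self, new_password: str) -> list:
        """Apply complexity and history rules; store the hash only if all pass."""
        problems = complexity_problems(new_password)
        if self._matches_history(new_password):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if not problems:
            self.history.append(hash_password(new_password))
        return problems

    def login(self, password: str) -> bool:
        """Constant-time comparison against the current hash; lock after 3 misses."""
        if self.locked:
            return False
        salt, digest = self.history[-1]
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            self.failed_logins = 0
            return True
        self.failed_logins += 1
        if self.failed_logins >= MAX_FAILURES:
            self.locked = True
        return False

    def unlock(self) -> None:
        """The help-desk unlock step; the section says this path must itself be secured."""
        self.failed_logins = 0
        self.locked = False


if __name__ == "__main__":
    print(complexity_problems("P@$$W0rd"))          # rejected on several counts
    acct = Account("alice", "Steelers1979&Pirates1979!")
    print(acct.login("Steelers1979&Pirates1979!"))   # True
```

The lockout counter resets on a successful log-in and is only cleared otherwise by the explicit unlock step, which keeps the "three strikes" rule from being bypassed by interleaving guesses with legitimate sessions.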
Clean Desk Policy.
Could the following situation happen in your organization?
In 2012, a New Orleans hospital janitor and his girlfriend pleaded guilty in federal court involving the theft of information from the hospital where he worked. According to the FBI, the janitor stole computer printouts containing confidential patient information such as names, social security numbers, dates of birth, phone numbers, home addresses, and other personal information that was intended to be shredded.
The hospital is covered by the Health Insurance Portability and Accountability Act (HIPAA) which protects patient information collected by a health care provider. The janitor took the information to his girlfriend, who used the information to create online accounts with companies using the names of the hospital patients contained on the printouts.
Once the girlfriend had created the accounts, she ordered merchandise that she had shipped to her residence for her use and for others. The girlfriend subsequently was sentenced to 27 months in prison, while the janitor received three years’ probation with a special condition of six months’ community confinement followed by six months’ home incarceration.
Could a janitor or other unauthorized individual steal hard copy records off of a desk or trash can in your organization? Could they use that information to potentially harm you, your business, or your clients? What type of litigation would you face from those claiming damages due to the exposure of their personal information and how much would it cost you? What would happen to your brand reputation? How do you thwart such potential bad actors? You need a clean desk policy!
You and your organization need a clean desk policy that specifies that during periods when the desk is unattended, such as after work hours or during extended lunch breaks, all work papers, including sticky notes, notepads, and digital media (e.g., diskettes, thumb drives, SD cards, etc.) need to be cleared from the desktop and secured in locked drawers.
You may be wondering why a book on cybersecurity says you need a clean desk policy. It is because cybersecurity is about risk management and the papers on your desk contain valuable information that you don’t want to put at risk of theft, exposure, unauthorized access, tampering, or damage.
Clean desk policies help organizations comply with important information security regulations such as the ISO 27001/17999 standards, and legislation such as the Privacy Act and HIPAA. In addition to presenting a positive and professional impression of the workplace, it also fosters and encourages the better organization of information as employees deliberately have to manage all of their information.
This can pay off for you and your organization as employees are likely to be more efficient in retrieving paper documentation, will be more likely to use digital documentation rather than more expensive paper-based documents, and be less frustrated in searching for information. Besides, auditors love it too.
Your clean desk policy should include your computer monitors. Your policy should include logging off the network and turning off monitors. Many organizations push computer patches to workstations after normal work hours, so turning off the computers themselves may not be practical, but there is no reason why your computer monitors should not be blank and turned off to save precious power.
Clean desk policies should be short and unambiguous. Your policy should include such items as follows:
Always clear your desk before leaving your workspace for meetings, meals, and at the conclusion of your work day.
Always lock your computer using a password-protected screensaver when away from your desk during the workday.
Allocate time in your calendar to secure your paperwork properly.
If in doubt, throw it out. Because of the increasing number of incidents where valued information is harvested from dumpsters and recycling bins, your policy should dictate that all discarded paper must be shredded.
Consider scanning paper items and filing them electronically; incorporate the resulting electronic files in accordance with your corporate information management plan, which may include “cloud storage.”
Lock your computer, desk, and filing cabinets at the end of the day and when you are away from your desk.
Log off your computer at the end of the day and turn off your monitor.
Lock away portable computing devices such as laptops, tablets, smartphones, or other mobile devices.
Treat mass storage devices such as CDROM, DVD, or USB drives as sensitive and secure them in a locked drawer.
Enforcement of the policy needs to be clear and unambiguous too. It doesn’t matter if you’ve written the best policy document in the world if you don’t enforce it. Walk through the workspaces of your employees to do spot checks. When you see instances of noncompliance, use your chain of command to ensure that it is fixed and follow up randomly and often. Follow the policy yourself. Be clear that violation of the policy will result in disciplinary actions up to potential termination.
Use of the Internet Policy.
Do you have employees who violate copyright laws? Perhaps you do and don’t even know it. Perhaps they don’t know it themselves. Let’s say you have an employee who is building a briefing about innovation and wants to include the clip from the movie Apollo 13. They find a site hosted in Eastern Europe that has the clip, they download it and embed the file in their PowerPoint briefing. The briefing looks great and presents your organization’s message on innovation extremely well. Success! Right?
Wrong. The employee’s actions present two problems. First, movies, music, images, and other intellectual property are valuable commodities and you must obtain the rights from the actual owner to use them. Without appropriate rights and permissions to the digital content, your employee just broke the law and put you and your company at risk.
What’s the worst that can happen? Under federal law, if company computers were used in the commission of a crime, law enforcement officials can seize the computers as evidence. How long can you and your organization survive without its IT infrastructure?
Second, because the employee used your corporate computers to acquire copyrighted material, your company is liable and potentially exposed to a lawsuit from the party that legitimately owns the rights to the material. Third, many (if not most) sites that host bootleg or otherwise illegal media are known to have poisoned the files with embedded malware that surreptitiously installs backdoors and other malicious code on your system.
Not only may you be fighting criminal action or intellectual property lawsuits, but also you may be fighting with bad actors over control of your own network.
Downloading files from the Internet may not be your only problem. What happens to your organization’s productivity if employees misuse Internet resources? The author was the CIO of a large organization and noticed that network performance was dropping. Personnel were complaining about slow email delivery times and having to wait excessive amounts of time for web pages to load. The problem was creating serious productivity losses.
Analysis of metrics found that over 75% of web searches were landing at websites that specialized in sports. Further research indicated that over 80% of our available bandwidth was being used by bandwidth-intensive streaming video. It was apparent that our employees were using their Internet connections to stream their favorite games (and potentially movies) over the Internet to their desktops.
When the data was presented to the head of the organization and his directors, they ordered a policy to limit web-surfing and to block streaming video. Not surprisingly, productivity soared, network performance improved dramatically, and the boss and directors were delighted.
The Internet is a great tool that gives you and your employees access to the world’s information. You want to use it to enhance your operations, not hinder them. Your employees should be using it to their advantage and that of your business. You need a policy that addresses the appropriate use of the Internet in your organization.
What should your Internet use policy say? While every organization is different, there are several common items we believe are important to include in your policy:
Purpose: Tell your employees why you have an Internet use policy. Most companies remind their employees that access to the Internet is a privilege required for business, not a right. Do any of your employees need that kind of reminder?
Applicability: It applies to everybody.
It is important to remind your employees that the Internet can be a risky place, and sometimes is a haven for bad people with malevolent intent. Remind them not only about the risks presented by malicious code, but also risks presented by copyright violations and lack of productivity if access is misused. Some employees may be surprised by the obvious, so clearly state the threats using explicit examples of policy violations.
Tell your employees what Internet use is permitted. Examples include email, web access, and electronic data exchange (e.g., file transfer protocol used to exchange large files). Clearly state that use of the Internet is only for official business use. If you allow use for personal reasons (such as to receive emails from your children’s school), clearly spell out under what conditions you will allow your corporate resources to be used.
What’s not allowed:
This is a critical part of your policy. You need to define not only what is not allowed, but also why it is not allowed. Common examples of prohibited Internet use include:
Clearly state you will not tolerate illegal activity such as copyright infringement or child pornography. Such actions will result in severe disciplinary action including termination and notification to law enforcement officials.
Clearly state that you will not tolerate immoral activity such as using the Internet to view, acquire, or disseminate pornography or material which negatively represents race, creed, sexual orientation, or gender. You own the network and its liability.
Make sure your employees know that they are to focus on their work and the information they need to accomplish it. Using corporate resources to access unauthorized information not needed for the performance of their duties will subject the employee to disciplinary action.
Your information has great value. You need and want it treated right. Not using it for its designed purpose, disclosing it without authorization, or tampering with it will not be tolerated.
Make it clear that you will not tolerate the disclosure, exposure, or transmission of your organization’s intellectual property and trade secrets, including information considered confidential, proprietary or otherwise sensitive, without proper authorization. Identify what those approving authorities and controls are.
Clearly state that you will not tolerate the creation, posting, transmission, or voluntary receipt of any information that is considered threatening, harassing, offensive, hateful, libelous, or otherwise unlawful. You own all the information on your network. Make sure it is the type of information you want, need, and is relevant to your business.
Does your company endorse your competitors? Does it endorse organizations whose values conflict with your core values and interests? If you permit employees to embed hyperlinks to non-approved organizations or sites in their email correspondence or on the web pages of your corporate network, you may just be seen as endorsing that site and embracing all it stands for.
Similarly, because nearly all websites set “cookies” that identify users, even a visit by one of your employees to a website that contains controversial or offensive material may be considered a tacit endorsement of that site and its content. You need to control your partnerships. Be careful when writing public-facing copy and tightly control with whom you link using the Internet.
You could place this under the immoral activity, but we believe it deserves a special notation on its own in your policy. Any form of gambling needs to be specifically prohibited in your policy. There are numerous statistics that demonstrate that online gambling adversely affects business productivity and often leads employees to theft, embezzlement, and fraud as they seek additional resources to fritter away. Don’t be a statistic. Clearly prohibit gambling using your corporate resources.
Employee Internet Use Monitoring and Filtering Policy.
How do you ensure that your employees follow your Internet use policy?
Many employees are under the impression that they have the right to privacy while at work. They believe their emails are private communication protected under law. They believe they should have free and unfettered access to Internet resources.
Similarly, they believe that if they want to visit their Facebook, Twitter, or other social media site, they should be able to do so as long as it doesn’t interfere with their work duties. Moreover, these same employees often believe that they have a reasonable expectation of privacy when they use their work computer to do their personal email using a Gmail, Yahoo, Hotmail, or similar commercial web-based email service.
Are they right?
They could be if you don’t give them adequate formal notice that you monitor all Internet traffic entering or exiting the organization, that the employee has no reasonable expectation of privacy, and that you filter Internet traffic to block sites and protocols that you deem inappropriate and/or noncongruent with your business and its objectives. You need a policy that clearly defines the following:
Any information that is created or resides on your corporate network or its devices becomes the property of the organization.
The organization will monitor all communications, including emails, Internet web browsing, mobile devices, fax machines, and telephony, to ensure that employees use the services in a safe and responsible manner. The employee does not have a reasonable expectation of privacy when using corporate resources.
Such a policy can be controversial and the legal implications vary from state to state, country to country. Your general counsel should be part of the team that creates and scrutinizes your proposed policy before you make it official. The general counsel should be able to identify any weaknesses in your proposed policy’s language as well as identify areas you may have missed in your draft. We’ve had great success when we include our best legal minds early in the process.
Revealing that you monitor and filter Internet use is important. Some employees have challenged corporate policies on monitoring and filtering citing the Fourth Amendment’s prohibition against unreasonable searches and seizures. The courts have long held that employers indeed can monitor their employees’ use of the Internet and email provided that the employees are notified in advance that such monitoring is conducted. Once you’ve made the appropriate notification, such as in your Employee Internet Use and Monitoring Policy, the courts have ruled that the employee no longer can claim a reasonable expectation of privacy when using their employers’ computer systems.
Your policy should include the following:
Your policy establishes how you will monitor Internet use in your organization. The policy is intended to ensure employees use the Internet in a safe and responsible manner, and that employee web use can be appropriately monitored or reviewed.
As usual, it is applicable to everyone who uses your corporate network. This is crucial on legal grounds. Nobody who uses your corporate resources can be exempt from this policy. That includes directors, officers, management, employees, contractors, vendors, or even visitors. Everyone is subject to monitoring. Put it on your log-in screen to remind everyone of that fact.
Who will conduct monitoring:
Most companies use their IT department and automated tools to conduct their monitoring, although some out-source it to a third-party vendor. Regardless of who conducts your monitoring, clearly identify who will conduct the monitoring, what their charter is, and what they do with their findings. Actions based on the findings should be reserved for management and not delegated to the IT staff or proxies.
Reporting:
This is important as it specifies types of reporting, to whom, and when reporting will be accomplished. For example, when the author was the CIO of a large organization, we had a policy that stated we would provide continual Internet monitoring.
My staff used automated tools and could quickly prepare usage reports upon demand, although I found that quarterly reports were a good fit for our business rhythm. If the staff detected aberrations during the quarter, the policy called for them to bring it to my attention immediately for a management review. On more than one occasion, I took the findings to our board with a recommendation to change our policy due to emerging threats.
Record keeping:
This is important too. You want your employees to know that you are keeping records that clearly identify who did what, when they did it, and how they did it. This provides a powerful deterrent for those tempted to violate your acceptable use and Internet use policies. Your policy also should stipulate how long you retain your monitoring records.
The length of record retention depends on the type of organization you have. While many organizations retain monitoring records for up to 180 days, the author was in an organization that retained records for over seven years, which coincided with the period of a large and highly competitive contract. Select the record keeping duration that best fits your needs. Make sure it is a corporate decision involving your general counsel, not one delegated to the IT staff.
What will be filtered:
A security best practice is to “Deny All, Permit by Exception.” Using this technique, all Internet sites and protocols will be blocked except those specifically allowed by the organization. This is initially a painful policy to implement, yet extremely effective in reducing your threat exposure. Educating your workforce about it in advance is crucial and is key to its success.
Your policy must include the means for employees to request access to certain websites, services, and protocols and receive quick action (which can be measured via your metrics program). The following are typical things that are filtered by rule in most organizations:
Adult/sexually explicit material
Video gaming sites
Hacking websites
Chat and instant messaging
Anything dealing with illegal drugs
Intimate apparel and swimwear
Peer to peer file sharing
Personals and dating services
Social network services
Spam, phishing and fraud, and spyware
Tasteless and offensive content including violence, intolerance, and hate (aka dirty word search filtering)
How to change a filter rule:
This is an important item you need to address in your planning with procedures that provide quick and accurate results. For example, you may find that your business is considering acquiring a company in Africa that has access rights to strategic materials vital to a new manufacturing process.
The website for that company resides in an Internet address range that is currently blocked by your business because it previously was outside your market and is the home of some unsavory hackers. As a result of this emergent business relationship, you want the specific IP address for the company to be opened for use, as well as several other addresses that are known to belong to the company’s suppliers.
Enforcement:
As with all your other policies, clearly state the consequences of not complying with this policy. Typically, noncompliance with this policy will be met with sanctions up to and including termination.
Does your organization monitor its Internet usage?
If so, when was the last time you reviewed the data found? Here’s a tip that may lead to revealing information you may never see from your IT staff: ask to see how many attempts were made to reach sites or services you are blocking based on the rules above. You may be surprised by the results.
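As an added illustration of “Deny All, Permit by Exception,” the filter-rule change for a single address inside a blocked range described above, and the blocked-attempts report suggested here, the following is example code written for this chapter, not the book’s or any vendor’s product. The hostnames, the RFC 5737 documentation addresses, the log format and the log lines are all constructed for illustration.

```python
"""Deny-all / permit-by-exception web filter plus a blocked-attempt report.

Added example, not from the book. Hosts, addresses (RFC 5737 documentation
ranges), the log format and the log lines are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Categories the chapter says are typically filtered by rule, plus gambling
# (prohibited in the Internet use policy) and streaming video (blocked in the
# CIO anecdote). A request tagged with one of these is always denied.
BLOCKED_CATEGORIES = {
    "adult", "gaming", "hacking", "chat", "drugs", "apparel", "p2p",
    "dating", "social", "spam", "offensive", "gambling", "video",
}


@dataclass
class FilterPolicy:
    # Permit-by-exception: only these destinations are reachable.
    allowed_hosts: set[str] = field(default_factory=set)
    allowed_networks: list[ipaddress.IPv4Network] = field(default_factory=list)
    # Address ranges the business has blocked outright (e.g. outside its market).
    blocked_networks: list[ipaddress.IPv4Network] = field(default_factory=list)
    # Single addresses inside a blocked range opened for a business reason,
    # each recorded with the approver so the exception is auditable.
    exceptions: dict[str, str] = field(default_factory=dict)

    def add_exception(self, address: str, approver: str) -> None:
        """Change a filter rule: open exactly one address, never a whole range.
        Raises ValueError if the input is not a single IP address."""
        ip = ipaddress.ip_address(address)
        self.exceptions[str(ip)] = approver

    def decide(self, dest: str, category: str) -> tuple[str, str]:
        """Return ("ALLOW" | "DENY", reason) for a destination host or address."""
        if category in BLOCKED_CATEGORIES:
            return "DENY", f"category:{category}"
        if dest in self.allowed_hosts:
            return "ALLOW", "allowed host"
        try:
            ip = ipaddress.ip_address(dest)
        except ValueError:
            return "DENY", "default deny"  # unknown hostname: not on the list
        if str(ip) in self.exceptions:
            return "ALLOW", f"exception approved by {self.exceptions[str(ip)]}"
        if any(ip in net for net in self.blocked_networks):
            return "DENY", "blocked range"
        if any(ip in net for net in self.allowed_networks):
            return "ALLOW", "allowed network"
        return "DENY", "default deny"


def build_policy() -> FilterPolicy:
    policy = FilterPolicy(
        allowed_hosts={"crm.example.com", "mail.example.com"},
        allowed_networks=[ipaddress.ip_network("198.51.100.0/24")],
        blocked_networks=[ipaddress.ip_network("203.0.113.0/24")],
    )
    # The acquisition target's address (constructed) sits inside the blocked
    # range; open only that address, recorded against the approving manager.
    policy.add_exception("203.0.113.45", "CIO")
    return policy


# Constructed proxy log: "timestamp user destination category" per line.
SAMPLE_LOG = """\
2024-03-04T09:02:11 jsmith crm.example.com business
2024-03-04T09:03:40 jsmith 203.0.113.45 business
2024-03-04T09:05:02 kwong sportsstream.example.net video
2024-03-04T09:06:19 kwong 203.0.113.77 business
2024-03-04T09:07:55 jsmith poker.example.org gambling
2024-03-04T12:15:30 tlee socialsite.example.com social
2024-03-04T12:16:02 tlee torrents.example.net p2p
2024-03-04T13:40:10 kwong sportsstream.example.net video
"""


def parse_log(text: str) -> list[tuple[str, str, str, str]]:
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, user, dest, category = line.split()
            rows.append((ts, user, dest, category))
    return rows


def blocked_attempt_report(policy: FilterPolicy, rows) -> tuple[Counter, Counter]:
    """Count denied requests per reason and per user: the report the chapter
    suggests an executive ask the IT staff to produce."""
    by_reason: Counter = Counter()
    by_user: Counter = Counter()
    for _, user, dest, category in rows:
        verdict, reason = policy.decide(dest, category)
        if verdict == "DENY":
            by_reason[reason] += 1
            by_user[user] += 1
    return by_reason, by_user


if __name__ == "__main__":
    reasons, users = blocked_attempt_report(build_policy(), parse_log(SAMPLE_LOG))
    for reason, n in reasons.most_common():
        print(f"{n:3d} blocked  {reason}")
    for user, n in users.most_common():
        print(f"{n:3d} blocked  user={user}")
```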
You will be confronted by a situation where you have to discipline an employee for improper Internet use on corporate systems. Make sure your actions can hold up in court. Have a strong and unambiguous use monitoring policy. Clearly communicate it to your employees and have them acknowledge the policy in writing, whenever possible.
Technology Disposal Policy.
What is your policy to deal with your old computers after you no longer need them? Some organizations merely do a simple disk wipe, if that, and then try to sell them. Be careful. That could be a recipe for disaster for you and/or your business.
Is this an isolated occurrence? Sadly, no. According to a six-month study conducted by Kessler International, a New York computer forensics firm, over 40% of the computer hard drives they bought on eBay were found to contain “personal, private and sensitive information—everything from corporate financial data to the Web-surfing history and downloads of a man with a foot fetish.”
Of the information retrieved by Kessler International, researchers found personal and confidential documents, including financial information, emails, photos, corporate documents, Web browsing histories, DNS server information, and other miscellaneous data.
What happened to your last home computer? Who’s using it now and what personal information of yours might they have access to? What about your last work computer? Is there anything valuable on that drive?
Can you wipe hard drives sufficiently to erase information permanently so that it cannot be retrieved by the next owner of your computer (who could be overseas!)? Some people believe that using industrial strength tools that delete your files and overwrite them at least seven times is sufficient. These tools often are freely available on the Internet.
Frankly, most of these tools are very effective in wiping drives and making information retrieval increasingly difficult to achieve, but not impossible. That’s why all of the tools are distributed without a warranty. The only guaranteed way to prevent someone from retrieving your information from your old hard drives is to physically destroy or degauss them.
What do we recommend you include in your technology disposal policy? While we remind the reader that every organization is unique and should tailor its policies to meet its organizational objectives, we have found that the following is a productive construct (model) to follow when developing your technology disposal policy:
1. Determine how you value information: This is critically important and governs your next steps. Consider placing your information into three categories:
Category 1: This is information that is most sensitive and cannot fall into unauthorized hands under any circumstances. Loss or exposure of such information may result in an existential event for you or your business. Examples of this type of information may include your critical intellectual property and trade secrets; key financial information including account numbers and credentials; security information such as account names and stored passwords. Many people also associate a certain monetary threshold to delineate what information falls into this category.
For example, a small business may determine that the loss or exposure of information valued in excess of US $250,000 may make it a category 1 event.
Category 2: This is information that is very sensitive and disclosure of which will cause significant harm to you or your business. Examples of this type of information may include business plans, architectures, designs, and confidential information. PII, such as social security numbers, frequently falls into this category. Using the monetary threshold example, the small business may determine that a potential information loss ranging from US $100,000 to US $250,000 would make this a category 2 event.
Category 3: This is information that is valuable yet its disclosure will not cause appreciable harm to you or your business. Examples of this type of information would include routine correspondence, uncorrelated data, most photos and images, and replaceable or depreciated information. From a monetary threshold perspective, it is valued by our example small business as having a value of less than US $100,000.
2. Determine how to dispose of technology by category:
There are several ways to dispose of your old technology. Your policy should help your staff identify the methodology consistent with your corporate risk strategy. Continuing our example, consider the following construct (model) when determining how to dispose of your old technology:
Category 1 assets: The IT staff will remove the hard drive from category 1 assets and destroy the hard drive through degaussing (magnets) or by physical destruction. Other media, such as thumb drives, containing category 1 material will be handled the same way. Two-person control (i.e., someone to destroy the drive and someone to witness it) is required along with documentation certifying the drive’s destruction. All other components of the system may be salvaged for resale in accordance with the corporate disposal policy.
Category 2 assets: The IT staff will use an “industrial strength” disk wiping program that meets the National Industrial Security Program Operating Manual (NISPOM) and DOD 5220.22-M standards. The IT staff will execute the program on three separate occasions on the drive to ensure that all information is reasonably expected to be erased and irretrievable. Upon completion of the disk wiping and its certification, all components of the system may be salvaged for resale in accordance with the corporate disposal policy.
Category 3 assets: The IT staff will use an “industrial strength” disk wiping program that meets the National Industrial Security Program Operating Manual (NISPOM) and DOD 5220.22-M standards. The IT staff will execute the program on the drive to ensure that all information is reasonably expected to be erased and irretrievable. Upon completion of the disk wiping and its certification, all components of the system may be salvaged for resale in accordance with the corporate disposal policy.
3. Printers and copiers: Modern printers and copiers all have storage devices on them that retain information on items you’ve copied or printed. They must be sanitized prior to disposal. In the event that your staff or a bonded consultant is not able to sanitize the device satisfactorily in accordance with the directions above, the device should be destroyed in accordance with this policy.
4. Determine who will dispose of the technology:
IT departments are not very good when it comes to getting a good return on your dollar in selling your excess technology. They are usually very busy just keeping up with the technology on hand, let alone disposing of the older stuff. That’s why it is important that you have someone else in your organization responsible to dispose of it.
Whether it is someone in your financial department or your logistics department (which we prefer), make sure they are equipped with the requisite training and equipment to quickly check the outgoing devices to ensure that all your information is sanitized from all digital media (i.e., hard drives, thumb drives, even CDs still left in their drives!).
As with all your other policies, clearly state the consequences of not complying with this policy. Typically, noncompliance with this policy will be met with sanctions up to and including termination.
Your technology has value even when you no longer have a need for it. Monitors, computers, servers, network devices, peripherals, and printers all have value. It may be worth your effort to sell these items to someone who has a need for them but ensure that your organization has the right policy and controls in place to prevent your valued information from heading out the door with your obsolete technology.
Another method for transferring usable equipment is to give sanitized equipment to employees in recognition for exemplary efforts or as holiday or bonus gifts.
Physical Security Policy.
You may have the best boundary protection in the world for your information, but if you don’t have the right physical security controls, you may make it fairly easy for bad actors to gain and exploit your information to their advantage. Ensuring your information is protected from physical attack is an important part of your cybersecurity risk management program.
Picture this scenario:
A maintenance worker arrives at your facility. This is not unusual as you often hire third-party vendors to perform a variety of tasks including janitorial services, facility and equipment maintenance, and even restocking your snack bars. The maintenance worker has what appears to be a printout of an email from one of your senior IT managers ordering that all computers be inspected for potentially faulty fans and that random performance monitoring devices be installed on some machines.
Although that senior IT manager is on vacation, it appears to be legitimate. After all, your IT shop is very proactive to ensure that your IT systems always are available and he appears to have a legitimate work order. The maintenance worker is uniformed in his company golf shirt and khaki pants, is extremely polite and professional, and even shows you several websites that indicate problems with the fans that cool the processors in the computers.
Several of the sites show how failed fans caused processors to overheat and computers to fail. You don’t need that headache. He explains that by inspecting the fans he can tell if the computer is at risk of catastrophic failure due to overheating.
The good news, he says, is that his company is a certified third-party vendor for the fan company and can replace them at no charge to your company. What do you do? What does your physical security policy say you should do?
Your policy should address visitor and contractor access and should guide you to deny entry and not give the maintenance worker access to your computer without you personally verifying through official channels that the maintenance worker is authorized to access your facility and your computer.
Think the scenario is far-fetched?
Regrettably, it isn’t. In fact, there are numerous incidents where bad actors brazenly have entered facilities with the intent to steal information. In many instances, rather than attempt to break into your systems by hacking into your computer, they find it easier and more effective to just gain access to your home or office and steal your computer, return to their lair with the purloined equipment, and harvest the information from it at their leisure.
If you don’t have your computer appropriately protected with a strong password or other user authentication technique and have your data on your hard drive encrypted, your information is now in the crook’s hands.
A bank in England recently dodged a bullet when confronted by a scenario similar to the one detailed above. According to press reports, a man posing as a third-party maintenance worker entered Santander Bank’s branch in the Surrey Quays Shopping Centre and attempted to fit a monitoring device on the back of a computer in the bank.
The device was a small box that plugged into one of the USB ports on the back of the computer, much like you use to plug in a mouse or keyboard. The box was equipped with a keyboard video monitoring device that would record what displayed on the monitor and transmit it to the bad actor’s control center, which could be in a car outside the facility or potentially in another country well beyond the reach of your law enforcement officials. The alleged perpetrators were apprehended and reportedly no Santander information was exposed, but the threat of a physical attack to your information is acute.
How do you prevent criminals, auditors, or perhaps even your own employees from just walking up and stealing your information? We suggest that the prescription starts with a comprehensive physical security policy that addresses such things as facility controls, visitor and contractor access, employee credentialing, equipment removal, and emergency procedures including evacuation.
Facility controls. If you are like most people, you lock up your valued possessions when they are unattended. Most people lock their houses when they leave for the day and many do at night when they are sleeping. You lock up “your stuff” to keep it out of the hands of those who don’t have your permission to use it.
Nowadays, many people put considerable thought and investment into protecting their assets. They install sophisticated sensors and alarms around their house to deter criminals and alert authorities when breaches occur. The single front door lock largely is a thing of the past; deadbolts now augment it, providing an additional trusted layer of physical protection against intruders. You want to and need to feel secure in your home, and not only are these measures prudent investments to make but also they may be essential.
Once inside the sanctity of the protected space you call the office or home, what other physical security controls do you have? What is your policy? What rules have you established to control your domain and the information in it?
We have found there are several easy-to-implement rules you ought to include in your physical security policy that can better secure your home and office. While some may not apply to everyone, they are pretty good rules to follow and include in your policies:
Don’t put your valuables in plain sight for everyone to see:
Temptation is a mighty bad thing. Would you place a Rodin statue worth US $10 million in your living room window and leave for vacation? Would you leave confidential information on your desk and leave for lunch? Your information has value. Protect it and limit its exposure.
Lock up things not in use:
Your mom taught you to put your things away. Do as she said and secure your valuables when they aren’t in use. That goes for your valuable information too! Thumb drives, CDs, storage devices, and important papers all contain information that has value. My mom told me not to leave money lying around as my brothers would pick it up and spend it. She was right. Lock up your information when it is not in use, and when you have an asset of great value, invest in a big, steel, fire-proof safe.
Be vigilant and train your employees to be vigilant too. Things that are out of place ought to be investigated. For example, if you find a window, door, or other entry point unlocked that normally should be locked, notify authorities. If you see a desk is unattended and important papers are exposed or a computer is left unlocked and turned on, do something about it. Your policy should spell out what to do when you see something that is out of place or unusual.
Whenever we travel, my wife likes to check the room where we stayed before we leave to ensure we haven’t left anything behind. Then she insists I do the same in case she missed something. Having two people check important “can’t fail” items always is a good policy, especially when protecting your vital information.
Control who comes into your facility:
Do you freely permit strangers into your home? We don’t recommend it nor do we recommend you permit strangers into your workplace either. Control who enters your facilities and keep them under appropriate surveillance and control until they leave.
Check everything coming in and everything going out:
You may consider it important to check everything coming into your facility and everything going out. For example, if you are at the Centers for Disease Control, you want to make sure that all the samples coming in have the proper safety controls to prevent contamination and exposure and you definitely want proper safety controls on the way out as well!
Admittedly, it is not practical to check everyone in every facility, but for those facilities having very high-value information and operating in a high-risk profile environment, this type of policy is appropriate. Do you think that the U.S. Army regrets not implementing these types of controls at the facility where Private Bradley Manning worked?
Clutter is bad:
Not only does a cluttered workspace portray an unprofessional image, it makes it extremely difficult to manage and retrieve information. Despite the plaintive cries of those who revel in the joys of building nests of paper around them, allowing clutter to accumulate presents risk of theft, information loss, and decreased productivity. There are even some who would argue it presents a safety risk. Just like your language in church, you have to keep things clean. Articulate a clean desk policy throughout your organization.
Train everyone to know and follow the rules:
Ignorance is not bliss. In fact, ignorance is the leading cause of inadvertent information disclosure as well-intentioned employees allow important information to escape control. As an executive, you need to ensure that you have the right policies in place to support your strategy and plans and align the right talent to execute them. Make sure your employees know the rules and follow them!
Visitor and Contractor Access Controls. Your employees have varying levels of access to information in your organization, hopefully, based on their roles and need to know. But how about visitors and contractors? How do you control their access to information while they are in your facilities?
Having a visitor and contractor access control policy is essential to protect your information. Your employees should know what your rules are for handling visitors from the moment they arrive on your property until the moment they leave. Similarly, while contractors may be important contributors to your team, they remain employees of other firms and require special handling and consideration.
What is your policy for visitors and contractors?
Do you allow them to roam freely throughout your organization? Do you insist your visitors be escorted? How can you tell the difference between employees, visitors, and contractors? If someone picks up a piece of paper on a desk or sits down to a computer terminal, how do you know whether they are on your team or potentially working against you? What’s your policy?
We’ve worked in a variety of organizations ranging from areas that handled highly classified material all the way down to nonprofit activities. Despite the wide variance in security controls that we’ve encountered, there are several best practices that you should include in your visitor and contractor access control policy:
Designated parking for visitors:
Having designated parking spaces for your visitors not only is good form but also it makes good sense from a security standpoint. Providing parking in a controlled location permits your security personnel and greeting party to observe the activities of your visitors as they arrive. Include in your physical security policy provisions that will protect your facilities and personnel by placing bollards or barricades between your parking areas and facilities to provide protection from potential physical threats posed by vehicles and their cargo.
Greeting a visitor with a courteous reception should be part of every organization’s policy. If you want to “wow” a visitor, make it your policy to provide a professional and friendly reception, but don’t ignore the importance of security. Make it your policy to have your visitor sign in and your receptionist verify the visitor’s identity through hands-on inspection of a government-issued photo identification card such as a driver’s license.
Getting their contact information and assigning someone to follow up with them is always best. Finally, never let a visitor roam through your organization to meet with one of your employees. Always ensure that your employees meet the visitor in the reception area and escort them to the designated meeting location.
Many organizations include in their policy a requirement to have visitors sign a visitor agreement when they check in to the facility. These agreements often require the visitor to agree to security provisions such as that they will stay with their escort at all times, that they will display their visitor badge at all times, that they agree not to record or photograph in the facility, etc. Have your general counsel review any and all agreements, including your visitor agreement, before they are presented to ensure that they are suitable, appropriate, and complete.
Badging and identification:
Many organizations recognize that it is difficult to tell the difference between visitors, contractors, and employees. That’s why many make it their policy to issue visitors special name tags or other devices to show that they are visiting the organization. Many organizations use color-coding to make it easier to distinguish who’s who.
Typically, visitors requiring an escort are coded “red,” those who can have access unescorted to select areas are coded “yellow” (be cautious), and those who are fully cleared are coded “green.” Furthermore, often a second color (usually on the bottom half of the badge) identifies the person’s affiliation, for example, visitor—black; contractor—blue; and employee—white.
A best practice is to issue the special visitor badge in exchange for the visitor’s photo identification card, which will be returned upon check-out and the turn-in of the visitor badge. Where highly sensitive information is handled, many organizations make it a policy to have the escort announce that there are visitors in the area and to secure sensitive material. Other organizations add to that policy by illuminating flashing lights or other visible signals that indicate visitors are in the area.
The intent of these actions is not to embarrass the visitor but, rather, focus the workforce on their responsibilities to safeguard valued information. Nearly all visitors appreciate the disciplined approach to security and some even revel in the special attention they receive. Regarding contractors, providing special badging (see the color-coding discussion in the previous paragraph) to identify contractors is very appropriate and recommended.
We’ve often visited organizations for meetings where we couldn’t tell which attendee was a contractor and which was an employee. For clarity’s sake, we had to pointedly ask what roles the individuals were fulfilling. Some people believe that contractors are selected to join the team and therefore should be afforded the same privileges as full employees.
We disagree. While contractors almost always are highly valued teammates, they remain employees of other organizations and likely are not authorized to access the same level of information as your employees. Make your policy simple and provide special badging (as above) for visitors, contractors, and employees so that everyone can tell the difference and posture accordingly to protect your information.
The sensitivity and value of your information will dictate how you handle electronic devices in your workplace. In areas where highly sensitive or valuable information is handled, it is good policy to prohibit electronic devices such as cell phones, smart phones, music players, iPods, cameras, tablet computers, thumb drives, and other similar media—for everyone.
Be very careful to define your policy regarding what electronic devices you will allow visitors to bring into your workspaces. Many people forget that most phones have cameras built into them which can quickly and easily photograph unprotected information.
Likewise, smartphones can rest in one’s pocket unnoticed, recording or transmitting your conversations without your knowledge or permission. Regardless of the type of information in your organization, it is good policy to provide a secure locker in your reception area for your guests to leave their cell phones and other electronic devices while you are meeting with them. It also is good policy, and polite, to have your own devices silenced or turned off and appropriately stored during the meeting as well.
Emergency procedures including evacuation:
It should be your policy that in the event of an emergency, all sponsoring employees are responsible for the safe evacuation and accountability of their visitors. Your policy should designate a location for visitors and their escorts to meet during evacuations and emergencies.
It also should assign responsibility to a designated individual to account for all visitors using the visitor log maintained at the reception location. Make it clear in your policy and the visitor agreement that visitors will not leave the premises without properly checking out in accordance with your policy, even in times of emergency.
We believe that bidding your visitor farewell is as important as greeting them at your facility. Make sure your policy includes not only the exchange of credentials (i.e., the visitor returns their visitor badge in return for their identification card) but that they are asked how their visit was. Ensure too that the visitor is not leaving the facility with any unauthorized material, such as papers, thumb drives, or CDs. If a departure search is anticipated or is deemed necessary, then the visitor agreement should provide for this eventuality.
Network or System Access:
Contractors often are granted access to the networks of their host organization. In many cases, contractors actually operate the corporate networks serving in important functions such as the system administrators, network administrators, and help desk. Your policy should call for each contractor to adhere to all cybersecurity policies as do your employees.
From the acceptable use policy to the network management policy, contractors authorized to access and use your network in the performance of their contracted duties should follow your policies and be held accountable.
Your policy also should identify clearly that whoever in your organization sponsors the contractor (i.e., established the requirement for the contract) is responsible for monitoring and control of the contractor. This is critical. Failure to provide adequate positive control of contractors can result in information mishandling, breaches, disclosures, or worse.
Ensure that your policy clearly identifies your rules for network and system access and what permissions are authorized for contractors and visitors. Regarding visitors, a best practice is to establish a separate wireless network solely for visitors to access the Internet. Separate from your corporate network, this password-protected network provides your visitor the ability to access the Internet, yet insulates your critical information from unauthorized exposure.
Many organizations receive requests for tours or host them for clients. Your policy should identify who in your organization is responsible for tours, how they are to be managed and the security controls that will be implemented to ensure that your vital information is secured and protected. Best practices for tour management focus on having a plan for each and every tour that includes the following:
Purpose: Every tour has a purpose. Spell out what your objectives are for this tour.
Assignment of Responsibility: Be clear who will do what, when they will do it, and how success is measured.
Notification to Employees:
Ensure all employees know that there will be a tour, who will be visiting, what the purpose of the visit is, where it will be conducted, what areas it will visit, and what times the visitors will be there.
Security Instructions to Employees:
Clearly communicate to employees what their responsibilities are to ensure that safety protocols are taken to secure your information. For example, if visitors are in a particular area, you may instruct employees to remove all sensitive material and information from view prior to their arrival.
As with the other must-have policies we’ve identified, you need to spell out in your policy that failure to comply with this policy will result in disciplinary actions up to and including termination. Contractors and visitors should understand that violation of your security policies could subject them to legal action and criminal charges.
Your policy ought to include a caveat that holds the sponsoring employee responsible for the conduct of their visitor as well and clearly states that in the event that the visitor violates the policy the employee will be subject to disciplinary actions up to and including termination. Organizations with that caveat tend to have better control of their information, pay better attention to their visitors, and their sponsoring employees do a much better job in escorting their visitors.
Does your organization use badges or other means of identifying employees? Do you have uniforms (e.g., everyone in Target knows that the person wearing a red polo shirt and khaki slacks likely is an employee), name tags, or other identification? In today’s business environment, many companies include employee credentialing as part of the physical security posture and have specific policies governing employee credentialing.
Many companies use systems that combine an employee identification card with security controls to grant employees access only to the areas they have a need to enter. As an example, one of our clients has a manufacturing arm. They limit access to the manufacturing facility only to those employees who have a need to be there.
Administrative personnel and others who do not have a specific need to be in the manufacturing facility are denied access by the facility automated security card system, which is a standalone system not connected to the Internet. This is a good system and increasingly is becoming the norm for medium to large businesses.
Some of our friends in small business debate whether they need to invest in employee credentialing. In many instances, the answer is no. Depending on the size and type of your company, your business practices, and your security requirements, you may find there is no need to invest in credentialing. For those who do find they have a requirement to credential employees, here are several best practices to consider including in your security policy:
Make all employees sign an agreement approved by your general counsel detailing their responsibilities for their corporate credentials. They should be fully aware that credentialing identifies them as a representative of your organization, and that any misconduct by them will reflect unfavorably on the company. Tell them in no uncertain terms that you will react severely if they bring disgrace upon your organization.
Employees should display their credentials when they are in the workplace and carefully secure them when outside of the workplace. Wearing your employee credential in the parking lot or about town is an invitation for trouble. In fact, it is well known in the intelligence community that foreign intelligence sources look for individuals leaving sensitive facilities who continue to wear their employee credentials. These foreign agents would photograph the individual and craft false credentials using the photograph as a template. Industrial spies are no different.
Tail-gating on the highway is trouble and it is in sensitive facilities as well. If you have facilities that require badge access for everyone in the facility, make it your policy that everyone has to use their badge to enter the facility. Penetration testers routinely attempt to gain unauthorized access to facilities by entering right behind a legitimate employee while displaying (or not) falsified credentials. This tactic also is sometimes referred to as “drafting.”
Ensure your policy has provisions for employee termination. There are numerous examples of woes companies had when they failed to disable employee access to computer networks and facilities after the employee left the organization. Regardless of whether an employee resigns, retires, or is fired, you need to have a policy that immediately removes their access to corporate resources and disables their credentials upon termination. Your policy should assign specific responsibility to ensure that the credentials are disabled and physically collected (usually assigned to the HR department).
What is your policy for removing equipment from your facility? Do you have a policy that governs removing equipment from your facilities? During the course of his professional career, the author learned firsthand the importance of having an equipment removal policy and proper enforcement.
The employee operated the computer warehouse. As the depot and maintenance facility was slated for closure, he was responsible to receive all excess computers, wipe their hard drives with the approved software that would sanitize them of sensitive information, and process them for reallocation, salvage, or resale.
Working with our general counsel and law enforcement officials, we permitted police investigators to establish video surveillance in our warehouse where the employee was observed putting our computers in his car trunk. Police in surveillance vehicles then followed him home where they filmed him transferring the computers into his garage. Later, an undercover agent was able to purchase one of the computers leading to the employee’s arrest.
We pressed charges and, in accordance with our collective bargaining agreement, suspended him pending conviction. He pled guilty and received a suspended sentence and probation. That didn’t save his job, however, as we immediately terminated his employment.
Emergency Procedures Including Evacuation.
People are more valuable than your information. In times of crisis and emergency, your policy should safeguard people as your first priority. Nonetheless, you should establish policies and procedures that ensure that your vital information is secured in emergencies.
Regrettably, theft during emergencies and evacuations is not unusual. Criminals have long sought to loot unattended properties during the evacuation. Typical theft targets have usually centered on tangible property easy to “fence” or resell. Now, in our digital marketplace, information has taken its place next to cash, jewelry, and electronics on the thief’s wish list of items to steal.
While many companies recommend you pack up your sensitive information and computers during periods of evacuation and crisis, your policy should clearly identify your priorities in guiding employees to make the right decisions when confronted by crises. Remember that information can always be replaced. People cannot. Therefore, the safety of employees should always come first.
Electronic Mail Policy.
We presented some important information in the Acceptable Use, Internet Use, and Employee Use Monitoring and Filtering policies that highlight recommended policies that govern the appropriate use of Internet-based resources including electronic mail (aka email).
Unfortunately, some people believe that the use of the Internet applies only to using their browser for web navigation and that email is a separate function distinct from “Internet use.” Because a significant number of people fall into this category, we’ve found it important to reinforce the policies cited with a specific policy regarding email.
The purpose of your email policy is to preserve your organization’s professional image and brand reputation; moreover, it applies to every employee, including you!
Your email policy also helps to protect against threats. By making your staff aware of your rules regarding the proper handling of emails, you can reinforce your defenses against spear-phishing attacks, information breaches and disclosures, and other potentially dangerous threats. This will help to improve your compliance posture and reduce your liability.
For example, if an employee engages in misconduct involving your email system that violates your policy, the fact that you had taken steps to prevent inappropriate use may help to avoid legal liability and allow focus on the misconduct itself.
In your policy, clearly reinforce that the company owns any communication sent via email or that is stored on company equipment. You should state that corporate computer systems, including an email system, are provided for official use and that any other use must be approved in writing by management.
Even though it is stated in other policies, reiterate that management and authorized staff have the right to and will monitor email and other information on corporate resources and that the employee does not have a reasonable claim to privacy when using corporate resources. This is critically important in maintaining positive control over your corporate resources and is a legal best practice.
In addition to defining approved and prohibited use of email, your policy should include guidance on the personal use of the email system. You should be alert to the fact that personal use of your systems competes for corporate resources and clearly define what is acceptable and what is not.
Following best practice, reminding personnel that the email system is for official business and their emails will be monitored generally motivates employees to avoid the use of business email for personal use. Another best practice to include in this section of your policy is that any personal correspondence must be stored in a separate folder from work-related correspondence. This makes e-discovery easier and reinforces the distinction between official and personal use.
There are several other rules that your email policy should address that will improve your organization’s business functions. These are best practices that should be well-defined to support your operations:
Account creation and removal:
Define the rules about establishing accounts. Most organizations do not create accounts and permissions until the employee has completed all required training and in-processing through the HR department. Similarly, once an employee has retired, transferred, changed positions, or has been terminated, HR should be responsible to notify the IT department immediately to terminate access to corporate network assets including email.
Directories and personas:
Your policy should define the style of your screen name and what information will be shared in directories. For example, your policy may dictate that everyone in the company will use a first name.last name naming convention such as Abraham.Lincoln@ExecutiveMansion.Gov. Your policy also may define how your persona is displayed when shown in the receiver’s electronic inbox such as Abraham Lincoln, President.
The format of the email signature box also must be defined and should be consistent for all employees. Further, you may state that your organization will include names, titles, office symbols, desktop and mobile telephone and fax numbers, and electronic mail address in its directory. Your policy needs to be consistent across the organization, as ready access to this information increases the velocity and precision of your operations.
An important safety tip: consider avoiding publishing the desktop and mobile phone numbers of senior executives to all employees. As an alternative, provide the secretary’s number as the primary contact number. If the top brass wants their confidants to have access to their private numbers, they will control such access themselves (within the guidelines of corporate security).
Electronic mail forwarding:
Email forwarding is a leading cause of spam in organizations. It also is a leading cause of unauthorized information leakage. Use your policy to define what information can be forwarded. Deny by rule automatic forwarding of emails to accounts outside of your corporate domain. This means that any forwarding of electronic mails must be accomplished by the conscious decision of an employee rather than batch forwarding to accounts outside your control. This procedural “firebreak” better controls your information and protects it from inadvertent disclosure.
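One way to audit an Exchange Online tenant for the forwarding this rule prohibits, as an added example that is not from the book. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run with an account that can read mailbox settings and inbox rules; the domain list and the address-parsing pattern are my assumptions.

```powershell
# Added example (not from the book): list mailbox-level forwarding and inbox rules that send
# mail to addresses outside the corporate domains, i.e. the "batch forwarding to accounts
# outside your control" the policy forbids. Assumes Connect-ExchangeOnline is already done.

$CorporateDomains = @('example.com', 'corp.example.com')   # placeholders; use your own domains

function Test-ExternalAddress {
    param([string]$Address)
    # Forwarding targets appear in several shapes ("smtp:user@domain", "Name [SMTP:user@domain]"),
    # so pull out the first email address and compare its domain (assumption: one address per entry).
    if ($Address -match '([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+)') {
        $domain = $Matches[2].ToLower()
        foreach ($d in $CorporateDomains) {
            if ($domain -eq $d -or $domain.EndsWith(".$d")) { return $false }
        }
        return $true    # a domain you do not control
    }
    return $false       # not an SMTP address (e.g. an internal directory object); review by hand
}

$findings = @()

Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $mbx = $_

    # 1. Mailbox-level forwarding (set by an admin or by the user in their settings).
    $target = $mbx.ForwardingSmtpAddress
    if ($target -and (Test-ExternalAddress "$target")) {
        $findings += [pscustomobject]@{
            Mailbox   = $mbx.PrimarySmtpAddress; Source = 'MailboxForwarding'
            Rule      = '(mailbox setting)';     Target = "$target"
            KeepsCopy = $mbx.DeliverToMailboxAndForward
        }
    }

    # 2. Inbox rules that forward or redirect mail. A phished account is frequently configured
    #    this way so that correspondence leaves the organization without the owner noticing.
    Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue | ForEach-Object {
        $rule = $_
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -and (Test-ExternalAddress "$t")) {
                $findings += [pscustomobject]@{
                    Mailbox   = $mbx.PrimarySmtpAddress; Source = 'InboxRule'
                    Rule      = $rule.Name;              Target = "$t"
                    KeepsCopy = ($rule.RedirectTo -notcontains $t)   # redirect leaves no copy
                }
            }
        }
    }
}

$findings | Format-Table -AutoSize

# Tenant-wide "deny by rule": block automatic forwarding in the default outbound spam filter
# policy and for the default remote domain. Uncomment once the findings above have been reviewed.
# Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
# Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Run it periodically rather than once; rules created after the policy is published are the ones that matter most.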
Electronic mail retention:
The author had a boss who used to say, “the ‘E’ in ‘Email’ stands for ‘evidence’.” Perhaps he was right. If you fail to retain electronic correspondence properly, you may be putting you and your company at risk. Consult with your general counsel to determine appropriate requirements for the retention and storage of information, including electronic mail. Clearly identify those requirements in your electronic mail policy.
Removable Media Policy.
Do you want your employees to infect your network with viruses and other malicious code? Of course not. But nonetheless, many organizations continue to allow uncontrolled access to network devices by removable media such as thumb drives. Recall from our previous discussions on the Stuxnet case that the attack vector supposedly was through an infected thumb drive.
Removable media not only is a concern regarding infections but also of exfiltration of information. Recall the cases of Private Bradley Manning and Edward Snowden, who used removable media to steal sensitive corporate information to the great detriment of their employers. Can you afford such an information breach?
To control the threat of infection and information breaches, many companies create policies that dictate how removable media is used in their businesses. Given the threat environment, if you do not already have such a policy, publish one, educate your workforce, and implement it as soon as possible.
As with most policies that we mention in this section, there are two factors that drive the relative strength of your policy. The first is the value of the information you wish to protect. That should be gauged by the highest valued information resident on your network. In general, the higher the value of the information to be protected, the higher the level of control.
The second factor is your risk appetite.
If you determine that your business process controls; employee training, loyalty, and discipline; and network segmentation provide adequate mitigation of unauthorized information exfiltration, you may decide to accept the risk of permitting removable media on your networks.
Many organizations have determined that the risk is too high and disable all Universal Serial Bus (USB) ports on their network. For example, the US military famously took such an action in November 2008 in the aftermath of a significant virus infection traced to an infected thumb drive. This is not practical for many businesses but it is effective.
Network administrators can disable USB ports by policy across all devices on the network and only open them up under carefully controlled and monitored circumstances. This is a very effective security technique unless your network administrator is like Edward Snowden and violates the policy.
As a practical alternative to disabling all USB ports, many organizations have come to adopt a removable media policy that features the following attributes that have become recognized as best practices. Consider adopting the following rules as part of your removable media policy:
The organization will provide employees with removable media:
Controlling what media is used imparts effectiveness, efficiency, and security. By limiting the variety of removable media used in the organization, your network defenders can focus their efforts.
Your security professionals can procure the media, wipe it of any potential dangerous code, and configure it to meet your security specifications before labeling it and issuing it to employees. Protect your information by maintaining positive control over the media it is contained on, including that which can be removed and migrated.
Do not plug any media not provided by the organization into USB ports:
You shouldn’t trust removable media that your security personnel hasn’t checked out. Nonapproved media should not be allowed on your network. With the cost to clean up viruses and other infections continuing to rise, this simple rule makes good business sense.
Some devices can be configured to automatically execute their programs as soon as they are plugged into the USB port. This is very bad if the program is a RAT kit, worm, zombie file, or other malicious code. To thwart this threat, most networks disable the ability to automatically run files from inserted media (AutoRun). Common network management tools allow your network administrators to disable this capability across every device in your network. Include this rule in your policy.
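For both the port-disabling rule described earlier and the AutoRun rule just above, here is a way to check whether a Windows host actually enforces them. This is an added example, not from the book; it assumes an elevated PowerShell session, and in a domain these registry values are normally pushed by Group Policy, so the script audits the resulting state rather than replacing the GPO.

```powershell
# Added example (not from the book): audit, and optionally enforce, the registry state behind
# "disable USB storage" and "disable AutoRun". Run elevated. The checks and expected values
# are standard Windows policy settings; the wrapper function is my own.

$Checks = @(
    @{ Name     = 'USB mass storage driver disabled'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value    = 'Start'
       Expected = 4 },      # 4 = driver disabled, 3 = loaded on demand (storage devices work)
    @{ Name     = 'AutoRun disabled on all drive types'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoDriveTypeAutoRun'
       Expected = 0xFF },   # bit mask: every drive type, including removable and CD/DVD
    @{ Name     = 'autorun.inf entries never executed'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Value    = 'NoAutorun'
       Expected = 1 }
)

function Get-RemovableMediaCompliance {
    param([switch]$Enforce)
    foreach ($c in $Checks) {
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        $compliant = ($null -ne $actual) -and ($actual -eq $c.Expected)

        if (-not $compliant -and $Enforce) {
            # Create the policy key if it has never been set, then write the hardened value.
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
            $actual = $c.Expected
            $compliant = $true
        }

        [pscustomobject]@{
            Check     = $c.Name
            Actual    = $actual
            Expected  = $c.Expected
            Compliant = $compliant
        }
    }
}

# Audit only by default; add -Enforce to apply. Note that USBSTOR Start=4 blocks USB storage
# devices but not other USB classes (keyboards, mice, network adapters), and an existing
# device may keep working until it is unplugged or the host reboots.
Get-RemovableMediaCompliance | Format-Table -AutoSize
```

If a host reports Compliant = False while the Group Policy says otherwise, the policy is not reaching that machine, which is exactly the gap the removable media policy is meant to close.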
Automatically scan anything connected to USB ports:
Wouldn’t it be great if every time someone plugged a removable media device in a USB port that it would be scanned by the network for compliance before allowing its connection? Fortunately, there are products on the market that allow your network administrators to implement such a rule set. Make it policy and invest in this capability.
Provide a removable media screening capability:
How many times have you been to a conference or meeting where you received a thumb drive or disk containing information? If you are like us, you have lost count. How do you know that the media is clean and free of malicious code? You don’t.
In fact, you should follow the adage famously linked to Ronald Reagan: “trust but verify.”32 Create an off-line capability where employees can bring media received from outside sources to one of your security professionals who can perform a deep scan to ensure it is free of malicious code without putting your information at risk.
Upon clearance from your security team, you may consider allowing the media to connect to your network. This rule only works if you have the resources in place to provide this service quickly, so ensure that you address this through the lens of your risk management program.
Scan removable media that has been connected to non-organization sources:
Often your workforce, particularly sales and marketing personnel, will take their removable media to other locations and connect it to another computer. Many others may take removable media home and connect to their home computers to work at home.
To paraphrase virtually everyone’s mom, “you don’t know where that computer has been!” It could be infected with a nasty virus or comparable malicious code that could infect your removable media. When your employee plugs the newly infected media into your resources, that virus or malicious code now infects your network. Protect yourself, your business, and your valued information. Scan everything before allowing it on your network.
Train your workforce: Your workforce is your first line of defense when it comes to cybersecurity. Inculcating a culture of cybersecurity pays rich dividends. When your workforce recognizes and appreciates cybersecurity threats, vulnerabilities, and impacts they are more inclined to adhere to policies, enforce them, and not tolerate violations. Invest in educating and training your workforce as your investment will pay off in countless positive ways.
Remote Access Policy.
For years “road warriors” have traveled on business. After long days with clients, they return to their hotel rooms, connect to the hotel network, and remotely access your corporate network to deal with their electronic mail and access corporate information in preparation for the next day’s events.
Likewise, many employees would head home after a long day in the office, have supper with their families and, after getting the kids to bed, remotely access your corporate network to catch up on their electronic mail and get some additional work done in preparation for the next day. Remote access to your network has become a fact of life for many employees, including you.
Remote access policies have evolved over time and are very organization-specific.
Typical services addressed include electronic mail and file access. As you’ve been introduced to numerous cybersecurity principles in the context of risk management, now’s a good time to review your corporate remote access policy. Is it easy to understand? Is it written in a style directed at the remote user or toward the technician enabling the capability?
Your remote access policy should be written in a style that is easy to understand and is applicable to both the remote user as well as the technical team that will implement and maintain the technology that enables the capability. Your policy does not need to detail the technical procedures that underpin the implementation.
Those procedures are best documented in operating instructions maintained by your technical staff. Rather, your policy should focus on the broad rules needed to provide a useful capability to maximize the productivity of your workforce. Include the following best practice rules in your policy:
Tightly control who has remote access:
Not everyone needs remote access. Only grant remote access to your corporate resources to those who have a legitimate and vetted need. Make it clear that remote access to your corporate resources is solely for official business and is limited only to those who are specifically authorized to use the services.
Train those who have remote access:
“Road Warriors” and those who use remote access to your systems are more likely to expose your corporate resources to risks. As such, they need to have heightened awareness and understanding of risks and countermeasures. Make sure they are equipped to recognize risks, use the right tools and procedures to mitigate them in accordance with your policies and perform at the levels you expect.
Properly provision services:
While some companies only grant remote access through corporate-provided devices, most now allow access through corporate devices, home computers, or any Internet-connected device. This drives several security concerns. How do you ensure the person attempting access is a legitimate user and not a bad actor or imposter?
How do you know the remote device accessing your network isn’t infected with malicious code and will spread that infection when it connects to your network? Address through your policy what services you will provide, what security mechanisms will be employed, user responsibilities, and what rules you have regarding devices and procedures.
Use two-factor authentication access procedures whenever possible. As an example mentioned earlier, my bank allows me remote access to my online banking, but requires me to provide two forms of identification. First, I have my password, which I protect (something I know).
Second, I am provided a tool that generates a code specific to me which changes every 30 seconds (something I have). When I log in, I provide both the something I have and the something I know to verify my identity. This technique has become a best practice to ensure that only authorized users access systems.
Use anti-virus and anti-malware software:
Include in your policy a statement that all devices remotely connected to your corporate resources must be configured in accordance with your policies using approved antivirus and antimalware software. This includes home computers and mobile devices, which are an ever-increasing preferred method of remote access for today’s dynamic workforce.
Mobile Device Policy.
Most of our clients rightfully are very concerned about the security risks posed by mobile devices used by their employees. The risks presented by ubiquitous tablet computers (such as Nexus 7s, Surfaces, and iPads) and smartphones (such as Android, Windows, and iPhones) are plentiful and cause many executives to pause when deciding how to invest and incorporate them into their business process.
These executives are wise to consider threats posed by mobile devices. There are many publicly available hacking procedures available on the Internet that can show “wanna-be” hackers how to intrude into unprotected mobile devices. News reports of criminals exploiting mobile devices heighten awareness of the threats and anxiety over them. What should you do?
Make mobile devices a key part of your business strategy and figure out a way to use them effectively, efficiently, and securely.
Mobile devices greatly enable and improve the productivity of your business and workforce. They improve the productivity by enabling greater connectivity and information sharing, nearly anyplace and nearly any time. They provide access to the world’s information and resources in a way that was unfathomable 20 years ago. They are redefining the business environment and are increasing the velocity and precision of business. You need to leverage the power of mobile devices while preserving the effectiveness, efficiency, and security of your business processes.
You likely are hearing a lot about BYOD. BYOD stands for “Bring Your Own Device” and refers to being able to use whatever mobile device you have to do your business.
Some companies anguish over mobile device policies and immerse themselves in technical gibberish that distracts from what the policy should be doing: that is, defining the rules that make your business more effective, efficient, and secure. Some erect horribly restrictive and technically complex policies that make using mobile devices a chore not a mission enhancement.
Others argue that small businesses don’t need a mobile device policy because they don’t have a lot of devices and likely don’t have a lot of infrastructures. Nonsense! Everyone in your organization who uses mobile devices in the execution of their duties needs to know what your business rules are for using these devices. Don’t make things too complicated. Stay away from focusing on the technology and focus on the business impacts and risk when building your policy.
Regardless of the size or focus of your business, your mobile device policy should address common themes that govern how the devices will be used, how your information should be protected, and how your risk is managed. Here are some best practice areas to consider in creating your policy:
Which mobile devices will be supported? Only certain devices, or whatever the employee wants? We’ve found that organizations with traditional IT departments seem to default to a position where they will only support a designated set of devices. These organizations often can’t demonstrate the agility that their constituents desire, and when the newest device hits the market, it causes a collision between business functions and the IT staff that you inevitably are called in to referee.
This friction is a distraction you and your business don’t need. The organization needs to expect that technology will change and new products will emerge. Your policy should allow for accommodation of new technologies and be device agnostic.
Information and risk:
Your risk appetite will drive most of your decisions regarding your mobile device policy. Understanding your information and the risks to its potential exposure, disclosure, tampering, or destruction is essential. Questions to answer include: What is the sensitivity of the information being handled by the devices?
Is sensitive information stored on the device? Should you allow storage of information on the device? What is the impact if the device and its information fall under the control of unauthorized persons? What is the risk and how much does it cost if this information falls into the wrong hands? What is the likelihood that this will happen?
Depending on the information on the device, you may find there are regulatory controls that govern how you must protect that information. Those regulations may drive you to implement specific controls. For example, HIPAA requires native encryption on any device that holds data subject to the act.
That means you are required to use only devices that have the capability to encrypt files containing information covered under HIPAA. Your policy should address regulatory compliance requirements.
Your policy should clearly spell out your rules regarding acceptable use of mobile devices. Further, you should be equally clear in identifying prohibited activities. Your brand reputation may be compromised by those who misuse mobile devices. Ensure your policy spells out acceptable use and consequences for not following the policy.
Who pays for mobile device service? Will the organization pay for the data plan at all? Will you issue a monthly stipend or will you require the employee to submit expense reports? Who pays for these devices?
The answer to these questions depends on your corporate culture, its available resources and priorities, and even the duties of the employees. Some companies offer stipends to authorized mobile workers yet provide devices fully covered by corporate plans to those employees designated as “must-have” users. Your policy should define what your organization will pay for, how, and when.
Does your acceptable use policy apply to business conducted on mobile devices owned by your employees? What does your policy say regarding your rules for doing business on these devices? Can you monitor employee activity? If so, what are you monitoring and why? What privacy can the employee expect? What data is collected from the devices? Are your rules enforceable? Your policy should address the legal requirements you consider relevant to your mobile device users.
What corporate services and information can mobile device users access? Some businesses only offer electronic mail while others offer richer abilities, including access to office files and full user privileges. Other organizations are able to monitor the mobile devices remotely for troubleshooting and security purposes and push patches to keep them current.
Some even have the capability to remotely wipe or disable lost or stolen devices. The size, complexity, and resources available in your organization will drive what you can and cannot provide. Nonetheless, your policy should clearly state what services are provided.
There are a plethora of security questions your policy should answer. What are your policy’s security measures? Do you require all devices have password protection enabled? Do they need to have current antivirus software? If so, who is responsible to keep them updated? Do you require the device to automatically lock itself if it hasn’t been used in five minutes?
Do you require that any data on the device be encrypted? If so, what encryption software do you use, who manages the key, and how is it kept up to date? How do you back-up the data to ensure that it doesn’t get lost if the device is lost, stolen, or damaged? Is it your policy to configure the device to automatically wipe itself after ten failed login attempts?
If the device is lost or stolen, who is authorized to use tools to locate the device and/or remotely wipe it? How do you know who is using your devices and what they are doing? Do you care? How do you enforce your security requirements? Do you allow connection to commercial Wi-Fi? There also are several security best practices you should consider, such as directing employees to turn off Bluetooth and Wi-Fi when not in use, as these transmission capabilities expose the devices to potential threats.
Another best practice is to prohibit the use of public computers when conducting corporate business as some public computers are known to host keylogging software and other agents that can be used to compromise your defenses. The security section of your mobile device policy should be comprehensive yet easy-to-understand and easy-to-follow.
Your policy should address the care and maintenance of mobile devices. What happens if your device malfunctions or a mobile user has a problem? What happens if an employee forgets their password and is locked out of their device? Who does your employee call when they need help (especially in a hurry)? In an era where employees may provide their own mobile device, this presents special challenges for your workforce as well as your IT staff. Your policy should make it clear who is responsible for what capabilities.
Your policy should include clear rules regarding business processes used to support mobile device usage. As an example, who is authorized to have the organization provide for or subsidize mobile devices? What is the process to request such support and who approves it? Who budgets for mobile devices and pays the bills?
Who is responsible to validate the bill before it gets paid? If an employee is terminated, how and when are their mobile services terminated as well? How is your inventory managed and accounted for? How and when do you audit to ensure that your policies are properly followed? Your policy should detail the key business processes that make your mobile device usage a true business enhancement.
There are literally thousands of applications available that can be installed on mobile devices. What is your policy for installing applications on the devices? What applications are permitted and which are forbidden?
In a BYOD environment where your organization subsidizes employees, the lines of authority and ownership are blurred, so not only do you need to be clear about what your rules are but also you must be within your rights. Best practices for mobile devices owned by the organization call for managers to only install applications that are essential to conducting their business on the device.
Back-up and recovery:
In a BYOD mobile device environment, back-up and recovery increasingly is an employee responsibility. Be sure to spell out roles and responsibilities on how important corporate information is managed on mobile devices including its back-up and recovery.
Many organizations use cloud-based services to host information generated on mobile devices and through a combination of automated and manual processes ensure that such information is pushed from the mobile devices to the secured storage locations. Ensure that your policy addresses how information is backed up and remains recoverable.
Mobile devices are great tools that can help your business regardless of its size and composition. Whether you have corporate-issued mobile devices, bring your own, or have a combination of the two, it is important that your organization identify its mobile device rules to ensure you remain effective, efficient, and secure.
Software Policy. Do you know that September 19th is International Talk Like a Pirate Day?
Did you also know that software piracy costs the software industry about US $59 billion per year? According to the Software and Information Industry Association (SIIA), the unauthorized copying of personal computer software for use in the office or at home or sharing of software among friends is the most pervasive form of piracy encountered abroad and in the United States.
How much can illegally copying software cost you?
Consider the case of End Corp. as reported by SIIA. “John” was the head of a new division of End Corp., a small company with about 45 PCs. John was hired to reduce expenses for the company, so he decided to cut corners on his software licenses. John would only authorize the purchase of one copy of each software program. His rationale was, “we bought it, and we can do what we want to do with it.” John’s plan seemed to work until the day that one of his employees called the software publisher for technical support for the pirated software.
Software piracy is not confined to the office. James Baxter of Wichita Falls, Texas, recently was sentenced to 57 months in prison and ordered to pay restitution in excess of US $400,000 as the result of his pirating and resale of software from his home. amount of resources to acquire, operate and maintain software. Your organization needs a strong policy with teeth to effectively manage the software that fuels your business. You and your company need to clearly define your software policy.
Your software policy should be succinct. Its purpose is to define the rules for the effective and efficient management of one of your most valuable assets (software) while protecting you and your business from the illegal or inappropriate use of the software.
Your software policy should include the following attributes:
Your policy is applicable to all employees, contractors, and anyone else who has access to your network and its devices.
Assign responsibility for budgeting for all software. Normally, this is a function assigned to the CIO. CIOs will look for opportunities to reduce software costs through the purchase of enterprise licensing agreements, which generally are less expensive on a per-user basis than list costs. Centralized budgeting also provides better visibility of software costs, something every executive team appreciates.
Centrally manage your software buys instead of distributing them across your organization. In addition to economies of scale and better visibility into software costs, channeling all software buys through the CIO has proven to yield improvements in business processes as the CIO optimizes the flow of information across the organization.
Licensing and registration:
Your policy needs to state explicitly that all software will be appropriately licensed and registered. Be clear that your organization respects copyright laws and will not tolerate any illegal or inappropriate instances of software on your network or its devices.
Define standards for auditing compliance with licensing and registration and assign responsibilities to ensure that your policy is carried out. This is important as a recent study by the International Data Corporation found that the vast majority of pirated software contains hidden malicious code that opens your computers and networks to attack and exploitation.37
Issue specific guidance on how software will be installed on your network. Empower your CIO by assigning specific responsibility for the validation and approval of software to the CIO; no software is installed on your network or devices without the permission of the CIO.
Storage and documentation:
Master copies of your software licensing and registration materials, as well as software documentation, need to be maintained. Your policy should assign responsibilities to execute these tasks to a software licensing manager, who usually reports to the CIO.
Assign responsibility for the maintenance of the master software inventory to the CIO and provide the necessary resources that enable the CIO to execute these duties.
Normal procedure in today’s network environment is to conduct auditing by periodically scanning the network and devices and comparing the official inventory against the fielded software instances. If you have software fielded for which you do not have sufficient licenses (or no licenses at all), you have trouble.
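The comparison just described, an official inventory reconciled against what a scan actually finds, is straightforward to automate. The following is an added example and not the book’s or any vendor’s code: the inventory, the scan results, the product names, and the hostnames are all constructed for illustration, and a real run would read the inventory from the licensing manager’s records and the scan results from whatever discovery tool the organization uses.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class License:
    product: str
    seats: int        # installations the licensing agreement permits


@dataclass(frozen=True)
class Finding:
    product: str
    installed: int
    licensed: int
    status: str       # "ok", "over-deployed" or "unlicensed"


# Constructed official inventory, as the software licensing manager would keep it.
OFFICIAL_INVENTORY = [
    License("Office Suite Pro", 45),
    License("CAD Designer", 3),
    License("Endpoint AV", 60),
]

# Constructed scan output: one (hostname, product) pair per installation found.
SCAN_RESULTS = (
    [(f"ws-{n:02d}", "Office Suite Pro") for n in range(1, 46)]   # 45 installs on 45 seats
    + [(f"eng-{n:02d}", "CAD Designer") for n in range(1, 5)]     # 4 installs on 3 seats
    + [(f"ws-{n:02d}", "Endpoint AV") for n in range(1, 41)]      # 40 of 60 seats in use
    + [("ws-07", "Shareware Zip Tool")]                           # not in the inventory at all
)


def reconcile(inventory, scan):
    """Compare the official inventory with what the scan actually found.

    Every product appearing in either list gets a finding, so products the
    inventory does not know about surface as 'unlicensed' rather than being
    silently ignored."""
    licensed = {lic.product: lic.seats for lic in inventory}
    installed = Counter(product for _host, product in scan)
    findings = []
    for product in sorted(set(licensed) | set(installed)):
        n_inst, n_lic = installed.get(product, 0), licensed.get(product, 0)
        if product not in licensed:
            status = "unlicensed"
        elif n_inst > n_lic:
            status = "over-deployed"
        else:
            status = "ok"
        findings.append(Finding(product, n_inst, n_lic, status))
    return findings


def hosts_running(product, scan):
    """Which machines to visit to remove, or buy a seat for, a flagged product."""
    return sorted(host for host, p in scan if p == product)


def trouble(findings):
    """Only the findings that need action, for the CIO's report."""
    return [f for f in findings if f.status != "ok"]


if __name__ == "__main__":
    for f in reconcile(OFFICIAL_INVENTORY, SCAN_RESULTS):
        print(f"{f.product:20} installed={f.installed:3} licensed={f.licensed:3} {f.status}")
    for f in trouble(reconcile(OFFICIAL_INVENTORY, SCAN_RESULTS)):
        print(f"  {f.product}: {hosts_running(f.product, SCAN_RESULTS)}")
```

Run on the constructed data, the report flags CAD Designer as over-deployed (four installs against three seats) and the zip tool on ws-07 as unlicensed; the 20 unused Endpoint AV seats are visible in the same output, which is the cost-visibility benefit of a central inventory mentioned earlier.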
You can only upgrade what you own rights to. Include in your policy a statement that your organization will upgrade software through a deliberate process managed by the CIO but controlled through the corporate decision-making process. This is important as software upgrades often can be disruptive to business functions.
It is important to choreograph upgrades to maximize positive effects while minimizing negative ones. Strictly prohibit any upgrading of software packages outside of the official organizational process. This will provide better business continuity and reduce your exposure to software piracy.
Copying and distribution:
Don’t mess around with this item as failure to control copying and distribution of software is one of the leading causes of “inadvertent software piracy”. If your organization needs to copy or distribute software, it should only be done under the oversight of the software licensing manager and the CIO. Include that in your policy.
Shareware and freeware:
You may have employees who come to you and say they’ve found a great new software tool they want to install to enhance their ability to do their job. You may even have a teenager at home who says the same thing about a program he found that can help with his homework. They may even tell you the software is “free.” Be skeptical. While there indeed are numerous programs available, they all come with a cost. Shareware is intellectual property that is copyrighted.
Most owners of Shareware offer you a test-drive of their software and, if you like it, you pay them a fee. Freeware, on the other hand, is indeed free but often has no documentation and no path for any maintenance. Cybersecurity professionals and CIOs are very cautious at the thought of installing Shareware and Freeware on their networks and devices, as the quality and security of the software are rarely guaranteed and usually not as reliable as licensed and registered software.
If you are using Shareware or Freeware on your systems, be careful. If you are in a corporate environment, make sure both your CIO and general counsel have reviewed and approved of the software before you install and use it.
Using company software on home systems:
Your policy should strictly prohibit the copying and use of software licensed to the organization on home systems without the express written consent of senior executive management and the software license manager. While you have a strict policy, that doesn’t mean that you shouldn’t provide for employees to receive legally procured software sponsored by the organization.
For example, many companies recognize that employees often will perform work-related activities on their home computers. To mitigate the risk of infection from unprotected home systems, many organizations will provide their employees licensed and registered antivirus and antimalware software purchased under enterprise agreements.
Some companies go further by providing business applications that allow the employee to use their home computer much like they would at the office. These are good policies and pay off in enhancing productivity while minimizing risk to the business. While you may not want to invest in home productivity packages for all employees, licensing for home computers is increasingly becoming a great investment for companies that can afford it.
An easy-to-follow software policy can keep you out of big trouble. Make sure you effectively and correctly manage your software both at home and in the office.
A final suggestion on your software policy: review it annually to ensure it is up-to-date. We suggest every September 19th.
Access Control Policy.
Do you lock your doors at night? Most people do and practice physical security access controls to prevent unauthorized access to their homes and facilities.
What about your information? Do you have an access control policy that addresses who can have access to your information? Do you define who can see it, who can edit it, and who can delete (aka destroy) it? You need an access control policy. Access control for information is usually implemented in three ways:
Role-Based Access Control:
In Role-Based Access Control, access decisions are based on an individual’s roles and responsibilities within the organization or user base.
Discretionary Access Control:
Discretionary Access Control is a means of restricting access to information based on the identity of users and/or membership in certain groups.
Mandatory Access Control:
Mandatory Access Control secures information by assigning sensitivity labels to information and comparing them to the level of sensitivity at which a user is operating. It ensures the enforcement of organizational security policy without relying on voluntary user compliance. This frequently is used in systems such as in government where you have mandatory segregation of information such as Top Secret, Secret, Confidential, and unclassified information.
We recommend that as you create the information you determine who can use it, view it, modify it, or delete it. If those privileges are assigned to people performing certain roles, such as your internal auditors, implement a role-based access construct. If your scheme calls for all personnel in a group to have access, such as the HR department having access to personnel records, then implement a discretionary access control system. Finally, if you require tight controls over information, invest in a mandatory access control construct where the threat of human error is minimized.
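To make the three models concrete, here is an added example (not from the book) that implements each as a small policy engine and answers the same question, “may this user perform this action on this information?”, three different ways. The users, roles, groups and documents are constructed, and the mandatory model uses the Bell-LaPadula rules (no reading above your clearance, no writing below it) as the assumed interpretation of “comparing labels to the level at which a user is operating.”

```python
from collections import defaultdict

# Sensitivity levels for the mandatory model, lowest to highest (constructed ordering
# of the labels named in the text).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class RoleBasedAccessControl:
    """Permissions attach to roles; a user holds them by being assigned the role.
    Changing what auditors may do is one edit to the role, not one per auditor."""

    def __init__(self):
        self.role_permissions = defaultdict(set)   # role -> {(object, action)}
        self.user_roles = defaultdict(set)         # user -> {role}

    def grant(self, role, obj, action):
        self.role_permissions[role].add((obj, action))

    def assign(self, user, role):
        self.user_roles[user].add(role)

    def allowed(self, user, obj, action):
        return any((obj, action) in self.role_permissions[role]
                   for role in self.user_roles.get(user, ()))


class DiscretionaryAccessControl:
    """The owner of an object decides, at their discretion, which users or groups
    may access it. Only the owner may change the access list."""

    def __init__(self):
        self.owner = {}                                     # object -> owning user
        self.acl = defaultdict(lambda: defaultdict(set))    # object -> subject -> {action}
        self.group_members = defaultdict(set)               # group -> {user}

    def add_to_group(self, group, user):
        self.group_members[group].add(user)

    def create(self, owner, obj):
        self.owner[obj] = owner
        self.acl[obj][owner].update({"read", "write", "delete"})

    def share(self, granter, obj, subject, actions):
        """Returns True if the grant was applied; non-owners cannot grant."""
        if self.owner.get(obj) != granter:
            return False
        self.acl[obj][subject].update(actions)
        return True

    def allowed(self, user, obj, action):
        subjects = {user} | {g for g, members in self.group_members.items() if user in members}
        entries = self.acl.get(obj, {})
        return any(action in entries.get(s, set()) for s in subjects)


class MandatoryAccessControl:
    """Labels on information and clearances on users are set by the organization,
    never by the owner. Bell-LaPadula rules: no read up (the clearance must be at
    least the label) and no write down (a user may not write into information
    labelled below their clearance, which would be a way to leak it)."""

    def __init__(self):
        self.clearance = {}   # user -> level number
        self.label = {}       # object -> level number

    def set_clearance(self, user, level):
        self.clearance[user] = LEVELS[level]

    def set_label(self, obj, level):
        self.label[obj] = LEVELS[level]

    def allowed(self, user, obj, action):
        if user not in self.clearance or obj not in self.label:
            return False   # unlabelled information or uncleared users: never released
        clearance, label = self.clearance[user], self.label[obj]
        if action == "read":
            return clearance >= label
        if action == "write":
            return clearance <= label
        return False
```

The contrast the text draws shows up in the code: in the discretionary model the HR lead can share personnel records with the whole HR group by a single decision, while in the mandatory model nobody below a document’s label can read it no matter who owns it, which is why the human-error exposure is smaller.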
Network Management Policy.
The final “must-have” policy governs how you manage your network. Many organizations have come to the startling realization that their network is the circulatory system of their business and their fortunes rise and fall with the efficiency, effectiveness, and availability of the network and the information access it provides. For nearly all businesses, denial of service means denial of income. You need a strong policy that ensures your network is professionally managed to deliver the capabilities and results your organization needs.
Some organizations publish network management policies that only apply to the IT staff. We believe this is a mistake. Your network is used by everyone on your team.
Everyone who has network access has a stake in the effective management of your network. Everyone needs to understand “the rules of the road” for your network. Therefore, we believe it is essential that your network management policy clearly states that it is applicable to everyone in your organization.
There are numerous best practices for network management that enhance business productivity, maintain network integrity, and preserve information security. We highly recommend your policy should include the following best practice policy principles:
Deny all, permit by exception:
When you buy network devices such as firewalls, they may arrive out of the box configured to let everything through. Hackers know this, and one of the first things they do is scan your system to see what ports and protocols (think of these as the gates or doors into your system) are open so they can gain access.
Your policy should only allow what you need to enter or leave your network. Make it your rule that you will deny all traffic except that which you specifically give permission. Have procedures with management oversight that allow employees to request opening ports and protocols or visit websites to conduct official business.
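What “deny all, permit by exception” looks like when written down is a short list of approved exceptions, each tied to the management approval the text calls for, with everything else refused. The following is an added example, not the book’s or any firewall vendor’s configuration: it evaluates inbound and outbound connection attempts against such a list. The networks, ports, and the change-ticket references used as approval records are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A connection attempt at the perimeter (constructed for the example)."""
    direction: str   # "in": Internet -> us;  "out": us -> Internet
    remote: str      # IP address of the outside party
    proto: str       # "tcp" or "udp"
    port: int        # destination port


@dataclass(frozen=True)
class Permit:
    """One approved exception to the default deny. 'approved_by' records the
    management sign-off, so every open door can be traced to a decision."""
    direction: str
    remote_net: str          # CIDR; "0.0.0.0/0" means any IPv4 address
    proto: str
    ports: frozenset
    approved_by: str


class DefaultDenyPolicy:
    def __init__(self, permits):
        self.permits = [(p, ipaddress.ip_network(p.remote_net)) for p in permits]

    def decide(self, flow):
        """Return ('permit', approval) for the first matching exception,
        otherwise ('deny', 'no matching exception'); deny is the default,
        so a port nobody asked to open is closed without anyone listing it."""
        addr = ipaddress.ip_address(flow.remote)
        for permit, net in self.permits:
            if (permit.direction == flow.direction
                    and permit.proto == flow.proto
                    and flow.port in permit.ports
                    and addr in net):          # False for mismatched IP versions
                return ("permit", permit.approved_by)
        return ("deny", "no matching exception")


# Constructed rule set: inbound, only HTTPS to the public web server from anywhere
# and SSH from the administrators' VPN range; outbound, only web browsing and DNS.
# The CHG-xxxx strings stand in for whatever your change-approval process issues.
POLICY = DefaultDenyPolicy([
    Permit("in", "0.0.0.0/0", "tcp", frozenset({443}), "CHG-0001 public web site"),
    Permit("in", "203.0.113.0/24", "tcp", frozenset({22}), "CHG-0002 admin VPN"),
    Permit("out", "0.0.0.0/0", "tcp", frozenset({80, 443}), "CHG-0003 web browsing"),
    Permit("out", "0.0.0.0/0", "udp", frozenset({53}), "CHG-0004 DNS resolution"),
])


if __name__ == "__main__":
    for f in [Flow("in", "198.51.100.7", "tcp", 443), Flow("in", "198.51.100.7", "tcp", 22),
              Flow("in", "203.0.113.9", "tcp", 22), Flow("out", "198.51.100.7", "tcp", 25)]:
        print(f, "->", POLICY.decide(f))
```

The useful property is in the last line of `decide`: remote desktop, file sharing, or a new service someone stood up on a test box are all refused without anyone having to anticipate them, and opening one of them means adding a `Permit` with an approval attached.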
The principle of least privilege is commonly applied in many organizations and is synonymous with “need to know.” Least privilege means that you only grant privileges at the minimal level required to do the job assigned. You may ask why implementing the least privilege principle as part of your policy is a big deal. Let’s look at problems associated with administrator privileges on computers. Many employees demand administrator privileges on their client computers so they can configure their environment to fit their style, troubleshoot their own systems, or install their own software.
Granting administrator rights to noncertified personnel is a dangerous practice and is not recommended. A significant risk vector from malicious software comes from giving users administrative rights on their client computers. When a user or administrator logs on with administrative rights, any programs that they run, such as browsers, email clients, and instant messaging programs, also have administrative rights.
If these programs activate the malicious software, that malicious software can install itself, manipulate services such as antivirus programs, and even hide from the operating system. It can run through your entire network in milliseconds. Users can run malicious software unintentionally and unknowingly, for example, by visiting a compromised website or by clicking a link in an email message. Only grant privileges based on the legitimate need to perform the duties you’ve assigned. Direct the principle of least privilege as part of your network management policy.
Secure operating systems:
Using standard, security-focused guides to configure your operating systems is a best practice that can enhance your security and ensure your network is operating at optimum performance levels. We recommend that your policy call for secure operating system configurations that only install what is needed and turn off all unnecessary services. This ensures your system is best configured to withstand attack, reduces your attack surface, and reduces what needs to be maintained.
Whether or not you consider yourself one, you are a computer operator. Your applications are what you and your employees operate every day. Your policy should include rules regarding applications and their security. Implement least privilege to reduce the effectiveness of attacks that execute with the privilege of the current user.
Ensure you have a means of performing input validation to ensure only the right information is input into your applications. This reduces your risk of attacks (e.g., SQL injection) from malformed data input. Test applications in a segregated test environment before putting them on the live network.
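The SQL injection example named above is worth seeing side by side with its fix. The following is an added example, not code from the book: a lookup written with string concatenation (the defect), the same lookup written with a parameterized query, and an input-validation check in front of it. The table, the sample users, and the username format rule are constructed for illustration.

```python
import re
import sqlite3

# Constructed allow-list for what a username may look like in this example:
# a letter followed by 2 to 31 letters, digits or underscores.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def make_db():
    """In-memory table with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """The defect: the statement is assembled by concatenation, so whatever the
    caller typed becomes part of the SQL syntax instead of staying a value.
    Kept only to contrast with the hardened versions below."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterised(conn, username):
    """The fix: the driver sends the value separately from the statement, so the
    input is compared as data and can never change what the query does."""
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def validate_username(username):
    """Input validation: accept only the shape a username is allowed to have.
    This is a second, independent layer; it does not replace parameterisation."""
    return bool(USERNAME_RE.match(username))


def lookup_safe(conn, username):
    """Both layers together: reject malformed input early, then query safely."""
    if not validate_username(username):
        raise ValueError("username fails input validation")
    return lookup_parameterised(conn, username)


if __name__ == "__main__":
    db = make_db()
    malformed = "x' OR '1'='1"          # constructed malformed input
    print("vulnerable:", lookup_vulnerable(db, malformed))     # returns every user
    print("parameterised:", lookup_parameterised(db, malformed))  # returns nothing
    print("validated:", validate_username(malformed))          # False
```

Testing the application in a segregated environment, as the text advises, is where the first function’s behaviour would be caught: the malformed input returns every row from the vulnerable lookup and no rows from the parameterized one.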
Install only what you need to reduce your attack surface. Ensure use of secure protocols and block everything you don’t need. Use application “whitelisting” which means that you will only allow applications you have approved to operate to run on your network. Encrypt all data at rest to secure your information. Make sure your applications and data entry are as secure as possible.
Ensure your policy includes rules directing the continual auditing and self-inspection of your network for vulnerabilities. Vigilance is the watchword when monitoring your network and its devices for vulnerabilities. Your policy should call for vulnerability assessments on a regular basis, especially when new systems or applications are deployed or configurations change. This ensures system vulnerabilities are detected and that systems are not placed into service with deficiencies that should be corrected.
Don’t let your network vulnerabilities hide in your IT organization! Your policy should direct a comprehensive vulnerability tracking and review process that is integrated into your corporate risk management process. Your policy should also call for the automated patching of software across your organization.
This is a best practice that not only decreases your exposure time to threats but also significantly reduces the cost of patching. If you are not already doing automated patching and verification, we suggest you do a business case analysis to see if it is the best fit for your organization (it usually is). If you aren’t scanning your network for vulnerabilities from the inside and outside, you are missing something that someone else will find and exploit. What they find may just put you out of business!
Why would you deliberately let malware enter your network and poison your information if you could stop it? The good news is that there are many network procedures and tools that can filter traffic bearing the tell-tale signatures of malicious code and stop it from entering (or exiting) your network.
Using such devices as proxy servers, you can filter mobile code such as ActiveX and Java scripting, providing a control mechanism that strips potentially malicious executable mobile content before it enters your network. Your policy ought to include spam filtering as well to strip unwanted and potentially dangerous emails.
Many commercially available filters are increasingly sophisticated and can complement your efforts to thwart spearphishing by detecting and containing emails that carry spearphishing markers. Finally, make sure your policy calls for the use of antivirus software protection. Ensure that procedures for the installation, use, monitoring, and updating of antivirus software and threat signatures are a core component of your policy.
Does your IT staff monitor what traffic is on your network? Do you have an intrusion detection system in your facility? How about on your network? The best-run networks make an investment in intrusion detection and protection systems. Many organizations find that monitoring network traffic through well-placed sensors (including the network devices themselves) can help them identify problems as they are occurring so that they can be appropriately addressed. They also can detect malicious activity.
For example, the ability to deploy threat-specific detection signatures that trigger immediate alarms when they detect traffic of interest is a key component of most intrusion detection systems. We recommend that your policy address how you will sense when “something’s not right” and what you will do about it.
Your network devices generate a lot of valuable information you may not even know exists. Nearly all devices create files that record what the device did so that administrators can review these “logs” as part of their maintenance procedures. These are treasure troves of information that can be critical in performing threat and attack assessments. In fact, they have proven to be so valuable that hackers deliberately target them to erase any evidence they were in your system.
These “log files” are valuable and your policy should call for the transfer and storage of critical system logs to a centralized secure location with adequate back-up. It is important that you preserve these logs as official records as they often are requested by auditors and as part of legal discovery processes. Failure to produce the log files may be viewed as a sign of “network malpractice,” deliberate malfeasance, or incompetence. Include centralized logging and positive control over log files as part of your network management policy.
Regularly conducting threat and incident analysis should be a keystone of your network management policy and should complement your overall risk management plan. While your policy should call for continual monitoring by trained technical personnel, it should also call for the retrospective analysis of threats and incidents involving management to increase the organization’s effectiveness in responding to new and evolving threats.
We recommend your policy call for quarterly management level reviews of threats and incidents as well as minimum annual board level reviews of network threats and incidents.
Be Clear about Your Policies and Who Owns Them
Your policies govern your business and how it is run. Creation and enforcement of policies is an essential management function. Your cybersecurity policies are no different than any other policy in your organization. Do not fall victim to the trap of believing that, because many cybersecurity issues involve highly complex technical concepts, they fall into the realm of the IT staff. If you believe this, you and your organization will fail.
Your organization’s cybersecurity policies are not owned by your IT staff. They belong to management and should enhance business while accepting appropriate levels of risk approved by senior levels of management using the established corporate risk management processes.
Users in organizations that defer all cybersecurity policies to their IT staff often report frustration with what they view to be an overly cautious and restrictive network environment that stifles the introduction of new and potentially highly productive capabilities, denies access to desired products and services, and presents a “Just Say No” attitude.
Meanwhile, in these same organizations, the beleaguered IT staff is frustrated as well. Charged with defending the network and its information “against all enemies, foreign and domestic,” they are measured by management by how well they defend the network and its information, not necessarily by how effectively their network enables the organization to thrive, grow, and be profitable. This is a management failure. Don’t punt your management responsibilities to the IT staff!
Your policies need to be well documented and coordinated through your general counsel. They should be easy to understand and complete. They may be the best policies the world has ever seen, but if your employees don’t read and follow them, they are worthless. Therefore, we recommend that you insist that your employees read your policies and sign that they acknowledge and understand them.
Requiring employees to acknowledge receipt and sign an agreement that they understand the policy is an effective measure that protects the organization against certain liabilities and reinforces to the employee the need to pay attention to the policy.
A final discussion on policies regards your partners, prospective mergers, and possibly clients. Many of us have partnerships and other relationships where we share information to enhance our business posture. When it comes to cybersecurity, the policies of your partners and those with whom you share information are very important and warrant your focused attention to ensure your information is well protected.
Make certain your partners and those with whom you share information have the right policies and procedures in place to adequately safeguard your information. Before you make any commitments, ensure you clearly define your information management and security requirements. Perform the due diligence and exercise due care to ensure that your information is adequately managed and protected, even when it is in the care of your prospective partners.
Involve your general counsel throughout to ensure your surveys are complete and appropriate. Review your prospective partner’s policies and procedures to make certain they provide the adequate controls necessary to meet your organization’s standards (you may find they exceed your standards or present a better way of doing things!). In the event they do not meet your standards, ensure your management knows this and understands the implications so they may determine next steps.
Policies complement your strategy and its plans. They are the business rules and guidelines of an organization that define consistency and compliance with the organization’s strategic direction. Policies address what the policy is and its classification, specify who is responsible for the execution and enforcement of the policy, and articulate why the policy is required.
They are the “rules of the road” that all employees must follow and are congruent with your strategic vision, your mission, and your core values. With the right plans and policies in place, you and your organization are well postured to implement your plans with the tactical level procedures that convert your vision into reality.
PROCEDURES IMPLEMENT PLANS
Procedures define the specific instructions necessary to perform a task or part of a process. They are tactical level instructions that can take the form of a work instruction, a desktop procedure, a quick reference guide, a checklist, or a more detailed procedure. They detail who performs the procedure, what steps are performed, when the steps are performed, and how the procedure is performed.
Procedures to implement your cybersecurity plans and policies are critically important. They should be precise, clear, and reliably and consistently produce the desired results. Procedures must be consistent with your policies and directly support your plans and objectives. As a manager, you are responsible to guarantee that your organization has the proper procedures to execute the tasks assigned by your plans. You are responsible to ensure that they effectively, efficiently, and securely produce the results your organization needs to succeed.
Because of the tactical nature of procedures, we will not delve deeply into them. However, there are numerous cybersecurity procedures you should be aware of and practice daily, both in the home and the office. Some of the more common include:
How to turn your computer on and off
Account creation and termination
Password creation and protection
Application use instructions
Use of the READ process when reviewing emails (Relevant, Expected, Authenticated, Digitally Signed)
How to file electronic records (e.g., emails and electronic documents)
How to back-up and recover files
Procedures to secure your workstation and office space during absences
Procedures such as these fall into a category that many people refer to as “basic cyber hygiene.” They become so ingrained in our psyche and behavioral patterns that they become second nature and seemingly obvious. Following them almost becomes instinctive. At home you’d consider brushing your teeth, bathing, combing your hair, and putting on clean clothing before you leave home part of your daily hygiene ritual.
They are something everyone expects you to do and when they are not followed people notice—and not in a good way. Basic cyber hygiene is something managers everywhere should practice and enforce throughout their organizations.
Do you follow your organization’s cybersecurity procedures? Do you enforce adherence to procedures? If you don’t, you are exposing yourself and your organization to risk, and that may be a risk your shareholders don’t find acceptable. Do things right and follow procedures.
EXERCISE YOUR PLANS
The author recently met with a group of corporate directors during a conference on cybersecurity. All were distinguished executives who had long and distinguished careers in business. As we sat around the lunch table many reflected on how athletics in their youth had helped shape their leadership skills and gave them the stamina to excel in their careers. Each one of them said they regretted they had not maintained their level of fitness. They said that if they had kept up their exercise, they would be stronger, able to accomplish more and perform at higher levels.
Does this describe you too?
The famous Notre Dame head football coach Knute Rockne supposedly said, “Practice makes perfect,” yet Hall of Fame coach Vince Lombardi added, “Practice doesn’t make perfect. Perfect practice makes perfect.” Whether you are maintaining your personal fitness level or your cybersecurity posture, you have to practice to achieve the level of perfection your organization and your shareholders expect.
Plans that sit on shelves just gather dust and are worthless. Regularly test them and your people to check proficiency and compliance!
Test your plans regularly. Plan for the worst and for the most likely and exercise those plans to gauge their effectiveness and the proficiency of your staff. Don’t tolerate noncompliance! There will be those who do not take exercises and testing seriously and fail to follow plans and procedures. Be clear about accountability and enforce discipline in support of your plans and procedures.
LEGAL COMPLIANCE CONCERNS
We always have our general counsel review our plans, policies, and procedures. Not only do lawyers have trained eyes for details but also they are keen to find weaknesses in how messages are conveyed and can provide valuable assistance and advice on how to make your plans, policies, and procedures better. If you don’t have your general counsel involved in developing your plans, policies, and procedures, you will not have the best products possible.
When creating your plans, policies, and procedures you should assign responsibility to your general counsel to ensure that you are compliant with all legal and regulatory requirements. In addition to national laws and regulations, many states and municipalities have specific laws, regulations, and ordinances that may affect how you do business there. Your general counsel should help you to navigate through the wide variety of legal issues to keep you compliant and competitive.
In addition to the disclosure requirements identified in the Securities and Exchange Commission’s Corporate Finance Disclosure Guidance 2 (cybersecurity), there are several pieces of legislation that you ought to be aware of that affect your plans and procedures. They include:
The Sarbanes-Oxley (SOX) Act of 2002:
The SOX Act was created in the aftermath of several notorious corporate accounting and finance scandals and is intended to provide greater accounting and governance controls over publicly traded companies. While SOX drives many IT compliance and security initiatives, its cybersecurity requirements are vague at best.
Nonetheless, to pass a SOX audit, your company must implement security best practices for any system that touches anything related to your financial reporting and accounting systems. Many general counsels will tell you that may include your entire network infrastructure, including your network log files. The impact is that you cannot cut corners with your cybersecurity posture. Because SOX calls for executives and management to be held accountable, you should invest in best practices to protect your information, your business, and yourself.
HIPAA of 1996:
HIPAA was created to achieve three objectives: protect health insurance for individuals when they change or lose their jobs, protect the healthcare privacy for youths 12–18 (even from their parents), and provide for the security and privacy of healthcare records. From a cybersecurity standpoint, the last objective is the most groundbreaking, as the Act requires a host of security requirements that drive significant investments to achieve compliance with the Act’s provisions.
For example, the Act specifies that all systems that possess Personal Health Information (PHI) must have intrusion protection systems. All PHI must be encrypted and the integrity of the data must be ensured. When PHI data is exchanged between medical providers, two-way authentication is required to ensure information is exchanged only with trusted and authorized partners. There are significant documentation requirements under the Act that have a cybersecurity impact.
For example, all system documentation must be available for audits and include all configurations and system setting information (in writing!). Also, you must document all risk analysis and risk management programs that may be audited by regulators. HIPAA cybersecurity provisions are not inconsequential.
If you have or even think you may have PHI data on your systems (and your HR department may and not even know it), then you are well advised to have your general counsel and internal auditors perform a comprehensive review to determine your liability under this law. You may be surprised by the results and have to adjust your plans accordingly.
The Gramm–Leach–Bliley Act (GLB), also known as the Financial Services Modernization Act of 1999:
The Act calls for systems containing nonpublic personal information (such as your name, account number, and balance) to have an information security plan, a thorough risk analysis, and demonstration of the ability to monitor and test the plan to ensure its effectiveness. The intent is to protect the clients and their privacy. Is your organization the custodian of information protected under the GLB Act? If so, do you have sufficient cybersecurity controls in place to achieve compliance?
The Privacy Act of 1974:
The Privacy Act of 1974 defines what information is personally identifiable information (PII) and governs the collection, maintenance, use, and dissemination of PII in federal information systems. It is a groundbreaking piece of legislation that many states have adopted as well, with some passing laws that direct the protection of PII on information systems operated and maintained by public and private organizations.
You likely have PII either in your own HR department’s records, your pay system, or perhaps in your client records. Ask your general counsel to research what your responsibilities are regarding PII. Where you do business and with whom (including state and federal governments) may drive cybersecurity costs above and beyond what you originally anticipated. Ensure that you have all the bases covered and perform your due diligence and due care regarding private information.
Don’t just take your CIO’s word that everything is under control; audit your organization.
In addition to traditional auditors, who check your compliance with rules, regulations, and your policies and procedures, there are other cybersecurity-specific auditing capabilities you ought to add to your methods to ensure you have an accurate and unbiased view of your current cybersecurity posture.
The first is to add Certified Information System Auditors (CISAs) to your staff. Individuals with this certification have completed a comprehensive examination, have demonstrated over five years of professional information systems auditing, control, or security experience, follow a code of ethics for information system auditors, maintain their proficiency through continuing professional education (minimum 20 hours per year and 120 hours every three years), and adhere to the Information Systems Auditing Standards maintained by ISACA.
Adding CISAs to your internal auditing team can present an in-house capability to provide a thorough analysis of your information systems and their ability to comply with plans, policies, procedures, and regulatory guidance.
A second capability is to hire independent Penetration Testers (aka Pen-testers) to attempt to penetrate your networks or specific information systems. Many organizations retain Pen-testers to deliberately test new capabilities and configurations by attempting to penetrate them. Look for Pen-testers who maintain the Certified Ethical Hacker certification as they too have undergone a recognized disciplined process to achieve their skills and operate under an international code of ethics.
Pen-testers also ought to enter into a specific agreement with your organization that they will do no harm to your system or its information. Your general counsel should be part of every negotiation and contract involving Pen-testers to ensure that your organization’s best interests are preserved. We recommend you run a penetration test annually or every time you have a major system upgrade or a new configuration.
A third capability is to hire multi-disciplinary “red teams.” These teams often include Pen-testers yet supplement them with other skilled professionals who evaluate other aspects of your security posture, including your physical security, corporate culture, communications security, administrative procedures, and contracting. They are sneaky and devious (on purpose) and often are very successful in finding problems.
ISACA, formerly known as the Information Systems Auditing and Control Association, is a professional organization that establishes and maintains cybersecurity-related professional certifications. Another noted organization that certifies cybersecurity professionals is the International Information Systems Security Certification Consortium (ISC2), which maintains similar credentialing programs. Look for certification from one of these organizations when interviewing candidates for your cybersecurity positions.
We recommend you consider hiring a multi-disciplinary red team every couple of years or whenever you have a major change in personnel, policies, products, or information systems. When you do hire them, we recommend they report directly to senior management such as the CRO, Chief Security Officer, Chief Operating Officer, or CEO.
When to audit is a decision involving the board of directors and senior executive management. We recommend you audit your organization at least annually, when you make major system or configuration changes, when you introduce new products or capabilities, and after major adverse events. Remember Sun Tzu’s adage to “Know Yourself.” Use auditors whenever possible to better “know yourself” and improve your cybersecurity posture.