Success Tips of Business
Every businessman wants success in their business. This blog explains 100+ of the best business success tips and hacks, and also explores business rules and policies.
One of the principal responsibilities of an executive is to plan and execute the activities that drive your company to success. You need a plan to execute your strategy.
Plans are designs or detailed proposals for accomplishing an anticipated operation. As an executive, you may not be the one writing the plans, but you are responsible to see that they are created, that they are done right, that they are executed well.
How detailed your plans are depends on the complexity of the desired operation and the experience of the subordinates who will execute it.
The measure of a great plan is not whether its execution transpires exactly as planned, but rather whether the plan produces the desired results in the face of unforeseen circumstances.
Planning for Excellence
Plans are designs or detailed proposals for accomplishing anticipated operations. As an executive, you may not be the one writing the plans, but you are responsible to see that they are created, that they are done right, that they are executed well and, in the event they prove to be heading in the wrong direction, to steer the organization back to the right one.
They are the means by which you, the executive, envision the future, lay out creative and innovative ways to achieve it, and communicate to your subordinates your vision, your intent, the decisions you’ve made, and the results you expect to achieve. Your plan answers these questions:
What will be done?
Who is responsible?
How will it be done?
What resources will be required?
How detailed your plans are depends upon the complexity of the desired operation and the experience of the subordinates who will execute it. Plans can be articulated in a very formal document or through an informal outline. Regardless of what format is used, great plans have common characteristics:
The intent of senior leadership and the purpose of the plan are made perfectly clear.
Relevant facts and assumptions are stated up front to provide context.
Great plans are simple and put into positive terms (i.e., “This is what we will do” rather than “We won’t do this.”).
Great plans also are precise and avoid ambiguous language or phrasing that can confuse their readers. They are brief and clear.
They are complete and contain all the information needed to execute the plan.
They show what will be done, who will do it, and when they will do it.
They synchronize activities to ensure there are no resource or organizational conflicts.
They are flexible and allow for adjustments to counter the unexpected and provide measures of progress.
They define timelines for getting things done.
There are plenty of plan formats and styles that are effective when tailored to the right task and organization. Some are based on the time-phased sequence of activities.
Others are based on the fusion of different functions working in concert to achieve a common goal.
Use what works for you and your organization! Remember, though, whatever format you choose, make it consistent throughout your organization. Consistency in format yields consistency in understanding, performance, and results.
Such planning flexibility is critical concerning cybersecurity. New IT products emerge on the market every week and often their vulnerabilities are revealed shortly thereafter. As they age, venerable and trusted technologies become increasingly susceptible to penetration and exploitation.
Your plan needs to include provisions for preplanned improvements to keep you, your policies, your procedures, and (especially) your people hardened against the emerging cyber threats that inevitably will threaten you and your organization.
The measure of a great plan is not whether the execution of the plan transpires exactly as planned but rather whether the plan produces the desired results in the face of unforeseen circumstances.
Great Cybersecurity Policies for Everyone
No matter whether you are running a business, an organization, or even a household, you need to secure your information. The following policies can help protect you and your interests against cyber exploitation.
Acceptable Use Policy.
An acceptable use policy establishes rules that a user must agree to follow in order to be provided with access to a network or to the Internet.
These policies have become common practice for many businesses, educational institutions, and government entities and require that all users physically sign an acceptable use policy before being granted network access.
Most acceptable use policies share common attributes: the user agrees to adhere to specific guidance on what constitutes acceptable use as well as clearly defined guidance on unacceptable use. Typically the user agrees:
Not to install or download computer software, programs, or executable files contrary to policy
To accept that if they violate the policy and unlawful activity is suspected, their user information will be disclosed to law enforcement authorities in accordance with legal guidance
To accept that if they violate the policy, their access will be terminated
You probably have signed numerous acceptable use policies over the years and may not have even noticed. You often see them when you log in to a Wi-Fi connection at your favorite restaurant, coffee shop, hotel, and now even airplanes.
Many people don’t even read them and just click the “Accept” or “Yes” button to access the service. We don’t.
We read them, not just for professional curiosity, but because after decades of business and government service, we abhor signing any agreement we haven’t read. When you agree to the acceptable use policy, you are entering into a conscious agreement (read that to mean a contract) between you and the vendor.
Likewise, carefully review the agreement your organization has with its employees (including you!). Make certain it covers what is important to you and your business. Sit down with your general counsel to ensure it is legally sufficient and clearly communicates your expectations and consequences if the policy is violated.
Many businesses include in their acceptable use policy clear notification that violation of the policy will result in disciplinary action depending on the severity of the violation with sanctions up to and including termination of the employee.
Many companies and organizations have found that having a strong acceptable use policy is essential to maintaining good order and discipline in their workplace.
We have found the best acceptable use policies are created as a team effort by your business units and marketing professionals, general counsel, risk managers, cybersecurity professionals, and HR department.
Your business units and marketing professionals can identify what capabilities and requirements are needed with your automated systems.
Your general counsel can identify what behaviors and activities need to be avoided and can help establish guidelines for consequences.
Your cybersecurity professionals can identify the threats and vulnerabilities of proposed configurations, services, or capabilities. Your risk managers will identify acceptable levels of risk based on the corporate risk appetite, general counsel guidance, and technical risk factors.
Your HR department contributes as well to ensure that any consequences proposed for employees who violate the policy are proportionate to the violation and its impact.
Finally, while a team may create your business or organization’s acceptable use policy, it is management’s responsibility to ensure it is correct, complete, coherent with the corporate vision and core values, and can be monitored and controlled.
Regrettably, executives often do not even read their organization’s acceptable use policy. The policy is a management responsibility. Make sure you read and approve of your organization’s acceptable use policy.
Use of the Internet Policy.
Do you have employees who violate copyright laws? Perhaps you do and don’t even know it. Perhaps they don’t know it themselves. Let’s say you have an employee who is building a briefing about innovation and wants to include the clip from the movie Apollo 13.
They find a site hosted in Eastern Europe that has the clip, they download it and embed the file in their PowerPoint briefing. The briefing looks great and presents your organization’s message on innovation extremely well. Success! Right?
Wrong. The employee’s actions present two problems. First, movies, music, images, and other intellectual property are valuable commodities and you must obtain the rights from the actual owner to use them.
Without appropriate rights and permissions to the digital content, your employee just broke the law and put you and your company at risk.
What’s the worst that can happen? Under federal law, if company computers were used in the commission of a crime, law enforcement officials can seize the computers as evidence. How long can you and your organization survive without its IT infrastructure?
Second, because the employee used your corporate computers to acquire copyrighted material, your company is liable and potentially exposed to a lawsuit from the party that legitimately owns the rights to the material.
Third, many (if not most) sites that host bootleg or otherwise illegal media are known to have poisoned the files with embedded malware that surreptitiously installs backdoors or other malicious code on your system.
Not only may you be fighting criminal action or intellectual property lawsuits, but also you may be fighting with bad actors over control of your own network.
Downloading files from the Internet may not be your only problem. What happens to your organization’s productivity if employees misuse Internet resources?
The author was the CIO of a large organization and noticed that network performance was dropping. Personnel were complaining about slow email delivery times and having to wait excessive amounts of time for web pages to load. The problem was creating serious productivity losses.
Analysis of metrics found that over 75% of web searches were landing at websites that specialized in sports. Further research indicated that over 80% of our available bandwidth was being used by bandwidth-intensive streaming video.
It was apparent that our employees were using their Internet connections to stream their favorite games (and potentially movies) over the Internet to their desktops.
When the data was presented to the head of the organization and his directors, they ordered a policy to limit web-surfing and to block streaming video. Not surprisingly, productivity soared, network performance improved dramatically, and the boss and directors were delighted.
The Internet is a great tool that gives you and your employees access to the world’s information. You want to use it to enhance your operations, not hinder them. Your employees should be using it to their advantage and that of your business. You need a policy that addresses the appropriate use of the Internet in your organization.
What should your Internet use policy say? While every organization is different, there are several common items we believe are important to include in your policy:
Purpose: Tell your employees why you have an Internet use policy. Most companies remind their employees that access to the Internet is a privilege required for business, not a right. Do any of your employees need that kind of reminder?
Applicability: It applies to everybody.
It is important to remind your employees that the Internet can be a risky place, and sometimes is a haven for bad people with malevolent intent. Remind them not only about the risks presented by malicious code, but also risks presented by copyright violations and lack of productivity if access is misused.
Some employees may be surprised by the obvious, so clearly state the threats using explicit examples of policy violations.
Tell your employees what Internet use is permitted. Examples include email, web access, and electronic data exchange (e.g., file transfer protocol used to exchange large files).
Clearly state that use of the Internet is only for official business. If you allow use for personal reasons (such as to receive emails from your children’s school), clearly spell out under what conditions you will allow your corporate resources to be used.
What’s not allowed:
This is a critical part of your policy. You need to define not only what is not allowed, but also why it is not allowed. Common examples of prohibited Internet use include:
Clearly state that you will not tolerate illegal activity such as copyright infringement or child pornography. Such actions will result in severe disciplinary action including termination and notification of law enforcement officials.
Clearly state that you will not tolerate immoral activity such as using the Internet to view, acquire, or disseminate pornography or material which negatively represents race, creed, sexual orientation, or gender. You own the network and its liability.
Your information has great value. You need and want it treated right. Not using it for its designed purpose, disclosing it without authorization, or tampering with it will not be tolerated.
Make it clear that you will not tolerate the disclosure, exposure, or transmission of your organization’s intellectual property and trade secrets, including information considered confidential, proprietary or otherwise sensitive, without proper authorities. Identify what those authorities and controls are.
Clearly state that you will not tolerate the creation, posting, transmission, or voluntary receipt of any information that is considered threatening, harassing, offensive, hateful, libelous, or otherwise unlawful. You own all the information on your network. Make sure it is the type of information you want, need, and is relevant to your business.
Does your company endorse your competitors? Does it endorse organizations whose values conflict with your core values and interests?
If you permit employees to embed hyperlinks to non-approved organizations or sites in their email correspondence or on the web pages of your corporate network, you may just be seen as endorsing that site and embracing all it stands for.
Similarly, because nearly all websites collect “cookies” that identify users, even a visit by one of your employees to a website that contains controversial or offensive material may be considered a tacit endorsement of that site and its content.
You need to control your partnerships. Be careful when writing public-facing copy and tightly control with whom you link using the Internet.
Your policy should include the following:
Your policy establishes how you will monitor Internet use in your organization. The policy is intended to ensure employees use the Internet in a safe and responsible manner, and that employee web use can be appropriately monitored or reviewed.
As usual, it is applicable to everyone who uses your corporate network. This is crucial on legal grounds. Nobody who uses your corporate resources can be exempt from this policy.
That includes directors, officers, management, employees, contractors, vendors, or even visitors. Everyone is subject to monitoring. Put it on your log-in screen to remind everyone of that fact.
Who will conduct monitoring:
Most companies use their IT department and automated tools to conduct their monitoring, although some out-source it to a third-party vendor.
Regardless of who conducts your monitoring, clearly identify who will conduct the monitoring, what their charter is, and what they do with their findings. Actions based on the findings should be reserved for management and not delegated to the IT staff or proxies.
This is important as it specifies types of reporting, to whom, and when reporting will be accomplished. For example, when the author was the CIO of a large organization, we had a policy that stated we would provide continual Internet monitoring.
My staff used automated tools and could quickly prepare usage reports upon demand, although I found that quarterly reports were a good fit for our business rhythm.
If the staff detected aberrations during the quarter, the policy called for them to bring it to my attention immediately for a management review. On more than one occasion, I took the findings to our board with a recommendation to change our policy due to emerging threats.
This is important too. You want your employees to know that you are keeping records that clearly identify who did what, when they did it, and how they did it.
This provides a powerful deterrent for those tempted to violate your acceptable use and Internet use policies. Your policy also should stipulate how long you retain your monitoring records.
The length of record retention depends on the type of organization you have. While many organizations retain monitoring records for up to 180 days, the author was in an organization that retained records for over seven years, which coincided with the period of a large and highly competitive contract.
Select the record keeping duration that best fits your needs. Make sure it is a corporate decision involving your general counsel, not one delegated to the IT staff.
What will be filtered:
A security best practice is to “Deny All, Permit by Exception.” Using this technique, all Internet sites and protocols will be blocked except those specifically allowed by the organization.
This is initially a painful policy to implement, yet extremely effective in reducing your threat exposure. Educating your workforce about it in advance is crucial and is key to its success.
Your policy must include the means for employees to request access to certain websites, services, and protocols and receive quick action (which can be measured via your metrics program). The following are typical things that are filtered by rule in most organizations:
Adult/sexually explicit material
Video gaming sites
Hacking websites
Chat and instant messaging
Anything dealing with illegal drugs
Intimate apparel and swimwear
Peer to peer file sharing
Personals and dating services
Social network services
Spam, phishing and fraud, and spyware
Tasteless and offensive content including violence, intolerance, and hate (aka dirty word search filtering)
How to change a filter rule:
This is an important item you need to address in your planning with procedures that provide quick and accurate results. For example, you may find that your business is considering acquiring a company in Africa that has access rights to strategic materials vital to a new manufacturing process.
The website for that company resides in an Internet address range that is currently blocked by your business because it previously was outside your market and is the home of some unsavory hackers.
As a result of this emergent business relationship, you want the specific IP address for the company to be opened for use, as well as several other addresses known to belong to the company’s suppliers.
As with all your other policies, clearly state the consequences of not complying with this policy. Typically, noncompliance with this policy will be met with sanctions up to and including termination.
Does your organization monitor its Internet usage?
If so, when was the last time you reviewed the data found? Here’s a tip that may lead to revealing information you may never see from your IT staff: ask to see how many attempts were made to reach sites or services you are blocking based on the rules above. You may be surprised by the results.
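The deny-all, permit-by-exception rule, the approved-exception workflow for the acquisition case, and the blocked-attempt count an executive can ask for, worked through in Python as an added example that is not part of the original post. The hostnames, the allowlist, the exception record and the proxy log lines are all constructed for illustration.

```python
"""Deny-all, permit-by-exception web filter with a blocked-attempt report.

Added example, not code from the original page. Site categories, the
allowlist, the exception record and the proxy log lines are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Category tags for destinations that the filter rules block by default
# (constructed lookup; a real deployment would use a categorisation feed).
CATEGORY_BY_HOST = {
    "streams.example-sports.test": "video streaming",
    "chat.example-im.test": "chat and instant messaging",
    "torrents.example-p2p.test": "peer to peer file sharing",
    "phish.example-fraud.test": "spam, phishing and fraud",
}

# Standing allowlist of business-approved destinations and protocols
# (constructed). Everything not listed here is denied.
ALLOWED_HOSTS = {"mail.example-corp.test", "erp.example-corp.test"}
ALLOWED_SCHEMES = {"https", "http", "ftp"}

# Date the sample report is run for (constructed).
AS_OF = date(2024, 3, 1)


@dataclass(frozen=True)
class FilterException:
    """An approved change to the filter, recorded with who asked and why."""
    target: str            # hostname or CIDR range, e.g. "203.0.113.0/28"
    requester: str
    justification: str
    approved_by: str       # a management decision, not an IT one
    expires: date          # exceptions are reviewed, not permanent


def _matches(exc: FilterException, host: str) -> bool:
    """True if host is covered by the exception (hostname or IP range)."""
    try:
        # Works when the target is a CIDR/IP and the host is an IP literal.
        return ip_address(host) in ip_network(exc.target, strict=False)
    except ValueError:
        # Either side is a hostname: fall back to an exact name match.
        return host == exc.target


def evaluate(url: str, exceptions: list, today: date = AS_OF) -> tuple:
    """Deny by default; permit only allowlisted hosts or approved exceptions.

    Returns (decision, reason) with decision "allow" or "deny".
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ALLOWED_SCHEMES:
        return "deny", f"protocol {parts.scheme!r} not permitted"
    if host in ALLOWED_HOSTS:
        return "allow", "standing allowlist"
    for exc in exceptions:
        if _matches(exc, host):
            if today > exc.expires:
                return "deny", f"exception for {exc.target} expired"
            return "allow", f"exception approved by {exc.approved_by}"
    # Denied: report the category if known, so the metric is meaningful.
    return "deny", CATEGORY_BY_HOST.get(host, "not on allowlist")


def blocked_attempt_report(log_lines: list, exceptions: list,
                           today: date = AS_OF) -> dict:
    """Count denied requests per reason: the number an executive should ask for."""
    counts = Counter()
    for line in log_lines:
        # Constructed log format: "<timestamp> <user> <url>"
        _ts, _user, url = line.split(" ", 2)
        decision, reason = evaluate(url, exceptions, today)
        if decision == "deny":
            counts[reason] += 1
    return dict(counts)


# The acquisition-target exception from the text, as an approved record.
SAMPLE_EXCEPTIONS = [
    FilterException(target="203.0.113.0/28", requester="business development",
                    justification="acquisition target and its suppliers",
                    approved_by="CIO", expires=date(2024, 12, 31)),
]

# Constructed proxy log lines for one morning.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 alice https://mail.example-corp.test/inbox",
    "2024-03-01T09:01:10 bob https://streams.example-sports.test/live/game7",
    "2024-03-01T09:02:30 carol https://streams.example-sports.test/live/game7",
    "2024-03-01T09:03:00 dave https://torrents.example-p2p.test/latest",
    "2024-03-01T09:04:15 erin https://203.0.113.5/suppliers",
    "2024-03-01T09:05:00 frank irc://chat.example-im.test/#general",
    "2024-03-01T10:00:00 grace https://unknown.example.test/",
]

if __name__ == "__main__":
    for reason, n in sorted(blocked_attempt_report(SAMPLE_LOG, SAMPLE_EXCEPTIONS).items()):
        print(f"{n:4d}  {reason}")
```

Run as a script it prints the denied-attempt counts by reason; the exception record carries the requester, justification, approver and expiry so that the change can be reviewed rather than silently left open.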
You will be confronted by a situation where you have to discipline an employee for improper Internet use on corporate systems. Make sure your actions can hold up in court. Have a strong and unambiguous use monitoring policy. Clearly communicate it to your employees and have them acknowledge the policy in writing, whenever possible.
Be vigilant and train your employees to be vigilant too. Things that are out of place ought to be investigated. For example, if you find a window, door, or other entry point unlocked that normally should be locked, notify authorities.
If you see a desk is unattended and important papers are exposed or a computer is left unlocked and turned on, do something about it. Your policy should spell out what to do when you see something that is out of place or unusual.
Whenever we travel, my wife likes to check the room where we stayed before we leave to ensure we haven’t left anything behind. Then she insists I do the same in case she missed something. Having two people check important “can’t fail” items always is a good policy, especially when protecting your vital information.
Control who comes into your facility:
Do you freely permit strangers into your home? We don’t recommend it nor do we recommend you permit strangers into your workplace either. Control who enters your facilities and keep them under appropriate surveillance and control until they leave.
Check everything coming in and everything going out:
You may consider it important to check everything coming into your facility and everything going out.
For example, if you are at the Centers for Disease Control, you want to make sure that all the samples coming in have the proper safety controls to prevent contamination and exposure and you definitely want proper safety controls on the way out as well!
Admittedly, it is not practical to check everyone in every facility, but for those facilities having very high-value information and operating in a high-risk profile environment, this type of policy is appropriate.
Do you think that the U.S. Army regrets not implementing these types of controls at the facility where Private Bradley Manning worked?
Clutter is bad:
Not only does a cluttered workspace portray an unprofessional image, but it also makes it extremely difficult to manage and retrieve information.
Despite the plaintive cries of those who revel in the joys of building nests of paper around them, allowing clutter to accumulate presents risk of theft, information loss, and decreased productivity.
There are even some who would argue it presents a safety risk. Just like your language in church, you have to keep things clean. Articulate a clean desk policy throughout your organization.
Train everyone to know and follow the rules:
Ignorance is not bliss. In fact, ignorance is the leading cause of inadvertent information disclosure as well-intentioned employees allow important information to escape control.
As an executive, you need to ensure that you have the right policies in place to support your strategy and plans and align the right talent to execute them. Make sure your employees know the rules and follow them!
Visitor and Contractor Access Controls. Your employees have varying levels of access to information in your organization, hopefully based on their roles and need to know. But how about visitors and contractors? How do you control their access to information while they are in your facilities?
Having a visitor and contractor access control policy is essential to protect your information. Your employees should know what your rules are for handling visitors from the moment they arrive on your property until the moment they leave.
Similarly, while contractors may be important contributors to your team, they remain employees of other firms and require special handling and consideration.
What is your policy for visitors and contractors?
Do you allow them to roam freely throughout your organization? Do you insist your visitors be escorted? How can you tell the difference between employees, visitors, and contractors?
If someone picks up a piece of paper on a desk or sits down to a computer terminal, how do you know whether they are on your team or potentially working against you? What’s your policy?
We’ve worked in a variety of organizations ranging from areas that handled highly classified material all the way down to nonprofit activities. Despite the wide variance in security controls that we’ve encountered, there are several best practices that you should include in your visitor and contractor access control policy:
Designated parking for visitors:
Having designated parking spaces for your visitors not only is good form but also it makes good sense from a security standpoint. Providing parking in a controlled location permits your security personnel and greeting party to observe the activities of your visitors as they arrive.
Include in your physical security policy provisions that will protect your facilities and personnel by placing bollards or barricades between your parking areas and facilities to provide protection from potential physical threats posed by vehicles and their cargo.
Greeting a visitor with a courteous reception should be part of every organization’s policy. If you want to “wow” a visitor, make it your policy to provide a professional and friendly reception, but don’t ignore the importance of security.
Make it your policy to have your visitor sign in and your receptionist verify the visitor’s identity through hands-on inspection of a government-issued photo identification card such as a driver’s license.
Getting their contact information and assigning someone to follow up with them is always best. Finally, never let a visitor roam through your organization to meet with one of your employees. Always ensure that your employees meet the visitor in the reception area and escort them to the designated meeting location.
Many organizations include in their policy a requirement to have visitors sign a visitor agreement when they check in to the facility.
These agreements often require the visitor to agree to security provisions such as that they will stay with their escort at all times, that they will display their visitor badge at all times, that they agree not to record or photograph in the facility, etc.
Have your general counsel review any and all agreements, including your visitor agreement, before they are presented to ensure that they are suitable, appropriate, and complete.
Badging and identification:
Many organizations recognize that it is difficult to tell the difference between visitors, contractors, and employees. That’s why many make it their policy to issue visitors special name tags or other devices to show that they are visiting the organization. Many organizations use color-coding to make it easier to distinguish who’s who.
Typically, visitors requiring an escort are coded “red,” those who can have access unescorted to select areas are coded “yellow” (be cautious), and those who are fully cleared are coded “green.”
Furthermore, often a second color (usually on the bottom half of the badge) identifies the person’s affiliation, for example, visitor—black; contractor—blue; and employee—white.
A best practice is to issue the special visitor badge in exchange for the visitor’s photo identification card, which will be returned upon check-out and the turn-in of the visitor badge.
In organizations where highly sensitive information is handled, it is often policy to have the escort announce that there are visitors in the area and to secure sensitive material.
Other organizations add onto that policy by illuminating flashing lights or other visible signals that indicate visitors are in the area.
The intent of these actions is not to embarrass the visitor but, rather, focus the workforce on their responsibilities to safeguard valued information. Nearly all visitors appreciate the disciplined approach to security and some even revel in the special attention they receive.
Some people believe that contractors are selected to join the team and therefore should be afforded the same privileges as full employees.
We disagree. While contractors almost always are highly valued teammates, they remain employees of other organizations and likely are not authorized to access the same level of information as your employees.
Make your policy simple and provide special badging (as above) for visitors, contractors, and employees so that everyone can tell the difference and posture accordingly to protect your information.
The sensitivity and value of your information will dictate how you handle electronic devices in your workplace.
In areas where highly sensitive or valuable information is handled, it is good policy to prohibit electronic devices such as cell phones, smart phones, music players, iPods, cameras, tablet computers, thumb drives, and other similar media—for everyone.
Be very careful to define your policy regarding what electronic devices you will allow visitors to bring into your workspaces. Many people forget that most phones have cameras built into them which can quickly and easily photograph unprotected information.
Likewise, a smartphone can rest unnoticed in someone’s pocket, recording or transmitting your conversations without your knowledge or permission.
Regardless of the type of information in your organization, it is good policy to provide a secure locker in your reception area for your guests to leave their cell phones and other electronic devices while you are meeting with them.
It also is good policy that you should be polite and have your own devices silenced or turned off and appropriately stored during the meeting as well.
Emergency procedures including evacuation:
It should be your policy that in the event of an emergency, all sponsoring employees are responsible for the safe evacuation and accountability of their visitors. Your policy should designate a location for visitors and their escorts to meet during evacuations and emergencies.
It also should assign responsibility to a designated individual to account for all visitors using the visitor log maintained at the reception location. Make it clear in your policy and the visitor agreement that visitors will not leave the premises without properly checking out in accordance with your policy, even in times of emergency.
We believe that bidding your visitor farewell is as important as your greeting them to your facility.
Make sure your policy includes not only the exchange of credentials (i.e., the visitor returns their visitor badge in return for their identification card) but that they are asked how their visit was.
Ensure too that the visitor is not leaving the facility with any unauthorized material, such as papers, thumb drives, or CDs. If a departure search is anticipated or is deemed necessary, then the visitor agreement should provide for this eventuality.
Network or System Access:
Contractors often are granted access to the networks of their host organization. In many cases, contractors actually operate the corporate networks serving in important functions such as the system administrators, network administrators, and help desk. Your policy should call for each contractor to adhere to all cybersecurity policies as do your employees.
From the acceptable use policy to the network management policy, contractors authorized to access and use your network in the performance of their contracted duties should follow your policies and be held accountable.
Your policy also should identify clearly that whoever in your organization sponsors the contractor (i.e., established the requirement for the contract) is responsible for monitoring and control of the contractor.
This is critical. Failure to provide adequate positive control of contractors can result in information mishandling, breaches, disclosures, or worse.
Ensure that your policy clearly identifies your rules for network and system access and what permissions are authorized for contractors and visitors. Regarding visitors, a best practice is to establish a separate wireless network solely for visitors to access the Internet.
Separate from your corporate network, this password-protected network provides your visitor the ability to access the Internet, yet insulates your critical information from unauthorized exposure.
Many organizations receive requests for tours or host them for clients. Your policy should identify who in your organization is responsible for tours, how they are to be managed and the security controls that will be implemented to ensure that your vital information is secured and protected.
Best practices for tour management focus on having a plan for each and every tour that includes the following:
Purpose: Every tour has a purpose. Spell out what your objectives are for this tour.
Assignment of Responsibility: Be clear who will do what, when they will do it, and how success is measured.
Notification to Employees:
Ensure all employees know that there will be a tour, who will be visiting, what the purpose of the visit is, where it will be conducted, what areas it will visit, and what times the visitors will be there.
Security Instructions to Employees:
Clearly communicate to employees what their responsibilities are to ensure that safety protocols are taken to secure your information. For example, if visitors are in a particular area, you may instruct employees to remove all sensitive material and information from view prior to their arrival.
As with the other must-have policies we’ve identified, you need to spell out in your policy that failure to comply with this policy will result in disciplinary actions up to and including termination. Contractors and visitors should understand that violation of your security policies could subject them to legal action and criminal charges.
Your policy ought to include a caveat that holds the sponsoring employee responsible for the conduct of their visitor as well and clearly states that in the event that the visitor violates the policy the employee will be subject to disciplinary actions up to and including termination.
Organizations with that caveat tend to have better control of their information, pay better attention to their visitors, and their sponsoring employees do a much better job in escorting their visitors.
Does your organization use badges or other means of identifying employees? Do you have uniforms (e.g., everyone in Target knows that the person wearing a red polo shirt and khaki slacks likely is an employee), name tags, or other identification?
In today’s business environment, many companies include employee credentialing as part of the physical security posture and have specific policies governing employee credentialing.
Many companies use systems that combine an employee identification card with security controls to grant employees access only to the areas they have a need to enter. As an example, one of our clients has a manufacturing arm. They limit access to the manufacturing facility only to those employees who have a need to be there.
Administrative personnel and others who do not have a specific need to be in the manufacturing facility are denied access by the facility automated security card system, which is a standalone system not connected to the Internet. This is a good system and increasingly is becoming the norm for medium to large businesses.
Some of our friends in small business debate whether they need to invest in employee credentialing.
In many instances, the answer is no. Depending on the size and type of your company, your business practices, and your security requirements, you may find there is no need to invest in credentialing.
For those who do find they have a requirement to credential employees, here are several best practices to consider including in your security policy:
Make all employees sign an agreement approved by your general counsel detailing their responsibilities for their corporate credentials. They should be fully aware that credentialing identifies them as a representative of your organization, and that any misconduct by them will reflect unfavorably on the company.
Tell them in no uncertain terms that you will react severely if they bring disgrace upon your organization.
Employees should display their credentials when they are in the workplace and carefully secure them when outside of the workplace. Wearing your employee credential in the parking lot or about town is an invitation for trouble.
In fact, it is well known in the intelligence community that foreign intelligence sources look for individuals leaving sensitive facilities who continue to wear their employee credentials.
These foreign agents would photograph the individual and craft false credentials using the photograph as a template. Industrial spies are no different.
Tail-gating is trouble on the highway, and it is trouble in sensitive facilities as well. If you have facilities that require badge access for everyone in the facility, make it your policy that everyone has to use their badge to enter the facility.
Penetration testers routinely attempt to gain unauthorized access to facilities by entering right behind a legitimate employee while displaying (or not) falsified credentials. This tactic also is sometimes referred to as “drafting.”
What is your policy for removing equipment from your facility? Do you have a policy that governs removing equipment from your facilities? During the course of his professional career, the author learned firsthand the importance of having an equipment removal policy and proper enforcement.
The employee operated the computer warehouse. As the depot and maintenance facility was slated for closure, he was responsible for receiving all excess computers, wiping their hard drives with the approved software that would sanitize them of sensitive information, and processing them for reallocation, salvage, or resale.
Working with our general counsel and law enforcement officials, we permitted police investigators to establish video surveillance in our warehouse where the employee was observed putting our computers in his car trunk.
Police in surveillance vehicles then followed him home where they filmed him transferring the computers into his garage. Later, an undercover agent was able to purchase one of the computers leading to the employee’s arrest.
We pressed charges and, in accordance with our collective bargaining agreement, suspended him pending conviction. He pled guilty and received a suspended sentence and probation. That didn’t save his job, however, as we immediately terminated his employment.
Emergency Procedures Including Evacuation.
People are more valuable than your information. In times of crisis and emergency, your policy should safeguard people as your first priority. Nonetheless, you should establish policies and procedures that ensure that your vital information is secured in emergencies.
Regrettably, theft during emergencies and evacuations is not unusual. Criminals have long sought to loot unattended properties during the evacuation.
Typical theft targets have usually centered on tangible property easy to “fence” or resell. Now, in our digital marketplace, information has taken its place next to cash, jewelry, and electronics on the thief’s wish list of items to steal.
While many companies recommend you pack up your sensitive information and computers during periods of evacuation and crisis, your policy should clearly identify your priorities in guiding employees to make the right decisions when confronted by crises.
Remember that information can always be replaced. People cannot. Therefore, the safety of employees should always come first.
Electronic mail forwarding:
Email forwarding is a leading cause of spam in organizations. It also is a leading cause of unauthorized information leakage. Use your policy to define what information can be forwarded. Deny by rule automatic forwarding of emails to accounts outside of your corporate domain.
This means that any forwarding of electronic mails must be accomplished by the conscious decision of an employee rather than batch forwarding to accounts outside your control. This procedural “firebreak” better controls your information and protects it from inadvertent disclosure.
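The "deny automatic forwarding outside the corporate domain" rule lends itself to a periodic audit of mailbox rules. The following is an added example, not code from the original post: it assumes the organization's mail domain is example.com, uses constructed rule records in a generic shape, and flags every enabled rule whose destination lies outside the corporate domains.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumption for this example: the organization's own mail domains
CORPORATE_DOMAINS = {"example.com"}


@dataclass
class ForwardingRule:
    """One mailbox forwarding rule as exported from a mail system (constructed shape)."""
    mailbox: str
    rule_name: str
    forward_to: List[str] = field(default_factory=list)
    enabled: bool = True


def external_targets(rule: ForwardingRule) -> List[str]:
    """Return the forwarding destinations that leave the corporate domains."""
    outside = []
    for addr in rule.forward_to:
        # tolerate "Name <user@host>" as well as bare addresses
        domain = addr.rsplit("@", 1)[-1].strip("> ").lower()
        # a subdomain of a corporate domain (mail.example.com) is still internal
        internal = any(domain == d or domain.endswith("." + d) for d in CORPORATE_DOMAINS)
        if not internal:
            outside.append(addr)
    return outside


def audit_rules(rules: List[ForwardingRule]) -> List[Tuple[str, str, List[str]]]:
    """Return (mailbox, rule name, external addresses) for each enabled rule that violates the policy."""
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue  # a disabled rule forwards nothing; report only live violations
        outside = external_targets(rule)
        if outside:
            findings.append((rule.mailbox, rule.rule_name, outside))
    return findings


# Constructed sample rules; .invalid is a reserved top-level domain used here as a placeholder
SAMPLE_RULES = [
    ForwardingRule("alice@example.com", "copy to assistant", ["bob@example.com"]),
    ForwardingRule("carol@example.com", "home copy", ["carol.home@webmail.invalid"]),
    ForwardingRule("dave@example.com", "old rule", ["dave@webmail.invalid"], enabled=False),
    ForwardingRule("erin@example.com", "archive", ["archive@mail.example.com", "erin@personal.invalid"]),
]

if __name__ == "__main__":
    for mailbox, name, outside in audit_rules(SAMPLE_RULES):
        print(f"{mailbox}: rule '{name}' auto-forwards outside the domain to {outside}")
```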
Electronic mail retention:
The author had a boss who used to say, “the ‘E’ in ‘Email’ stands for ‘evidence’.” Perhaps he was right. If you fail to retain electronic correspondence properly, you may be putting yourself and your company at risk.
Consult with your general counsel to determine appropriate requirements for the retention and storage of information, including electronic mail. Clearly identify those requirements in your electronic mail policy.
Removable Media Policy.
Do you want your employees to infect your network with viruses and other malicious code? Of course not.
But nonetheless, many organizations continue to allow uncontrolled access to network devices by removable media such as thumb drives. Recall from our previous discussions on the Stuxnet case that the attack vector supposedly was through an infected thumb drive.
Removable media not only is a concern regarding infections but also of exfiltration of information. Recall the cases of Private Bradley Manning and Edward Snowden, who used removable media to steal sensitive corporate information to the great detriment of their employers. Can you afford such an information breach?
To control the threat of infection and information breaches, many companies create policies that dictate how removable media is used in their businesses. Given the threat environment, if you do not already have such a policy, publish one, educate your workforce, and implement it as soon as possible.
As with most policies that we mention in this section, there are two factors that drive the relative strength of your policy. The first is the value of the information you wish to protect.
That should be gauged by the highest valued information resident on your network. In general, the higher the value of the information to be protected, the higher the level of control.
The second factor is your risk appetite.
If you determine that your business process controls; employee training, loyalty, and discipline; and network segmentation provide adequate mitigation of unauthorized information exfiltration, you may decide to accept the risk of permitting removable media on your networks.
Many organizations have determined that the risk is too high and disable all Universal Serial Bus (USB) ports on their network. For example, the US military famously took such action in November 2008 in the aftermath of a significant virus infection traced to an infected thumb drive. This is not practical for many businesses but it is effective.
Network administrators can disable USB ports by policy across all devices on the network and only open them up under carefully controlled and monitored circumstances. This is a very effective security technique unless your network administrator is like Edward Snowden and violates the policy.
As a practical alternative to disabling all USB ports, many organizations have come to adopt a removable media policy that features the following attributes that have become recognized as best practices. Consider adopting the following rules as part of your removable media policy:
The organization will provide employees with removable media:
Controlling what media is used imparts effectiveness, efficiency, and security. By limiting the variety of removable media used in the organization, your network defenders can focus their efforts.
Your security professionals can procure the media, wipe it of any potential dangerous code, and configure it to meet your security specifications before labeling it and issuing it to employees. Protect your information by maintaining positive control over the media it is contained on, including that which can be removed and migrated.
Do not plug any media not provided by the organization into USB ports:
You shouldn’t trust removable media that your security personnel haven’t checked out. Nonapproved media should not be allowed on your network. With the cost to clean up viruses and other infections continuing to rise, this simple rule makes good business sense.
Some devices can be configured to automatically execute their programs as soon as they are plugged into the USB port. This is very bad if the program is a RAT kit, worm, zombie file, or other malicious code.
To thwart this threat, most networks disable the ability to automatically play executable files. Common network management tools allow your network administrators to disable this capability across every device in your network. Include this rule in your policy.
Automatically scan anything connected to USB ports:
Wouldn’t it be great if every time someone plugged a removable media device in a USB port that it would be scanned by the network for compliance before allowing its connection?
Fortunately, there are products on the market that allow your network administrators to implement such a rule set. Make it policy and invest in this capability.
Provide a removable media screening capability:
How many times have you been to a conference or meeting where you received a thumb drive or disk containing information? If you are like us, you have lost count. How do you know that the media is clean and free of malicious code? You don’t.
In fact, you should follow the adage famously linked to Ronald Reagan: “trust but verify.” Create an off-line capability where employees can bring media received by outside sources to one of your security professionals who can perform a deep scan to ensure it is safe of malicious code without putting your information at risk.
Upon clearance from your security team, you may consider allowing the media to connect to your network. This rule only works if you have the resources in place to provide this service quickly, so ensure that you address this through the lens of your risk management program.
Scan removable media that has been connected to non-organization sources:
Often your workforce, particularly sales and marketing personnel, will take their removable media to other locations and connect it to another computer. Many others may take removable media home and connect to their home computers to work at home.
To paraphrase virtually everyone’s mom, “you don’t know where that computer has been!” It could be infected with a nasty virus or comparable malicious code that could infect your removable media.
When your employee plugs the newly infected media into your resources, that virus or malicious code now infects your network. Protect yourself, your business, and your valued information. Scan everything before allowing it on your network.
Train your workforce: Your workforce is your first line of defense when it comes to cybersecurity.
Inculcating a culture of cybersecurity pays rich dividends. When your workforce recognizes and appreciates cybersecurity threats, vulnerabilities, and impacts they are more inclined to adhere to policies, enforce them, and not tolerate violations.
Invest in educating and training your workforce as your investment will pay off in countless positive ways.
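The removable media rules above (organization-issued media only, deny anything not provided by the organization, quarantine media that has been connected to outside computers until it is rescanned) can be expressed as an ordered decision. This is an added example, not code from the original post: the approved media model, the inventory and the insertion events are all constructed, and the vendor/product identifiers are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Tuple

# Constructed: the single drive model the security team procures and issues (placeholder USB ids)
APPROVED_MODELS = {("1234", "abcd")}


@dataclass
class IssuedMedia:
    """One organization-issued drive as recorded in the security team's inventory (constructed)."""
    serial: str
    issued_to: str
    last_cleared: Optional[datetime]       # last deep scan by the security team
    last_external_use: Optional[datetime]  # last reported connection to a non-organization computer


@dataclass
class PlugEvent:
    """A removable-media insertion as an endpoint agent might report it (constructed shape)."""
    host: str
    user: str
    vendor_id: str
    product_id: str
    serial: str
    at: datetime


def evaluate_plug(event: PlugEvent, inventory: Dict[str, IssuedMedia]) -> Tuple[str, str]:
    """Apply the policy rules in order and return (decision, reason); decision is allow, deny or quarantine."""
    if (event.vendor_id, event.product_id) not in APPROVED_MODELS:
        return "deny", "not an organization-procured media model"
    media = inventory.get(event.serial)
    if media is None:
        return "deny", "serial not in the issued-media inventory"
    if media.issued_to != event.user:
        return "deny", f"media issued to {media.issued_to}, presented by {event.user}"
    if media.last_cleared is None:
        return "quarantine", "never cleared by the security team; route to offline screening"
    if media.last_external_use is not None and media.last_external_use > media.last_cleared:
        return "quarantine", "used on a non-organization computer since last scan; rescan before use"
    return "allow", "issued media, holder matches, scan current"


# Constructed inventory and a day's worth of insertion events
INVENTORY = {
    "SN-0001": IssuedMedia("SN-0001", "alice", datetime(2024, 3, 1), None),
    "SN-0002": IssuedMedia("SN-0002", "bob", datetime(2024, 3, 1), datetime(2024, 3, 10)),
    "SN-0003": IssuedMedia("SN-0003", "carol", None, None),
}
EVENTS = [
    PlugEvent("ws-01", "alice", "1234", "abcd", "SN-0001", datetime(2024, 3, 12, 9, 0)),
    PlugEvent("ws-02", "bob", "1234", "abcd", "SN-0002", datetime(2024, 3, 12, 9, 5)),   # used at home after scan
    PlugEvent("ws-03", "carol", "1234", "abcd", "SN-0003", datetime(2024, 3, 12, 9, 10)),  # never scanned
    PlugEvent("ws-04", "dave", "1234", "abcd", "SN-0001", datetime(2024, 3, 12, 9, 15)),  # alice's drive, other user
    PlugEvent("ws-05", "erin", "9999", "0001", "SN-9999", datetime(2024, 3, 12, 9, 20)),  # personal drive
]


def run(events, inventory):
    """Evaluate every event; returns (host, decision, reason) triples for the security log."""
    return [(e.host, *evaluate_plug(e, inventory)) for e in events]


if __name__ == "__main__":
    for host, decision, reason in run(EVENTS, INVENTORY):
        print(f"{host}: {decision:10s} {reason}")
```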
Remote Access Policy.
For years “road warriors” have traveled on business. After long days with clients, they return to their hotel rooms, connect to the hotel network, and remotely access your corporate network to deal with their electronic mail and access corporate information in preparation for the next day’s events.
Likewise, many employees would head home after a long day in the office, have supper with their families and, after getting the kids to bed, remotely access your corporate network to catch up on their electronic mail and get some additional work done in preparation for the next day. Remote access to your network has become a fact of life for many employees, including you.
Remote access policies have evolved over time and are very organization-specific.
Typical services addressed include electronic mail and file access. As you’ve been introduced to numerous cybersecurity principles in the context of risk management, now’s a good time to review your corporate remote access policy.
Is it easy to understand? Is it written in a style directed at the remote user or toward the technician enabling the capability?
Your remote access policy should be written in a style that is easy to understand and is applicable to both the remote user as well as the technical team that will implement and maintain the technology that enables the capability. Your policy does not need to detail the technical procedures that underpin the implementation.
Those procedures are best documented in operating instructions maintained by your technical staff. Rather, your policy should focus on the broad rules needed to provide a useful capability to maximize the productivity of your workforce. Include the following best practice rules in your policy:
Tightly control who has remote access:
Not everyone needs remote access. Only grant remote access to your corporate resources to those who have a legitimate and vetted need.
Make it clear that remote access to your corporate resources is solely for official business and is limited only to those who are specifically authorized to use the services.
Train those who have remote access:
“Road Warriors” and those who use remote access to your systems are more likely to expose your corporate resources to risks. As such, they need to have heightened awareness and understanding of risks and countermeasures.
Make sure they are equipped to recognize risks, use the right tools and procedures to mitigate them in accordance with your policies and perform at the levels you expect.
Properly provision services:
While some companies only grant remote access through corporate-provided devices, most now allow access through corporate devices, home computers, or any Internet-connected device.
This drives several security concerns. How do you ensure the person attempting access is a legitimate user and not a bad actor or imposter?
How do you know the remote device accessing your network isn’t infected with malicious code and will spread that infection when it connects to your network?
Address through your policy what services you will provide, what security mechanisms will be employed, user responsibilities, and what rules you have regarding devices and procedures.
Use two-factor authentication access procedures whenever possible. As an example mentioned earlier, my bank allows me remote access to my online banking, but requires me to provide two forms of identification. First, I have my password, which I protect (something I know).
Secondly, I am provided a tool that generates a code specific to me which changes every 30 seconds (something I have). When I log in, I provide both the something I have and the something I know to verify my identity. This technique has become a best practice to ensure that only authorized users access systems.
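The code that "changes every 30 seconds" is a time-based one-time password (TOTP, RFC 6238), built on HOTP (RFC 4226). The following is an added example, not code from the original post: it implements both algorithms with the standard library, stores a salted password hash as the "something you know", and accepts a login only when both factors verify. The secret and password are constructed test values; the secret is the RFC 6238 test seed.

```python
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP where the counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at) // step, digits)


def enroll(password: str, totp_secret: bytes) -> dict:
    """Create the server-side record: salted PBKDF2 password hash plus the shared TOTP secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": totp_secret,
    }


def authenticate(record: dict, password: str, code: str, now=None, window: int = 1) -> bool:
    """Both factors must verify: the password (something you know) and a current code (something you have)."""
    now = int(time.time()) if now is None else int(now)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    pw_ok = hmac.compare_digest(record["pw_hash"], candidate)
    # accept the current 30-second step and `window` steps either side to tolerate clock drift
    code_ok = any(
        hmac.compare_digest(totp(record["totp_secret"], now + d * 30), code)
        for d in range(-window, window + 1)
    )
    return pw_ok and code_ok


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test seed stands in for the secret provisioned to the token
    rec = enroll("correct horse battery staple", b"12345678901234567890")
    print("current code:", totp(rec["totp_secret"], time.time()))
    print("login ok:", authenticate(rec, "correct horse battery staple", totp(rec["totp_secret"], time.time())))
```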
Use anti-virus and anti-malware software:
Include in your policy a statement that all devices remotely connected to your corporate resources must be configured in accordance with your policies using approved antivirus and antimalware software.
This includes home computers and mobile devices, which are an ever-increasing preferred method of remote access for today’s dynamic workforce.
Mobile Device Policy.
Most of our clients rightfully are very concerned about the security risks posed by mobile devices used by their employees.
The risks presented by ubiquitous tablet computers (such as Nexus 7s, Surfaces, and iPads) and smartphones (such as Android, Windows, and iPhones) are plentiful and cause many executives to pause when deciding how to invest and incorporate them into their business process.
These executives are wise to consider threats posed by mobile devices. There are many publicly available hacking procedures available on the Internet that can show “wanna-be” hackers how to intrude into unprotected mobile devices. News reports of criminals exploiting mobile devices heighten awareness of the threats and anxiety over them. What should you do?
Make mobile devices a key part of your business strategy and figure out a way to use them effectively, efficiently, and securely.
Mobile devices greatly enable and improve the productivity of your business and workforce. They improve productivity by enabling greater connectivity and information sharing, nearly anyplace and nearly any time.
They provide access to the world’s information and resources in a way that was unfathomable 20 years ago. They are redefining the business environment and are increasing the velocity and precision of the business.
You need to leverage the power of mobile devices while preserving the effectiveness, efficiency, and security of your business processes.
Some organizations erect horribly restrictive and technically complex policies that make using mobile devices a chore, not a mission enhancement.
Others argue that small businesses don’t need a mobile device policy because they don’t have a lot of devices and likely don’t have a lot of infrastructure.
Nonsense! Everyone in your organization who uses mobile devices in the execution of their duties needs to know what your business rules are for using these devices. Don’t make things too complicated. Stay away from focusing on the technology and focus on the business impacts and risk when building your policy.
Information and risk:
What corporate services and information can mobile device users access? Some businesses only offer electronic mail while others offer richer abilities, including access to office files and full user privileges.
Other organizations are able to monitor the mobile devices remotely for troubleshooting and security purposes and push patches to keep them current.
Some even have the capability to remotely wipe or disable lost or stolen devices. The size, complexity, and resources available in your organization will drive what you can and cannot provide. Nonetheless, your policy should clearly state what services are provided.
There are a plethora of security questions your policy should answer. What are your policy’s security measures? Do you require that all devices have password protection enabled? Do they need to have current antivirus software?
If so, who is responsible to keep them updated? Do you require the device to automatically lock itself if it hasn’t been used in five minutes?
Do you require that any data on the device be encrypted? If so, what encryption software do you use, who manages the key, and how is it kept up to date?
How do you back-up the data to ensure that it doesn’t get lost if the device is lost, stolen, or damaged? Is it your policy to configure the device to automatically wipe itself after ten failed login attempts?
If the device is lost or stolen, who is authorized to use tools to locate the device and or remotely wipe it? How do you know who is using your devices and what they are doing? Do you care?
How do you enforce your security requirements? Do you allow connection to commercial Wi-Fi?
There also are several security best practices you should consider, such as directing employees to turn off Bluetooth and Wi-Fi when not in use, as these transmission capabilities expose the devices to potential threats.
Another best practice is to prohibit the use of public computers when conducting corporate business as some public computers are known to host keylogging software and other agents that can be used to compromise your defenses. The security section of your mobile device policy should be comprehensive yet easy-to-understand and easy-to-follow.
Your policy should address the care and maintenance of mobile devices. What happens if your device malfunctions or a mobile user has a problem? What happens if an employee forgets their password and is locked out of their device? Who does your employee call when they need help (especially in a hurry)?
In an era where employees may provide their own mobile device, this presents special challenges for your workforce as well as your IT staff. Your policy should make it clear who is responsible for what capabilities.
Your policy should include clear rules regarding business processes used to support mobile device usage. As an example, who is authorized to have the organization provide for or subsidize mobile devices?
What is the process to request such support and who approves it? Who budgets for mobile devices and pays the bills?
Who is responsible to validate the bill before it gets paid? If an employee is terminated, how and when are their mobile services terminated as well? How is your inventory managed and accounted for?
How and when do you audit to ensure that your policies are properly followed? Your policy should detail the key business processes that make your mobile device usage a true business enhancement.
There are literally thousands of applications available that can be installed on mobile devices. What is your policy for installing applications on the devices? What applications are permitted and which are forbidden?
In a BYOD environment where your organization subsidizes employees, the lines of authority and ownership are blurred, so not only do you need to be clear about what your rules are but also you must be within your rights.
Best practices for mobile devices owned by the organization call for managers to only install applications that are essential to conducting their business on the device.
Back-up and recovery:
In a BYOD mobile device environment, back-up and recovery increasingly is an employee responsibility. Be sure to spell out roles and responsibilities on how important corporate information is managed on mobile devices including its back-up and recovery.
Many organizations use cloud-based services to host information generated on mobile devices and through a combination of automated and manual processes ensure that such information is pushed from the mobile devices to the secured storage locations. Ensure that your policy addresses how information is backed up and remains recoverable.
Mobile devices are great tools that can help your business regardless of its size and composition. Whether you have corporate-issued mobile devices, bring your own, or have a combination of the two, it is important that your organization identify its mobile device rules to ensure you remain effective, efficient, and secure.
Do you know that September 19th is International Talk Like a Pirate Day?
Your software policy should include the following attributes:
Your policy is applicable to all employees, contractors, and anyone else who has access to your network and its devices.
Assign responsibility for budgeting for all software. Normally, this is a function assigned to the CIO.
CIOs will look for opportunities to reduce software costs through the purchase of enterprise licensing agreements, which generally are less expensive on a per-user basis than list costs. Centralized budgeting also provides better visibility of software costs, something every executive team appreciates.
Centrally manage your software buys instead of distributing them across your organization. In addition to economies of scale and better visibility into software costs, channeling all software buys through the CIO has proven to yield improvements in business processes as the CIO optimizes the flow of information across the organization.
Licensing and registration:
Your policy needs to state explicitly that all software will be appropriately licensed and registered. Be clear that your organization respects copyright laws and will not tolerate any illegal or inappropriate instances of software on your network or its devices.
Define standards for auditing compliance with licensing and registration and assign responsibilities to ensure that your policy is carried out.
This is important as a recent study by the International Data Corporation found that the vast majority of pirated software contains hidden malicious code that opens your computers and networks to attack and exploitation.
Issue specific guidance on how software will be installed on your network. Empower your CIO by assigning specific responsibility for the validation and approval of software to the CIO; no software is installed on your network or devices without the permission of the CIO.
Storage and documentation:
Master copies of your software licensing and registration materials, as well as software documentation, need to be maintained. Your policy should assign responsibilities to execute these tasks to a software licensing manager, who usually reports to the CIO.
Assign responsibility for the maintenance of the master software inventory to the CIO and provide the necessary resources that enable the CIO to execute these duties.
Normal procedure in today’s network environment is to conduct auditing by periodically scanning the network and devices and comparing the official inventory against the fielded software instances. If you have software fielded for which you do not have sufficient licenses (or no licenses), you have trouble.
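The comparison of the official inventory against fielded software instances is a simple reconciliation. This is an added example, not code from the original post: the licensed seat counts and the scan results are constructed, and it reports both the conditions that mean trouble (software with no license on record, or installed on more devices than seats purchased) and the unused seats a CIO would want to see when looking for cost reductions.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed official inventory kept by the software licensing manager: product -> seats licensed
LICENSED_SEATS = {"OfficeSuite Pro": 40, "PhotoTool": 5, "DiagramApp": 10}

# Constructed scan results: one (hostname, product) pair for every installation the scanner found
SCAN_RESULTS = (
    [(f"ws-{i:02d}", "OfficeSuite Pro") for i in range(1, 38)]   # 37 installs of a 40-seat license
    + [(f"ws-{i:02d}", "PhotoTool") for i in range(1, 8)]        # 7 installs of a 5-seat license
    + [("ws-01", "DiagramApp"), ("ws-02", "DiagramApp")]        # 2 installs of a 10-seat license
    + [("ws-09", "UnlistedApp"), ("ws-21", "UnlistedApp")]      # product with no license on record
)

Finding = Tuple[str, str, int, int, List[str]]  # product, issue, installed, licensed, hosts


def audit_software(licensed: Dict[str, int], scan: List[Tuple[str, str]]) -> Tuple[List[Finding], Dict[str, int]]:
    """Reconcile scan results against the license inventory.

    Returns (findings, unused_seats): findings lists products that are unlicensed or
    over-deployed together with the hosts involved; unused_seats lists licensed capacity
    that the scan did not find in use.
    """
    installed = Counter(product for _, product in scan)
    hosts = defaultdict(list)
    for host, product in scan:
        hosts[product].append(host)

    findings: List[Finding] = []
    for product, count in sorted(installed.items()):
        seats = licensed.get(product)
        if seats is None:
            findings.append((product, "no license on record", count, 0, hosts[product]))
        elif count > seats:
            findings.append((product, "installed beyond licensed seats", count, seats, hosts[product]))

    unused = {p: seats - installed.get(p, 0) for p, seats in licensed.items() if installed.get(p, 0) < seats}
    return findings, unused


if __name__ == "__main__":
    findings, unused = audit_software(LICENSED_SEATS, SCAN_RESULTS)
    for product, issue, count, seats, where in findings:
        print(f"{product}: {issue} ({count} installed, {seats} licensed) on {where}")
    for product, free in unused.items():
        print(f"{product}: {free} licensed seats not in use")
```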
You can only upgrade what you own rights to. Include in your policy a statement that your organization will upgrade software through a deliberate process managed by the CIO but controlled through the corporate decision-making process. This is important as software upgrades often can be disruptive to business functions.
It is important to choreograph upgrades to maximize positive effects while minimizing negative ones. Strictly prohibit any upgrading of software packages outside of the official organizational process. This will provide better business continuity and reduce your exposure to software piracy.
Shareware and freeware:
You may have employees who come to you and say they’ve found a great new software tool they want to install to enhance their ability to do their job. You may even have a teenager at home who says the same thing about a program he found that can help with his homework.
They may even tell you the software is “free.” Be skeptical. While there indeed are numerous programs available, they all come with a cost. Shareware is intellectual property that is copyrighted.
Most owners of Shareware offer you a test-drive of their software and, if you like it, you pay them a fee. Freeware, on the other hand, is indeed free but often has no documentation and no path for any maintenance.
Cybersecurity professionals and CIOs are very cautious at the thought of installing Shareware and Freeware on their networks and devices as the quality and security of the software are rarely guaranteed and usually not as reliable as licensed and registered software.
If you are using Shareware or Freeware on your systems, be careful. If you are in a corporate environment, make sure both your CIO and general counsel have reviewed and approved of the software before you install and use it.
Using company software on home systems:
Your policy should strictly prohibit the copying and use of software licensed to the organization on home systems without the express written consent of senior executive management and the software license manager.
While you have a strict policy, that doesn’t mean that you shouldn’t provide for employees to receive legally procured software sponsored by the organization.
For example, many companies recognize that employees often will perform work-related activities on their home computers.
To mitigate the risk of infection from unprotected home systems, many organizations will provide their employees licensed and registered antivirus and antimalware software purchased under enterprise agreements.
Some companies go further by providing business applications that allow the employee to use their home computer much like they would at the office. These are good policies and pay off in enhancing productivity while minimizing risk to the business.
While you may not want to invest in home productivity packages for all employees, licensing for home computers is increasingly becoming a great investment for companies that can afford it.
An easy-to-follow software policy can keep you out of big trouble. Make sure you effectively and correctly manage your software both at home and in the office.
A final suggestion on your software policy: review it annually to ensure it is up-to-date. We suggest every September 19th.
Access Control Policy.
Do you lock your doors at night? Most people do and practice physical security access controls to prevent unauthorized access to their homes and facilities.
What about your information? Do you have an access control policy that addresses who can have access to your information? Do you define who can see it, who can edit it, and who can delete (aka destroy) it? You need an access control policy. Access control for information is usually implemented in three ways:
Role-Based Access Control:
In Role-Based Access Control, access decisions are based on an individual’s roles and responsibilities within the organization or user base.
Discretionary Access Control is a means of restricting access to information based on the identity of users and/or membership in certain groups.
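The difference between the two models is easiest to see on the same request evaluated under each. This is an added example, not code from the original post: the roles, users, groups and documents are constructed. Under Role-Based Access Control the decision depends only on the requester's roles; under Discretionary Access Control each document carries an access list that only its owner may change, granting rights to named users or to groups.

```python
from typing import Dict, Set

# --- Role-Based Access Control: permissions attach to roles; users hold roles (constructed data) ---
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "viewer": {"read"},
    "editor": {"read", "edit"},
    "records_manager": {"read", "edit", "delete"},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"editor"}, "bob": {"viewer"}, "carol": {"records_manager"}}


def rbac_allows(user: str, action: str) -> bool:
    """Decision depends only on the user's roles; the item and its owner play no part."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in USER_ROLES.get(user, set()))


# --- Discretionary Access Control: each item carries an ACL its owner controls (constructed data) ---
GROUPS: Dict[str, Set[str]] = {"finance": {"alice", "bob"}}
DOCUMENTS = {
    "budget.xlsx": {"owner": "alice", "acl": {"group:finance": {"read"}}},
    "policy.docx": {"owner": "carol", "acl": {"user:alice": {"read", "edit"}}},
}


def dac_allows(user: str, action: str, doc: str) -> bool:
    """Decision comes from the document's ACL: identity of the user and membership in groups."""
    entry = DOCUMENTS[doc]
    if user == entry["owner"]:
        return True  # the owner sets the ACL, so the owner is never locked out
    granted: Set[str] = set()
    for principal, perms in entry["acl"].items():
        kind, name = principal.split(":", 1)
        if (kind == "user" and name == user) or (kind == "group" and user in GROUPS.get(name, set())):
            granted |= perms
    return action in granted


def dac_grant(requester: str, doc: str, principal: str, perms: Set[str]) -> bool:
    """Only the owner may change an item's ACL (that is the 'discretionary' part); returns False otherwise."""
    entry = DOCUMENTS[doc]
    if requester != entry["owner"]:
        return False
    entry["acl"].setdefault(principal, set()).update(perms)
    return True


if __name__ == "__main__":
    # carol holds the records_manager role, so RBAC lets her delete anything, yet under DAC
    # she has no entry on budget.xlsx and cannot even read it
    print("RBAC carol delete:", rbac_allows("carol", "delete"))
    print("DAC  carol read budget.xlsx:", dac_allows("carol", "read", "budget.xlsx"))
```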