Protecting Company Information – Policy, Training, or Technology?

18 02 2012

Protecting company information – this is a topic that may never enter into the average employee’s mind. In fact, if you were to ask most employees to react to the concept, their first thought would likely be related to protection from external sources, such as cyber criminals (‘hackers’). However, if you were to ask a Chief Information Officer (CIO), Chief Security Officer (CSO), or any member of the IT security team, this would almost certainly be at the top of their list of concerns. So, what exactly is it that causes such concern? Furthermore, what can be done to address those concerns and protect the company?

There are many areas that need to be examined when developing an overall information security plan. Two of the most obvious are protecting intellectual property, which is any innovation, unique name, symbol, logo, or design used commercially, and protecting trade secrets, which include any formula, pattern, compilation, program, device, method, technique, or process used in one’s business.[i] However, other factors that may be somewhat less obvious at first glance need to be addressed as well, such as data/backup storage, mobile devices, external storage devices, email, customer and employee information, and more.

Knowing the many facets of this issue, companies are still left wondering: how do I fix the problem? Unfortunately, the answer can end up being almost as complex as the question. Many organizations look to technology as a fix, others feel that policies can address the issue, and some, though oftentimes a smaller number, will address the issue through training. The best approach, though, is not to look for a single solution that will address all concerns; companies need to focus on all three: policy, training, and technology.

Policy

Policies should form the foundation of the company’s information security plan. There is a delicate line, though, on the number of policies that should be written – it becomes almost a balancing act of having enough to be effective, but not so many that employees begin to ignore them. Though there are many policies that could make sense in individual business settings, there are ten core policies that most businesses should evaluate. The first of these is the Acceptable Use Policy, which broadly discusses appropriate employee security measures for using and protecting company data. The second is an Antivirus Policy, which makes it mandatory to have updated antivirus software on any computer that connects to the company network. Third is an Audit Policy, which clearly gives the security team the authority to perform routine audits. A Backup Policy will define the approved ways to back up data, the frequency of backups, and even the retention period. A fifth policy, which is often overlooked but can add a lot of value, is the Data Classification Policy, which classifies data in a manner that clearly lets employees know the confidentiality level of documents and files. The sixth policy a company should consider is the Electronic Communications Policy, which addresses items such as discussing company matters on social sites. An Email Policy is absolutely essential, as it describes appropriate use of email and forwarding of emails, and may also discuss retention periods. The eighth policy, an Information Security Policy, is somewhat generic, but can be written to cover many topics related to the security of company data. Ninth, the Password Policy may seem like common sense, but it enforces strong passwords and good practices. Finally, the tenth policy that companies should consider is a Remote Access Policy, which describes who may access the intranet remotely and the method for gaining access.[ii] While this is not a comprehensive list, these ten policies will form a solid foundation and provide guidance on some of the most critical aspects of data protection.

Training

Personnel training is one of the most critical, and most often overlooked, aspects of information security.[iii] A lack of training, or a poorly implemented training program, is a large and growing threat to security. According to CompTIA’s 7th Annual Trends in Information Security survey, human error is the primary cause of the most severe security breaches, yet significantly fewer organizations (45%) provided security training for their non-IT staff in 2008 compared to 53% in 2007.[iv] Providing a solid, and mandatory, training program is essential for ensuring that the company’s goals and policies are understood and implemented. Training will help ensure users understand their roles and responsibilities; understand policies, procedures, and practices; and have at least a basic understanding of the tools and technology available to them.[v] New hire orientation is a perfect time to initiate training; however, it is important that employees receive recurring training throughout their careers.

Technology

No information security plan would be complete without addressing technology. Often, especially in the past, companies have relied on technology alone to keep their information safe. This had a better chance of success in the past, when companies were less complex and attacks usually came from outside the company. Now, however, internal users are as much of a risk as external users, if not more. In addition, businesses are much more complex than they were in the past. Companies now have to worry about email, mobile devices, remote data storage, external storage devices, and more, which makes simply protecting the perimeter less effective.[vi] That being said, technology is definitely a crucial aspect of the plan. Intrusion detection/prevention systems, firewalls, antivirus software, desktop monitoring software, internet monitoring software, and more should be implemented and used to ensure the safety of the corporate network and data.

In conclusion, a company must address data protection in many ways in order to provide a comprehensive information security program. Three key aspects of a security plan are policies, training, and technology; however, companies also need to consider other items, such as physical barriers and other access controls. In addition to creating a solid foundation, it is just as important to keep the training, policies, and technology up to date and to continually evolve as threats to information change.
