Maintaining Business Information Security
The security of your business’ information, systems, and networks may not be your highest priority, but it is crucial to your customers, employees, and trading partners. To keep your production environment running, earn the trust of your customers, and reduce the risk of important information being mishandled or lost, every business needs coordinated information security and data management processes. Applying the practices below supports your cost-avoidance efforts and can also serve as a selling point when marketing your business.
What Is Information Security?
Information Security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Some Examples Of Information Used In Businesses Are:
- Emails
- Invoices
- Payrolls
- Employee Data
- Client Data
Why Is Information Security Management Important?
As your business grows, managing information security without proper processes becomes increasingly complicated and costly. Failing to protect information to the standard required by the regulators that apply to you can easily result in significant fines and penalties. To grow and expand around a strong core, think about the information you store and handle day to day, and plan for the information you will need in the future. Preparing this inventory now prepares your business for growth.
You Can Identify And Prioritize Your Company’s Information Types By:
- Thinking about the information used within and by your organization. Make a list of all the information types used.
- Listing and prioritizing the 5 most important types of information used in your business
- Identifying the system on which each information type is stored
- Creating a complete table for all your business information types, in priority order

Priority | Type of Information | Stored on which System? |
1        |                     |                         |
2        |                     |                         |
3        |                     |                         |
4        |                     |                         |
5        |                     |                         |
To be secure, data must be kept in an environment where the risk of it being changed, lost, or leaked is reduced to an acceptable level (no environment is risk-free) and where the people who need it can still reach it. If something goes wrong, your business’ reputation can be badly damaged and is extremely difficult to rebuild, especially for a small business.
Data requires special protection for:
- Confidentiality – Only those who need access to the information to do their jobs actually have access to it
- Integrity – The information has not been tampered with or deleted by anyone who is not authorized to change it
- Availability – The information is available when it is needed by the people who run the business
Note: Protecting information makes good business sense because it reduces your risk and lets you do more business in a safer environment. Current or potential business partners also want assurance that their information, systems, and networks are not put at risk when they connect to and do business with your company.
Providing Good Information Security Is Evidence Of:
- Sound management – Increasing your business productivity and reducing your overall risks in a safe environment
- Sound Customer Service – Giving your customers confidence in doing business with you and respectfully keeping their information secure
- Sound Legal Protection – Taking the appropriate steps to ensure that your customer’s information doesn’t fall into the wrong hands
- Sound Economics – Your business will experience increased productivity, decreased labor costs, less legal liabilities, gain of confidence, and a positive reputation
How Can I Protect My Information, Systems, and Networks?
- Protect information, systems, and networks from damage by viruses, spyware, malware, and adware
Obtain anti-malware software that scans in real time (on access, not only on demand), keep its detection signatures updated, and make sure it is running on every business computer.
Many Of These Malicious Code Programs Are Used By Organized Crime To:
- Access your and your clients’ information to make money illegally (for example, identity theft)
- Access your money
- Access your Personally Identifiable Information (PII)
- Enroll your computers in a botnet
- Use your systems or information for political purposes
Some Security Attacks To Watch Out For Are:
- Theft of data and resources
- Malicious code and viruses
- Unauthorized access to your computer accounts
- Theft of your laptops and computers
- Interception of your emails or Internet transactions
- Spoofing
- Snooping
- Abuse of system privileges
- Ransomware
- Theft of your computer files
- Denial of Service (DoS) attacks
- Insider threats
- Phishing
- Spear phishing
- Spam
- Compromised web pages
- Social engineering
To Identify The Protection Needed By Your Business’ Priority Information Types, You Can:
- Think about the information used in/by your organization
- Enter the 5 highest priority information types in your organization into the table below
- Enter the protection required for each information type in the columns to the right (C – Confidentiality; I – Integrity; A – Availability), marking “Y” where that protection is needed and “N” where it is not
- Finally, finish a complete table for all your business information types

Priority | Type of Information | C | I | A |
1        |                     |   |   |   |
2        |                     |   |   |   |
3        |                     |   |   |   |
4        |                     |   |   |   |
5        |                     |   |   |   |
**BE SURE TO SCAN AND UPDATE YOUR ANTI-MALWARE SOFTWARE REGULARLY**
- Provide security for your Internet connection
- Most businesses use broadband to access the Internet. This type of connection is always on, so any network your computers are attached to is exposed to threats from the Internet 24/7. To protect against these threats, install and maintain a working firewall between your internal network and the Internet, and configure it to block all inbound connections except those you deliberately allow.
- Install and activate software firewalls on all your business systems
- Software firewalls on each computer are necessary even if a hardware firewall protects your network. If the hardware firewall is compromised by an attacker or by malicious code, or an infected laptop is brought inside the network, you do not want the intruder or malicious program to have unrestricted access to your computers and the information on them.
- Patch your operating systems and applications
- Operating system vendors provide patches and updates to correct security problems and improve functionality. Applications such as web browsers and office productivity products (for example, Microsoft Office) must be patched and updated on the same regular basis. Enable automatic updates wherever the product offers them; unpatched, publicly known vulnerabilities are one of the most common ways attackers get in.
- Make backup copies of important business data
- Backups are necessary because computers die, hard disks fail, employees make mistakes, and malicious programs (ransomware in particular) can destroy or encrypt the data on your computers. Keep at least one copy offline or otherwise disconnected from your network so that ransomware cannot reach it, and test that you can actually restore from your backups. Please see the article Importance Of Having A Company Backup Plan for more information.
- Control physical access to your computers and network components
- Do not allow unauthorized persons to have physical access to, or to use, any of your business computers! Controlling physical access to your systems and networks also makes it easier to know who has access to them.
- To Help Ensure Only Authorized People Have Access To Your Business Computers, It Is Recommended To:
- Lock up laptops when they are not in use
- Position each computer’s display, or use a privacy screen, so that people walking by cannot see the information on the screen
- Lock the screen whenever you step away from a computer, and be aware of who is in your work area and whether they should be there
- Note: Criminals often attempt to get jobs on cleaning crews for the purpose of breaking into computers for the sensitive information that they expect to find there. No one should be able to walk into your office space without being challenged by an employee!
- Secure your networks and wireless access point
- Steps To Take If You Are Using A Wireless Network:
- Configure the access point not to broadcast its Service Set Identifier (SSID). Note that this is not a security control: the network name is still sent in the clear in client probe requests and association frames and is trivially recovered with a wireless sniffer, so never rely on it in place of encryption
- Change the administrative password that was on the device when you first received it, and disable remote (Internet-side) administration if the device offers it
- Use strong encryption so that data transmitted between computers cannot easily be intercepted and read by electronic eavesdroppers. Encrypt your WiFi with WPA2 (or WPA3 where all your devices support it) using the Advanced Encryption Standard (AES-CCMP) and a long, random passphrase; do not use WEP or the older WPA/TKIP mode, both of which are broken
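The wireless checklist above can be verified mechanically against the access point’s own configuration. The following is an added example, not code from the original page: it audits a hostapd-style configuration for the weaknesses the checklist warns about (WEP, legacy WPA, TKIP, a factory-default SSID or passphrase) and flags SSID hiding as informational only. It assumes the access point is configured with hostapd and uses hostapd’s real option names (wpa, wpa_key_mgmt, wpa_pairwise, rsn_pairwise, wep_key0, wpa_passphrase, ssid, ignore_broadcast_ssid); the two sample configurations, the default-name lists and the function names are constructed for this example.

```python
from __future__ import annotations

# Constructed sample: a factory-default style configuration with the weaknesses
# the checklist warns about (legacy WPA, TKIP, default SSID and passphrase).
WEAK_CONF = """\
interface=wlan0
ssid=linksys
ignore_broadcast_ssid=1
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
"""

# Constructed sample: WPA2 (RSN) with AES-CCMP only and a long random passphrase.
HARDENED_CONF = """\
interface=wlan0
ssid=acme-office
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=Vq7!kd92-LmzR4pX0w#tB8nQ
"""

DEFAULT_SSIDS = {"linksys", "netgear", "dlink", "default", "wireless"}   # illustrative list
DEFAULT_PASSPHRASES = {"password", "admin", "12345678"}                  # illustrative list


def parse_hostapd(text: str) -> dict:
    """Parse hostapd's key=value lines, ignoring blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_ap(conf: dict) -> list:
    """Return findings for an access-point config; an empty list means nothing found."""
    findings = []
    wpa = int(conf.get("wpa", "0"))   # hostapd bitfield: 1 = WPA (legacy), 2 = WPA2/RSN
    has_wep = any(k.startswith("wep_key") for k in conf)
    if has_wep:
        findings.append("WEP keys configured: WEP is broken, remove them")
    if wpa == 0 and not has_wep:
        findings.append("open network: no WPA2 configured")
    if wpa & 1:
        findings.append("legacy WPA enabled in the wpa bitfield: set wpa=2")
    if not wpa & 2:
        findings.append("WPA2/RSN not enabled: set wpa=2")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(f"{key} allows TKIP: use CCMP (AES) only")
    # hostapd falls back to wpa_pairwise when rsn_pairwise is not set.
    rsn = conf.get("rsn_pairwise") or conf.get("wpa_pairwise", "")
    if wpa & 2 and "CCMP" not in rsn.split():
        findings.append("RSN pairwise cipher does not include CCMP: set rsn_pairwise=CCMP")
    if conf.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append("SSID is a factory default: choose a unique network name")
    psk = conf.get("wpa_passphrase")
    if psk is not None and (len(psk) < 16 or psk.lower() in DEFAULT_PASSPHRASES):
        findings.append("wpa_passphrase is short or a known default: use 16+ random characters")
    if conf.get("ignore_broadcast_ssid", "0") != "0":
        findings.append("info: SSID hiding is enabled; it is not a security control, "
                        "the name is still visible in probe and association frames")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ap(parse_hostapd(text)) or ["no findings"])
```

Run it against the file the access point actually loads (for hostapd, typically /etc/hostapd/hostapd.conf); consumer routers expose the same settings through their web interface, and the same rules apply there.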
- Train your employees in basic security principles
- Employees who use any computer programs containing sensitive information should be told what that information is and must be taught how to properly use and protect it. After this training, they should be asked to sign a statement that they understand these business policies, that they will follow them, and that they understand the penalties for not following them. Training your employees in the fundamentals of information, system, and network security is one of the most effective investments you can make to better secure your business information, systems, and networks.
- Require individual user accounts for each employee on business computers and for business applications
- Set up a separate account for each individual and require a good password for each account. A good password is a random sequence of letters, numbers, and special characters at least 8 characters long; longer passphrases (12 characters or more) are better, and a password manager makes long random passwords practical. To better protect systems and information, make sure employees do their day-to-day work in accounts that do not have administrative privileges; this blocks most attempts, automated or not, to install unauthorized software. Older guidance, including the original version of this advice, called for changing passwords at least every 3 months; NIST’s current guidance (SP 800-63B) no longer recommends routine expiry and instead calls for changing a password promptly whenever it may have been compromised, and for multi-factor authentication wherever it is available.
- Limit employee access to data and information, and limit authority to install software
- It is very important not to:
- Provide access to all data to any employee
- Provide access to all systems to any employee. ONLY PROVIDE ACCESS TO THOSE SYSTEMS YOUR EMPLOYEES NEED TO DO THEIR JOB!
- Allow a single individual to both initiate and approve a transaction
Note: Use good business practices to protect your information!
What Are Some Highly Recommended Practices?
- Security concerns about email attachments and emails requesting sensitive information
- Do not open email attachments unless you are expecting the email with the attachment and you trust the sender. Calling the individual who “sent” the email, using a phone number you already have rather than one given in the email, and asking what the attachment is about is a good practice.
- Security concerns about web links in email, instant messages, social media, or other means
- For business or personal email, do not click on links in email messages; many scams take the form of links embedded in email that lead to a look-alike site. If you need to visit the organization’s site, type its address into the browser yourself or use a bookmark you created earlier.
- Security concerns about popup windows and other hacker tricks
- When connected to the Internet, do not respond to popup windows asking you to click “OK” for anything, and do not respond to popups telling you that you need a new codec, driver, or special program to view something on the page you are visiting. Close the popup using the X in its corner, or close the browser tab entirely.
- Doing online business or banking more securely
- Online business, commerce, or banking should only be done over a secure (HTTPS) browser connection. Modern browsers indicate this with a padlock icon in the address bar next to an address that begins with https://; older browsers showed the lock at the bottom of the window. Also check that the address is the organization’s real domain, since a phishing site can use HTTPS too. After any online commerce or banking session, log out and clear your browser cache, temporary Internet files, cookies, and history.
- Recommended personnel practices in hiring employees
- When hiring new employees, conduct a comprehensive background check before making a job offer.
- Security considerations for web surfing
- No one should surf the web using a user account which has administrative privileges.
- Issues in downloading software from the Internet
- Do not download software from unknown web pages. Obtain software from the vendor’s own site or an official app store and, where the vendor publishes them, verify the download’s checksum or digital signature before installing.
- How to get help with information security when you need it?
- No one is an expert in every business and technical area. Therefore, when you need specialized expertise in information/computer/network security, get help.
- How to dispose of old computers and media?
- When disposing of old business computers, remove the storage devices and destroy them. For magnetic hard disks this can be done with a degausser (an ordinary magnet is not strong enough to erase a modern drive), by taking the disk apart and beating the platters with a hammer, or by drilling several holes through the platters with a long drill bit. Solid-state drives (SSDs) and USB sticks keep data in flash chips, so the platter methods do not apply: use the drive’s built-in secure-erase or cryptographic-erase command and then physically shred the device. Remember to destroy the electronics and connectors as part of this project. You can also take your drives to companies that specialize in destroying storage devices; NIST SP 800-88 (Guidelines for Media Sanitization) describes acceptable methods for each media type.
- How to protect against Social Engineering?
- To protect against social engineering, employees must be taught to be helpful but vigilant when someone calls asking for information or special system access. The employee must first authenticate the caller. Asking for identification information that only someone in or associated with the organization would know is a start, but much of that information is public or easily researched, so a stronger check is to end the call and call the person back on a number taken from the company directory, not one the caller provides. If the caller cannot be verified, the employee should politely but firmly refuse the request, and then notify management of the attempt to obtain information or system access.
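The advice above about links in email rests on a handful of tricks that phishing mail relies on, and they can be checked before anyone clicks. The following is an added example, not code from the original page: it parses a constructed HTML message and flags links whose visible text shows one host while the href goes to another, hosts that are bare IP addresses, a user@ prefix that pushes the real host out of view, and non-ASCII (look-alike) characters in the host name. The message text, the domains and the function names are constructed for this example.

```python
from __future__ import annotations

import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message, as a phishing mail might be rendered. The fourth
# link uses a Cyrillic "е" (U+0435) in place of the Latin "e".
SAMPLE_EMAIL = """
<p>Your account has been limited. Please verify at
<a href="http://198.51.100.7/login">https://www.examplebank.com/login</a>
or via <a href="https://www.examplebank.com@evil.example/x">our secure portal</a>.
Also see <a href="https://www.examplebank.com/help">www.examplebank.com/help</a>
and <a href="https://www.exampl\u0435bank.com/">www.examplebank.com</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL, or of bare 'host/path' text that has no scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_link(href: str, text: str) -> list:
    """Return the reasons a link looks deceptive (empty list = nothing found)."""
    reasons = []
    target = host_of(href)
    if "@" in urlsplit(href).netloc:
        reasons.append("user@ prefix hides the real host")
    if is_ip(target):
        reasons.append("href points at a bare IP address")
    if not target.isascii():
        reasons.append("non-ASCII characters in host (look-alike domain)")
    # Only compare hosts when the visible text itself looks like an address.
    shown = host_of(text) if "." in text and " " not in text else ""
    if shown and shown != target:
        reasons.append(f"visible text says {shown} but href goes to {target}")
    return reasons


def scan_email(html: str) -> list:
    """Scan a message; return (href, reasons) only for links with at least one reason."""
    parser = LinkCollector()
    parser.feed(html)
    return [(href, r) for href, text in parser.links if (r := assess_link(href, text))]


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href, "->", "; ".join(reasons))
```

The third link in the sample is reported clean because its visible text and its destination agree; that is exactly the case a careful reader can also verify by hovering over the link, which is why the checks here mirror what a person should look for.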
How Can I Keep My Data Secure?
Businesses usually start out keeping their data in spreadsheets. This is risky because a spreadsheet is a plain file: anyone who can open the file can read, copy, or alter every record, and there is no log of who did what. Investing in a proper database-backed system such as a Customer Relationship Management (CRM) system improves this because access can be controlled per user and per role, changes are logged, and the data can be backed up centrally; it is also easier to add data as you go than to bulk-upload a spreadsheet later. Note that the protection comes from configuring those controls (individual accounts, least privilege, backups), not from the product alone.
Some examples of CRM Software are:
- Salesforce
- Oncontact
- Sage ACT!
- Prophet
- AllMcrm
Additionally, there are established information security management system (ISMS) standards such as ISO/IEC 27001. ISO 27001 specifies the requirements for establishing, operating, and improving an ISMS; an accredited certification body can then audit your company and certify that it meets those requirements.
ISO 27001 requires that management:
- Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts;
- Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
- Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
The key benefits of ISO 27001 are:
- It can act as the extension of the current quality system to include security
- It provides an opportunity to identify and manage risks to key information and systems assets
- Provides confidence and assurance to trading partners and clients; acts as a marketing tool
- Allows an independent review and assurance to you on information security practices
A company may want to adopt ISO 27001 for the following reasons:
- It is suitable for protecting critical and sensitive information
- It provides a holistic, risked-based approach to secure information and compliance
- Demonstrates credibility, trust, satisfaction and confidence with stakeholders, partners, citizens and customers
- Demonstrates security status according to internationally accepted criteria
- Creates a market differentiation due to prestige, image and external goodwill
- Certification under an accredited scheme is recognized internationally, so a company certified in one country does not need separate certification elsewhere (a certificate is normally valid for three years, with annual surveillance audits in between)
Policy statements for Asset Management, a systematic process of operating, maintaining, upgrading, and disposing of assets cost-effectively, include:
- All assets shall be clearly identified, documented and regularly updated in an asset register
- All assets shall have designated owners and custodians listed in the asset register
- All assets will have the respective CIA (Confidentiality, Integrity and Availability) rating established in the asset register
- All employees shall use company assets according to the acceptable use of assets procedures
- All assets shall be classified according to the asset classification guideline of the company
Policy statements for Access Control can include:
- All users shall have a unique user ID based on a standard naming convention
- A formal authorization process shall be defined and followed for provisioning of user IDs.
- An audit trail shall be kept of all requests to add, modify or delete user accounts/IDs
- User accounts shall be reviewed at regular intervals
- Employee shall sign a privilege form acknowledging their access rights
- Access rights will be revoked for employee changes or leaving jobs
- Privileges shall be allocated to individuals on a ‘need-to-have’ basis.
- A record of all privilege accounts shall be maintained and updated on regular basis
Organizational password management policies include:
- Users shall be forced to change their passwords at the time of first use
- Passwords shall have a minimum length of eight characters
- Passwords for all users shall expire in 30/60 days (note that NIST SP 800-63B now advises against routine expiry; if your organization follows that guidance, require a change only on suspected compromise)
- A record of the five previous passwords shall be maintained to prevent re-use of those passwords
- A maximum of three successive login failures shall result in the user’s account being locked out
- Passwords shall not be displayed in clear text while they are being keyed in
- Passwords must include at least one lowercase character (a-z), one uppercase character (A-Z), and one numeric character (0-9) or one special character (@ # $ & / +)
- All password entry attempts, successful and unsuccessful, shall be logged with date, time, IP address, machine name, application, and user ID; the password entered shall never be logged
Examples of clear work environment policies include:
- Critical information shall be protected when not required for use
- Only authorized users shall use the photocopier machines
- All loose documents from employee’s desks shall be confiscated at the end of business day
- A user’s desktop shall not contain documents, or shortcuts that point to documents, directly or indirectly
Sample operating system and application control policies include:
- All users in the organization shall have a unique ID
- No systems or application details shall be displayed before log-in
- In the condition of log-in failure, the error message shall not indicate which part of the credential is incorrect
- The number of unsuccessful log-in attempts shall be limited to 3/5/6 attempts
- During log-in process, all password entries shall be hidden by a symbol
- The use of system utility program shall be restricted e.g. password utility
- All operating systems and application shall time out due to inactivity in 5/10/15/30 minutes
- All applications shall have dedicated administrative menus to control access rights of users
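The password management policies and the operating system and application control policies above describe one authentication flow, and it is worth seeing them enforced together. The following is an added example, not code from the original page: a small in-memory account store that applies the complexity rule, keeps the last five password hashes to block re-use, locks an account after three failed attempts, returns the same error whether the user ID, the password, or the lock state caused the failure, and logs every attempt with user, time, source and application but never the password. Salted PBKDF2-HMAC-SHA256 is used for storage; the class and function names, the constants and the sample users in the usage are the example’s own.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

MIN_LENGTH = 8          # policy: minimum length
HISTORY_DEPTH = 5       # policy: no re-use of the last five passwords
MAX_FAILURES = 3        # policy: lock the account after three failures
PBKDF2_ROUNDS = 100_000
GENERIC_ERROR = "Invalid username or password"  # never says which part was wrong


def check_complexity(pw: str) -> list:
    """Return the policy rules a candidate password violates (empty = OK)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9@#$&/+]", pw):
        problems.append("no digit or special character (@ # $ & / +)")
    return problems


def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the store keeps salt and digest, never the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    history: list = field(default_factory=list)   # (salt, digest) of previous passwords
    failures: int = 0
    locked: bool = False
    must_change: bool = True                      # policy: change at first use


class AccountStore:
    """Hypothetical in-memory account store implementing the policies above."""

    def __init__(self):
        self.accounts = {}
        self.attempt_log = []

    def create(self, user_id: str, initial_pw: str) -> Account:
        salt, digest = hash_password(initial_pw)
        self.accounts[user_id] = Account(user_id, salt, digest, history=[(salt, digest)])
        return self.accounts[user_id]

    def change_password(self, user_id: str, new_pw: str) -> list:
        """Enforce complexity and history; returns the list of violations."""
        acct = self.accounts[user_id]
        problems = check_complexity(new_pw)
        for salt, digest in acct.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(hash_password(new_pw, salt)[1], digest):
                problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
                break
        if problems:
            return problems
        acct.salt, acct.digest = hash_password(new_pw)
        acct.history = (acct.history + [(acct.salt, acct.digest)])[-HISTORY_DEPTH:]
        acct.must_change = False
        return []

    def login(self, user_id: str, pw: str, source_ip: str, host: str) -> tuple:
        acct = self.accounts.get(user_id)
        # Hash even for unknown users so response time does not reveal valid IDs.
        candidate = hash_password(pw, acct.salt if acct else b"\0" * 16)[1]
        ok = acct is not None and not acct.locked and hmac.compare_digest(candidate, acct.digest)
        if acct is not None and not acct.locked and not ok:
            acct.failures += 1
            acct.locked = acct.failures >= MAX_FAILURES
        elif ok:
            acct.failures = 0
        self.attempt_log.append({              # what is logged; the password is not
            "time": datetime.now(timezone.utc).isoformat(), "user_id": user_id,
            "ip": source_ip, "host": host, "application": "example-app",
            "result": "success" if ok else "failure",
        })
        if not ok:
            return False, GENERIC_ERROR        # same message for bad user, bad password, locked
        return True, "password change required" if acct.must_change else "ok"


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "Temp#2024x")
    print(store.login("alice", "Temp#2024x", "10.0.0.5", "pc1"))   # forced change at first use
    print(store.change_password("alice", "Temp#2024x"))            # blocked by history
    print(store.change_password("alice", "N3wPassw0rd!"))          # accepted
    for _ in range(3):
        store.login("alice", "wrong", "10.0.0.5", "pc1")
    print(store.login("alice", "N3wPassw0rd!", "10.0.0.5", "pc1"))  # locked: generic error
```

Two details carry most of the security value: the login path does the same hashing work and returns the same message for an unknown user, a wrong password and a locked account, so an attacker cannot enumerate valid IDs; and the attempt log records who, when, and from where without ever storing what was typed, which is what makes the log safe to keep and review.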
Policy statements for Network Security include:
- Appropriate authentication mechanisms shall be used to control the access by remote users.
- Allocation of network access rights shall be provided as per the business and security requirements
- Two-factor authentication shall be used for authenticating users using mobile/remote systems
Many businesses gain more clients and operate more efficiently by becoming certified, because certification makes you start out with the correct processes in place. Even if you only handle small amounts of information on a regular basis, you still need to think about where it may not be securely stored. The legal ramifications of mishandling or losing a client’s data are long and complicated. BY HAVING A POLICY IN PLACE, YOU ARE COVERING YOUR BACK SHOULD THE WORST OCCUR!
What Is The Worst That Can Happen?
It can be very beneficial to estimate the costs from the possible bad things that can happen to your important business information.
It is recommended to:
- Think about the information used in/by your organization.
- Enter into the table below your highest priority information type.
- Enter estimated costs for each of the categories on the left. If it isn’t applicable, please enter NA. Total the costs in each column in the bottom cell.
- After doing the above three steps, finish a complete table for all your information types.
<data type name>                                | Issue: Data Released | Issue: Data Modified | Issue: Data Missing |
Cost of Revelation                              |                      |                      |                     |
Cost to Verify Information                      |                      |                      |                     |
Cost of Lost Availability                       |                      |                      |                     |
Cost of Lost Work                               |                      |                      |                     |
Legal Costs                                     |                      |                      |                     |
Loss of Confidence Costs                        |                      |                      |                     |
Cost to Repair Problem                          |                      |                      |                     |
Fines & Penalties                               |                      |                      |                     |
Other Costs (Notification, etc.)                |                      |                      |                     |
Total Cost Exposure for this data type & issue  | $                    | $                    | $                   |
Glossary
- Adware: A software package which automatically renders advertisements in order to generate revenue for its author (also known as advertising-supported software)
- Asset Management: A systematic process of operating, maintaining, upgrading, and disposing of assets cost-effectively
- Compromised Web Pages: Legitimate web pages into which an attacker has inserted code, usually invisible to the visitor, that attempts to download spyware or other malware onto the visitor’s computer
- Cost-Avoidance: An expense one has avoided incurring
- Customer Relationship Management (CRM): A model for managing a company’s interactions with current and future customers.
- Data: Values of qualitative or quantitative variables, belonging to a set of items
- Denial Of Services (DoS) Attacks: An attempt to make a machine or network resource unavailable to its intended users
- Firewall: Can either be software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether it should be allowed through or not, based on a predetermined rule set.
- Identity Theft: Stealing and misusing someone’s identity, usually for financial gain
- Information Security: The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability
- Insider Threats: Harm caused by people inside the organization, whether through malicious actions, unintentional mistakes, or non-business use of systems
- ISO 27001: Certifies your company has implemented the correct requirements for managing information in a certain way.
- Malware: Software that is intended to damage or disable computers and computer systems
- Personally Identifiable Information (PII): Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context
- Phishing: Email that tricks you into giving up personal information (think identity theft)
- Service Set Identifier (SSID): The name of a wireless network; a service set is all the devices associated with a specific local or enterprise 802.11 wireless LAN
- Social Engineering: A personal or electronic attempt to obtain unauthorized information or access to systems or sensitive areas by manipulating people. The social engineer researches the organization to learn names, titles, responsibilities, and publicly available personal identification information, then usually calls the organization’s receptionist or help desk with a believable but made-up story designed to convince the person that the social engineer is someone in, or associated with, the organization and needs information or system access which the employee can provide and will feel obligated to provide
- Spear Phishing: Email containing specific company or personal details to deceive a targeted recipient into responding
- Spam: Unsolicited and unwanted email
- Spyware: Software that self-installs on a computer, enabling information to be gathered covertly about a person’s Internet use, passwords, etc.
- Viruses: Computer programs that can replicate themselves and spread from one computer to another
Sources
- http://www.selfemployedcafe.com/why-information-security-management-is-essential-for-small-businesses
- http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
- http://csrc.nist.gov/groups/SMA/sbc/documents/sbc_workshop_presentation_2012_final.pdf
- http://www.cs.uwp.edu/Classes/Cs490/project/SecurityWorkBook.doc