Archive for April, 2006

Not the security solution I had in mind

Thursday, April 27th, 2006

When I blogged the other day about ways to prevent your data seeping out on flash drives I must confess I didn’t expect this to be the US Army’s response to its problem. It is buying up all the data and thereby creating a nice little market in its own stolen wares, so supply is presumably being upped! Hopefully the military is adopting some more lasting preventative measures too…

The 14 Infosec Basics

Tuesday, April 25th, 2006

As we know from the countless surveys that flood the industry, the good news is that an increasing number of companies are adopting a professional approach to information security; the bad news is that there are still many, many organisations that have yet to put their house in order.

From my experience, many of these are small to mid-size businesses that believe they lack the management bandwidth to deal with IT security right now (sure – technology is only mission critical when it stops working) or think it will prove hugely costly to tackle. So, instead of safeguarding their livelihoods, these businesses procrastinate and, as with anything we put off, the challenge becomes perceived as bigger than it is.

Knowledge is the weapon to kill inertia and the place to start is the 14 Infosec Basics. These apply to organisations of any size and ownership, although larger organisations will want to go beyond these in layering on additional measures. However, for SMEs and SMBs this is what you need to know – basic, but nonetheless vital:

1. Have a policy: make it real, practical and true to your business strategy.
2. Insist on accountability and responsibility: a basic rule of good management.
3. Identify asset ownership and classification: a comprehensive study of what needs protecting.
4. Address information security in all contracts, including employment and third party: let people know where they stand and ensure they can’t shirk responsibility for their actions.
5. Provide for the physical security of information systems: it seems so obvious until items go missing or get damaged.
6. Have up-to-date anti-malware software: naturally.
7. Implement and enforce user access controls: as I’ve blogged elsewhere, keep the tightest rein on this or risk the consequences.
8. Implement and enforce system access controls: you wouldn’t give a 10-year-old the keys to your car, so why would you put your IT system in the hands of someone unqualified?
9. Manage vulnerabilities: look for the chinks in your armour and patch them.
10. Have an incident response process: quick and clear communication stops dramas from becoming crises.
11. Have basic continuity and disaster recovery plans: how will you keep your customers happy if the roof falls in?
12. Monitor compliance: policies are great, provided that they are being followed.
13. Document essential policies, processes and procedures: share the critical information that people need to know.
14. Ensure that users are trained and aware of their responsibilities: give people the skills and knowledge to act responsibly.

Many organisations will have a few in place, but that’s not enough. You need the full 14 to ensure that you are making a professional response to security threats. But when you think about the consequence of failing to act, it’s not so hard now, is it?

Flash drives – again!

Monday, April 24th, 2006

Coming on the heels of my most recent post about the security risk posed by USB storage devices, here’s a story to chill the bones. It seems that classified military information is leaking out of Afghanistan and offered for sale on those wonderful flash drives that we love so much.

I spend most of my time trying to get businesses, and particularly mid-size businesses, to grasp the security nettle and put in place a proper ISMS. The military hasn’t been much of a priority for me because, apart from anything else, you would sort of hope they understood these things better than many. I guess not.

For any organisation, a fundamental part of the solution has to be an appropriate system of usernames, rights and privileges. To the greatest extent possible, you need to confine access to sensitive information to those people who really need it. Properly mapping out access rights and keeping them up to date is critical. For example, if someone leaves an organisation or moves within it, their username must be withdrawn or their access rights amended immediately, not three months later. Similarly, if someone needs particular access rights to do a project, those should be curtailed again as soon as the project is finished.
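One way to turn the leaver, mover and project-expiry rule above into a periodic access review, as an added example that is not from the original post: the account records, grant model and `review_access` function are constructed here for illustration, not the API of any real directory or HR system.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

@dataclass
class Grant:
    resource: str
    granted_for: str                 # "dept:<name>" (role-based) or "project:<name>"
    expires: Optional[date] = None   # project grants carry an end date; dept grants do not

@dataclass
class Account:
    username: str
    department: str                  # current department according to HR
    left_on: Optional[date] = None   # leaving date, if the person has left
    grants: List[Grant] = field(default_factory=list)

def review_access(accounts: List[Account], today: date) -> List[Tuple[str, str, str]]:
    """Return (username, resource, finding) for every grant that should be revoked."""
    findings = []
    for acct in accounts:
        if acct.left_on is not None and acct.left_on <= today:
            # Leaver: the whole account should already be disabled; report how late we are.
            lag = (today - acct.left_on).days
            for g in acct.grants:
                findings.append((acct.username, g.resource,
                                 f"leaver: account still active {lag} days after leaving"))
            continue
        for g in acct.grants:
            if g.expires is not None and g.expires < today:
                # Project finished: time-limited rights must be curtailed.
                findings.append((acct.username, g.resource,
                                 f"expired project grant ({g.granted_for})"))
            elif g.granted_for.startswith("dept:") and g.granted_for != f"dept:{acct.department}":
                # Mover: the grant was issued for a department the person no longer works in.
                findings.append((acct.username, g.resource,
                                 f"mover: grant belongs to former {g.granted_for}"))
    return findings

# Constructed sample data (not real accounts): one clean user, one mover, one leaver, one expired project.
SAMPLE = [
    Account("alice", "finance", grants=[Grant("ledger", "dept:finance"), Grant("payroll-db", "dept:finance")]),
    Account("bob", "sales", grants=[Grant("ledger", "dept:finance"), Grant("crm", "dept:sales")]),
    Account("carol", "ops", left_on=date(2006, 1, 20), grants=[Grant("fileserver", "dept:ops")]),
    Account("dave", "ops", grants=[Grant("fileserver", "dept:ops"),
                                   Grant("project-share", "project:migration", expires=date(2006, 3, 31))]),
]

if __name__ == "__main__":
    for username, resource, finding in review_access(SAMPLE, date(2006, 4, 24)):
        print(f"{username:6} {resource:14} {finding}")
```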

That might not prove popular, but it is part of the ‘soft skills’ requirements of modern IT managers to be able to sell their policies as well as implement them. They need to be able to explain persuasively why security is good for the employee as well as the organisation. (However, this article indicates that there is still a long way to go before the IT function develops the necessary people management skills. Note to the CEO – investing in this area is not a ‘nice to have’ item, it is an urgent requirement if you expect your IT to remain secure.)

It is also essential to have in place clear user agreements and acceptable use policies: (a) to ensure that employees understand what is expected of them and (b) to provide a basis for taking legal action against them if they flout this. These measures should include explicit instructions not to remove data without authorisation and various other measures to safeguard the integrity of the system.

I have written in considerably more detail about these issues in various books. However, in light of the profusion of USB storage devices today, I am thinking of adding one more measure to my recommendations, based on an item I read somewhere recently. If you are still worried that best practice policies and procedures aren’t enough, seal up the USB ports on people’s machines with glue!

ISO 27001 Toolkit for mid-size organisations

Friday, April 7th, 2006

Building an Information Security Management System (ISMS) from scratch can be a daunting task, particularly for mid-size organisations that may not have the luxury of generous budgets. To help eliminate the uncertainties and headaches we’ve launched a new ISO 27001 Toolkit, which in a single box provides everything you need to build a world-class system efficiently and at a fraction of the cost of calling in outside experts.

The Toolkit is an all-in-one programme for building an ISMS compliant with global best practice, in respect of ISO/IEC 17799:2005, ISO/IEC 27001:2005 and BS7799-3:2006. It is based on our definitive guide to ISMS development, ‘A Manager’s Guide to Data Security and BS7799/ISO17799’. In addition to the third edition of this book, the Toolkit includes the ISO/IEC 17799:2005, ISO/IEC 27001:2005 and BS7799-3:2006 standards and a CD-ROM with almost 400 densely packed pages of fit-for-purpose policies and procedures: a model Information Security Policy, a pre-written Information Security Manual, 110 pre-written policies, analysis tools, training materials and much more.

Since every organisation’s needs are different, purchasers benefit from our unique Drafting Support Service, which advises them on how to adapt the materials to their particular situation. They also receive our 12-month Automatic Update Service, which ensures that purchasers automatically benefit from any improvements to the Toolkit.

A robust ISMS is too important to be out of the reach of the middle market. We’ve deliberately priced this product at a significant discount to other options out there, so there can be no excuses!