by Howard Pierpont and James I. Nelson
Traditionally, the focus of Information Security efforts has centered on virus detection and prevention, hacking into systems, and securing networks from unintended intrusions. While these are still admirable areas to work on and provide measurable goals for internal reporting, they are just the tip of the iceberg. The weakest links in our information security protocols are employees.
People are a critical factor in ensuring the security of computer systems and information resources. Information security needs to begin on the desk PC or the laptop that travels between work and home. The role of the business continuity professional is to be aware of threats, make all employees aware of threats, and to work with the information security professionals to ensure that policies and procedures are in place to protect the organization.
System Security Plan
Every organization should have a system security plan as part of their overall business continuity, disaster recovery and resilience program. The plan delineates responsibilities and expected behavior of all individuals who access the system. The plan should include a comprehensive IT Information Security policy that adequately addresses all major areas of IT operations. At a minimum the policy should address the terms and conditions covering the use of the network, network etiquette, sanctions for noncompliance, and passwords.
Policies should prohibit use of office computers for personal purposes unrelated to the operation of the organization. The policy should be followed up with regular inspections to monitor computer and laptop usage.
Personnel Security
Many important issues in computer security involve human users, designers, implementers, and managers. A broad range of security issues relates to how individuals interact with computers, and the access and authorities needed to do their jobs.
It is important to include the following policies and procedures when evaluating personnel security:
- Personnel screening
- Personnel termination
- Personnel transfer
- Access agreements
- Third-party personnel security
- Personnel sanctions
IT policies should include procedures for acceptable computer, internet and email use, data and virus protection, password security, remote access and internet privacy.
PC or Laptop Security
A key area where many organizations struggle is the corporate laptop issue. A huge potential benefit to the BC program is providing laptops to key personnel, laptops that are taken home each and every evening. This gives BCP team members and key staff the ability to work remotely if their primary work area is not available.
However, the data on laptops needs to be kept safe, backed up and synchronized. While the mean time between failures is significantly longer than in the past, this can give the end user a false sense of security. The reality is the data can be compromised by viruses, hacking, hardware failure or environmental issues. Laptops can also be lost or stolen, and the plan should reflect these risks. Laptops are cheap, data are not.
Account Access as Part of Information Security
Organizations should have some type of account naming scheme. When a new end user is identified, he should be issued an account based on company policies. This would include access to the network, mail systems, databases, applications and information sources. Each of the access rights granted should be on a need-to-use basis.
Production systems should only have accounts that are directly traceable back to an owner. There is a need for system accounts and batch or other processing accounts, but each needs an owner who is responsible for that account. As an application migrates from development to test and then to production, all the earlier accounts and capabilities should be deleted, and only the required accounts should be recreated in the system with proper authorizations.
The following combinations of functions should not be performed by the same individual:
- Data entry and verification of data
- Data entry and its reconciliation of output
- Input of transactions for incompatible processing functions
- Data entry and supervisory authorization functions
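The two controls above (every production account traceable to an owner, with development and test accounts removed at migration, and no individual holding an incompatible pair of functions) can be checked mechanically against an account inventory. The following is an added example, not code from the article or its authors; the inventory layout and the ACCOUNTS sample are constructed for illustration, and the "payables_input / receivables_input" pair is an assumed instance of "incompatible processing functions", which the article leaves organization specific.

```python
"""Audit a constructed account inventory for unowned accounts, leftover
dev/test accounts in production, and separation-of-duties conflicts.
Example code added for illustration; inventory format is an assumption."""

from collections import defaultdict
from itertools import combinations

# Function pairs that the same individual must not hold (the article's list).
SOD_CONFLICTS = {
    frozenset({"data_entry", "data_verification"}),
    frozenset({"data_entry", "output_reconciliation"}),
    frozenset({"data_entry", "supervisory_authorization"}),
    # "Incompatible processing functions" are organization specific; this pair
    # is an assumed example, not taken from the article.
    frozenset({"payables_input", "receivables_input"}),
}

# Constructed sample inventory. "type" is "user" (interactive login) or
# "service" (batch/system account); "origin" is the environment the account
# was created in; "functions" are the business functions it can perform.
ACCOUNTS = [
    {"name": "jsmith", "type": "user", "owner": "jsmith", "env": "prod",
     "origin": "prod", "functions": {"data_entry"}},
    {"name": "jsmith_sup", "type": "user", "owner": "jsmith", "env": "prod",
     "origin": "prod", "functions": {"supervisory_authorization"}},
    {"name": "mlee", "type": "user", "owner": "mlee", "env": "prod",
     "origin": "prod", "functions": {"data_entry", "data_verification"}},
    {"name": "akhan", "type": "user", "owner": "akhan", "env": "prod",
     "origin": "prod", "functions": {"payables_input", "receivables_input"}},
    {"name": "svc_batch_nightly", "type": "service", "owner": "mlee",
     "env": "prod", "origin": "prod", "functions": {"output_reconciliation"}},
    {"name": "svc_legacy_etl", "type": "service", "owner": None,
     "env": "prod", "origin": "prod", "functions": {"data_entry"}},
    {"name": "test_loader", "type": "user", "owner": "akhan", "env": "prod",
     "origin": "test", "functions": {"data_entry"}},
]


def unowned_accounts(accounts):
    """Accounts of any type with no accountable owner recorded."""
    return sorted(a["name"] for a in accounts if not a.get("owner"))


def leftover_lifecycle_accounts(accounts):
    """Accounts created in dev or test that still exist in production."""
    return sorted(a["name"] for a in accounts
                  if a["env"] == "prod" and a["origin"] in ("dev", "test"))


def sod_violations(accounts):
    """Separation-of-duties conflicts per person.

    Functions are aggregated across every interactive account a person holds,
    so splitting two incompatible duties across two logins is still flagged.
    Service accounts are excluded here; they are covered by the owner check.
    """
    per_person = defaultdict(set)
    for a in accounts:
        if a["type"] == "user" and a.get("owner"):
            per_person[a["owner"]].update(a["functions"])
    findings = []
    for person, funcs in per_person.items():
        for f1, f2 in combinations(sorted(funcs), 2):
            if frozenset({f1, f2}) in SOD_CONFLICTS:
                findings.append((person, f1, f2))
    return sorted(findings)


def audit(accounts):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "unowned": unowned_accounts(accounts),
        "leftover_dev_test": leftover_lifecycle_accounts(accounts),
        "sod_conflicts": sod_violations(accounts),
    }


if __name__ == "__main__":
    for check, findings in audit(ACCOUNTS).items():
        print(f"{check}: {findings if findings else 'none'}")
```

Aggregating functions per person rather than per account is the design choice that matters: a conflict hidden behind a second login for the same individual is exactly the case a per-account review misses.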
Conclusion
An often overlooked issue in information security involves human users. To protect your organization, it is essential that an Information Security Plan be included as part of the plans to address the resiliency of the organization. This plan should include a broad range of security issues such as how individuals interact with computers, policies for laptop use, and the access and authorities needed to do their jobs. Business continuity professionals should collaborate with information security professionals to raise awareness of security and to provide training for all employees with the goal to reduce the risks to the organization.
About the Authors
Howard Pierpont has almost 20 years of BC background along with extensive IT management and security experience. Howard is also a Charter Member and Instructor for The International Consortium for Organizational Resilience (ICOR), an international non-profit education, certification, and credentialing organization. www.theicor.org or (866) 765-8321.
James I. Nelson is the President of Business Continuity Services, Inc. (www.BusinessContinuitySvcs.com), a consulting firm with a focus on business continuity, crisis management, and disaster recovery. He also serves as President of the Board of Directors for the ICOR.