The DTI's recent Information Security Breaches Survey found that three out of four UK businesses have no security policy. Danny Bradbury offers a policy template for secure businesses culled from sources including a 1998 study from the US General Accounting Office, and from UK security consultancy Tech-Connect.
General
Map risks to business resources
First, evaluate some of the potential risks, such as denial of service attacks, hacking, and theft of information by employees. You can only begin to develop a coherent security policy if you understand how different risks will affect your business.
Assess the potential impact of attacks
Evaluate the different areas of your business and analyse the impact to them should the various risks occur. Resources are limited, and many companies spend only a tiny percentage of their IT budget on security, so it is important to understand which areas of the business are most exposed so that you can intelligently allocate funds. Many project managers address risk assessment by creating a grid with two axes: one measuring the probability of a risk occurring, and the other measuring the potential damage it could cause. You could apply this method to different business units or processes.
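The probability/impact grid described above, worked through on a constructed risk register (an added example, not from the article; the bands, units and threats are illustrative assumptions):

```python
# Added example (not from the article): a probability/impact risk grid of the
# kind the article describes, scored per business unit so that a limited
# security budget can follow exposure. Register contents are constructed.
from dataclasses import dataclass

# Qualitative bands, 1 (low) to 5 (high), as a project manager's grid would use.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

@dataclass
class Risk:
    unit: str        # business unit or process the risk applies to
    threat: str      # e.g. denial of service, hacking, insider theft
    likelihood: str  # key into LIKELIHOOD
    impact: str      # key into IMPACT

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def band(self) -> str:
        # Grid cells grouped into three treatment bands (assumed thresholds).
        s = self.score()
        if s >= 15:
            return "high"
        if s >= 6:
            return "medium"
        return "low"

def rank_risks(risks):
    """Risks ordered by grid score, highest first; ties keep input order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)

def exposure_by_unit(risks):
    """Sum grid scores per business unit, most exposed unit first."""
    totals = {}
    for r in risks:
        totals[r.unit] = totals.get(r.unit, 0) + r.score()
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))

# Constructed register for illustration only.
REGISTER = [
    Risk("Online sales", "denial of service", "likely", "major"),
    Risk("Online sales", "hacking of web server", "possible", "severe"),
    Risk("Finance", "theft of information by employees", "possible", "major"),
    Risk("Finance", "loss of building (fire, burglary)", "rare", "severe"),
    Risk("Warehouse", "virus outbreak", "likely", "minor"),
]

if __name__ == "__main__":
    for r in rank_risks(REGISTER):
        print(f"{r.score():2d} {r.band():6s} {r.unit}: {r.threat}")
    print(exposure_by_unit(REGISTER))
```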
Establish a chain of responsibility
Define a central group to control and enforce security procedures. Consistency across the organisation is the key to a good security policy. Establish a central authority for all aspects of security within your company, including data security and physical protection. It is also important that you give the group the support and attention of senior management, ideally at board level. If the team is to be effective, proper funding is necessary. Changes to corporate policy could be unpopular, so they need to be endorsed from the top.
Use an emergency response team
Create emergency response positions in the central group so that troubleshooters will be able to limit the damage and fix the problem in the event of a security flaw.
Make business line managers accountable
Make it clear that your line-of-business managers are directly responsible for implementing and maintaining security procedures in their business units. This will make it easier to enforce any security procedures that your central control unit subsequently defines.
Encourage end-user responsibility
Put the onus on employees to manage their own security. Make sure that they are educated about security risks, and give them a clear set of guidelines to follow, spelling out the disciplinary implications should they fail to do so.
Enforce common security procedures
Different companies will doubtless have their own security needs, but there are nonetheless some common requirements that should be in effect, no matter what sector you work in.
Make back-ups
Take regular back-ups that are verified and tested on a regular basis. Ideally, take them off-site in case of physical damage to the building, or burglary.
Conduct regular network scans
Make sure that you scan your network regularly, using a tool such as the popular Satan (www.fish.com/satan). Better still, pay for your network to be scanned by a security consultancy such as Internet Security Systems.
Proactively manage accounts
Make sure that passwords are changed on a regular basis, and that they are not immediately obvious. Insert random numbers in them, for example, and ensure that a minimum number of characters are used. Reject user names and common words.
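A checker for the password rules just listed (minimum length, a digit, no user name, no common word), as an added example that is not from the article; the minimum length of 8 and the small word list are assumptions standing in for a real policy and dictionary:

```python
# Added example (not from the article): enforce the article's password rules
# at account-creation or password-change time. MIN_LENGTH and COMMON_WORDS are
# assumed stand-ins; a real deployment would use the organisation's values.
import re

MIN_LENGTH = 8  # assumed minimum; the article only says "a minimum number"

# Constructed stand-in for a real common-word / cracking dictionary.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "secret", "summer"}

def password_problems(password: str, username: str) -> list:
    """Return the policy rules a candidate password breaks (empty list = OK)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("contains no digit")
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    # Strip digits and punctuation so that 'summer2001' is still caught as a
    # common word with numbers bolted on.
    core = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_WORDS or core in COMMON_WORDS:
        problems.append("based on a common word")
    if len(set(password)) < 4:
        problems.append("too few distinct characters")
    return problems

def is_acceptable(password: str, username: str) -> bool:
    return not password_problems(password, username)
```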
Manage staff departures
Allocate the responsibility of global password termination to a particular individual or group. Better still, employ a network directory system that can be used to manage employee lifecycles in a structured manner. When people join an organisation, accounts and passwords are created. When they leave, some can be left operational if no one is in charge of termination. Such loopholes in the system can be exploited by former staff. If employees leave under a cloud, this can be particularly dangerous.
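One way the group responsible for termination can check its own work: reconcile the HR leavers list against the directory's active accounts and flag any still enabled after the leave date. This is an added example, not from the article; both CSV exports are constructed and the column names are assumptions.

```python
# Added example (not from the article): find leavers whose accounts were never
# terminated. Inputs are constructed CSV snippets standing in for an HR export
# and a directory export; column names are assumed.
import csv
import io
from datetime import date

HR_LEAVERS_CSV = """username,name,leave_date
jsmith,Jane Smith,2001-03-30
bjones,Bill Jones,2001-05-11
akhan,Asif Khan,2001-06-01
"""

DIRECTORY_CSV = """username,enabled,last_login
jsmith,true,2001-04-09
bjones,false,2001-05-10
akhan,true,2001-05-28
mlee,true,2001-06-02
"""

def parse_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))

def overdue_accounts(leavers: list, accounts: list, today: date, grace_days: int = 0) -> list:
    """(username, days since leaving, logged in after leaving?) for each enabled leaver account."""
    enabled = {a["username"]: a for a in accounts if a["enabled"].lower() == "true"}
    overdue = []
    for leaver in leavers:
        left = date.fromisoformat(leaver["leave_date"])
        days = (today - left).days
        if leaver["username"] in enabled and days > grace_days:
            acct = enabled[leaver["username"]]
            # A login after the leave date is the loophole the article warns of.
            used_after_leaving = date.fromisoformat(acct["last_login"]) > left
            overdue.append((leaver["username"], days, used_after_leaving))
    return overdue

def check(today_iso: str, grace_days: int = 0) -> list:
    """Run the reconciliation on the embedded sample exports for a given date."""
    return overdue_accounts(parse_csv(HR_LEAVERS_CSV), parse_csv(DIRECTORY_CSV),
                            date.fromisoformat(today_iso), grace_days)

if __name__ == "__main__":
    for user, days, used in check("2001-06-04"):
        print(f"{user}: still enabled {days} days after leaving"
              + (", and logged in after leave date" if used else ""))
```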
Hardware and software configuration
Ensure that your firewalls are configured properly, with the right ports open and closed. Make sure that they log incoming and outgoing access. Switch on security options in hardware and software. Most wireless LANs come with the WEP security protocol disabled, for example. Often, software is configured with security options off to make it more user-friendly. Turn them on.
Use security auditors to evaluate the configuration of your hardware and software, and assess possible security flaws in your infrastructure.
Monitor your security policy
Change your policy as necessary. Above all, your security policy must be iterative. Review the potential risks, and their impact on your business, on a regular basis.
Evaluate success
Evaluate the success of your security procedures and use them to hold staff accountable. Also, keep track of new techniques and tools for monitoring your system security, because outside attackers certainly will. Include security in employee and manager performance reviews.
Users
Educate your users
Enforce a rule that if anyone's password is found written down anywhere in the office, everyone in the company will change their passwords. It will hammer home the importance of protecting passwords.
Make sure that users are briefed about social engineering attacks. Warn them never to give passwords to anyone in the organisation, even if they claim to be from the systems department.
Make your policy on the use of e-mail and Web surfing clear, detail the types of information that may not be sent online, and the types of Web site that may not be visited. Put it all in the employee handbook and induction sessions.
Reinforce security policies by distributing them to employees via media such as start-up screens.
Physical security
Lock away servers and restrict access to the IT room.
Strip workstations to their bare essentials: remove disc drives from those systems that do not need them.
Protect potentially sensitive corporate information by making sure that it is well secured, and render unreadable any physical equipment that is being discarded. Make sure that computer hard drives are erased before disposal using specialist software (a high-level reformat will not be enough), and shred or otherwise destroy any paper-based information that you throw out, including equipment manuals.
Change control procedures
When any change to hardware or software is made, security-test it first.
Check for patches to operating systems and applications on a regular basis. Be sure that they have been tested first, ideally by contacting other customers via newsgroups, for example: patches have been known to introduce system problems as well as solve them.
Separate Web servers from the network
Web servers with publicly accessible content should be placed in a zone that is not directly connected to the internal network. Ideally, information needed from databases should be accessed using server-side scripts.
Protect e-mail from attachments and scripts
Either configure client e-mail systems to reject attachments and embedded scripts, or configure a server to monitor incoming and outgoing e-mails for these risks.
Protect mobile data
Protect data held on laptops and personal digital assistants by encrypting it, and by instructing users in basic security techniques such as not leaving laptops unattended in public places. If possible, minimise the amount of sensitive information stored on laptop computers.