Maintaining Business Information Security

Note: Use good business practices to protect your information!

What Are Some Highly Recommended Practices?

• Security concerns about email attachments and emails requesting sensitive information
  • Do not open email attachments unless you are expecting the email with the attachment and you trust the sender. Calling the individual who “sent” the email and asking them what the attachment is about is a good practice to utilize.
• Security concerns about web links in email, instant messages, social media, or other means
  • For business or personal email, do not click on links in email messages. Some scams are in the form of embedded links in emails.
• Security concerns about popup windows and other hacker tricks
  • When connected to and using the Internet, do not respond to popup windows requesting that you to click “ok” for anything. Do not respond to popup windows informing you that you have to have a new codec, driver, or special program for something in the web page you are visiting. Close the popup window by selecting the X in the upper right corner of the popup window.
• Doing online business or banking more securely
  • Online business/commerce/banking should only be done using a secure browser connection. This will normally be indicated by a small lock visible in the lower right corner of your web browser window. After any online commerce or banking session, erase your web browser cache, temporary internet files, cookies, and history.
• Recommended personnel practices in hiring employees
  • When hiring new employees, conduct a comprehensive background check before making a job offer.
• Security considerations for web surfing
  • No one should surf the web using a user account which has administrative privileges.
• Issues in downloading software from the Internet
  • Do not download software from any unknown web page.
• How to get help with information security when you need it?
  • No one is an expert in every business and technical area. Therefore, when you need specialized expertise in information/computer/network security, get help.
• How to dispose of old computers and media?
  • When disposing of old business computers, remove the hard disks and destroy them. The destruction can be done by using a magnet, taking apart the disk and beating the hard disk platters with a hammer, or drilling the disk with a long drill bit to put several holes through the recording platters. Remember to destroy the electronics and connectors as part of this project. You can also take your hard disks to companies who specialize in destroying storage devices such as hard disks.
• How to protect against Social Engineering?
  • To protect against social engineering techniques, employees must be taught to be helpful, but vigilant when someone calls in for help and asks for information or special system access. The employee must first authenticate the caller by asking for identification information that only the person who is in or associated with the organization would know. If the individual is not able to provide such information, then the employee should politely, but firmly refuse to provide what has been requested by the social engineer. The employee should then notify management of the attempt to obtain information or system access.

How Can I Keep My Data Secure?

Usually, businesses start out using a spreadsheet to maintain their data. This is very ineffective because the spreadsheet is not secure and can be accessed easily on your computer. To make your company more secure, it is a good idea to invest in a high-quality database, such as a Customer Relationship Management (CRM) System. A CRM System can be very useful because it will be easier to add data as you go, instead of doing a bulk upload from your spreadsheet. Also, CRM Systems keep your data more secure in a database with password restrictions.

Some examples of CRM Software are:

• Sales Force
• Oncontact
• Sage ACT!
• Prophet
• AllMcrm

Additionally, there are set information security management systems such as ISO 27001. ISO 27001 certifies your company has implemented the correct requirements for managing information in a certain way.

ISO 27001 requires that management:

• Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities, and impacts;
• Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
• Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.

The key benefits of ISO 27001 are:

• It can act as the extension of the current quality system to include security
• It provides an opportunity to identify and manage risks to key information and systems assets
• Provides confidence and assurance to trading partners and clients; acts as a marketing tool
• Allows an independent review and assurance to you on information security practices

A company may want to adopt ISO 27001 for the following reasons:

• It is suitable for protecting critical and sensitive information
• It provides a holistic, risked-based approach to secure information and compliance
• Demonstrates credibility, trust, satisfaction and confidence with stakeholders, partners, citizens and customers
• Demonstrates security status according to internationally accepted criteria
• Creates a market differentiation due to prestige, image and external goodwill
• If a company is certified once, it is accepted globally.

Policy statements for Asset Management, a systematic process of operating, maintaining, upgrading, and disposing of assets cost-effectively, include:

• All assets shall be clearly identified, documented and regularly updated in an asset register
• All assets of shall have designated owners and custodians listed in the asset register
• All assets will have the respective CIA (Confidentiality, Integrity and Availability) rating established in the asset register
• All employees shall use company assets according to the acceptable use of assets procedures
• All assets shall be classified according the asset classification guideline of the company

Policy statements can include:

• All users shall have a unique user ID based on a standard naming convention
• A formal authorization process shall be defined and followed for provisioning of user IDs.
• An audit trail shall be kept of all requests to add, modify or delete user accounts/IDs
• User accounts shall be reviewed at regular intervals
• Employee shall sign a privilege form acknowledging their access rights
• Access rights will be revoked for employee changes or leaving jobs
• Privileges shall be allocated to individuals on a ‘need-to-have’ basis.
• A record of all privilege accounts shall be maintained and updated on regular basis

Organizational password management policies include:

• Users shall be forced to change their passwords at the time of first use
• Passwords shall have a minimum length of eight characters
• Passwords for all users shall expire in 30/60 days
• A record of five previous passwords shall be maintained to prevent re-use of these passwords
• A maximum of three successive login failures shall result in a user’s account being locked out
• Passwords shall not be displayed in clear text when they are being keyed in
• Passwords must include at least one small character (a-z), one capital character (A-Z) and one numeric character (0 – 9) / one special character (@ # $ & / +)
• All password entry tries shall be logged along with date, time, IP address, machine name, application and user ID for successful, unsuccessful login attempts

Examples of clear work environment policies include:

• Critical information shall be protected when not required for use
• Only authorized users shall use the photocopier machines
• All loose documents from employee’s desks shall be confiscated at the end of business day
• A users desktop shall not contain reference to any document directly or indirectly

Sample operating system and application control policies include:

• All users in the organization shall have a unique ID
• No systems or application details shall be displayed before log-in
• In the condition of log-in failure, the error message shall not indicate which part of the credential is incorrect
• The number of unsuccessful log-in attempts shall be limited to 3/5/6 attempts
• During log-in process, all password entries shall be hidden by a symbol
• The use of system utility program shall be restricted e.g. password utility
• All operating systems and application shall time out due to inactivity in 5/10/15/30 minutes
• All applications shall have dedicated administrative menus to control access rights of users

Policy statements for Network Security include:

• Appropriate authentication mechanisms shall be used to control the access by remote users.
• Allocation of network access rights shall be provided as per the business and security requirements
• Two-factor authentication shall be used for authenticating users using mobile/remote systems

Many businesses are able to gain more clients and produce more efficiently by becoming certified because it helps you start out with the correct processes in place. Even if you only handle small amounts of information on a regular basis, you still need to think about where it may not be securely stored. The legal ramifications of mishandling or losing a clients’ data are long and complicated. BY HAVING A POLICY IN PLACE, YOU ARE COVERING YOUR BACK SHOULD THE WORST OCCUR!

What Is The Worst That Can Happen?

It can be very beneficial to estimate the costs from the possible bad things that can happen to your important business information.

It is recommended to:

• Think about the information used in/by your organization.
• Enter into the table below your highest priority information type.
• Enter estimated costs for each of the categories on the left. If it isn’t applicable, please enter NA. Total the costs in each column in the bottom cell.
• After doing the above three steps, finish a complete table for all your information types.

  • 	<data type name>  Issue: Data Released	<data type name>  Issue: Data Modified	<data type name>  Issue: Data Missing
    Cost of Revelation
    Cost to Verify Information
    Cost Of Lost Availability
    Cost of Lost Work
    Legal Costs
    Loss of Confidence Costs
    Cost to Repair Problem
    Fines & Penalties
    Other costs- Notification, etc
    Total Cost Exposure for this data type & issue	$	$	$

Glossary

• Adware:  A software package which automatically renders advertisements in order to generate revenue for its author (also known as advertising-supported software)
• Asset Management:  A systematic process of operating, maintaining, upgrading, and disposing of assets cost-effectively
• Compromised Web Pages:  Invisible code which will attempt to download spyware to your computer
• Cost-Avoidance:  An expense one has avoided incurring
• Customer Relationship Management (CRM):  A model for managing a company’s interactions with current and future customers.
• Data:  Values of qualitative or quantitative variables, belonging to a set of items
• Denial Of Services (DoS) Attacks:  An attempt to make a machine or network resource unavailable to its intended users
• Firewall:  Can either be software-based or hardware-based and is used to help keep a network secure. Its primary objective is to control the incoming and outgoing network traffic by analyzing the data packets and determining whether it should be allowed through or not, based on a predetermined rule set. 
• Identity Theft:  Steal and misuse your identity $$$
• Information Security:  The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability
• Insider Threats:  Malicious actions, unintentional, non-business use
• ISO 27001:  Certifies your company has implemented the correct requirements for managing information in a certain way.
• Malware:  Software that is intended to damage or disable computers and computer systems
  
• Personally Identifiable Information (PII):  Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in contest.
• PFishing:  Email tricking you into giving personal information (think identity theft)
• Service Set Identify (SSID):  Service Set means all the devices associated with a specific local or enterprise 802.11 wireless LAN(s)
• Social Engineering:  A personal or electronic attempt to obtain unauthorized information or access to systems or sensitive areas by manipulating people. The social engineer researches the organization to learn names, titles, responsibilities, and publicly available personal identification information,  Then the social engineer usually calls the organization’s receptionist or help desk with a believable, but made-up story designed to convince the person that the social engineer is someone in, or associated with, the organization and needs information or system access which the organization’s employee can provide and will feel obligated to provide.
• Spear PFishing:  Email with specific company details to deceive you into responding
• Spam:  Unsolicited and unwanted email
• Spyware:  Software that self-installs on a computer, enabling information to be gathered covertly about a person’s Internet use, passwords, etc.
• Viruses:  Computer programs that can replicate themselves and spread from one computer to another

Annotated Bibliographies

• http://www.selfemployedcafe.com/why-information-security-management-is-essential-for-small-businesses
  
• http://csrc.nist.gov/publications/nistir/ir7621/nistir-7621.pdf
• http://csrc.nist.gov/groups/SMA/sbc/documents/sbc_workshop_presentation_2012_final.pdf
  
• http://www.cs.uwp.edu/Classes/Cs490/project/SecurityWorkBook.doc