From Nation’s Business, November 1997
Firewalls, security scanners, antivirus software and other types of security technology aren’t enough to prevent high-tech crime. Real prevention begins by formulating a company security policy that details — among other matters — what information is valuable and how to protect it.
“A lot of companies don’t have a policy in place,” says Patrice Rapalus of the Computer Security Institute in San Francisco. “It’s still an area where there needs to be a lot of awareness. Companies don’t believe it’s a problem.”
A good security policy shouldn’t be just a list of stringent rules imposed upon employees, according to Ira Winkler of the National Computer Security Association in Carlisle, PA. In his book, “Corporate Espionage” (Prima Publishing, $26), Winkler recommends that employees be involved in establishing the policy because they can suggest areas where the company is vulnerable based on their on-the-job experience.
Besides setting rules for users, the policy should spell out managers’ responsibilities. Computer-security experts and product vendors recommend that a company’s policy include the following items:
What Computer-System Managers Must Do
Monitor employees’ use of PCs, computer networks and the Internet. Inform employees that monitoring will occur.
Classify information based on its sensitivity and grant employees access to it only on a need-to-know basis.
Record serial numbers of technology equipment such as personal computers, notebook computers and printers.
Limit visitors’ access to the facility.
Assign a contact person whom service providers can call if they notice unusual computer or telephone-call activity that suggests a break-in, particularly during evenings or on weekends when nobody is on site.
Periodically assess the vulnerability of computers and networks and of security devices such as alarms and locks.
Keep up with new security vulnerabilities by consulting sources such as the Computer Emergency Response Team at Carnegie Mellon University (www.cert.org), the National Computer Security Association (www.ncsa.net) and the SANS Institute (www.sans.org).
Remove modems from individual PCs and cut down on the number of modem lines that go out of the building.
What Employees’ Supervisors Must Do
Assign each employee a password and instruct employees to keep it confidential: they should not reveal it to others or write it down where it could be found.
Instruct employees not to give out sensitive information over the telephone. If employees are unsure whether the requested information is sensitive, they should check with a supervisor before answering.
Install password-protected screen savers that lock the display when the user has stepped away from the computer, so that passers-by can neither read what is on the screen nor use the unattended session.
Have employees log off the network and shut down their PCs at the end of the day or when they go to lunch.
Don’t allow employees to install their own software on PCs.
Require employees to encrypt sensitive files that they send via the Internet.