Advanced How To Guides: eSecurity

5.0 How do I determine which data is most important?
Companies often have 'information classification' rules. These rules differentiate between information that is sensitive and needs high security attention, such as employee details, and data that is less sensitive, such as price lists, product lists, or supplier contacts. Data classification plays a big part in the success of your security awareness effort. The problem is that many people find classification schemes too confusing or difficult to use. A simple but effective approach is to colour code data according to its sensitivity. Adopting the following guidelines should help:
- If disclosure of certain types of information would cost your company money, then label that information as 'restricted' or 'confidential'. Remember that the damage to your company's reputation may be many times the direct cost of the disclosure itself.
- If disclosure or loss of information would cost enough to threaten the company's survival, then use a higher classification for that type of information. Examples are 'Company Secret' or 'Competition Sensitive'.
- Limit the number of security classifications used. Use terms that people can relate to in order to distinguish between classifications. The old saying that simple is best definitely applies here.
6.0 Who will administer?
Administration means the day-to-day management of your IT systems. If administration of security and access is not performed regularly, then unauthorised users may gain access to your systems and assets. This could include using your machines as a medium to disrupt your suppliers' systems. Hackers routinely use "Trojan Horses" for this: malicious programs that let them use your computer as a stepping stone to hack into someone else's. When the victim traces the attack back, they will arrive on your doorstep. The key to security administration is well-defined roles and responsibilities for ALL users and administrators.

Administrators have access to all files and data. Therefore, one must be mindful of who is guarding the guards. Roles for security should be defined, documented, and implemented for both your own company and the contractors you employ.

Remember that security is everybody's responsibility, and it should be everybody's responsibility to implement security correctly. That said, it is not enough to have policies and procedures documented. Security content needs to be communicated to, and understood by, its target audience for it to be of any use.
Guidelines:
- Establish a security awareness program for all users. Content should be communicated in non-technical terms. This could include briefings, posters, clauses in employee contracts, security awareness days, etc.
- Implement security training for technical staff that is focused on the security controls for their particular technical areas.
- Set up processes to review security controls regularly, such as at the end of the week, month or quarter. Areas to consider include reviewing:
  - system records that note who was using the system, when, for how long, deletions, etc.
  - system user roles and privileges for both new and promoted employees
  - account removal when no longer needed, such as when people leave the company.
- Review the security architecture whenever the business and its strategies have changed and these changes have affected your network. It is good practice to review your company's security architecture.
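The three review areas listed above (who used the system and when, roles and privileges of new or promoted staff, and removal of leavers' accounts) can be turned into a repeatable check. The following script is an added example and is not part of this guide; the HR roster, the role-to-privilege baseline, the account list and the 90-day dormancy threshold are all constructed sample values.

```python
from datetime import date, timedelta

# Constructed sample data, not taken from the guide: the HR roster of current
# staff and their roles, the privilege set the business has agreed for each
# role, and the account inventory with the last login taken from system records.
HR_ROSTER = {"alice": "finance", "bob": "sales", "carol": "it_admin"}  # 'dave' has left
ROLE_PRIVILEGES = {
    "finance": {"login", "accounts_share"},
    "sales": {"login", "price_list"},
    "it_admin": {"login", "accounts_share", "price_list", "admin"},
}
ACCOUNTS = [
    # (user, privileges currently held, last login recorded by the system)
    ("alice", {"login", "accounts_share"}, date(2024, 3, 1)),
    ("bob", {"login", "price_list", "admin"}, date(2024, 3, 2)),  # 'admin' is not part of the sales role
    ("carol", {"login", "accounts_share", "price_list", "admin"}, date(2023, 11, 20)),  # unused for months
    ("dave", {"login", "price_list"}, date(2024, 2, 28)),  # leaver whose account was never removed
]


def review_accounts(accounts, roster, role_privileges, today, dormant_days=90):
    """Return (user, code, detail) findings for one review cycle.

    Codes: 'leaver' (owner no longer on the HR roster), 'excess' (privileges
    beyond the owner's role), 'dormant' (no login for more than dormant_days).
    """
    findings = []
    for user, privileges, last_login in accounts:
        role = roster.get(user)
        if role is None:
            findings.append((user, "leaver", "remove account"))
            continue  # nothing else to check once removal is the action
        excess = privileges - role_privileges[role]
        if excess:
            findings.append((user, "excess", f"beyond role '{role}': {sorted(excess)}"))
        idle = (today - last_login).days
        if idle > dormant_days:
            findings.append((user, "dormant", f"no login for {idle} days"))
    return findings


if __name__ == "__main__":
    # Run the review as of a fixed date so the sample output is reproducible.
    for user, code, detail in review_accounts(ACCOUNTS, HR_ROSTER, ROLE_PRIVILEGES, date(2024, 3, 31)):
        print(f"{user:6} {code:8} {detail}")
```

In practice the roster would come from HR, the account list from the directory or each system's user database, and the findings would feed the end-of-month review described above.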