What is the purpose of information security?
There are many reasons why you should protect the information you use on your computer, including:
· Ensuring that your information remains confidential, so that only those who should have access to it can get to it (confidentiality)
· Knowing that no one has been able to change your information, so you can depend on its accuracy (information integrity)
· Making sure that your information is available when you need it, by making back-up copies and, if appropriate, storing the back-up copies off-site (availability)
What does a manager have to do if the information is not accurate, safe, or relevant?
If the information is not accurate, safe, or relevant, the manager has to have it collected again and examine the process to see why it fell short. Once the accurate information needed has been obtained, a security policy should be established and maintained.
What are the stages in securing information?
1. Manage Your Technology Life Cycle
Old computer technology is less secure than new technology. Newer technology implements the latest tools (like intrusion protection), so one of the best things you can do to protect your business is to use the latest technology.
In fact, you should develop a technology lifecycle plan for all of your computer hardware and software assets. Consider replacing computers after four years; budget 25% each year for new technology to replace the old.
2. Establish a Password Policy
This one is really simple: make sure your computers, servers, Wi-Fi connections, etc., all have password protection. Adding open devices and connections to your network is just inviting trouble.
Close those connections now, using unique passwords for each user. Use strong, complex passwords, as many security professionals (and companies like Microsoft) have been recommending for some time. Require that passwords be replaced every month or every quarter. Lock out an account after “n” failed login attempts. Disable the accounts of past employees immediately.
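The rules in this section (complexity, quarterly rotation, lockout after “n” failures, disabling leavers) expressed as one login-decision routine. This is an added example, not code from the original post; the threshold of 5 attempts, the 30-minute lockout and the 12-character minimum are assumed values, and time is tracked as plain epoch seconds.

```python
from dataclasses import dataclass
from typing import Optional
import string

MAX_FAILED = 5                    # the "n" failed attempts before lockout (assumed value)
MAX_PASSWORD_AGE = 90 * 86400     # quarterly rotation, expressed in seconds
LOCKOUT_PERIOD = 30 * 60          # how long a lockout lasts, in seconds (assumed value)

@dataclass
class Account:
    username: str
    password_set: int                  # epoch seconds when the password was last changed
    disabled: bool = False             # set the moment an employee leaves
    failed_attempts: int = 0
    locked_until: Optional[int] = None

def password_is_complex(pw: str) -> bool:
    """Minimum length plus at least three of four character classes (assumed rule)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return len(pw) >= 12 and sum(any(c in cls for c in pw) for cls in classes) >= 3

def password_expired(acct: Account, now: int) -> bool:
    return now - acct.password_set > MAX_PASSWORD_AGE

def record_login(acct: Account, success: bool, now: int) -> str:
    """Apply the policy to one login attempt and return the decision as a string."""
    if acct.disabled:
        return "denied: account disabled"
    if acct.locked_until is not None and now < acct.locked_until:
        return "denied: locked out"
    if not success:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED:
            acct.locked_until = now + LOCKOUT_PERIOD   # lock, then start counting afresh
            acct.failed_attempts = 0
            return "denied: lockout triggered"
        return "denied: bad password"
    acct.failed_attempts = 0                            # a good login clears the counter
    acct.locked_until = None
    if password_expired(acct, now):
        return "allowed: password change required"     # let in, but force rotation
    return "allowed"

if __name__ == "__main__":
    acct = Account("alice", password_set=0)
    for t in range(MAX_FAILED):
        print(record_login(acct, success=False, now=t))
    print(record_login(acct, success=True, now=MAX_FAILED))   # correct password, still locked
```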
3. Back Up Your Data Frequently
Everyone I talk to says they have a back-up plan and, of course, they perform backups. But are their servers backed up frequently enough? And what about individual PCs – do they have data or apps that aren’t on the servers? Are they backed up, ever? Should they be?
Are backups taken off-site? Have you tried to restore your backups to a computer that is NOT in the original location? Are you using cloud-based apps but wondering whether your cloud-based data are backed up appropriately? (Bizmanualz's new OnPolicy Procedure Management Software eliminates the need for backups at the user level.)
And have you tested your backup process lately? Trust me — when you’re trying to recover your system from an attack or a fatal system error is not when you want to find out your backup process doesn’t work.
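A restore drill of the kind this section asks for: back up a directory, restore it to a different location, and compare file hashes so a silently broken backup is caught before an emergency. This is an added example, not the post's own tooling; the sample files are constructed in a temporary directory and the archive format (gzip-compressed tar) is an assumption.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(source: Path, archive: Path) -> None:
    """Write a gzip-compressed tar archive of the whole source tree."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")

def restore_backup(archive: Path, target: Path) -> None:
    """Unpack the archive into target; newer Pythons can refuse unsafe member paths."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)

def verify_restore(source: Path, restored: Path) -> list:
    """Return the source files that are missing or differ after the restore."""
    expected, actual = hash_tree(source), hash_tree(restored)
    return sorted(p for p, h in expected.items() if actual.get(p) != h)

def backup_drill(corrupt: bool = False) -> list:
    """Back up a constructed sample tree, restore it elsewhere, and return mismatches.
    corrupt=True damages one restored file to prove the check really catches problems."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "data")
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,42\n")          # constructed sample data
        (src / "notes" / "todo.txt").write_text("test the backups\n")
        archive = Path(tmp, "backup.tar.gz")
        make_backup(src, archive)
        restored = Path(tmp, "restore")       # a different location, as the text recommends
        restored.mkdir()
        restore_backup(archive, restored)
        if corrupt:
            (restored / "ledger.csv").write_text("id,amount\n")
        return verify_restore(src, restored)

if __name__ == "__main__":
    print("mismatches:", backup_drill())      # an empty list means the process works
```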
4. Use Malware and Virus Protection
It happens — people inadvertently download something they shouldn’t (social engineering techniques are that effective). The next thing you know, that computer — even your whole network — is compromised.
You need to develop a computer security policy. Consider centralizing your anti-virus and anti-spyware management instead of having each user responsible for their own devices. Enable frequent virus scanning and frequent, automatic updates. Monitor your anti-virus subscriptions — you can’t afford to let them lapse.
5. Secure Your Mobile Devices
Your company may be facing increasing liability exposure from employees housing data in PDAs, laptops, or cellphones. If your employees have access to sensitive information (think “WikiLeaks”), you need to develop a Mobile Device Management Plan that addresses digital rights management, data loss prevention, data security, and other IT internal controls. Consider anti-virus device security and data protection that includes the ability to wipe a device, in case it’s misused.
And, if you don’t want employees using their personal devices to handle company information…what’s your policy on that and how do you enforce it?
6. Train Your Employees
Imagine you’ve created a new password policy, invested in anti-virus software, and developed a Mobile Device Management Plan but you haven’t told anyone. How useful will those measures be?
You must communicate your policies and train your employees how to implement computer security methods. You can’t just tell everyone in an email that “here’s our policy”, and leave it at that. You have to show everybody how important it is and how it’s done.
You have to ensure that all employees understand the new password policy, how anti-virus software keeps your computer safe, what “acceptable use” is, and the importance of protecting their mobile devices.
7. Restrict Access to Your Data
Microsoft Windows, Linux, and other operating systems have their own kind of user access controls. Using them means you have to identify what each user login requires for data, network, or peripheral access (e.g., read only, read/write, execute). If you allow too much freedom of access, you increase the risk of misuse, data loss, etc., but if you make restrictions too tight, you’ll get far too many user complaints. There’s a very fine line between too much and too little — that line often isn’t easy to find, and it moves around a lot.
8. Implement a Contingency Plan
A computer, IT, or data center disaster recovery plan is an important element of securing your computer data. Hackers and trusting (or untrustworthy) employees are not the only threats; acts of nature threaten your business’s continuity, too.
You never know when fire, flood, tornado, riots/uprisings, robbery, or other catastrophic events will occur, but if one (or more) of them does strike…how long will it take you to get your business back online? Without a disaster plan in place, it will take too long.
Your plan should cover hardware and software replacement, data recovery, and key configuration, restoration, or installation details. It should include appropriate software license numbers, insurance numbers, and key contractor or supplier numbers. It should cover testing, validation, and performance criteria. Furthermore, you need to thoroughly test your recovery plan before you need it.
9. Block Would-Be Intruders from Your Network
First, you can’t do this perfectly, but you can at least make it more difficult by installing a business-class firewall and updating it regularly. Close all the firewall ports you’re not using. Don’t use older WEP security (see #1, above); invest in newer, stronger technology like WPA2. Always make sure you’re up on the latest threat prevention methods.
Restrict access to DNS zone transfers, which hackers can use to read your DNS records and obtain your server details. Add an Intrusion Protection System (IPS) that monitors network and system events for malicious activity.
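What restricting zone transfers looks like in practice, shown for BIND named.conf as an added example (not configuration from the post): the open setting beside the corrected one. The zone name and the secondary's address are placeholders.

```conf
// Weak: any host on the Internet may ask for a full copy of the zone.
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};

// Corrected: deny transfers globally, then allow only the secondary name server.
options {
    allow-transfer { none; };
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.53; };   // placeholder address of your own secondary
    also-notify { 192.0.2.53; };
};
```

After reloading named, confirm from a host that is not the secondary that a full-zone query (`dig @your-name-server example.com AXFR`) is refused, and keep that check in your regular audit.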
10. Close Holes in Your Security
As we often say in the quality field, “You don’t know what you don’t know.” This is true for security, as well. To find the holes in your computer security system, perform some type of regular security audit and network inspection. Check your firewall and server logs for signs of threat.
See that you’ve implemented measures to address the first nine points above. Secure your computer network. Enable automatic updates. Deploy Windows Server Update Services (WSUS) and Windows Update for all PCs and workstations. Be sure your anti-virus and other malware prevention systems are being automatically and regularly updated.
I also recommend hiring an independent computer security expert to audit your information security system and conduct system tests (penetration testing, leak testing, etc.) from time to time. You can also look for software applications, like the Secunia Personal Software Inspector (free download), that scan your installed software to identify potentially unsafe (e.g., out-of-date) programs and offer downloads of the latest software patches.
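The kind of check the “check your firewall and server logs for signs of threat” advice amounts to, as an added example rather than anything from the post: scan sshd-style authentication lines for a burst of failed logins from one source, and for a success that follows such a burst. The log lines are constructed samples using documentation address ranges, and the threshold of three failures is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd-style sample lines; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Oct 30 18:40:01 srv1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Oct 30 18:40:03 srv1 sshd[2211]: Failed password for root from 203.0.113.7 port 51123 ssh2
Oct 30 18:40:05 srv1 sshd[2212]: Failed password for root from 203.0.113.7 port 51124 ssh2
Oct 30 18:40:08 srv1 sshd[2213]: Failed password for invalid user test from 203.0.113.7 port 51125 ssh2
Oct 30 18:40:12 srv1 sshd[2214]: Accepted password for root from 203.0.113.7 port 51126 ssh2
Oct 30 18:41:10 srv1 sshd[2230]: Failed password for alice from 198.51.100.4 port 40210 ssh2
Oct 30 18:41:15 srv1 sshd[2230]: Accepted password for alice from 198.51.100.4 port 40211 ssh2
"""

LINE_RE = re.compile(r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port")

def parse(log_text: str):
    """Yield (outcome, user, source) for every line that matches the sshd pattern."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3)

def find_threats(log_text: str, threshold: int = 3) -> list:
    """Return findings: a source reaching `threshold` failures, and a success after such a burst."""
    failures = Counter()            # consecutive failures per source
    tried = defaultdict(set)        # distinct usernames each source has tried
    findings = []
    for outcome, user, src in parse(log_text):
        if outcome == "Failed":
            failures[src] += 1
            tried[src].add(user)
            if failures[src] == threshold:
                findings.append(f"{src}: {threshold} failed logins across "
                                f"{len(tried[src])} usernames (possible brute force)")
        else:
            if failures[src] >= threshold:
                findings.append(f"{src}: login as {user} succeeded after "
                                f"{failures[src]} failures (review immediately)")
            failures[src] = 0       # a success resets the burst for that source
            tried[src].clear()
    return findings

if __name__ == "__main__":
    for finding in find_threats(SAMPLE_LOG):
        print(finding)
```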
Good answer, but for point 1 please describe your answer in more detail; you took your answer from theory only.
Thanks.
Your score: +2
murhadi said...
October 30, 2011 at 6:55 PM