Monday, November 09, 2009

Information Security Tip #3: Procedures

Policies and procedures help you meet your obligation to your customers, affiliates, and employees. Protect your electronic information with these simple steps:
  • Physical security. Network defenses can be critical, but when it comes to protecting personal information, don’t forget physical security. Ensure access to network servers is restricted to authorized personnel.
  • Encryption. Use encryption to protect sensitive data such as credit card numbers, social security numbers, driver’s license numbers, etc.
  • Viruses. Viruses, spyware, and other malware can compromise your systems and your data. Ensure your anti-virus and anti-spyware software is updated on a regular basis.
  • Passwords. Most organizations use an ID and password to grant access to your data. Ensure your passwords are long and complex and changed on a regular basis.
  • Education. Remind your employees that electronic security is everybody’s business. Hackers certainly pose a threat, but sometimes the biggest risk to a company’s security is an employee who hasn’t learned the basics.
  • Access. Provide access to sensitive information only on a “need to know” basis. Have a procedure in place for making sure that workers who leave your employ or move to another part of the business no longer have access to off-limits information.
  • Detection. Intrusion detection systems can alert you to breaches in your network security. IT should monitor incoming and outgoing traffic for higher-than-average use at unusual times of the day.
  • Patching. Check expert resources like www.sans.org and your software vendors’ websites for alerts about the latest vulnerabilities and vendor-approved patches.
  • Providers. Verify the security practices of your contractors and service providers. Before outsourcing business functions, ensure agreements define security requirements.
  • Documentation. Organization policies give direction and guidance but generally lack sufficient details to describe how things should be done. By documenting your detailed procedures, your organization can ensure consistent and sustainable protection of your information assets.
Not all risks are created equal, and risk assessments help firms reduce their costs while increasing protection of their “information assets”.
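The "Detection" tip above asks IT to watch for higher-than-average use at unusual times of day. The script below is an added example of that check, not code from the original post: it reads an hourly traffic summary in a constructed "timestamp,direction,bytes" format (a real firewall or flow-collector export would be parsed the same way), treats weekends and anything outside 08:00-17:59 as unusual times, and flags any off-hours total that sits far above the off-hours norm for its direction. The baseline for each record is built from the other off-hours records (leave-one-out), so a single spike cannot hide itself by inflating its own baseline. The threshold, business-hours window and sample data are assumptions for the example.

```python
"""Flag higher-than-average network use at unusual hours.

Added example for the "Detection" tip; it is not code from the original
post. It assumes hourly traffic totals exported in the constructed
"timestamp,direction,bytes" format below.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, Monday to Friday (assumed window)
Z_THRESHOLD = 3.0              # flag anything more than 3 sigma above the quiet-hours norm

# Constructed sample data (bytes transferred per hour). The 400000000 "out"
# row at 02:00 on 2009-11-05 is the planted anomaly.
SAMPLE_LOG = """\
2009-11-02T09:00,out,120000000
2009-11-02T10:00,out,135000000
2009-11-02T14:00,out,128000000
2009-11-02T02:00,out,5000000
2009-11-02T23:00,out,4800000
2009-11-03T10:00,out,130000000
2009-11-03T02:00,out,5100000
2009-11-03T23:00,out,4900000
2009-11-04T02:00,out,5200000
2009-11-04T23:00,out,5000000
2009-11-07T11:00,out,6000000
2009-11-05T02:00,out,400000000
2009-11-02T03:00,in,2000000
2009-11-03T03:00,in,2100000
2009-11-04T03:00,in,1900000
2009-11-05T03:00,in,2000000
2009-11-02T11:00,in,90000000
"""


def parse_log(text):
    """Parse the hourly summary into (datetime, direction, bytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        stamp, direction, nbytes = line.split(",")
        records.append((datetime.strptime(stamp, "%Y-%m-%dT%H:%M"),
                        direction, int(nbytes)))
    return records


def is_off_hours(when):
    """Weekends and anything outside BUSINESS_HOURS count as unusual times."""
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS


def find_anomalies(records, z_threshold=Z_THRESHOLD):
    """Return off-hours records whose volume is far above the off-hours norm.

    Each record is compared with the mean and standard deviation of the
    *other* off-hours records in the same direction (leave-one-out).
    """
    off_hours = defaultdict(list)
    business = defaultdict(list)
    for when, direction, nbytes in records:
        bucket = off_hours if is_off_hours(when) else business
        bucket[direction].append((when, nbytes))

    anomalies = []
    for direction, entries in off_hours.items():
        for when, nbytes in entries:
            others = [b for w, b in entries if w != when]
            if len(others) < 2:
                continue  # not enough history to say what "average" is
            base_mean, base_sd = mean(others), pstdev(others)
            if base_sd == 0:
                z = float("inf") if nbytes > base_mean else 0.0
            else:
                z = (nbytes - base_mean) / base_sd
            if z > z_threshold:
                day = [b for _, b in business[direction]]
                anomalies.append({
                    "when": when,
                    "direction": direction,
                    "bytes": nbytes,
                    "z": z,
                    # how the spike compares with normal daytime volume
                    "vs_business_avg": (nbytes / mean(day)) if day else None,
                })
    return sorted(anomalies, key=lambda a: a["when"])


if __name__ == "__main__":
    for a in find_anomalies(parse_log(SAMPLE_LOG)):
        ratio = a["vs_business_avg"]
        print(f"{a['when']:%Y-%m-%d %H:%M} {a['direction']:>3} "
              f"{a['bytes']:>12,} bytes  z={a['z']:.0f}  "
              + (f"{ratio:.1f}x the business-hours average" if ratio else ""))
```

Run as-is it reports only the 02:00 outbound burst, which is roughly three times the daytime average; the 6 MB Saturday entry and the small variation in inbound traffic stay under the threshold. With real data the "direction" key would typically be replaced by source host or subnet so that one noisy server does not mask another.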
