Accounting Software 411 Insider
Feature Article:
How Secure is Your Security – Part 2
In Part 1 of this article we identified many of the threats, issues and concerns surrounding the security of computer technology resources. There is little disagreement: risk exists in every phase of the use of technology. Criminals, hackers, hazards and other obstacles cannot stop the required implementation of computers. There has to be a plan to do whatever is needed to protect the valuable assets of the firm.
Benjamin Franklin receives attribution for the following quote:
“The definition of insanity is doing the same thing over and over and expecting different results.”
For all of us who believe the wisdom of
Managing in our insecure world requires the firm and every member of the staff to get behind a plan for the protection of computer assets.
· Planning Requires Thinking
· Planning Requires Consistency
· Planning Requires Commitment
· Planning Requires Management
At the start and at the end of the day, planning requires planning. This means that each firm has to gather the resources and provide as much effort as needed. Security plan development should include the following steps:
1. Determine What Needs Protection
Take an inventory of computer technology resources. This includes hardware, software, data obtained from outside sources, data generated internally, and the accessories that support all computers. The other component, of course, is people; this will be discussed later.
2. Do a Risk Assessment
Analyze the risks to which each computer resource can be subjected. For example, is there a window nearby that could be broken, letting in rain and snow? Do you have storage in a basement or on a first floor that could be flooded? Where is the data stored, and is it covered by off-premises backups? And so on.
3. Identify Strengths and Weaknesses
Through analysis, determine the weak links that need to be addressed and the sequence to address them.
4. Create Initial Plan
Create a written document that can be circulated within the firm to receive comments from all key personnel.
5. Evaluate Plan
Make a final determination based on facts, opinions and value-based decisions.
6. Create Security Action Plan
The plan needs to identify the sequence of steps that need to be done to overcome the weak links and keep the strong links in place and compatible with the new procedures.
7. Assign Dates and Responsibilities
Create an accountability roster of who is responsible for each task.
8. Manage Progress and Process
Maintain the schedule through appropriate project management.
9. Security Plan Development
Implement the plan, test the security processes and make sure that quality assurance is built into the implementation process.
10. Review Results
Review and assess the results. Make corrections as needed, especially if there are any inconsistencies that have been created.
11. Assess What Worked
If necessary, call in outside experts to assist with any assessment.
12. Evaluate What Did Not Work and Why
Disasters happen
One of computer security’s biggest threats is disasters. There is a difference between Hurricane Katrina and Chicken Little. A fake yell about a falling sky is very different from the terrible destruction caused by Katrina. Any possible event can be explored, reviewed and compared to your situation. Not every disaster will be as terrible as Katrina. However, there are lessons to learn.
· Expected disasters include: snow, rain, wind, mudslide, and vehicle traffic.
· Surprise disasters include tsunami, terror attack, random violence, and key employee departure.
For each of the expected and surprise disasters, a written set of procedures is required. Nothing should be left to the guesswork and last-minute “fixes” that so often apply to technology. Three key procedures need to be in place:
· Copy of all information off premises – backups
o Backups have to be periodically tested to determine quality of backup process
· Ability to contact personnel
o There needs to be a roster of staff responsibilities and emergency contact info
· What and how much hardware needs to be used to continue operations
o This includes computers and network equipment
The AICPA website has information about recovery procedures at:
http://www.aicpa.org/news/2005/Disaster_Recovery_and_Business_Continuity.htm
Communications
The world of computer security has to include all of the equipment and processes surrounding communications and networking. Elements of this area include:
· Data Communications
· Voice Communications
· Networks
· Internal
· External
· Wired vs. Wireless
· Mobile Usage
· Home Networks
Within the communications arena, the most visible element, of course, is email. It is mandatory that the company have a specific policy about access to and use of email programs. In addition, the firm needs to establish staff training on email issues:
· Beware unsolicited mail
· Never open unknown attachments
· Never open EXE, VBS or SCR attachments
· Verify all clickable links
· Set up rules for junk, spam senders
· Web-based email requires security
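Two of the training points above (never open EXE, VBS or SCR attachments; verify all clickable links) can also be enforced mechanically before a message reaches a staff mailbox. The following is an added example, not code from the article or from any product it mentions: it parses a constructed sample message with Python's standard `email` library, flags attachments whose last extension is on a blocked list, and flags HTML links whose visible text looks like one domain while the `href` actually points to another. The blocked list extends the article's three types with `bat`, `cmd` and `js` as an assumption; the sample message, its addresses and the `.test` domains are all constructed.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types the article tells staff never to open (exe, vbs, scr), plus
# bat, cmd and js added here as an assumption; extend to match the firm's policy.
BLOCKED_EXTENSIONS = {"exe", "vbs", "scr", "bat", "cmd", "js"}

# Visible link text that itself looks like a URL or a bare domain name.
DOMAIN_LIKE = re.compile(r"(?i)^(https?://)?[a-z0-9][a-z0-9.-]*\.[a-z]{2,}(/\S*)?$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL; a bare domain is treated as an http URL."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def check_message(raw_message):
    """Return a list of findings for one message given as RFC 822 text."""
    findings = []
    msg = email.message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            # Use the last extension so "invoice.pdf.exe" is still caught.
            ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in BLOCKED_EXTENSIONS:
                findings.append(f"blocked attachment type: {filename}")
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                # Only compare when the displayed text itself claims to be a domain.
                if href and DOMAIN_LIKE.match(text) and _host(text) != _host(href):
                    findings.append(f"link text {text!r} actually points to {_host(href)}")
    return findings


# Constructed sample message: one deceptive link, one honest link, one .scr attachment.
SAMPLE_EMAIL = """\
From: payroll@example.test
To: staff@example.test
Subject: Updated payroll file
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review at <a href="http://login.update-portal.test/p">www.bank.example.test</a>
and our help page <a href="https://www.example.test/help">www.example.test</a>.</p>
</body></html>
--XYZ
Content-Type: application/octet-stream; name="payroll.scr"
Content-Disposition: attachment; filename="payroll.scr"
Content-Transfer-Encoding: base64

aGVsbG8=
--XYZ--
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE_EMAIL):
        print(finding)
```

Run as a script it prints one finding for the mismatched link and one for the `.scr` attachment; the honest `www.example.test` link produces nothing. A mail gateway rule built on the same idea would quarantine or annotate the message rather than rely on every reader checking the link by hand.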
Mobile Computing
The Gartner Group estimates 80% of all laptop thefts are the result of employee theft. Concern over laptops needs to extend to the value of the hardware, the value of the data that is temporarily or permanently stored on them, and the stored internet access credentials (user names and passwords) that connect to confidential databases. Some procedures for controlling laptops include:
· Never leave a laptop unattended
· Back-up valuable data regularly
· Make sure that anti-virus software and firewalls are current
· Implement a policy for data retention on laptops
· Use passwords to protect files
· Cable locks are useful as visual deterrents
When taking a laptop on the road, consider where you will be going and where the risks may occur. For example, when traveling through an airport, sometimes laptops need to be checked as baggage. If this occurs, there is the potential for damage to the laptop case and consequently to the functioning of the computer. One protection is the use of a better protective case. Check out the Otter Box from www.otterbox.com.
When traveling around locally, a frequent stop is the local coffee bar or another sitting and meeting place. With wireless access being implemented in many locations, be concerned and be prepared for the need to have proper software protection on the laptop. Do NOT use a public wireless facility without a firewall and other security in place. Appropriate security software is available from several vendors. For years I have included Symantec products in my computing environment. Check out Internet Security 2007 at www.symantecstore.com. Other security software can be reviewed at ZoneAlarm, Panda Software, and McAfee.
If you decide to take a short exit from your work area, do not take the risk of leaving your computer or other valuables unattended while you take the break. It does not take long for someone to pick up the computer and keep walking.
Back-Up
It may seem trite and repetitive, but to manage security issues, taking backups will go a very long way toward protecting the firm from losses. To do this properly, recognize that backups are not just for data.
For continuity of business there need to be backups in place for:
· Facilities and resources – offices, computers, vehicles, client locations
· Equipment – computers, network, telephones
· Procedures – how tasks and applications get done
· People – staff, management
For effective backups, it is important to include the tasks described before:
· Plan for what needs backup
· Implement
· Test the backup for usability
· Update procedures as new equipment and software are installed
· Train staff and other users
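The "test the backup for usability" step above, and the earlier note that backups have to be periodically tested to determine the quality of the backup process, are the steps most often skipped. The following is an added example, not the article's or any vendor's code, of the minimum such a test should do: record a SHA-256 manifest of the source files when the backup is taken, then read every file back out of the archive and compare it against the manifest, reporting files that are missing, changed or unexpected. The directory tree, file names and contents are constructed inside a temporary directory; `demo()` also shows the check catching an archive that has fallen behind the live data.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def _sha256(stream):
    """SHA-256 of a readable binary stream, hashed in chunks."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(65536), b""):
        digest.update(chunk)
    return digest.hexdigest()


def build_manifest(src_dir):
    """Map each file's path relative to src_dir to its SHA-256."""
    src = Path(src_dir)
    manifest = {}
    for path in sorted(src.rglob("*")):
        if path.is_file():
            with open(path, "rb") as fh:
                manifest[path.relative_to(src).as_posix()] = _sha256(fh)
    return manifest


def make_backup(src_dir, archive_path):
    """Write a gzip tarball of src_dir and return the manifest taken alongside it."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(src_dir), arcname=".")
    return manifest


def verify_backup(archive_path, manifest):
    """Read every file back out of the archive and compare it to the manifest.

    Returns a sorted list of problems; an empty list means the backup is usable.
    Files are streamed straight from the archive, so nothing is written to disk.
    """
    seen = {}
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            name = member.name[2:] if member.name.startswith("./") else member.name
            seen[name] = _sha256(tar.extractfile(member))
    problems = []
    for name, digest in manifest.items():
        if name not in seen:
            problems.append(f"missing from backup: {name}")
        elif seen[name] != digest:
            problems.append(f"hash mismatch: {name}")
    for name in seen:
        if name not in manifest:
            problems.append(f"unexpected file in backup: {name}")
    return sorted(problems)


def demo():
    """Constructed scenario: back up a small tree, verify it, then catch a stale backup."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "clients"
        (src / "2007").mkdir(parents=True)
        (src / "ledger.csv").write_text("acct,balance\n1001,250.00\n")
        (src / "2007" / "notes.txt").write_text("year-end checklist\n")
        archive = Path(work) / "clients-backup.tgz"

        manifest = make_backup(src, archive)
        fresh_result = verify_backup(archive, manifest)

        # The ledger changes after the backup ran; checking the old archive
        # against a manifest of the live tree shows it no longer matches.
        (src / "ledger.csv").write_text("acct,balance\n1001,275.00\n")
        stale_result = verify_backup(archive, build_manifest(src))
        return fresh_result, stale_result


if __name__ == "__main__":
    fresh, stale = demo()
    print("fresh backup problems:", fresh)
    print("stale backup problems:", stale)
```

The same `verify_backup` call belongs on a schedule against the off-premises copy, not only at the moment the backup is written; the manifest should be stored separately from the archive so that a damaged or tampered archive cannot vouch for itself.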
Recovery from any loss can also benefit from appropriate amounts of insurance. Insurance coverage for computer technology has to include specific identification of hardware, software, data, premises, people, and business continuity.
When there is a loss of any resource, it is important to follow up and determine exactly what was lost, whether there is any risk of confidentiality or privacy being compromised, who may be impacted by the loss and needs to be notified, and how to recover the value of the property lost. Of course, this applies to both the hardware and the data.
Going Forward
In the future, the issues surrounding computer security will grow in complexity and risk. Hopefully there are more good guys than bad guys. Make no mistake, there are a lot of bad guys who want to steal, destroy or just cause some chaos. In most cases there is no specific intent to make you and your computers a victim; when given a chance, bad guys will do random acts of harm.
Another issue going forward is recognizing that your computer technology use is dynamic, not static. There are new computers, hardware upgrades, new software, software upgrades, new people and retrained people. All of these must blend with what already exists: new equipment and software need to be integrated with company procedures and security.
Lastly, security is not free and does not come with an included warranty. As part of the business process, paying the fees for proper software applications that protect all computers is very important. Another point is to have the right amount of network protection, along with a careful understanding that continuous access to the internet, and connection to most other computers in the world, requires appropriate firewall implementation.
How you budget for computer security is part of your business management process. How much you spend depends on the type of computer operations and the firm’s risks. More computers, more people and more internet activity result in a more dangerous, risk-prone environment. And never underestimate the need for appropriate staff to implement and manage the computer technology.