Security Policy: A Must Have
I know we all feel that we do our best when it comes to securing both the physical and tangible assets of our businesses. Most companies feel that by simply locking doors, controlling who has keys and alarm codes, changing passwords, and engaging in other basic security measures they are doing their best to protect the business. I am not a physical security officer, or loss prevention specialist, but I do know about "basic" IT policy and how it can help your business protect its "information" assets.
So here are the questions of the day: Does your company have an enforceable IT security policy? Who is directly responsible for the management and enforcement of this policy? How often is this policy reviewed and updated?
These are all very serious questions that every business must answer. In a lot of cases the "information" businesses possess is one of their most valuable assets.
Password Change Policy - The simplest form of security
End users need to keep their passwords secure, change them regularly (at least every 90 days), and meet a complexity requirement (a minimum length plus upper and lower case letters, numbers, and symbols). Be vigilant about telling end users not to share their password or give it to anyone to use on their behalf. You never know whether a person who has been let go from your company can log in remotely under another end user's identity and access data. Be vigilant!
Remote Access Policy
It's a mobile world and we want to ensure our teams have the ability to work remotely. However, we need to ensure that the data is secured and that you are aware of exactly what is being accessed. Our first recommendation is Terminal Services/Citrix, which keeps the data on the server, lets you limit what can be accessed there, and prevents end users from pulling data down to their remote device. If this is not a feasible option, we recommend an SSL VPN connection that integrates with Windows Active Directory. Keep in mind that this option does allow end users to move data from the servers to their local PC/laptop. Be sure you know exactly who has remote access, what they have access to, and that they are vigilant about protecting their credentials. Your information is leaving the confines of your business!
Remote Wipe Capabilities for All Mobile Devices (iPads included)
If you are using Exchange 2007/2010, make sure that your IT administrators fully understand how to remotely wipe a mobile device; it comes in handy the moment someone loses their device. Let's face it, end users have their email, contacts, and calendar on their mobile devices. It helps make them more efficient. However, you need to ensure that in the event these devices are lost or stolen, they can be "wiped" of any sensitive information so as not to compromise your clients, your client list, or your company security. Also be sure you have control over who can access email, contacts, and calendars from their mobile device. You need to know who has this access and why. Sometimes the answer is simple, but some end users simply do not need it, and we would strongly encourage you to evaluate the situation.
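The controls above, worked through in the Exchange 2010 Management Shell as an added example (not part of the original post): who may sync to a mobile device, which devices a user has actually connected, turning access off for someone who does not need it, requiring a device PIN, and issuing the remote wipe. The mailbox alias jdoe, the device id and the notification address are constructed placeholders; the shell is assumed to be run by an account with rights to manage recipients and ActiveSync policies.

```powershell
# Added example, not the original post's material. Exchange 2010 Management Shell.
# 'jdoe', 'CONSTRUCTED-DEVICE-ID' and 'itsecurity@example.com' are placeholders.

# 1. Who is currently allowed to sync email/contacts/calendar to a mobile device?
#    Review this list regularly; anyone on it who does not need mobile access is a candidate for step 3.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncEnabled } |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy |
    Sort-Object Name

# 2. Which devices has a given user actually synced, and when did each last connect?
#    DeviceWipeSentTime / DeviceWipeAckTime show whether an earlier wipe was delivered and acknowledged.
Get-ActiveSyncDeviceStatistics -Mailbox jdoe |
    Select-Object DeviceFriendlyName, DeviceType, DeviceId, LastSuccessSync, DeviceWipeSentTime, DeviceWipeAckTime

# 3. Remove mobile access for a user who does not need it.
Set-CASMailbox -Identity jdoe -ActiveSyncEnabled $false

# 4. Require an alphanumeric device password on the default policy, so a lost
#    device stays locked until the wipe arrives.
Set-ActiveSyncMailboxPolicy -Identity Default -DevicePasswordEnabled $true -AlphanumericDevicePasswordRequired $true

# 5. Remote-wipe a lost or stolen device. Select it by DeviceId from step 2;
#    the wipe is delivered the next time the device connects. -Confirm prompts before sending.
$device = Get-ActiveSyncDeviceStatistics -Mailbox jdoe |
    Where-Object { $_.DeviceId -eq 'CONSTRUCTED-DEVICE-ID' }
Clear-ActiveSyncDevice -Identity $device.Identity -NotificationEmailAddresses 'itsecurity@example.com' -Confirm
```

After the wipe is sent, re-run step 2 and confirm DeviceWipeAckTime is populated before closing the incident.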
These are three very basic security "headings" to start your IT Security Policy Manual. We have a very detailed and thorough policy to protect our client data and we are ready to work with you on creating such a policy. We realize this creates more work for HR but this information is critical. We spend a lot of money every month to ensure information is backed up, and now it is time to be vigilant about making sure we are doing everything to protect one of your most critical assets: YOUR DATA.