 Forgotten Security Policies


Your security policies probably don’t cover this…

Most businesses that have a security policy at all create policies that cover e-mail, Internet use, and passwords.  However, some of the newest devices and services are not covered by those policies.  Failing to address these devices and services in a security policy may be causing your business harm.  In addition, it is becoming increasingly harder (and costlier) to penalize employees for something that is not addressed in a policy.

 

USB and PDA devices

USB (Universal Serial Bus) storage devices are being used everywhere as the main portable storage media.  However, your important data could be walking out your door as we speak.  In addition, an insider could be knowingly or unknowingly carrying a virus or "bot" onto your systems.  Likewise, a PDA (Personal Digital Assistant) can be used to store data, usually without your knowledge.

Rogue wireless network connections

Some companies are surprised to learn that their "technically astute" employees are setting up wireless connections in their office environments without notifying the network administrators.  This may seem good for the department, since it allows mobility, wireless file sharing and printing.  In addition, the employees who implemented it are proud of their accomplishment and may feel that they have done the company a favor.  However, there are severe security issues that may not have been addressed.  For example, is the wireless traffic protected by some form of encryption, and who is allowed to use the wireless connections?  Again, important data could be leaking from these rogue connections.

Instant Messengers (IM)

Instant Messengers (IM) were one of the new crazes, allowing people to send messages instantly.  However, many are not aware that files and other data can also be sent using instant messengers.  Recently, an article was published stating that several companies were removing IMs because they could not certify that the Instant Messengers were compliant with the Sarbanes-Oxley Act, since they did not have tools to monitor what was sent over them.  In addition, you may be violating HIPAA if you send personal information about someone using IM.

Blogs

A newcomer on the scene is the "Blog" (a.k.a. web log), which allows anyone to express him or herself, including your employees.  Some people have created "Blogs" talking about their bosses or company.  On the other hand, some companies have created "Blogs" themselves or encouraged their employees to create "Blogs" to reach out and interact with their clients.  However, these companies usually have a written policy on "Blogs".

General Media use outside of business hours.

Another newcomer is "Employee professionalism outside of the work place".  In the news recently, an employee was fired because she posed in provocative clothing with her company's logos and trademarks.  This case is now in court, since the employee claims that other employees have similar photos but she was singled out for being "female".  Some of this costly lawsuit could have been avoided by stating what the policy is for displaying the company logo, or the appearance of company logos or trademarks, on websites, blogs and other media.  In addition, the penalties should be the same no matter who violates the policy.

Porn and other related materials on a PC, laptop or other devices  

The Sarbanes-Oxley Act has also had some unexpected byproducts, such as executives being fined or fired because "Porn and other related materials" were found on a PC or laptop.  In the past, these infractions may have been overlooked by the Information Security staff and the offending PC or laptop simply cleaned up.  However, per an article on this subject, that is no longer the case.  Incriminating data can still be found on hard drives that have been "wiped clean" using special software.  Porn can be the downfall of your company.

Ideally, you would create a separate policy for each item, which would help to make sure that each item is reviewed by your employees.  In addition, the new policies need to be added to your information security training program.

See our Security Policies web page for information on creating a security policy.

 

Overlooked Policies

Here is a listing of overlooked policies, the possible threats each one addresses, and what you may want to include in your policy.

USB devices and PDA devices

Possible threats:

  1. Trade secrets, company correspondence, private files and other data can easily be copied and removed from your premises without your knowledge.
  2. Viruses and "bots" can be introduced into your network.

What you may want to include in your policy:

  1. If, when and where these devices can be used.
  2. What can be stored on them with and without written company consent.
  3. What to do if the device is lost or stolen.
  4. Whether encryption should be used.
  5. Whether the USB port should be closed on certain PCs.

Wireless Network Setups

Possible threats:

  1. Snoopers from inside and outside of your company listening in on or stealing your data.
  2. Introduction of viruses and "bots" into your network environment.

What you may want to include in your policy:

  1. A network security policy for adding new services or network connections.
  2. Determine who should maintain the network.
  3. Determine how the network will be secured: encryption, use of IP addresses, etc.
  4. Determine how someone can be added to the network.
  5. Determine whether the wireless network should be directly connected to the rest of the network or should have its own firewall and / or router.

Instant Messengers (IM)

Possible threats:

  1. Trade secrets, company correspondence, private files and other data can easily be transmitted from your location without your knowledge.
  2. May put you out of compliance with Sarbanes-Oxley and / or HIPAA.

What you may want to include in your policy:

  1. Determine what can and cannot be sent using instant messaging.
  2. Determine how the data will be monitored and protected: spot-checking or use of IM monitoring software.

Blog use

Possible threats:

  1. Damaged company reputation, resulting in lost earnings and lower stock values.
  2. Lawyer costs due to trying to remove the "blog" or shut down the site, "unjust" dismissal of the employee who created the "blog", or "freedom of speech" debates.

What you may want to include in your policy:

  1. Outline what can and cannot be included in a "Blog" website that directly or indirectly involves your company.  This may include images, language and trademarks.
  2. Make sure that the penalties include "up to voluntarily or involuntarily shutting down of the website that hosts the blog".

General Media use outside of business hours.  (Employee professionalism outside of the work place.)

Possible threats:

  1. Damaged company reputation, resulting in lost earnings and lower stock values.
  2. Lawyer costs due to trying to remove the "blog" or shut down the site, "unjust" dismissal of the employee who created the "blog", or "freedom of speech" debates.

What you may want to include in your policy:

  1. Outline what can and cannot be included in a website that directly or indirectly involves your company.  This may include images, language and trademarks.
  2. Make sure that the penalties include "up to voluntarily or involuntarily shutting down of the website".

Porn and other related materials on a PC, laptop or other devices

Possible threats:

  1. Damaged company reputation, resulting in lost earnings and lower stock values.
  2. Monetary penalties for violating the Sarbanes-Oxley Act.
  3. Lawyer costs due to trying to shut down the site or "unjust" dismissal of the employee.

What you may want to include in your policy:

  1. Outline what is permissible or acceptable for viewing and downloading on company property (PCs, laptops and other storage devices) during and after work hours.
  2. Determine who can use the laptops and PCs.  For example, are the PCs and laptops only for employee use?  Many laptops are used by family members, who may unwittingly download an unacceptable music video or game.
  3. Include ways to block and detect questionable content.
  4. Determine when outside authorities should be contacted and by whom.  For example, if child porn is found on an executive's laptop, what steps should be taken?


©2005 Your Business Secure.