|Select a topic >
From Nation's Business,
scanners, antivirus software and other types of
security technology aren't enough to prevent
high-tech crime. Real prevention begins by
formulating a company security policy that
details -- among other matters -- what
information is valuable and how to protect it.
"A lot of companies
don't have a policy in place," says Patrice
Rapalus of the Computer Security Institute in
San Francisco. "It's still an area where
needs to be a lot of awareness. Companies don't
believe it's a problem."
A good security policy
shouldn't be just a list of stringent rules
imposed upon employees, according to Ira Winkler
of the National Computer Security Association in
Carlisle, PA. In his book, "Corporate
Espionage" (Prima Publishing, $26), Winkler
recommends that employees be involved in
establishing the policy because they can suggest
areas where the company is vulnerable based on
their on-the-job experience.
Besides setting rules for
users, the policy should spell out manager's
responsibilities. Computer-security experts and
products vendors recommend that a company's
policy include the following items:
Managers Must Do
Monitor employees' use of
PCs, computer networks and the Internet. Inform
employees that monitoring will occur.
Classify information based
on its importance and assign security clearances
to employees based on their need for access to
Record serial numbers of
technology equipment such as personal computers,
notebook computers and printers.
Limit visitors' access to
Assign a person whom service
providers can call if they discover unusual
computer or telephone-call activity that
suggests a break-in during evening or on
Periodically assess the
vulnerability of computers and networks and of
security devices such as alarms and locks.
Keep up with new security
vulnerabilities by consulting sources such as
the Computer Emergency Response Team at Carnegie
Mellon University (www.cert.org),
the National Computer Security Association (www.ncsa.com)
and the SANS Institute (www.sans.org).
Remove modems from individual PCs and cut down
on the number of modem lines that go out of the
Supervisors Must Do
Assign passwords to
employees and instruct them to keep them
confidential. Employees should not reveal
passwords to others or write them down where
they could be found.
Instruct employees not to
give out sensitive information over the
telephone. Employees should verify a request for
information with a supervisor if they are unsure
about the sensitivity.
screen savers that prevent people from seeing
what is displayed when the user has stepped away
from the computer.
Have employees log off the
network and shut down their PCs at the end of
the day or when they go to lunch. Don't allow
employees to install their own software on PCs.
Require employees to encrypt
sensitive files that they send via the Internet.
- Conduct regular property
and equipment audits, record missing items.
- Allocate responsibility
for equipment to individuals.
- Establish measures to
control use and movement of equipment.
- Mark your equipment -
brand the exterior shell of equipment and
mark exterior and interior where safe and
- Consider the use of
electronic marking devices.
- Record details of
equipment serial numbers/identification
marks. Details need to be readily available
in the event of theft.
- Anchor equipment to solid
furniture, floors or nearby walls using
- User intruder alarm
equipment to monitor building or room entry.
- Use alarms to monitor
movement of individual computer equipment.
- Consider tagging
equipment using electrical article
- Store computer equipment
within secure rooms/cabinets when buildings
or departments are unoccupied.
- Use CCTV and audio
recording equipment to monitor buildings and
areas where computers are in use.
- Introduce appropriate
access control for the building and for
serving areas where computers are used.
- Ensure mobile and laptop
computers are properly secured when used
away from the office.
- Review existing security
- Make Security part of
[ Next ]