Laptop and Modems

Developing a Company Policy Against Computer Theft

From Nation's Business, November 1997

Firewalls, security scanners, antivirus software and other types of security technology aren't enough to prevent high-tech crime. Real prevention begins by formulating a company security policy that details -- among other matters -- what information is valuable and how to protect it.

"A lot of companies don't have a policy in place," says Patrice Rapalus of the Computer Security Institute in San Francisco. "It's still an area where there needs to be a lot of awareness. Companies don't believe it's a problem."

A good security policy shouldn't be just a list of stringent rules imposed upon employees, according to Ira Winkler of the National Computer Security Association in Carlisle, PA. In his book, "Corporate Espionage" (Prima Publishing, $26), Winkler recommends that employees be involved in establishing the policy because they can suggest areas where the company is vulnerable based on their on-the-job experience.

Besides setting rules for users, the policy should spell out managers' responsibilities. Computer-security experts and product vendors recommend that a company's policy include the following items:

What Computer-System Managers Must Do

Monitor employees' use of PCs, computer networks and the Internet. Inform employees that monitoring will occur.

Classify information based on its importance and assign security clearances to employees based on their need for access to the data.

Record serial numbers of technology equipment such as personal computers, notebook computers and printers.

Limit visitors' access to the facility.

Assign a person whom service providers can call if they discover unusual computer or telephone-call activity that suggests a break-in during evenings or on weekends.

Periodically assess the vulnerability of computers and networks and of security devices such as alarms and locks.

Keep up with new security vulnerabilities by consulting sources such as the Computer Emergency Response Team at Carnegie Mellon University (www.cert.org), the National Computer Security Association (www.ncsa.com) and the SANS Institute (www.sans.org).

Remove modems from individual PCs and cut down on the number of modem lines that go out of the building.

What Employees' Supervisors Must Do

Assign passwords to employees and instruct them to keep them confidential. Employees should not reveal passwords to others or write them down where they could be found.

Instruct employees not to give out sensitive information over the telephone. Employees should verify a request for information with a supervisor if they are unsure about the sensitivity.

Install password-protected screen savers that prevent people from seeing what is displayed when the user has stepped away from the computer.

Have employees log off the network and shut down their PCs at the end of the day or when they go to lunch.

Don't allow employees to install their own software on PCs.

Require employees to encrypt sensitive files that they send via the Internet.

Additional Tips:

  • Conduct regular property and equipment audits and record missing items.
  • Allocate responsibility for equipment to individuals.
  • Establish measures to control use and movement of equipment.
  • Mark your equipment - brand the exterior shell of equipment and mark exterior and interior where safe and possible.
  • Consider the use of electronic marking devices.
  • Record details of equipment serial numbers/identification marks. Details need to be readily available in the event of theft.
  • Anchor equipment to solid furniture, floors or nearby walls using appropriate means.
  • Use intruder alarm equipment to monitor building or room entry.
  • Use alarms to monitor movement of individual computer equipment.
  • Consider tagging equipment using electronic article surveillance methods.
  • Store computer equipment within secure rooms/cabinets when buildings or departments are unoccupied.
  • Use CCTV and audio recording equipment to monitor buildings and areas where computers are in use.
  • Introduce appropriate access control for the building and for serving areas where computers are used.
  • Ensure mobile and laptop computers are properly secured when used away from the office.
  • Review existing security precautions regularly.
  • Make security part of your program.

© Corporate Travel Safety. All rights reserved.