Information Security Policy
Businesses that do not have clearly written Information Technology security policies and practices in place run the risk of being named in legal actions in the very near future. Although no current court cases exist, many security experts are warning that if you lose or expose confidential business or customer data, unknowingly distribute viruses or experience a breach of your systems that results in loss of service to your customers, you could be found liable.

Computer and network security used to be the concern of only the largest corporations. Now, however, with the high availability of networks, web hosting and Internet applications to even the smallest office, the tide is turning. Today, a small business with two employees can construct an economical network, share a cable modem and purchase a firewall, which enables remote access using a Virtual Private Network (VPN). This is also a double-edged sword. This new "high availability" has also borne a vast breed of crackers.* These individuals can find ways to access, steal and/or destroy data residing on public and private networks.

Starting the Process
The key to establishing these policies and practices is to not be overwhelmed by the complexity of the process.

Start by taking inventory of your systems, your connections to the Internet and external providers, the method in which you store data, and the method in which you secure and back up data. During this documentation process, you can identify clear procedures for the handling and transfer of this data, as well as new security measures you can use to show due diligence in addressing any potential security risks.
The Basics
Even the smallest network should adhere to the following:

Never use a computer system for both personal and business use (i.e. the family uses it for fun, but business is also processed on the machine). This is an immediate risk of public disclosure of confidential information and accidental loss of data.

A daily and monthly data backup process should exist which also provides for off-site or fireproof storage of the backup data in a non-editable format (i.e. offline magnetic tape or CD-R, not CD-RW).

Any connection to the Internet, from a shared 56 K modem to a broadband (DSL, Cable or T1) connection, should be behind a software or hardware-based firewall. If not, this is an immediate and gaping hole through which crackers can access your private network or use your computer for an attack on a larger public or private network (often called a DDoS or Distributed Denial of Service attack).

Use a password to log in to your computer even if it is not on a network. Passwords should be at least eight characters and changed as often as tolerable (90 days is a satisfactory time period).

Use an anti-virus software suite and update it daily; it can protect your individual computers as well as any servers you use.

By taking these steps, you are dramatically reducing your exposure to uninvited intrusions. The inventory you established earlier can then be reviewed, and a plan can be developed by your business and your technology staff/consultant to ensure your office network and data is a fortress with as little risk as possible.
Learn More About Securing Your Computer, Data and Network

Security Tracker: This site tracks all known vulnerabilities and threats in Internet and network technology. http://securitytracker.com

Microsoft Security: Microsoft's site dedicated to their own applications, including software patches and alerts to newly discovered security issues. http://www.microsoft.com/security/default.asp

TinHat: The ABCs of web and Internet security. http://www.tinhat.com/
About the author:
Prior to participating in the founding of BMRW & Associates, Blane served most recently as the Director of Technology for VESTAX Securities Corporation. In this capacity he was responsible for the management and evolution of the IT infrastructure and services for internal operations and field technology services for VESTAX financial advisors.

Blane brings substantial knowledge in application & data integration, mining and management.