Friday, September 26, 2014

Importance of Information Security Policies

Have you ever read a company policy and felt like you were reading Greek?  Have you ever gotten a policy sent to you and then been required to take a test to prove that you read and understood the policy?  Have you ever felt aggravated that you had to take time out of your day to read a policy and not see the point to it?

Information security policies protect the company from a wide range of problems: malware, email systems used for illegal activity, weak passwords, sensitive documents left on desks after hours where cleaning staff can read them, and so on.  Without policies, employees have no way of knowing what they may and may not do on company time and with company equipment, and the company has no agreed standard to hold anyone to.

A policy is only as useful as it is understandable.  If a policy is written in a way that makes it hard to follow, an employee who inadvertently broke it may have a case against the company because the policy was incomprehensible.  Good policies are therefore written at the level the reader can comprehend.  Several tools will score a document's reading level, including Microsoft Word's readability statistics, read-able.com, and Readability-Score.com; they report measures such as Flesch Reading Ease and Flesch-Kincaid Grade Level.  If the audience is factory workers with a high school education or less, the policy should be written, and scored, at a level they would understand.
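The readability check described above can be run offline on a policy draft.  The script below is an added example, not code from the original post or from any of the tools it names; it implements the Flesch Reading Ease and Flesch-Kincaid Grade Level formulas with a simple vowel-group heuristic for counting syllables, so its numbers will differ slightly from Microsoft Word's or the online checkers' (which use more refined syllable rules), but the ranking of two drafts is what matters when reviewing wording.  The two policy passages are constructed samples, and the grade-8 target is an assumption to be replaced with the actual audience's reading level.

```python
"""Flesch Reading Ease / Flesch-Kincaid Grade Level for policy text.

Added example (not from the original post). The syllable counter is a
simple vowel-group heuristic, so scores differ slightly from the ones
Microsoft Word or the online checkers report; the ranking of two drafts
is what a policy reviewer cares about.
"""
import re

# Constructed sample policy wording (not from the original post).
PLAIN = (
    "Change your password every 90 days. "
    "Do not share it with anyone. "
    "Lock your screen when you leave your desk."
)
LEGALESE = (
    "Personnel shall ensure that authentication credentials are modified "
    "at intervals not exceeding ninety calendar days and shall refrain "
    "from disclosing such credentials to any unauthorized individual."
)


def count_syllables(word: str) -> int:
    """Heuristic: one syllable per vowel group, dropping a silent trailing 'e'."""
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return 0
    groups = re.findall(r"[aeiouy]+", word)
    count = len(groups)
    # 'change' -> 1, but keep 'table' (-le) and 'free' (-ee) as counted
    if word.endswith("e") and not word.endswith(("le", "ee")) and count > 1:
        count -= 1
    return max(count, 1)


def split_sentences(text: str) -> list:
    """Split on terminal punctuation; good enough for policy prose."""
    return [s for s in re.split(r"[.!?]+", text) if s.strip()]


def split_words(text: str) -> list:
    # Numbers such as "90" are skipped; they carry no syllables to count.
    return re.findall(r"[A-Za-z']+", text)


def readability(text: str) -> dict:
    """Return counts plus Flesch Reading Ease and Flesch-Kincaid Grade Level."""
    sentences = max(len(split_sentences(text)), 1)
    words = split_words(text)
    n_words = max(len(words), 1)
    syllables = sum(count_syllables(w) for w in words)
    wps = n_words / sentences      # words per sentence
    spw = syllables / n_words      # syllables per word
    ease = 206.835 - 1.015 * wps - 84.6 * spw
    grade = 0.39 * wps + 11.8 * spw - 15.59
    return {
        "sentences": sentences,
        "words": n_words,
        "syllables": syllables,
        "reading_ease": round(ease, 1),
        "grade_level": round(grade, 1),
    }


def meets_target(text: str, max_grade: float = 8.0) -> bool:
    """True if the grade level is at or below the audience's reading level.

    The grade-8 default is an assumption; set it for the actual audience.
    """
    return readability(text)["grade_level"] <= max_grade


if __name__ == "__main__":
    for label, text in (("plain", PLAIN), ("legalese", LEGALESE)):
        stats = readability(text)
        verdict = "OK" if meets_target(text) else "too hard"
        print(f"{label:9s} grade {stats['grade_level']:5.1f}  "
              f"ease {stats['reading_ease']:5.1f}  {verdict}")
```

Run against a draft, the second passage lands well above a grade-8 target because of its 26-word sentence and long Latinate words, while the first passage, which says the same thing, scores at roughly a second-grade level; that gap is the signal to rewrite before the policy goes out for sign-off.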

Policies are important and the next time you are asked to read a policy, consider that it is protecting you as much as it is protecting your company.  If you don’t understand expectations as an employee, how can you hope to do the right thing?

Reference:

· Microsoft Office (2014). Test your document's readability. Retrieved September 23, 2014, from http://office.microsoft.com/en-us/word-help/test-your-document-s-readability-HP010354286.aspx?CTT=1
· Read-able.com (2009–2014). The Readability Test Tool. Retrieved September 23, 2014, from http://read-able.com/check.php
· Readability-Score.com (2011–2014). Reading Ease. Retrieved September 23, 2014, from https://readability-score.com/

Saturday, September 20, 2014

No Disaster Recovery Plan – Lose Business – Lose Jobs

What would happen if your company had a massive fire that destroyed the building that you worked in?  Would your company know what to do?  Would your company have a plan for restoring critical systems quickly to avoid customer impact and thus avoid loss of customers?  Would you still have a job a month or a year later?

Disaster recovery planning is critical for companies of every size.  About 80% of companies without a disaster recovery plan fail within roughly a year of a disaster, and a company that suffers a significant loss of data will likely be out of business within five years (Hatter 2004).  Against those figures, an alarming 30% of companies say they have no disaster recovery plan at all, and 40% report that they have never tested the plan they did write (Hatter 2004).  Testing is a critical part of the plan, because the gaps in it only surface when it is exercised.

Large companies are more likely to have a disaster recovery plan than small and medium-sized companies.  Part of the problem is that smaller companies feel they cannot afford one.  Most will never experience a true disaster, but the losses are large when one occurs.  A company may also feel that insurance covers this.  If a fire destroys an insured business, will it survive?  Probably not, because insurance replaces the building and the equipment but not the customers lost during the months it takes to restore operations.

Overall, disaster recovery planning is critical to a business surviving the unthinkable.

Reference:    


Sunday, September 14, 2014

Information Security Planning & Penetration Testing

Information security does not just happen in an organization.  Information security takes a lot of planning and proactive work to keep customer information secure.  Security of customer data cannot rely on one person or group to make it happen.  Everyone needs to be involved.

Our information security department has to take a very proactive approach to keeping our data secure.  At least once a year, penetration testing is done against all of our Web sites to make sure they stay secure.  The department plans the testing of each site and coordinates with every area involved.  It then writes up a report detailing all security risks found, and the developers are assigned the task of fixing them.  The issues are categorized as low, medium, or high.  High issues must be fixed as soon as possible, and medium risks are also remediated as soon as possible.  Low risks usually just require that we have a plan in place to remediate them when we can.

Occasionally a risk is low and the cost to remediate it is high, so the risk is "signed off on" by the business unit.  The business unit has the ability to accept a risk once it has all the information.  A risk has to be low for acceptance to be an option.

What does penetration testing do?  It is an authorized attempt to circumvent the security of a Web site or application: the tester tries to get past the safeguards the same way an attacker would.  These permitted "attacks" are planned and coordinated with every area the test could impact, and it is the written authorization and agreed scope that make them legal; attacking a site without the owner's permission is not.  A company will often pay a firm that specializes in this kind of testing, although no test finds every vulnerability, so the exercise is repeated rather than done once.  It is much better to find and fix weaknesses before a customer is impacted by a breach.  For more information on penetration testing, the link below covers what penetration testing is, why it is done, how often it should be done, and who benefits from it (Core Security n.d.).

Reference:


Saturday, September 6, 2014

Project Management, Information Security & Agile

The purpose of my ongoing blog is to tie in what I am learning in my Information Security Management course at Bellevue University.

This week we have tied project management to information security management.  I have been involved in many projects in my 25 years in IT, and honestly it seems to me that a lot of those projects have not focused on security concerns.  It is very important that information security be factored into every project so that any risk the project introduces to the company is identified.  It is also important that the information security department manage corporate security concerns as projects of their own, so key points are addressed.

Projects are delivered through a development methodology, and agile is the newer methodology used on many projects today.  But is agile the best way to do things, and does agile factor in information security concerns?

I looked for information on what's next after agile.  Has something been created that is "better" than agile?  Mike Gualtieri wrote a thought-provoking article in 2011 arguing that agile is not that great and that there are better ways to manage projects.  He had some very interesting points on whether having "working software" is a measure of progress or whether it is narcissistic.  He also indicated that having the business unit involved at every step can be perceived as the developers being "lazy," since the business unit ends up telling the developers what needs to be done (Gualtieri 2011).

From my experience with agile, the business units do not always get involved very much, if at all, in projects.  A lot depends on the project.  For business-as-usual (BAU) work, agile is not necessarily the best fit.  For larger projects, agile makes more sense because you can break the work into smaller pieces and see measurable achievements as you go.  Agile can factor in security concerns as tasks that need to be completed as part of the project.

Does agile address security concerns while working on projects?  In my experience, the agile methodology really doesn't get into detail on what should be included in a project and does not ensure that security concerns are factored in.  Should the methodology include security concerns as a milestone?  Security should be a primary factor in every project in an environment where more and more people are successfully attacking Web sites and gaining access to sensitive information.

I look forward to continuing posting to this blog as I progress through this course.  I am also taking a project management course this term so this week’s chapter for my information security management course tied heavily into that course.

Reference:

· Gualtieri, M. (Oct 2011). Agile Software Is a Cop-Out; Here's What's Next. Retrieved September 5, 2014, from http://blogs.forrester.com/mike_gualtieri/11-10-12-agile_software_is_a_cop_out_heres_whats_next