Monday, November 10, 2014

Information Security Management - Conclusion

Over the course of the last 12 weeks, my blogs covered a wide range of topics.  My topics tied into what interested me the most each week for the class.  I wanted to get the most out of this class and out of writing the blog so I picked things that interested me the most.

On the first week, I introduced myself in my blog and got into a silly list of “definitions” for the acronym COBOL.  In the course of my almost 26 years as a programmer, I have heard many times that COBOL is a verbose language that will “die” soon.  And guess what?  It has not “died” yet and will likely be around after I retire in another 20 years (give or take depending on when I am ready to move on to the next chapter of my life).  I have not programmed in COBOL since 1999 but I have never regretted the 10 years I did it.  I even taught COBOL for four years and still remember the silly joke I made about never missing a period when you code in COBOL.

My blog went on to cover various topics such as Agile, penetration testing, disaster recovery, information security policies and readability, best practices for information security, security risks, personal firewalls, and even got into the security risks of terminating an employee.  Most of the topics I picked I had at least a minimal understanding of before I took on the topic.  I have had exposure to most of the things I covered in my blog during my career.

In terms of my sources, they were quite varied for my blogs.  The only source that I lean to for research is Google.  By using Google searches for my topics each week, I ended up getting a wide variety of sources.  It is rare that I end up on the same site repeatedly for my sources.  I first find a bunch of links and then start reading a bit from each source that I find until I find a source that resonates with what I want to write about.  I then try to read from at least a couple of sources before I write my blog so I get a combination of viewpoints (including my own).  Then I can provide a more balanced opinion on my topic.

I feel blogging can be a very valuable tool for not only the reader but the author of the blog.  By writing the blog, it helped me to organize my thoughts.  It also pushed me to dive deeper into topics that I was learning for this class.  I don’t think that blogging is for everyone.  Some people hate writing.  I work in a field where documentation has huge value but is also something most technical people hate to do.  I think that some do well at documentation and others do poorly and should leave it to people who love doing it.


The biggest recommendation I have about an information security blog is that it is important that no sensitive information be included in the blog.  I always wrote my blog considering whether what I was writing was sensitive and would be inappropriate to write about.  A blog can be valuable to a company but it should also consider whether the information is OK to be publicly discussed.  Maybe a secure blog that only internal information security staff could get to would be a better option for an information security department.

Friday, November 7, 2014

Employee Termination & Security Concerns

Terminating an employee from a company is never an easy thing to do.  An employee may be terminated for lack of performance, breaking the rules, long-term illness, or even being laid off due to a bad economy.  A manager who has to make that hard decision to terminate an employee needs to make sure that they keep security factored into the termination steps.

Every employee who works for a company has some form of access to the company and the company's assets.  An employee may only have access to a building using a keycard.  An employee may have access to confidential information via a computer/network and/or paper files containing confidential information.  An employee who has been terminated can cause problems for a company if the termination is not handled properly.

One key thing is to track what access each employee has, including both physical access and access to computers.  If access is not tracked properly, it is much more difficult to make sure that all access is revoked upon termination.  A large number of employees also have remote access to company computers.  All of this access must be tracked so that when an employee leaves a company, voluntarily or otherwise, the access can be revoked.  If any of the employee’s access is not revoked upon ending their employment, this would allow them to do harm to the network or the people in the company.

How should a company handle terminating a potentially violent employee?  This is a tough situation because if a manager is concerned about a violent reaction from an employee, they may fear for their safety or the safety of other employees in the company.  If an employee is being terminated and there is worry about repercussions, the manager should have another person involved, such as a security person.  The location of the termination may need to be a neutral area away from other employees.  Depending on the circumstances, employees may not be given an opportunity to clear their own desks, because of the potential for backlash from anger at being terminated.  Extra security may be warranted after the termination of a volatile employee.  There has been an increase in workplace violence in recent years, so all these steps are necessary to ensure the safety of employees in a company (Dimoff n.d.).

It is important that the employee's electronic and paper files be reviewed for information that is important to the company.  If all the files are deleted and/or thrown away, important information may be lost.  The files may also be valuable as evidence if the employee is suspected of having carried out illegal activities while employed.

It is also important to consider these things when an employee resigns, because a resignation may also come from an angry employee.  It is important to monitor employee actions at all times, and especially in the days or weeks after a resignation is submitted and before the employee has their access revoked.  One thing that can be considered is to start revoking unnecessary access as soon as possible to limit the company's exposure.
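The access-tracking and staged-revocation practice described above, as an added example that is not part of the original post: a small per-employee access inventory, a function that lists the grants that can be pulled as soon as notice is given, the checklist of everything still active on the exit date, and a post-termination audit that flags anything left behind.  The employee names, system names and the "needed until exit" flag are constructed assumptions for illustration.

```python
"""Offboarding access reconciliation over a constructed access inventory."""
from dataclasses import dataclass


@dataclass
class AccessGrant:
    employee: str
    system: str             # e.g. "keycard-bldg-A", "vpn", "ad-account"
    kind: str               # "physical", "network" or "remote"
    active: bool = True
    needed_until_exit: bool = True   # False: revocable as soon as notice is given


def build_inventory():
    """Constructed sample inventory (hypothetical employees and systems)."""
    return [
        AccessGrant("jdoe", "keycard-bldg-A", "physical"),
        AccessGrant("jdoe", "vpn", "remote", needed_until_exit=False),
        AccessGrant("jdoe", "ad-account", "network"),
        AccessGrant("jdoe", "payroll-app", "network", needed_until_exit=False),
        AccessGrant("asmith", "keycard-bldg-A", "physical"),
    ]


def early_revocations(inventory, employee):
    """Grants to pull when notice is given: active and not needed to finish out the notice period."""
    return sorted(g.system for g in inventory
                  if g.employee == employee and g.active and not g.needed_until_exit)


def termination_checklist(inventory, employee):
    """Every active grant for the employee, grouped by kind, so nothing is missed on the exit date."""
    checklist = {}
    for g in inventory:
        if g.employee == employee and g.active:
            checklist.setdefault(g.kind, []).append(g.system)
    return {kind: sorted(systems) for kind, systems in checklist.items()}


def revoke(inventory, employee, systems):
    """Mark the named grants inactive; other employees' grants on the same systems are untouched."""
    for g in inventory:
        if g.employee == employee and g.system in systems:
            g.active = False


def leftover_access(inventory, employee):
    """Post-termination audit: any grant still active for the departed employee is a finding."""
    return sorted(g.system for g in inventory if g.employee == employee and g.active)
```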

All these things are very important to consider when an employee is leaving a company, whether voluntarily or not.

References: