Cyberspace: What’s Your Plan?
In today’s ever-changing business world for residential and commercial integrators, client network access and security, your company’s own information resources (and just about anything else, including the kitchen sink!) have become sought-after targets for hackers. Let’s face it: with social media tracking your clients’ every move, multiple database breaches, and government agency snooping, you and your clients should naturally be concerned about IT security.
A security policy is a good place for a small company to start, both in defending against a possible breach and in restoring a network and its information should a breach occur. I know some businesses think they are too small to be attacked and don’t see an ROI on having such a plan (and/or they don’t feel responsible for the networks they sell and install for their clients), but it only takes one incident to put your whole company and livelihood in jeopardy.
Having a security policy to follow can help manage recovery scenarios and demonstrate due diligence should the unforeseen occur, especially if and when a client asks, “How exactly have you locked down my wireless access points?” “What password scheme are you using for the 25 IP appliances I have installed throughout the house?” “Who in your company has access to my network?” “Just how secure am I?” Being able to point to a general IT Security Policy demonstrates a level of professionalism that is reassuring to clients. It also gives your employees a clear road map to follow, so everyone is on the same page when it comes to questions of who can access what, how passwords are devised and recorded, and what happens if a network is compromised and data is stolen or lost.
A security policy is a basic framework within a business that establishes the levels of information security needed to achieve the desired level of confidentiality. Having a security policy is a must for any organization because it defines what should be done if users abuse the network, or if there is a network outage due to a natural disaster or an attack on the network. A simple security policy can also be extended to cover your clients if you are contracting for or delivering a remote system management service. An effective security policy might cover some or all of the following areas and provide a plan to manage them: Acceptable Use, Backup Policy, Incident Response Policy, Network (wired and wireless) Security Policy, Network Access (on-site and remote) Policy, Email Policy, Outsourcing Policy, Password Policy, Physical Security Policy and Security Training Policy.
Now, this might seem like a major undertaking, but keep in mind that you are only constructing general policy guidelines, not the details of each part of your policy plan. That comes later, and chances are you already have a lot of it in place. The purpose of your IT Security Policy is to let everyone on your team, and the clients you provide remote services for, know that you do in fact have a general plan should something unforeseen happen on any given network. Being prepared gives everyone a good road map to follow, whether there is an actual outside hacking attack or a natural disaster where you have to react immediately. Let’s take a closer look at how you might define the individual policy segments.
Acceptable use defines how the company expects its employees to act and the manner in which they use the company’s or a client’s equipment. Keep it simple.
Access accountability defines the roles and responsibilities of users, staff and management with regard to security, especially where remote access is concerned. Again, you probably already have a working framework for assigning and managing access. If you don’t, this area is extremely critical, especially if you are providing remote services.
Network security policies help an organization manage changes made to a network, such as changes to ACLs, routers and any other configurations that help keep a company or client and their data safe. System policies define what security measures should be on the network, such as an IDS, firewall policies and password management, and how each of them should be configured.
Physical security covers how the building and/or the network itself should be protected. Other areas related to physical security include cameras, visitors, and possibly key cards for employees or entry procedures for client homes and buildings.
Incident handling and response defines what actions the company should take in the event that its own network or a client’s network has been compromised or breached.
The last section that needs to be included in a security policy is the security training the company will provide to its employees. This training should cover how to guard against well-known attacks and, most importantly, what to do if security is ever breached within the company or at a client location.
Having a documented IT security policy that covers the above sections will help your company and your employees understand their roles in implementing network changes, updates and upgrades; limit the attacks that can be carried out against a network from the inside as well as the outside; and guide them if the network is breached. Additionally, your clients, both residential and commercial, will have better peace of mind knowing you have set policies concerning IT security. Remember, for your basic policy, keep it simple to begin with and follow up with more detail as time permits. As I said earlier, you probably already have a lot of policy you’ve implemented over the years; now you just need to formalize it, train your employees so they are part of the solution, and inform your clients when they have questions about their own network or about information security issues on systems you happen to manage remotely.