Chapter 15: Security Policies and Practices for Small Businesses

Objectives
• Relate to the unique security needs of small businesses.
• Define the type of policies appropriate for small businesses.
• Author security policies for small businesses.
• Develop security procedures for small businesses.
• Implement security best practices for small businesses.
Introduction
• Small business owners may not think they would be targets of security attacks, but that is not necessarily true
• Small businesses should have security policies and procedures that are reasonable in scope, cost effective, and meaningful
What Is a Small Business?
There are a variety of definitions for a small business:
• Independently owned and operated
• Not dominant in its field
• Employs fewer than 500 people
• Less than $6.5 million in annual income
What Should a Small Business Do?
• Small businesses should have a security policy
• Small businesses should teach their employees about security
• Some small businesses are subject to government regulations or other contracts or requirements
Why Have a Confidentiality Policy?
• Businesses must protect their information from unauthorized or inappropriate disclosure
• A confidentiality agreement is a legal document that employees must agree to and sign
• It must be a mandatory condition of employment for all users
What Is Acceptable Behavior?
An acceptable use policy details expected behavior in regard to the use of company resources:
• All equipment and information belongs to the company
• Includes hardware and software
• Includes saved files, e-mails, and voicemail
• No expectation of privacy
Internet Use—Where to Draw the Line?
• Internet access is provided at company expense for employees to conduct business
• Noncompany use should be restricted to personal time such as breaks and lunch
• Some sites are completely inappropriate
• The Internet policy should state that Internet use will be monitored and logged
Transmitting Data
• Data must be transmitted in the course of company business
• FTP
• IM—a security nightmare; not secure, and its use should not be allowed
• P2P—another security nightmare that does not belong on a business network
Keeping Corporate E-mail Secure
E-mail is like sending a message on a postcard printed on company stock:
• It can be read by anyone and looks like official company policy
• Acceptable use of e-mail must be defined
• Company e-mail is only for company business
• Confidential information should never be e-mailed
Misuse of Resources
Junk e-mail consumes valuable resources. It comes in three main types:
• Spam—unsolicited e-mails
• Hoax e-mails—should not be responded to or replied to
• Chain e-mails—should not be forwarded
Reporting and Responding to Incidents
• A security incident is any situation where the confidentiality, integrity, and/or availability of protected information are put in jeopardy
• The threat of an incident is always high
• Calls for strong leadership and a clear, defined response
• Someone must be designated as the contact for reporting and as the incident handler
• A response plan must be in place
Managing Passwords
• The issue with passwords is convenience vs. security
• Every account must have a password
• Passwords must be kept secret (not written down)
• Password characteristics must be defined:
  • Length—generally eight characters
  • Complexity—a combination of uppercase letters, lowercase letters, numbers, and special characters
  • Age—generally change every 90 days
  • Reuse—should be restricted; don’t cycle through 2 or 3 favorites
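The password characteristics above can be enforced mechanically. The following is an added example, not part of the original slides: it checks a candidate password against the slide's values (eight characters, four character classes, 90-day age, no reuse) and assumes a five-entry history of hashed previous passwords, which is a choice of this example rather than something the slide specifies.

```python
import hashlib
from datetime import date, timedelta
from typing import List, Optional

# Policy values from the slide; HISTORY_SIZE is an assumption of this example.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
HISTORY_SIZE = 5


def fingerprint(password: str) -> str:
    """Hash a password for the reuse history so old passwords are not stored in clear.
    (Illustrative only: a real store would use a slow, salted password hash.)"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_new_password(password: str, history: List[str]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(not c.isalnum() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing character class(es): " + ", ".join(missing))
    # Compare only against the most recent HISTORY_SIZE entries.
    if fingerprint(password) in history[-HISTORY_SIZE:]:
        problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    return problems


def password_expired(last_changed: date, today: Optional[date] = None) -> bool:
    """True when the password is older than MAX_AGE_DAYS and must be rotated."""
    today = today or date.today()
    return (today - last_changed) > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample: the user tries to set the same password they had before.
    previous = [fingerprint("Winter2023!")]
    print(check_new_password("Winter2023!", previous))
    print(password_expired(date(2024, 1, 1), date(2024, 4, 1)))
```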
Protecting Information
Small businesses are particularly vulnerable to negative events such as loss or misuse of information.
• Information must be classified according to its sensitivity to disclosure:
  • Confidential
  • Restricted
  • Public
Protecting Information (cont.)
• Information must be labeled to communicate its level of protection
• The policy must specify who has access at each level and how the information should be treated for:
  • Access
  • Storage
  • Transmission
  • Disposal
Protecting from Malware
• Small businesses must have antivirus software installed, maintained, and monitored
• E-mail must also be scanned
• Antispyware must also be installed and used
• Users must be trained in how they can minimize malware threats
• Proactive patch management is vital
Securing Remote Access
• Remote access to the network must be secure and limited to authorized users
• A virtual private network (VPN) is standard
• An unsecured wireless network should never be allowed to connect to the company network or to store company information
Controlling Change
• A network must evolve with the company if it is to remain useful
• Change control is a procedure for making sure that only authorized changes are made to a network, including its software, hardware, access privileges, and processes
Why Does a Small Business Need a Change Control Policy?
• Small businesses are likely to depend on only one or two systems to provide all their services
• Small businesses often outsource IT work, so a policy helps to standardize the change management process
Change Management Process
• The three phases of change management are:
  • Assessment
  • Logging
  • Communication
• The change control policy must also state the disciplinary actions that will result if the policy is violated
Data Backup and Recovery
• Backing up data involves making a copy of existing corporate data for archival and potential recovery purposes
• Backup media must be protected at the same level of security as the original media
• Test restores ensure that the backup media work properly and provide the correct restored data
Five Methods of Data Backup
• Copy backup--A copy backup copies all selected files but does not mark each file as having been backed up.
• Daily backup--A daily backup copies all selected files that have been modified the day the daily backup is performed but does not mark each file as having been backed up.
• Full backup--A full backup copies all selected files and marks each file as having been backed up.
• Incremental backup--An incremental backup backs up only those files created or changed since the last backup and marks each file as having been backed up.
• Differential backup--A differential backup copies files created or changed since the last full backup but does not mark each file as having been backed up.
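The five definitions differ only in which files they select and whether they "mark" files (clear the per-file archive bit). The following added example, not part of the original slides, simulates a constructed three-file set over one week (full backup Monday, then the chosen method Tuesday to Thursday) so the difference between an incremental and a differential chain is visible: after a Wednesday edit, the differential still carries Tuesday's change, while the incremental carries only Wednesday's.

```python
from datetime import date, timedelta


class File:
    """Constructed file record: the archive bit is set whenever the file is created or changed."""

    def __init__(self, name, modified):
        self.name = name
        self.modified = modified
        self.archive_bit = True

    def change(self, on):
        self.modified = on
        self.archive_bit = True


# Which methods mark files (clear the archive bit) per the slide's definitions.
MARKS = {"copy": False, "daily": False, "full": True, "incremental": True, "differential": False}


def run_backup(method, files, today):
    """Return the names one backup of this method copies; clear archive bits only if it marks."""
    if method in ("copy", "full"):
        selected = list(files)
    elif method == "daily":
        selected = [f for f in files if f.modified == today]
    elif method in ("incremental", "differential"):
        # Both copy whatever changed since the last marking backup; only incremental marks.
        selected = [f for f in files if f.archive_bit]
    else:
        raise ValueError(f"unknown backup method: {method}")
    if MARKS[method]:
        for f in selected:
            f.archive_bit = False
    return [f.name for f in selected]


def weekly_schedule(method):
    """Full on Monday, then `method` Tue-Thu; returns the files copied each day."""
    monday = date(2024, 1, 1)
    files = [File("ledger.xlsx", monday), File("invoices.docx", monday), File("notes.txt", monday)]
    log = {"Mon": run_backup("full", files, monday)}
    files[0].change(monday + timedelta(days=1))  # Tuesday: ledger edited
    log["Tue"] = run_backup(method, files, monday + timedelta(days=1))
    files[1].change(monday + timedelta(days=2))  # Wednesday: invoices edited
    log["Wed"] = run_backup(method, files, monday + timedelta(days=2))
    log["Thu"] = run_backup(method, files, monday + timedelta(days=3))  # nothing changed
    return log


if __name__ == "__main__":
    for m in ("incremental", "differential", "daily", "copy"):
        print(m, weekly_schedule(m))
```

A restore from the differential chain needs only Monday's full plus the latest differential, whereas the incremental chain needs the full plus every incremental since, which is why test restores on the chosen chain matter.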
Summary
• Small businesses must adopt security policies that are reasonable, cost effective, and meaningful
• Employee training and awareness programs are essential
• Everyone in the business must assume responsibility for information security
Summary (cont.)
• Businesses are stewards of information
• Customers, shareholders, employees, and others provide personal information and depend upon businesses to protect it