So the tone of many of our posts is about providing you – individuals, or businesses, big and small – with some ideas on implementing security at your level. Our focus is to demystify security and also alert you to some key issues that everyone faces. You are not alone. The challenges you encounter, whether in your home or business, are real and they are ones that people experience every day, and sometimes over and over again.
So where do we begin? Our philosophy on security begins with you, the homeowner, small business manager, CISO, corporate management, or CEO. Whatever your position, you can control how you are going to address security. You can help set the climate and culture of a positive security environment. You can choose to put convenience to the side and accept that security requires an extra effort. You have to take ownership of your security. You have to realize that you will uncover issues and identify some vulnerabilities. Some may be minor and easily corrected, but others are going to have significant impacts. A positive security environment takes time, and people will look to you and gauge your response to matters. You can’t dismiss the risks, and at the same time, you can’t over-react to issues. You will have to help set the example and set the tone.
Once you get in the right place and accept your responsibility, we have to start understanding how you build your organizational security posture. We want to make this point, though: you are not going to be perfect from the beginning, especially if you don’t have any security posture. It is possible that as you do this, whether it’s the first time or the 100th time, you may not get everything right. You may even overlook something. That’s OK; start at a point and look to improve each time. You should even adapt on the fly and incorporate other areas and observations as you go along, even if they aren’t on the list. Security is constantly changing. A policy that is established one day might be irrelevant the next. Attackers constantly learn and adapt; we should too.
Assessments. The recognition that change won’t happen overnight is critical to moving forward. But you will need a starting point for organizational understanding and recognition of the issues. This is where you will need to conduct an organizational security vulnerability assessment. This holistic assessment needs to include three critical areas – personal/personnel security, physical security, and information security. Some thoughts on each.
- Personal/personnel Security. Two elements of this – not only do you want to evaluate your own personal security, you also want to evaluate your personnel and assess the risk they pose to your organization. This means you do your due diligence when you hire employees and make sure that they didn’t leave an organization because they were security liabilities or threats. And it also means that you assess their security during your onboarding process. You look at their incoming security posture and the training that they have, and what they need for the future. This helps you plan for the future. More information can be found here.
- Physical Security. This means so much that we have a previous post about it.
- Information Security. Information security is probably much more familiar for most current security professionals. This includes many elements – access controls/permissions, data storage, website management, password management, application security, and BYOD devices, to name a few. Do you have firewalls? How is your network protected? What about your servers? Is your anti-virus up to date? There are a lot of areas to go into, and it needs to be done.
Policies. We want to be very clear – you need to have a security policy and you need to be able to enforce it. This is critical in setting the culture and climate. You outline your expectations for your security posture. This then allows you to enforce that standard and expectation. Start with your overall security philosophy and build off of that. What other areas are important to address?
- Restricted Areas – do you have them? If so, who is allowed in those areas? What is the process for gaining access to them? Are visitors allowed in?
- Access Controls – do you need a badge to enter the office? If so, when do you get one? What happens if you lose one? How do you address visitors? Are family members visitors?
- Neat Desk Policy – do you need one? What are the benefits of this?
- Bring Your Own Device Policy – do you allow employees to bring their own device? If so, do you want to allow them to access your work network? What conditions have to exist? What happens if they lose their phone or trade it in with network information or work-related materials on it? Do you require encryption? Do you require screen protectors?
- Security Training – if you want to get better, you learn and train on it. Implementing a security training policy helps establish security as a priority.
- Work from Home – do you allow this? What safeguards are required at home? Do you have to certify it?
- Removable Media Policy – do you want to allow this? What happens if someone wants to burn a document for an official use? Do you require a disinterested party/security officer to conduct the physical transfer?
- Incident Response – what do you do? Who is responsible for what and when? How do you practice this?
Programs. Now that you have done an assessment and established policies, you need to follow through with programs. Programs are the means that will help achieve that nirvana of security consciousness and awareness (wow, that’s setting some high expectations).
- Security Awareness. Do you have security posters up on the walls so that people see security at every corner? Do you have a security banner that shows up every time you turn on your computer? Do you have security reminder emails?
- Security Training. As the threats evolve, so must our education. What will this consist of – classroom, online, or both? Do you need a training officer? How often will you have training?
- Data Backup. This is especially critical with all the ransomware out there. Do you have a routine backup date and time? Is it cloud-based?
- Incident Response. Following up on your incident response policy, do you do practical exercises to practice and prepare for the real thing?
- Contingency Plan. The incident response can be part of your Contingency Plan. Another thing to consider is what happens during an extensive power outage. Do you work out of your home or work out of an alternate area? Who are the essential personnel? What are the priorities of work?
- User Agreements. This is a policy that requires users to acknowledge that by using a company computer or device, certain behaviors are expected. This should be done annually.
There is a lot of information in here and, as we have said before, it can seem overwhelming. So take it slow, and make progress every day. And most of all, don’t try to be perfect. Get something up and running and then make changes.