Chapter 15: Security Policies and Practices for Small Businesses

Post on 25-Feb-2016


DESCRIPTION

Chapter 15: Security Policies and Practices for Small Businesses. Objectives. Relate to the unique security needs of small businesses. Define the type of policies appropriate for small businesses. Author security policies for small businesses. Develop security procedures for small businesses. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Chapter 15: Security Policies and Practices for Small Businesses

Page 2: Objectives

Relate to the unique security needs of small businesses.

Define the type of policies appropriate for small businesses.

Author security policies for small businesses.

Develop security procedures for small businesses.

Implement security best practices for small business.

Page 3: Introduction

Small business owners may not think they would be targets of security attacks, but that is not necessarily true

Small businesses should have security policies and procedures that are reasonable in scope, cost effective, and meaningful

Page 4: What Is a Small Business?

A variety of definitions for a small business:

Independently owned and operated

Not dominant in its field

Employs fewer than 500 people

Less than $6.5 million in annual income

Page 5: What Should a Small Business Do?

Small businesses should have a security policy

Small businesses should teach their employees about security

Some small businesses are subject to government regulations or other contracts or requirements

Page 6: Why Have a Confidentiality Policy?

Businesses must protect their information from unauthorized or inappropriate disclosure

A confidentiality agreement is a legal document that employees must agree to and sign

It must be a mandatory condition of employment for all users

Page 7: What Is Acceptable Behavior?

An acceptable use policy details expected behavior in regard to the use of company resources

All equipment and information belongs to the company:

Includes hardware and software

Includes saved files, e-mails, and voicemail

No expectation of privacy

Page 8: Internet Use—Where to Draw the Line?

Internet access is provided at company expense for employees to conduct business

Noncompany use should be restricted to personal time such as breaks and lunch

Some sites are completely inappropriate

Internet policy should state that Internet use will be monitored and logged

Page 9: Transmitting Data

Data must be transmitted in the course of company business:

FTP

IM—a security nightmare; not secure, and its use should not be allowed

P2P—another security nightmare that does not belong on a business network

Page 10: Keeping Corporate E-mail Secure

E-mail is like sending a message on a postcard printed on company stock

It can be read by anyone and looks like official company policy

Acceptable use of e-mail must be defined:

Company e-mail is only for company business

Confidential information should never be e-mailed

Page 11: Misuse of Resources

Junk e-mail consumes valuable resources. It comes in three main types:

Spam—unsolicited e-mails

Hoax e-mails—should not be responded to or replied to

Chain e-mails—should not be forwarded

Page 12: Reporting and Responding to Incidents

A security incident—any situation where the confidentiality, integrity, and/or availability of protected information are put in jeopardy

The threat of an incident is always high

Calls for strong leadership and a clear, defined response

Someone must be designated as the contact for reporting and the incident handler

A response plan must be in place

Page 13: Managing Passwords

The issue with passwords is convenience vs. security

Every account must have a password

Passwords must be kept secret (not written down)

Password characteristics must be defined:

Length—generally eight characters

Complexity—combination of uppercase and lowercase letters, numbers, and other characters

Age—generally change every 90 days

Reuse—should be restricted; don't reuse 2 or 3 favorites
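As an added example, not code from the chapter, the four characteristics above turned into a check a small business could run when a user picks a new password. The thresholds (8 characters, 3 of 4 character classes, 90 days, last 5 passwords kept) are assumptions a real policy would set itself, and previous passwords are kept only as salted hashes so the reuse check never stores them in the clear.

```python
import hashlib
import secrets
import string
from datetime import date

# Added illustration of the slide's four password characteristics; not the
# chapter's code.  The thresholds (8 characters, 3 of 4 character classes,
# 90 days, last 5 passwords) are assumptions a policy would set itself.
# Previous passwords are kept only as salted PBKDF2 hashes, never in the clear.
MIN_LENGTH, MIN_CLASSES, MAX_AGE_DAYS, HISTORY_DEPTH = 8, 3, 90, 5
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def complexity_classes(password):
    """Number of the four character classes present in the password."""
    return sum(any(ch in cls for ch in password) for cls in CLASSES)


def check_new_password(password, history):
    """history: [(salt, digest), ...] newest first.  Returns policy violations."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} < {MIN_LENGTH}")
    if complexity_classes(password) < MIN_CLASSES:
        problems.append(f"needs {MIN_CLASSES} of upper/lower/digit/symbol")
    for salt, digest in history[:HISTORY_DEPTH]:       # reuse check, constant-time compare
        if secrets.compare_digest(_digest(password, salt), digest):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def record_password(password, history):
    """Store the accepted password's salted hash at the head of the history."""
    salt = secrets.token_bytes(16)
    history.insert(0, (salt, _digest(password, salt)))
    return history


def password_expired(last_changed, today):
    """ISO dates in; True when the password is older than MAX_AGE_DAYS."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > MAX_AGE_DAYS
```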

Page 14: Protecting Information

Small businesses are particularly vulnerable to negative events such as loss or misuse of information

Information must be classified according to its sensitivity to disclosure:

Confidential

Restricted

Public

Page 15: Protecting Information (cont.)

Information must be labeled to communicate its level of protection

Must specify who has access at each level and how the information should be treated:

Access

Storage

Transmission

Disposal

Page 16: Protecting from Malware

Small businesses must have antivirus software installed, maintained, and monitored

E-mail must also be scanned

Antispyware must also be installed and used

Users must be trained in how they can minimize malware threats

Proactive patch management is vital

Page 17: Securing Remote Access

Remote access to the network must be secure and limited to authorized users

A virtual private network (VPN) is standard

An unsecured wireless network should never be allowed to connect to the company network or to store company information

Page 18: Controlling Change

A network must evolve with the company if it is to remain useful

Change control is a procedure for making sure that only authorized changes are made to a network, including its software, hardware, access privileges, and processes

Page 19: Why Does a Small Business Need a Change Control Policy?

Small businesses are likely to depend on only one or two systems to provide all their services

Small businesses often outsource IT work, so a policy helps to standardize the change management process

Page 20: Change Management Process

Three phases of change management are:

Assessment

Logging

Communication

The change control policy must also state the disciplinary actions that will result if the policy is violated

Page 21: Data Backup and Recovery

Backing up data involves making a copy of existing corporate data for archival and potential recovery purposes

Backup media must be protected at the same level of security as the original media

Test restores ensure that the backup media work properly and provide the correct restored data

Page 22: Five Methods of Data Backup

Copy backup--A copy backup copies all selected files but does not mark each file as having been backed up.

Daily backup--A daily backup copies all selected files that have been modified the day the daily backup is performed but does not mark each file as having been backed up.

Full backup--A full backup copies all selected files and marks each file as having been backed up.

Incremental backup--An incremental backup backs up only those files created or changed since the last backup and marks each file as having been backed up.

Differential backup--A differential backup copies files created or changed since the last full backup but does not mark each file as having been backed up.
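As an added example, not code from the chapter, the five methods above modelled on the per-file archive flag that "marks each file as having been backed up" refers to; the file names, dates and backup runs are constructed. It assumes the usual implementation, in which the operating system sets the flag on every write and only full and incremental runs clear it, and the constructed week shows why a differential taken after an incremental no longer holds everything changed since the last full backup, which matters when planning a restore.

```python
from dataclasses import dataclass
from datetime import date

# Added illustration, not the chapter's code.  Archive-bit model of the slide's
# five methods: the OS sets a file's archive flag on every write, and only the
# methods that "mark each file as having been backed up" clear it.

@dataclass
class File:
    name: str
    modified: date
    archive: bool = True


def run_backup(method, files, today):
    """Return the names copied; clear archive bits for the marking methods."""
    if method in ("copy", "full"):
        picked = list(files)                                 # every selected file
    elif method == "daily":
        picked = [f for f in files if f.modified == today]   # changed today only
    elif method in ("incremental", "differential"):
        picked = [f for f in files if f.archive]             # flag still set
    else:
        raise ValueError(method)
    if method in ("full", "incremental"):
        for f in picked:
            f.archive = False
    return [f.name for f in picked]


def touch(files, name, day):
    """A user saves the file: new mtime and the archive flag is set again."""
    for f in files:
        if f.name == name:
            f.modified, f.archive = day, True


def week_scenario():
    """Constructed week: Mon full, Tue edit + incremental, Wed/Thu edits + differentials."""
    mon, tue, wed, thu = [date(2016, 2, 22 + n) for n in range(4)]
    files = [File("ledger.xlsx", mon), File("clients.db", mon), File("memo.docx", mon)]
    log = {"mon_full": run_backup("full", files, mon)}
    touch(files, "ledger.xlsx", tue)
    log["tue_incremental"] = run_backup("incremental", files, tue)
    touch(files, "clients.db", wed)
    log["wed_differential"] = run_backup("differential", files, wed)
    touch(files, "memo.docx", thu)
    log["thu_differential"] = run_backup("differential", files, thu)
    log["thu_daily"] = run_backup("daily", files, thu)
    return log   # Thursday's differential lacks Tuesday's ledger change: the incremental cleared it
```

Restoring from Thursday's media therefore needs the Monday full, the Tuesday incremental and the Thursday differential, not just full plus latest differential.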

Page 23: Summary

Small businesses must adopt security policies that are reasonable, cost effective, and meaningful

Employee training and awareness programs are essential

Everyone in the business must assume responsibility for information security

Page 24: Summary (cont.)

Businesses are stewards of information

Customers, shareholders, employees, and others provide personal information and depend upon businesses to protect it