Most companies track private information, whether the
Social Security numbers of clients, records of financial transactions, their own
employee and payroll information, client lists, and even trade secrets. Once
upon a time, all this information was in paper files, which could be secured
with a heavy, locked door, a grumpy armed guard, and an alarm system.
Most corporate data is now stored electronically and calls
for the same level of security in digital form. The sad thing is, a locked
door is no longer good enough. What’s worse, it’s not so easy to tell where the
doors are, or how to lock them.
The first step in the process of analyzing your company’s
potential security shortfalls is to locate all of your data. Once you figure out
where it is, you can figure out how to protect it. If it is spread throughout
your entire organization, it will be harder to secure.
Once you have identified what data you’re worried about and
where it is, think about all the possible ways it can get accessed. Consider the
- From inside your office – by employees and staff.
- From inside your office – by unauthorized personnel
(cleaning crews, visitors, vendors, etc.).
- From outside your office – hackers, working in
conjunction with viruses and spyware, circumventing your firewall, exploiting
vulnerabilities in your operating system and application software, or hacking
your web site or intranet.
- From outside your office – by remote users who are
- From outside your office – by the unauthorized friends
and family of authorized remote users.
- From outside your office – by disgruntled former
These are just a few of the possibilities, and they raise
all kinds of questions about the security of your organization. Here are some
guidelines for evaluating your level of data security:
INSIDE YOUR OFFICE
- Are your employees’ user names and passwords taped to
their monitors or sitting in their desk drawers? All passwords should be
confidential, known only to the user and the system administrator.
- Do your employees have complicated and confidential
passwords? Good passwords should be at least 6 characters long, containing
both numbers and letters. Passwords should be changed at least once every
three months, or whenever someone leaves your employ.
- Do your employees leave their computers logged in when
leaving for lunch or for the day? It is very easy for an unauthorized
user to get access to a computer that has been left logged in. You can set a
screen saver that, when it activates, requires the user to log back in with
their user name and password before proceeding.
- Your employees should be prevented from downloading
unauthorized software such as screen savers or other utilities. These programs
often come with spyware or malware, which can cut into your bandwidth and
network performance, as well as potentially opening their PC up to intruders.
Your company should have a list of approved software. Anything not on the list
should stay off the network.
- Regular checks for spyware should be run on all servers
- Are all your PCs and servers protected by anti-virus
software that is regularly updated and runs regular scans? The best anti-virus
protection is one that is updated regularly and runs regular scans that
cannot be cancelled by the user. Additionally, your office should have a plan
in place to deal with unexpected virus infections.
- Do you regularly install all critical software patches
on your servers and workstations? Most hackers ply their trade by exploiting
known vulnerabilities in operating systems and application software such as
Microsoft Office. Keeping your software patched, on servers and workstations,
helps keep hackers out.
- Your servers should be separated from the rest of your
office, preferably in a room that can be locked to prevent unrestricted
access. Your servers should never be sitting logged in—the consoles should be
locked to prevent anyone from gaining access.
- Think about who has access to your office after-hours –
cleaning crews, maintenance workers, employees with keys, etc. Do you track
after-hours access to your office? Even authorized employees can use
after-hours access to breach security.
- Are visitors to your office required to sign in and out?
What kind of access to your computer system might they have while they are in
your office? Are they escorted by an employee the entire time?
OUTSIDE YOUR OFFICE
- External security – your Internet connection should be
protected by a hardware or software firewall that is configured to prevent all
inbound access except that which you specify. The logs of the firewall should
be checked as part of a regular security audit to make sure it is functioning
properly. If you use wireless connectivity, wireless encryption should be set
up to prevent users from outside the office getting on to your wireless
- Your nightly backup tape should leave your office. Make
sure the tape cannot get lost or otherwise misplaced. Diskettes, CDs, or DVDs
that contain your company’s data should be accounted for when leaving the
- Computers that you replace should be wiped clean before
- Remote users who work from home should have their home
PCs checked for viruses and patches on the same schedule as you do at the
office. They should be required to have anti-virus, anti-spyware, and hacker
protection as well as the same robust password strategy you use at the office.
Unauthorized users should never be in a position to use a remote user’s
computer to access your office.
- Laptops, PDAs, and external drives such as USB keychain
drives should be used with care, and only after these devices have been
certified as virus- and spyware-free. The same antivirus, antispyware, software
patches, and password complexity standards should apply to any computer or
data store that attaches to your network. Additionally, it is possible for
sensitive data to be easily copied and removed from your office using these
- Remote locations – too often, remote locations are the
“poor stepchildren” of the main office, getting secondhand equipment and
lackluster maintenance. The computers at remote locations should be subject to
the same standards as those of the main office.
TRUST BUT VERIFY
The only way to be sure your security procedures are
working is to periodically update them and verify their operation. I recommend a
security audit once a quarter (or more often, depending on your needs) in which
all workstations and servers are patched, their antivirus and anti-spyware
mechanisms are updated and verified, and workstations and servers are
inventoried for allowed software. Firewall logs should be checked and firmware
updates applied. Passwords should be changed. These audits will likely take less
time the more often they are done.
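Two of the audit steps above (checking the firewall logs against the inbound rules you actually intend, and inventorying workstations for allowed software) can be scripted. The following Python script is an added example and is not CSM's own tooling; the log format, IP addresses, and program names in it are constructed for illustration.

```python
"""Quarterly audit helpers (added example, not CSM's own tooling): flag accepted
inbound firewall connections that the allow list does not cover, and installed
programs not on the approved-software list. All data below is constructed."""
import re

# Hypothetical log format: "<date> <time> <ACCEPT|DROP> <proto> <src> <dst> <dport>"
LOG_RE = re.compile(r"^(\S+ \S+) (ACCEPT|DROP) (TCP|UDP) (\S+) (\S+) (\d+)$")

# Inbound services the policy explicitly allows (constructed): mail and HTTPS only.
ALLOWED_INBOUND = {("TCP", 25), ("TCP", 443)}

# Constructed sample log: 198.51.100.4 is dropped on 3389 once, then accepted.
SAMPLE_FIREWALL_LOG = """\
2006-08-01 09:12:03 ACCEPT TCP 203.0.113.7 192.0.2.10 25
2006-08-01 09:12:11 ACCEPT TCP 203.0.113.9 192.0.2.10 443
2006-08-01 09:13:40 DROP TCP 198.51.100.4 192.0.2.10 3389
2006-08-01 09:14:02 ACCEPT TCP 198.51.100.4 192.0.2.10 3389
2006-08-01 09:15:55 ACCEPT UDP 203.0.113.30 192.0.2.10 161
"""

def unexpected_inbound(log_text, allowed=ALLOWED_INBOUND):
    """Return (timestamp, proto, src, port) for each ACCEPT the allow list does not cover."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsed lines are skipped here; a real audit would count them too
        ts, action, proto, src, _dst, port = m.groups()
        if action == "ACCEPT" and (proto, int(port)) not in allowed:
            findings.append((ts, proto, src, int(port)))
    return findings

# Constructed approved-software list and per-workstation inventory.
APPROVED_SOFTWARE = {"Microsoft Office 2003", "Symantec AntiVirus", "Adobe Reader 7"}
SAMPLE_INVENTORY = {
    "WS-ACCT-01": ["Microsoft Office 2003", "Symantec AntiVirus"],
    "WS-FRONT-02": ["Microsoft Office 2003", "Symantec AntiVirus", "CuteScreensaver"],
}

def unapproved_software(inventory, approved=APPROVED_SOFTWARE):
    """Map each workstation to the sorted list of installed programs not on the approved list."""
    return {host: sorted(set(progs) - approved)
            for host, progs in inventory.items() if not set(progs) <= approved}

if __name__ == "__main__":
    for finding in unexpected_inbound(SAMPLE_FIREWALL_LOG):
        print("inbound not on allow list:", finding)
    for host, progs in unapproved_software(SAMPLE_INVENTORY).items():
        print(host, "has unapproved software:", ", ".join(progs))
```

The dropped 3389 attempt is the firewall doing its job and is not reported; the later accepted 3389 and the UDP 161 connection are, because neither is on the allow list.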
GOOD POLICY MAKES GOOD NEIGHBORS
With apologies to Robert Frost, remember that if all else
fails, you may be able to control more than you think by having a concise
written security policy that all employees are aware of.
of the CSM Family!
each newsletter, we would like to welcome clients to our "family." If
you would like to have your business highlighted, please email Carrie @
Who said it???
"Champions know that success is inevitable, that there is no
such thing as failure, only feedback. They know that the best way to
forecast the future is to create it."
the first person to email us with the correct answer at
and win a $10.00 gift certificate from
Winner: In our last newsletter, the "Who said it" quote was:
"I had to pick
myself up and get on with it, do it all over again, only even better this time"
This quote has
been attributed to Sam Walton
(1918-1992, American businessman, founder of Wal-mart)
Our winner is:
M.J. Hiles with AM Peck & Company, Inc.
of the Month
CSM is offering clients free on-site security
consultations in which one of our technicians will assess your vulnerability and
provide you with a written analysis of your current status.
Call Kim at 859-491-7947 to schedule
It's that time of year... again.
Did you know that statistically there is a peak of viruses towards the end of
summer every year? Symantec has listed 7 new viruses in just the last 2
New News @ CSM!
CSM has been selected as one of only 10 AMS Preferred Vendors in the United
States for AMS 360 installations. CSM will be beta testing 360 and would
welcome your input.
If you would like to assist us in the beta process, please email
know that CSM is 11 years old this year?
Computer Systems Management, Inc. is about
service and about taking the extra steps needed to form lasting
partnerships. In addition to helping our corporate clientele, CSM serves
the community by coordinating PC donations to low-income families and schools,
providing free training classes to "welfare to work" participants,
motivational assistance to GED students and on-the-job training to transitional
Systems Management Inc.;
2517 Anderson Road, Crescent Springs, Kentucky 41017
(859) 491-7947; Fax: (859) 392-2682