Monday, 14 September 2009

Legal Responsability

Where does accountability lay for security both virtual and physical within your company.

We all know the basics like servers are responsibility of your IT staff, but this not the only part, to be honest there are around three main areas of responsibility.

Corporate responsibility, this is the mostly the legal parts of the business we will cover this shortly.
Then we have the Application responsibility this mostly patching and other such vendor related issues, this still fits into your IT department and lastly User responsibility.

With Corporate responsibility is a fuzzy area for most IT departments as they have never be trained in legal profession, so start to think of all the legal aspects of the IT. First think about what happens with all the software you have, and is it really licensed correctly? this can cost a company thousands if there is an audit call and you have missing licenses.

Second have you ever dismissed someone that put a USB key or other removable device into the network that caused an outage ? did you explain to the before this that they shouldn't do it... in black and white? because you can't just dismiss someone for breaking the rules if you haven't first shown them the rules, this come under desktop usage policy. otherwise the company leaves its self open to a counter case for unfair dismissal.

In the case of Application vendors the responsibility to patch security holes is almost voluntary, and even with those that are providing the patches it can often be later to be released. However this does not discount you from following best practice on your network, in fact despite the large number of security hole in software most can be overcome by using DMZ and Layer 3 and 4 switches to prevent undesired traffic. Remember that if you are going to court because a hole is a vendors software cost you millions you have to first make sure you where not leaving the security gate open first.

Lastly the rouge user, these can be at any level within the company from data entry to CEO and can represent a real risk because of the date loss and business impact of that loss.

If alarm bells aren’t already ringing in your head it means ether you’ve covered these points or you a foolish soul indeed.

Here is a quick check list of thing you should have.

1) Clear desktop usage policy, ideally this should be attached to the employee hand book so all employees read it, and should be reminded by a logon banner of some kind. (Remember if it’s not written down you can’t tell them off for it.)

2) Applications and operating systems are not built proof however they can be hardened, enable the firewalls on the operating system, use layer 3 and 4 switches to control unwanted traffic and use DMZ’s for critical system not just public facing systems such as web and email server. (I know it’s a lot of effort I know but it’s all worth it, and the reward of having a working network when others are down is great feeling.)

3) Say no to local data… storing data on laptops and or other removable devices is a security risk at best a foolhardy most of the time. (yes a laptop is a removable device; you take it from the company don’t you?) Try to use terminal services where possible to avoid risk of data leaving the company from theft, encrypt and password protect backup media. If users need to get their email on the go use give them a netbook/notebook as mobile device and other device do not have encryption and if stolen the data/inbox they are connected to has been compromised. There have been cases from banks to military where this has happened no one is above suspicion. It could be the lonely sales guy or the CEO that has his laptop stolen so make sure the data is no on the laptop, centralized applications, this will also give greater control over how the information is seen and prevent office documents containing corporate data leaving the enterprise network.

The last thing and this is for your own protection have a formal risk acceptance form for Managers to sign, this is for example when they don't want to do as you want and what you know is in the best interests of security, write down the risks and get them to sign it and don't do anything till they sign it because other wise it's your job that is on the line.

Reblog this post [with Zemanta]

No comments: