Corporate E-Security Policy
By Patricia S. Eyres
lurk in cyberspace. Every business, regardless of size or industry,
should have an easily understood, consistently enforceable policy to
protect trade secrets, maintain the integrity and security of all
networks and servers, protect sensitive customer information, protect
the organization from lawsuits by third parties, protect the integrity
and reputation of the organization and its business, and ensure
achievement and productivity. Security is everybody’s business.
and viruses are the most visible, but not the most significant
security challenge. Fearing
loss of valuable trade secrets and confidential company records from
intrusion by criminal hackers, large and small organizations alike are
installing firewalls to protect their networks. These firewalls will
stop many, but not all, of today’s hacker attacks. Hackers can take
advantage of holes in a network’s perimeter defenses, created by
employees who bypass protections by attaching modems to their PCs,
setting up wireless access points without permission or downloading
risky software, such as chat or file-sharing programs, all of which
offer entry points for the creative criminal. That’s why security is
everybody’s business, and all managers and employees must understand
the importance of following your established security procedures. This
is especially important when using laptops or working from remote
your networks secure from hackers is just as critical to protect your
customers’ private information. Hackers target electronic databases
of companies selling products on the Internet, because they often have
a mountain of information from which identities can be stolen: names,
addresses, credit card information, and other personal data.
Theft of customer data gets the attention of the media, and one
company was hit with a class action lawsuit charging that it failed to
secure credit card information online. In addition to the legal
exposure and negative PR, it wasn’t helpful for future business
development. The visibility of insecure networks has prompted tough
laws in several states, most notably California, that require any
business that collects data from California consumers to immediately
notify every person if there is a breach of security – from any
about mischief and malice by employees and coworkers? In many ways,
email is ideally suited to smuggle trade secrets and valuable company
data out of your organization. Leaks
of important business plans can be embarrassing and costly, as Apple
Computers learned when it was forced to speed up the launch of a new
product due to a leak from inside its walls.
And intentional disclosure of secrets can cost a lot more. A
scandal involving nuclear secrets leaked from the U.S. Department of
Energy’s lab at Los Alamos
underscores the security risks inherent in email. Investigators found
evidence that email was the critical component in the theft of top
secret data about how to fabricate smaller nuclear warheads.
comprehensive e-security plan should address internal threats that are
as dangerous as attacks from outside. Identifying internal threats is
the first step. The combination of email overload and careless
attachments is one risk; intentional stealing from internal electronic
files by email attachment is quite another. Whether accidental or
deliberate, breaches of confidentiality can erode customer and
employee confidence, cost jobs and devastate your organization.
Information security requires effective policies and consistent
enforcement. It is imperative that every employee know and understand
their role in security, even when it seems like a hassle. This article
provides strategies you can put into practice immediately.
What is the Purpose of Information Security?
security is designed to prevent unauthorized access or damage to
hardware, software, and data. This encompasses misuse, malicious or
accidental damage, vandalism, intentional intrusion, fraud, theft and
sabotage to information resources.
purpose of information security is to safeguard The Company
information resources. Information resources include all The Company
hardware, software, and data in both electronic and hardcopy formats.
This document defines the responsibility and accountability of The
Company personnel, contractors, and vendors with regards to the
security of The Company information. It also educates all computer
users about security and informs them of the serious legal risks
associated with security violations.
Responsibilities for Information Security:
job of protecting hardware, software and data (hard-copy and
soft-copy) from abuse is shared by all users - employees, contractors,
management, administrative staff, and customers. Make it the
responsibility of every system and information user to read,
understand, and comply with your Corporate Information Security Policy
and all associated information security policies and procedures.
the essential provisions on the Company intranet as well as publishing
it in hard copy in your Employee Handbook.
Information Systems Department should manage information security
standards, procedures, and controls intended to minimize the risk of
loss, damage, or misuse of your organization’s data. They should:
- and maintaining policies, procedures, and standards for access
information managed by the Company and implementing access to
- data custodians in identifying and evaluating information security
- implementing, and administering controls and procedures to manage
information security risks.
- security report information in a timely manner to management, data
custodians, and appropriate system administrators.
- as the focal point for reviewing data security issues that have
- security awareness to all managers, supervisors and other end-users
through timely information and training.
Accountability Standards and then Enforce Them Consistently:
is everybody’s business. End-users, including contractors and
vendors, accessing Company data should be personally responsible for
proper use of the resulting available information. The Company
employees who access data must be responsible for:
- with all Company information security policies and procedures in the
use, storage, dissemination, and disposal of data.
- data from unauthorized access.
- information security violations to their supervisor or the Enterprise
Information Security Department.
Address Data Confidentiality:
to the value and sensitive nature of the Company’s data and customer
information, employees must exercise caution and care in their jobs
and adhere to all Company information security policies and
procedures. Information security policies and procedures are published
on the Company intranet. In order to effectively communicate this
policy and emphasize the importance placed on the confidentiality of
data and software, all employees should be required to sign a Data
Confidentiality Statement on an annual basis. New employees should
sign the statement prior to being hired.
Accounts and Passwords - Access to accounts and passwords is the
responsibility of each user.
Security and Individual Privacy - Security measures should be strictly
observed by all system users to protect critical or sensitive data
files (softcopy and hardcopy) from accidental or intentional
disclosure to unauthorized users. In addition, all users should
respect the privacy of other users' software and data. The Company
should reserve the right to monitor and review all system activities
performed by system users and notify users that they do not have a
reasonable expectation of privacy in their computer files, including
of Security Problems - All users should be required to report
instances of security violations, including unauthorized or attempted