Chapter 15: Security Policies and Practices for Small Businesses
Objectives
Relate to the unique security needs of small businesses.
Define the type of policies appropriate for small businesses.
Author security policies for small businesses.
Develop security procedures for small businesses.
Implement security best practices for small businesses.
Introduction
Small business owners may not think they would be targets of security attacks, but that is not necessarily true
Small businesses should have security policies and procedures that are reasonable in scope, cost effective, and meaningful
What Is a Small Business?
There are a variety of definitions for a small business:
Independently owned and operated
Not dominant in its field
Employs fewer than 500 people
Less than $6.5 million in annual income
What Should a Small Business Do?
Small businesses should have a security policy
Small businesses should teach their employees about security
Some small businesses are subject to government regulations or other contracts or requirements
Why Have a Confidentiality Policy?
Businesses must protect their information from unauthorized or inappropriate disclosure
A confidentiality agreement is a legal document that employees must agree to and sign
Signing it must be a mandatory condition of employment for all users
What Is Acceptable Behavior?
An acceptable use policy details expected behavior in regard to the use of company resources
All equipment and information belongs to the company
Includes hardware and software
Includes saved files, e-mails, and voicemail
No expectation of privacy
Internet Use—Where to Draw the Line?
Internet access is provided at company expense for employees to conduct business
Noncompany use should be restricted to personal time such as breaks and lunch
Some sites are completely inappropriate
Internet policy should state that Internet use will be monitored and logged
Transmitting Data
Data must be transmitted in the course of company business
FTP
IM—a security nightmare; not secure, and its use should not be allowed
P2P—another security nightmare that does not belong on a business network
Keeping Corporate E-mail Secure
E-mail is like sending a message on a postcard printed on company stock
It can be read by anyone and looks like official company policy
Acceptable use of e-mail must be defined
Company e-mail is only for company business
Confidential information should never be e-mailed
Misuse of Resources
Junk e-mail consumes valuable resources. It comes in three main types:
Spam—unsolicited e-mails
Hoax e-mails—should not be responded to or replied to
Chain e-mails—should not be forwarded
Reporting and Responding to Incidents
A security incident—any situation where the confidentiality, integrity, and/or availability of protected information are put in jeopardy
The threat of an incident is always high
Calls for strong leadership and a clear, defined response
Someone must be designated as the contact for reporting and the incident handler
A response plan must be in place
Managing Passwords
The issue with passwords is convenience vs. security
Every account must have a password
Passwords must be kept secret (not written down)
Password characteristics must be defined:
Length—generally eight characters
Complexity—a combination of uppercase letters, lowercase letters, numbers, and special characters
Age—generally change every 90 days
Reuse—should be restricted; don’t reuse 2 or 3 favorites
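An added example, not from the chapter: a small Python checker that enforces the four characteristics above (length, complexity, age, reuse). The history depth of five and the salted PBKDF2 digest used to remember past passwords are my assumptions, not the chapter's.

```python
import hashlib
import os
import string
from dataclasses import dataclass, field

MIN_LENGTH = 8         # "generally eight characters"
MAX_AGE_DAYS = 90      # "generally change every 90 days"
HISTORY_SIZE = 5       # how many previous passwords are remembered (assumed value)
CLASSES = {            # the four character classes the policy asks for
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "number": string.digits,
    "special": string.punctuation,
}

@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # digests of past passwords, oldest first
    changed_on: int = 0                           # day number of the last change

def _digest(account, password):
    # The history stores only salted PBKDF2 digests, never the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), account.salt, 100_000)

def violations(account, password):
    """Return the policy rules a proposed password breaks (empty list means it passes)."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append(f"shorter than {MIN_LENGTH} characters")
    for label, chars in CLASSES.items():
        if not any(c in chars for c in password):
            found.append(f"missing {label} character")
    if _digest(account, password) in account.history:
        found.append(f"reused one of the last {HISTORY_SIZE} passwords")
    return found

def change_password(account, password, today):
    """Apply the policy; on success record the digest and the change date."""
    problems = violations(account, password)
    if problems:
        return problems
    account.history = (account.history + [_digest(account, password)])[-HISTORY_SIZE:]
    account.changed_on = today
    return []

def is_expired(account, today):
    return today - account.changed_on > MAX_AGE_DAYS
```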
Protecting Information
Small businesses are particularly vulnerable to negative events such as loss or misuse of information
Information must be classified according to its sensitivity to disclosure:
Confidential
Restricted
Public
Protecting Information (Cont.)
Information must be labeled to communicate its level of protection
Must specify who has access at each level and how the information should be treated:
Access
Storage
Transmission
Disposal
Protecting from Malware
Small businesses must have antivirus software installed, maintained, and monitored
E-mail must also be scanned
Antispyware must also be installed and used
Users must be trained in how they can minimize malware threats
Proactive patch management is vital
Securing Remote Access
Remote access to the network must be secure and limited to authorized users
A virtual private network (VPN) is standard
An unsecured wireless network should never be allowed to connect to the company network or to store company information
Controlling Change
A network must evolve with the company if it is to remain useful
Change control is a procedure for making sure that only authorized changes are made to a network, including its software, hardware, access privileges, and processes
Why Does a Small Business Need a Change Control Policy?
Small businesses are likely to depend on only one or two systems to provide all their services
Small businesses often outsource IT work, so a policy helps to standardize the change management process
Change Management Process
The three phases of change management are:
Assessment
Logging
Communication
The change control policy must also state the disciplinary actions that will result if the policy is violated
Data Backup and Recovery
Backing up data involves making a copy of existing corporate data for archival and potential recovery purposes
Backup media must be protected at the same level of security as the original media
Test restores ensure that the backup media work properly and provide the correct restored data
Five Methods of Data Backup
Copy backup—A copy backup copies all selected files but does not mark each file as having been backed up.
Daily backup—A daily backup copies all selected files that have been modified the day the daily backup is performed but does not mark each file as having been backed up.
Full backup—A full backup copies all selected files and marks each file as having been backed up.
Incremental backup—An incremental backup backs up only those files created or changed since the last backup and marks each file as having been backed up.
Differential backup—A differential backup copies files created or changed since the last full backup but does not mark each file as having been backed up.
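An added example, not from the chapter: a Python model of the five methods in which each file carries a "backed up" mark (the archive attribute), run over a constructed four-day schedule with made-up file names. It goes one step beyond the definitions by showing why incremental and differential backups should not be mixed in the same cycle.

```python
from dataclasses import dataclass

@dataclass
class File:
    name: str
    mtime: int            # day number of last create/modify (constructed sample data)
    archive: bool = True  # "needs backup" mark: set on change, cleared only by full/incremental

def touch(files, name, day):             # create or modify a file; either way the mark is set
    files[name] = File(name, day, True)

def _clear_marks(files):
    for f in files.values():
        f.archive = False

def copy_backup(files):                  # all files, marks untouched
    return [f.name for f in files.values()]
def daily_backup(files, today):          # files modified today, marks untouched
    return [f.name for f in files.values() if f.mtime == today]
def differential_backup(files):          # marked files only, marks left set
    return [f.name for f in files.values() if f.archive]

def full_backup(files):                  # all files, then every mark cleared
    names = copy_backup(files)
    _clear_marks(files)
    return names

def incremental_backup(files):           # marked files only, then their marks cleared
    names = differential_backup(files)
    _clear_marks(files)
    return names

def simulate():
    """Constructed four-day schedule showing what each method actually captures."""
    files, log = {}, {}
    for name in ("ledger.xlsx", "clients.db", "notes.txt"):
        touch(files, name, 0)
    log["day0_full"] = full_backup(files)
    touch(files, "ledger.xlsx", 1)
    log["day1_incremental"] = incremental_backup(files)
    touch(files, "clients.db", 2)
    log["day2_incremental"] = incremental_backup(files)
    # Marks were cleared by the incrementals, so this differential is empty: mixing the two
    # methods means a full+latest-differential restore would miss two days of changes.
    log["day2_differential"] = differential_backup(files)
    touch(files, "notes.txt", 3)
    log["day3_daily"] = daily_backup(files, 3)
    log["day3_copy"] = copy_backup(files)
    log["day3_differential"] = differential_backup(files)  # the copy did not clear the mark
    return log
```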
Summary
Small businesses must adopt security policies that are reasonable, cost effective, and meaningful
Employee training and awareness programs are essential
Everyone in the business must assume responsibility for information security
Summary (Cont.)
Businesses are stewards of information
Customers, shareholders, employees, and others provide personal information and depend upon businesses to protect it