Securing your business




International Chamber of Commerce
The world business organization

Securing your business
A companion for small or entrepreneurial companies to the 2002 OECD Guidelines for the security of networks and information systems: Towards a culture of security

INFORMATION SECURITY ISSUES AND RESOURCES FOR SMALL AND ENTREPRENEURIAL COMPANIES

Published in July 2004 by INTERNATIONAL CHAMBER OF COMMERCE, The world business organization, 38, Cours Albert 1er, 75008 Paris, France

Copyright 2004 Business and Industry Advisory Committee to the OECD (BIAC) and International Chamber of Commerce. All rights reserved. No part of this work may be reproduced or copied in any form or by any means (graphic, electronic or mechanical, including photocopying, recording, taping or information retrieval systems) without written permission of ICC.

FOREWORD

Every company, no matter how small or where it is based, has a role to play in creating a global culture of security. What is a culture of security? It exists when every participant in the information society, appropriately to their role, is aware of the relevant security risks and preventative measures, assumes responsibility and takes steps to improve the security of their information systems and networks.

But how can small companies, or those in developing countries, know what their role is and how to play their part? This guide is addressed to small and entrepreneurial companies with limited information technology resources. BIAC and ICC consulted members around the world to come up with a way to explain the key points of information security to non-technical people whose first responsibility is running a business. Drawing on the principles of the OECD Guidelines for the security of information systems and networks: Towards a culture of security, business experts* have produced a practical guide on how to make good information security practice as familiar and intuitive as the steps we take to physically secure our businesses.

Information security issues and resources for small and entrepreneurial companies shows that the questions we routinely ask ourselves before buying any new product (What do I really need it to do? How well will it work with what I already have? How do I learn enough about it to get the best performance?) are just as relevant to information security. It helps business people ask the right questions to make sure their software and hardware, and their business processes and procedures, work together to keep the business secure.

Tackling information security can seem intimidating, especially if you're not a technical person. But this guide shows that the key is being able to ask the right questions and act promptly and decisively on the answers.

* We draw particular attention to the considerable drafting work of Jeremy Ward, Director of Service Development, Symantec U.K.

We encourage people running entrepreneurial businesses all around the world to use this guide and the resources it points to, and take the first step towards making your business security-aware and security-assured.

Joseph Alhadeff, Vice-Chair, BIAC Committee on Information Computer and Communications Policy; Chairman, BIAC Task Force on Information Security; Vice President for Global Public Policy, Oracle

Talal Abu-Ghazaleh, Chairman, ICC Commission on E-Business, IT and Telecoms; President, Talal Abu-Ghazaleh International, Arab states

TABLE OF CONTENTS

Foreword ... 3
I. Introduction ... 7
II. Dispelling the myths, possible solutions and a call to action ... 8
Myth ... 8
Possible solutions ... 9
Call to action ... 10
III. The OECD Information Security Guidelines: the path forward ... 12
The OECD Guidelines ... 12
How is the culture of security relevant to me? ... 13
What does this guide do? ... 13
IV. The Guidelines and their applicability ... 15
Foundation Principles ... 15
Social Principles ... 15
Security Lifecycle Principles ... 15
V. Security checklist: path forward ... 16
Using the principles ... 16
What you should know ... 16
What you need to do ... 16
What you should know ... 17
Understanding the importance of information to your business (Awareness) ... 17
Understanding information security related assets (Risk assessment) ... 17
Understanding how assets are used, by whom and for what reason (Awareness) ... 18
Understanding security management (Awareness) ... 18
Understanding your broader obligations (Responsibility) ... 19
Summary ... 20
What you need to do: security basics ... 21
Security Policy ... 21
Security Standards ... 21
The path forward ... 26

I. INTRODUCTION

Networks and information systems have become essential to businesses both large and small. They hold the promise of expanded markets and overall economic growth. But these opportunities depend on the security of those networks and information systems. Even businesses that consider themselves less dependent on computers need to be active in ensuring their information security.

Every business that uses a computer needs to be a participant in the global drive toward a culture of security. Everyone has a role to play in securing the information on the systems and networks they control. The role played should be appropriate to the business's resources, and will change with the nature and sensitivity of the information involved.

In the past, information security was not often seen as essential or even relevant to smaller businesses in both developed and developing countries. Now, the interdependence of different communication infrastructures and business models means that all businesses are potentially interconnected. So, it is imperative that everyone play their role in the global culture of security.

II. DISPELLING THE MYTHS, POSSIBLE SOLUTIONS AND A CALL TO ACTION

Myth

"Security is important for large enterprises, but not for a small company like mine."

False! Security is essential for large enterprises that provide access to systems and networks for hundreds or thousands of people. But it is also an important concern for a small or medium sized enterprise. If you answer yes to any of the questions below, then security is an important issue for you.

- Is any of your important company or personal information (whether yours or that of employees, customers, contractors or partners) stored on a computer?
- Do you or your employees access any important information (including banking, credit card, supplier or delivery information) across an internal network?
- Do you have a company website?
- Do you or your employees use the Internet at work?
- Do you or your employees use e-mail at work?
- Could your organization survive if it lost the use of its computers for several days or longer?

If you answered yes to one or more of these questions, then the security of networks and information systems is an essential part of your business. You need to take steps to review the security of your systems and networks and make sure that it is up to the task. Also, it is essential for all computer users to take proper precautions in order to avoid causing problems for others.

Possible solutions

"OK, so I need to consider security, but what can I do? We're not a technology company, I don't have an IT department, and I'm not a technical expert."

Unfortunately, ignorance is no excuse for inaction. In these days of higher levels of network connectivity and intelligent viruses, information on an unsecured system can be quickly compromised, or the system itself can be used as a launching point for attacks on other systems and networks. Even if you're not an expert, you still need to take steps to protect your company and others.

Even with limited resources and expertise, there is much you can do to help secure your system and network access. Consider the questions below. Are you taking these steps?

- Do you have a firewall on your computer if you have Internet access (especially broadband access)?
- Do you have software to detect and destroy viruses transmitted by e-mail or in documents?
- Is security an important criterion when you choose software or service providers?
- Do you understand the security functions of the software and hardware you already have?
- Has anyone in your company taken a computer course to become more familiar with these functions?
- If you have the resources and it's appropriate, have you consulted a local expert on the configuration and deployment of your IT system?
- Have you checked if there are resources or information from government, a local trade association or chamber of commerce that relate to computer security?
- Have you taken steps to physically secure your computers, especially laptops and portable devices?
- Do you regularly back up data off-site? And test your back-ups?
- Do you require your employees to use passwords?
- Do the passwords used contain both letters and numbers?
- Are passwords kept securely (not written down or shared, for example) and changed at least every three months?
- Do you try to train your employees on information security?
- Have you told your administrative support and reception staff what information they may and may not give to callers and visitors?

Call to action

"All these things apply to my business, but it sounds overwhelming!"

Like any challenge, security in its entirety can seem overwhelming. This guide provides you with a roadmap for how to start and what questions to ask. However, there is no one-size-fits-all security solution. And there is no free magic bullet. Information security costs both time and company resources. But security is an essential part of doing business today.

Information security may require some specialist knowledge, but the approach is not all that different from how you maintain the physical security of your business. For example, when you installed the doors and locks on your premises, you probably considered the following factors:

- Usability
- Functionality
- Security
- Reliability
- Cost
- Maintenance

Your systems and network access are no different. Choosing and installing general software applications and specific information security measures requires the same calculation of factors and costs.

The steps you take to ensure the physical security of your business probably seem like second nature. But they are a learned response to known threats and vulnerabilities. Locked doors, secure filing cabinets, and a safe or cash register are all security steps that we take for granted as just part of doing business. Securing our networks and information systems should be no different.

Just as with other purchases, good information security requires both initial effort and ongoing checks. You need to do your research before buying security software, hardware or maintenance services. While you should expect the technology to work well, you still need to carry out the right checks to ensure that it's working correctly. Appropriate features must be set and adapted to work with your existing computers, software and network connections. Many security vulnerabilities are created when people install a new application and simply leave all the default settings in place, making them much easier for unauthorized users to manipulate.

It may seem complicated or overwhelming at first, but over time your actions will become so familiar and automatic that they constitute a culture of security.

No one expects people running small businesses to review software code or understand the intricate workings of hardware. But you can and should read the relevant information, ask pertinent questions and get explanations of issues that don't seem clear. By taking the initiative and showing that security is important to your business, you can go a long way to making sure that your information systems develop in a secure way.

In some cases, for example when making significant changes to your information systems, you may need expert assistance in the initial configuration and deployment of the system. It is essential to keep asking the experts what they are doing and why, and to satisfy yourself that the choices made reflect your business needs and improve the information security of your business.

III. THE OECD INFORMATION SECURITY GUIDELINES: THE PATH FORWARD

The OECD Guidelines

On 25 July 2002, the OECD Council adopted the OECD Guidelines for the security of information systems and networks: Towards a culture of security ("the Guidelines") [1]. The Guidelines address the interconnectivity and evolving risks of the networked economy. Until quite recently, information security was a specialist issue of little direct interest to most people. Today, countries' critical infrastructures (including energy, water, and communications) rely on information systems, making information security a key concern for governments, business and citizens. This change is reflected in the new subtitle of the Guidelines, "towards a culture of security", and the fact that they are directed to ALL participants in the information society, as appropriate to their roles. The Guidelines are basic and succinct, to make them understandable to everyone.

Private businesses own and operate most of the world's information systems and infrastructure. They therefore have a clear responsibility to the overall development and promotion of information security. This needs to be understood at the highest levels of companies. BIAC and ICC developed Information Assurance for Executives [2] as a primer on security issues to help high-level executives put these issues in context and enable them to direct IT staff and specialists appropriately. Information Assurance for Executives elaborates on the Guidelines to show their relevance to the business community.

[1] http://www.oecd.org/dataoecd/16/22/15582260.pdf. The 2002 Guidelines are an updated version of the OECD Security Guidelines first issued in 1992.
[2] Available at http://www.iccwbo.org/home/menu_electronic_business.asp

The Guidelines also apply to how smaller companies deal with security issues in a way that is appropriate to their role, size, resources and sector. The principles in the Guidelines and Information Assurance for Executives are applicable to all businesses. This guide, Information security issues and resources for small and entrepreneurial companies, elaborates on the OECD principles to make them relevant to smaller companies in both developed and developing countries.

How is the culture of security relevant to me?

The culture of security means that we all have a role to play in improving global information security, and that each participant in the information society has a set of appropriate security responsibilities and behaviours, depending on their role and situation. Through learning and practice, security-improving behaviours should become intuitive so that we are all part of a truly global culture of security.

For example, in a culture of security, anti-virus software should always be used to screen incoming messages and files, and be kept up-to-date so that new viruses can be eliminated. In a culture of security, passwords and other authentication procedures are kept secret so that they remain effective. A culture of security means that these and other behaviours become as automatic and common-sense as looking both ways before crossing the road.

What does this guide do?

Building upon the previous OECD and ICC/BIAC work, Information security issues and resources for small and entrepreneurial companies follows the format of the OECD Guidelines. This guide:

- shows the concept behind each of the Guideline principles;
- highlights examples of the principles being applied in practice;
- suggests factors to be considered when deploying security solutions.

This guide will help smaller businesses to identify and respond to security issues. However, the guide cannot determine the best security solution for a particular company as this depends on factors including:

- size and resources of the business;
- sensitivity of the information being secured;
- risks faced by the business in terms of external connectivity (potential exposure to threats) and hardware and software used (potential number of vulnerabilities).

This guide helps you to be better informed about the questions you need to ask, and should improve your understanding of the types of security solutions available to your company. It is supplemented by a set of online links to security resources around the world.

IV. THE GUIDELINES AND THEIR APPLICABILITY

The nine Principles in the Guidelines can be considered in three main categories as follows:

Foundation Principles
- Awareness: what you should know.
- Responsibility: what you should be doing.
- Response: how you should react to security incidents in a timely and cooperative way.

Social Principles
- Ethics: what is appropriate in behaviour that affects others.
- Democracy: general respect for rights and freedoms.

Security Lifecycle Principles
- Risk assessment: understand threats and vulnerabilities to your systems, processes and employees.
- Security design and implementation: how you can select and deploy hardware and software.
- Security management: managing security over time and throughout the business.
- Reassessment: security is a continuing process, not a one-time solution.

V. SECURITY CHECKLIST: PATH FORWARD

Using the principles

This section follows the OECD Guidelines, but re-arranges their principles to help the practical consideration, decision-making and implementation involved in good security practice. The words or phrases in brackets refer to the relevant principle in the OECD Guidelines. This guide focuses on two simple categories: what you should know, and what you need to do.

What you should know
- What do I need to know about information security in my company? (Awareness)
- How can I understand threats to, vulnerabilities of, and the effect on, my systems, processes and employees? (Risk assessment)
- What is expected of me based on the size and nature of my business? (Responsibility)
- What social obligations must I be aware of? (Ethics and democracy)

What you need to do
- Creating and implementing a security policy (Security design and implementation)
- Factors that I should consider in selecting and implementing solutions (Security design and implementation)
- Developing and implementing practices and procedures (Security management / awareness)
- How to deal with incidents (Response)
- Review and improvement of processes and systems (Reassessment)

This guide is comprised mainly of checklists and possible solutions. As security is not a one-size-fits-all solution, you need to determine your requirements based on the needs of your business, the type of information you handle and the nature of your technical infrastructure.

What you should know

Below is a set of checklists to help you assess your information security needs.

Understanding the importance of information to your business (Awareness)

- How does the information you use in your business relate to your primary business objectives?
- Have you identified the information that is critical for you to do business?
- What tasks do you perform that involve the creation, processing, storage, use and transmission of that business-critical information?
- What assets do you use to create, process, store and transmit that business-critical information (for example computers, card-indexes, mobile phones)?
- Do you know what would happen to your business if the confidentiality of those assets was compromised (if, say, a competitor gained access to them)?
- Do you know what would happen to your business if the integrity of those assets was compromised, and you were unable to trust the information in them?
- Do you know what would happen to your business if those assets were unavailable to you for a period of an hour, a day, a week or a month?
- Using what you now know about the confidentiality, integrity and availability of your company's information assets, can you prioritize them?

Once you have prioritized information assets in order of their importance to your business, you will be able to ensure that they are given an appropriate degree of protection. Failing to do this could mean that you will be wasting time and resources on assets that are not critical to your business; or worse, that business-critical information is not adequately protected.

Understanding information security related assets (Risk assessment)

- Do you have a written inventory of your business-critical information assets: hardware, software and intellectual property (such as patents and contracts)?
- Does that inventory tell you where the assets can be found?
- Do you regularly update the inventory and audit it to ensure it is comprehensive and valid?
- Are you aware of the security features in the hardware and software you use, and do you have appropriate manuals or training materials about these features?
- Has anyone in the office had previous experience with these products or taken classes on them?

Understanding how assets are used, by whom and for what reason (Awareness)

- Who in your company has access to business-critical assets?
- Do your employees use unique passwords to control access to the computer assets they use? Are those passwords kept securely and changed regularly?
- Do you ensure that access is given only for genuine work-related reasons?
- Do you keep lists of who has access to what, and do you regularly update those lists?
- Do you run a local or wide-area network? If so, how do you control access to that network? If passwords are used, are these unique to each user, changed regularly and kept securely?
- Do you have Internet access? If so, do you have broadband access or dial-up?
- Which computers / devices in the company have network or Internet access, and do you know who uses these?
- Do employees have remote access to your network (either from home or on the road)? How do employees gain access to your network when they are working remotely?

Understanding security management (Awareness)

Read the following list of security technologies and ask yourself: which are you aware of, and which do you use?

- firewalls and VPN (Virtual Private Networks)
- access, authorization and authentication controls

- anti-virus measures
- spam filters
- software patches
- Internet content control
- network-security policy compliance tools
- vulnerability and threat databases
- cryptography tools such as SSL, public-key cryptography and hard-disk encryption
- intrusion detection systems.

- Do you regularly back up your business-critical data? Do you test the back-ups, restoring the data from them and making sure it's usable? Is your data backed up off site on a regular basis?
- Do you regularly patch any vulnerabilities in the software you use?
- Do employees using laptops or other computers for remote access have anti-virus software and firewalls on those computers?
- Do you allow employees to use the company's computers, systems or network access for non-business purposes? If so, do you make it clear to them that certain uses are unacceptable and may result in disciplinary action?
- Do you provide any security education or training for employees who use the company's computers or information systems?
- Do you have any policies, standards or procedures related to security?

Understanding your broader obligations (Responsibility)

- Are you familiar with legal requirements related to securing certain types of information (financial services information, health information, all types of data covered by your local data protection law / regulations including personal data, money laundering/anti-terrorism requirements)? This may involve privacy legislation as well as sectoral regulation. In some cases, especially where personal, sensitive or confidential information is involved, you may be required to provide a minimum level of protection for that information, irrespective of the size of your company.
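The checklist above asks not only whether you back up business-critical data but whether you test the back-ups by restoring them and confirming the data is usable. The following Python script is an added example, not code from the ICC/BIAC guide, showing one way to turn that question into a repeatable check: it archives a directory, records a SHA-256 digest of every file at backup time, restores the archive into a scratch directory and compares the restored files against those digests. The sample files in demo() are constructed for the example; in practice make_backup() would be pointed at the directory holding your real data and the archive written to off-site or removable storage.

```python
"""Backup-and-restore verification (added example; not the guide's own code).

A backup you have never restored is only a hope. This script creates a
gzip tar archive, keeps a manifest of file digests taken at backup time,
restores the archive somewhere fresh and reports any file that is missing,
altered or unexpected after the restore.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    return {
        str(path.relative_to(root)): sha256_of(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Archive `source` into `archive` and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)


def verify_restore(archive: Path, expected: dict[str, str]) -> list[str]:
    """Restore the archive into a scratch directory and list every discrepancy.

    An empty list means every file came back with exactly the content it had
    when the backup was taken, which is the 'usable' test the checklist asks for.
    """
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        restore_dir = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter (Python 3.12+, back-ported to older security
                # releases) refuses members that would escape the target directory.
                tar.extractall(restore_dir, filter="data")
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(restore_dir)
        restored = manifest(restore_dir)
    for name, digest in expected.items():
        if name not in restored:
            problems.append(f"missing after restore: {name}")
        elif restored[name] != digest:
            problems.append(f"content changed after restore: {name}")
    for name in restored:
        if name not in expected:
            problems.append(f"unexpected file after restore: {name}")
    return problems


def demo(corrupt: bool = False) -> list[str]:
    """Build a constructed sample data set, back it up, restore it and verify.

    With corrupt=True the manifest is deliberately altered for one file so the
    verifier's failure path can be seen (assumption: this simulates a damaged backup).
    """
    with tempfile.TemporaryDirectory() as work:
        data = Path(work) / "data"
        (data / "customers").mkdir(parents=True)
        # Constructed sample content; not real business data.
        (data / "customers" / "list.csv").write_text("id,name\n1,Example Ltd\n")
        (data / "invoices.txt").write_text("INV-001 paid\n")
        archive = Path(work) / "backup.tar.gz"
        expected = make_backup(data, archive)
        if corrupt:
            expected["invoices.txt"] = "0" * 64  # wrong digest on purpose
        return verify_restore(archive, expected)


if __name__ == "__main__":
    issues = demo()
    print("backup restore test:", "OK" if not issues else issues)
```

Run the script on a schedule (for example from the same job that produces the real backup) and treat any non-empty result as an incident: a backup that does not restore cleanly is the failure you want to discover before you need it, not after.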

- Are you familiar with the rights of employees in the workplace? Some laws may limit your access to certain types of employee information and communications, or require notice or consent before you are able to access real or virtual information held in an employee's workspace.
- Are you aware of your role regarding the security of others? The security of information systems is complex because businesses are connected to each other directly and through the Internet, creating interdependencies and spreading risk. Failing to properly secure your system may not just compromise and potentially harm your business; it can increase the risk to other systems to which you are connected. Greater risk could result from virus programmes using your contact lists to spread further, or from malicious programs using your unsecured networked computer to attack or send spam to other systems or computers.
- Do your employees understand what is appropriate behaviour on the Internet? This goes beyond not downloading or posting illegal, inappropriate or offensive material, and includes general conduct that is in keeping with the values and ethical practices of your business.

Summary

The first five steps to knowing about good information security are:

1. Assess your business objectives, information-related tasks and critical information assets and thus your risk.
2. Identify and make an inventory of your business-critical information assets.
3. Know who accesses those information assets, how and why.
4. Find out how to improve the secure management of those information assets.
5. Get to know your broader obligations in the use of your information assets and in relation to society as a whole.

Having taken these steps, you will be in a good position to implement some of the security basics outlined in the next section.

What you need to do: security basics

Below is a set of checklists to help you design, implement, manage and continually reassess the information security strategy of your business.

Security policy (Security design and implementation / security management)

A simple and clear information security policy is essential. It should be as short as possible (no more than a few pages) and should be given to all employees. As each business is unique, your company security policy needs to be tailored to the needs of your business. The policy should include the following statements:

- Information is vital to our business.
- We protect the confidentiality, integrity and availability of our business-critical information.
- We have standards that help do this, including: physical security; personnel security; access controls; security technology; security response and recovery; and security audits.
- We have procedures that help us to meet our standards. Employees should be familiar with the procedures relevant to their roles and responsibilities.
- We take disciplinary measures against employees who persistently or deliberately flout these information security policies, standards and procedures.

The policy should say where details of the standards and procedures can be found.

Security standards (Security design and implementation / security management / response / reassessment)

The standards listed in the security policy section above are examined in more detail below.

Physical security (Security design and implementation)

- Fit appropriate locks or other physical controls to the doors and windows of rooms where you keep your computers.
- Physically secure laptops when they are unattended (for example, by locking them in a drawer overnight).
- Ensure that you control and secure all removable media, such as removable hard-drives, CDs, floppy disks and USB drives, attached to your business-critical assets.
- Make sure that you destroy or remove all business-critical information from media such as CDs and floppy disks before disposing of them. Keep in mind that simply deleting a file might not be enough to make it completely unrecoverable.
- Make sure that all business-critical information is removed from the hard drives of any used computers before you dispose of them.
- Store back-ups of your business-critical information either off-site or in a fire and water-proof container.

Access controls (Security design and implementation / security management)

- Use unique passwords that are not obvious (not birth dates or easily found or guessed information) and change them regularly, preferably every three months.
- Use passwords that contain letters in both upper and lower case, numbers and special keys, and are six or more characters in length. It helps if you consider your password as a memorable sentence, rather than a single word. For example, the sentence "at forty-two I'm a star!" could be translated into an eight-character password that looks like this: @42Ima*!
- Don't write your password down, and never share it with anyone. If you do have to share it, make sure you change it as soon as possible, no matter how well you trust the person you shared it with!
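As an added example (not part of the ICC guide), this Python check implements the password rules stated above: mixed case, numbers, special characters, six or more characters, and nothing obvious such as a birth date. The denylist of obvious words and the date-like pattern are constructed heuristics for the example, not rules from the guide.

```python
import re

# Small denylist of "obvious" passwords (constructed for this example).
OBVIOUS_WORDS = {"password", "letmein", "qwerty", "welcome", "admin"}

# Date-like digit runs such as 1975, 19750312 or 031275; a constructed
# heuristic for the guide's "not birth dates" rule.
DATE_LIKE = re.compile(r"(19|20)\d{2}|\d{6,8}")


def password_problems(pw: str) -> list:
    """Return the guide's rules that the candidate fails (empty list = passes)."""
    problems = []
    if len(pw) < 6:
        problems.append("shorter than six characters")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    # Anything that is not a letter or digit counts as a "special key".
    if not any(not c.isalnum() for c in pw):
        problems.append("no special character")
    if pw.lower() in OBVIOUS_WORDS:
        problems.append("obvious word")
    if DATE_LIKE.search(pw):
        problems.append("contains a date-like number")
    return problems


def meets_policy(pw: str) -> bool:
    """True when the candidate satisfies every rule above."""
    return not password_problems(pw)


if __name__ == "__main__":
    # The guide's own sentence-derived example passes; a name plus a
    # birth date (constructed sample) does not.
    for candidate in ("@42Ima*!", "John19750312", "password"):
        print(candidate, "->", password_problems(candidate) or "ok")
```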

Security technology (Security design and implementation)

- All computers used in your business should have anti-virus software installed, and the virus definitions must be updated at least once a week (many providers have a one-click update). All incoming and outgoing traffic should be scanned for viruses, as should any disk or CD that is used, even if it is from a trusted source. At least once a month, and preferably every day, computers should be scanned for viruses.
- If your computers are connected to the Internet, and especially if you use a broadband connection, you must deploy a software firewall. This will help to prevent malicious code from entering your computer and potentially compromising the confidentiality, integrity and availability of your network. It will also help to stop your system being used to attack other systems without your knowledge. Software firewalls for use by non-professionals are readily available at a reasonable cost. Your operating system, virus control software or Internet Service Provider may also offer a firewall. Consumer and popular trade magazines compare firewall functions and features of well known products, and so are a good source of information. Free shareware firewalls are available, but these usually require expert knowledge for correct use.
- System updates/patching: Complex software will always contain vulnerabilities. Criminal hackers may attempt to exploit these vulnerabilities, and the only way to protect yourself is to apply the patches software vendors provide. For example, computer users who applied a security patch made available well in advance of the Sasser attack were immune to that worm. If possible, set your system to automatically update by downloading patches when available, or at least ensure that you apply patches as quickly as possible.
- If your business has a small internal network that is connected to the Internet, you should consider deploying an all-in-one hardware box that contains a firewall, anti-virus program and an intrusion detection system. This will greatly simplify your use and maintenance of essential Internet security technology.

Personnel (Security management / awareness)

- Perform integrity checks on all new employees to make sure that they haven't lied about their background, experience or qualifications.
- Give all new employees a simple introduction to information security, and make sure that they read and understand your information security policy. Make sure they know where to find details of the information security standards and procedures relevant to their role and responsibilities.
- Ensure that employees have access only to the information assets they need to do their jobs. If they change jobs, make sure that they do not retain their access to the assets they needed for their old job.
- When dismissing employees, ensure that they do not take with them any business-critical information. Make sure that no ex-employees have access rights to your systems.
- Make sure your employees know about the common methods that can be used to compromise your system. These include e-mail messages that contain viruses and social engineering ploys used by hackers to exploit employees' helpfulness to gain information that will give them access to your system. Examples of social engineering include a hacker using the telephone to pose as a systems maintenance engineer or pretending to be a new employee.

Security incident / response (Response / reassessment)

A security incident is any event that can damage or compromise the confidentiality, integrity or availability of your business-critical information or systems. Vulnerabilities in your software are an important potential source of security incidents. Vulnerabilities should be patched as soon as possible after they are announced by the software vendor. Software vendors may also issue appropriate patches which you can download to deal with the vulnerability.

It is important to make your staff aware of telltale signs of security incidents. These could include:
- strange phone requests, especially for information;
- unusual visitors;
- strange patterns of computer activity;
- unusual appearance of computer screens;
- computers taking longer than usual to perform routine tasks.

Your staff should understand that it is always advisable to notify the right person if they observe anything that might be a telltale sign of a security incident. If a security incident happens, employees should know who to contact and how.

You should have in place a plan to ensure business continuity in the event of a serious security incident. The plan should specify:
- designated people involved in the response;
- external contacts, including law enforcement, fire and possibly technical experts;
- contingency plans for foreseeable incidents such as: power loss; natural disasters and serious accidents; data compromise; no access to premises; loss of essential employees; equipment failure.

Your plan should be issued to all employees and should be tested at least once a year, even if you haven't had a security incident. After every incident when the plan is used, and after every test, the plan should be re-examined and updated as necessary using the lessons learned. Ongoing education is vital.

Audit controls / due diligence (Reassessment)

Good information security includes knowing who has access to your system and being able to log that access. You also need to have in place a system to make sure that your security procedures are actually followed. The ability to audit and evaluate information security compliance is essential: you can't manage what you don't measure!

You should audit important aspects of your security, for example, who has access to your systems and who has used what information. You should have a record of each one of your security procedures. For example, if your procedure says that you test your back-up generator once a week, someone should sign a record to show that this has been done. Keeping good records is essential to audit control. Some audit controls may be necessary for legal or regulatory purposes. Good record keeping will clearly demonstrate that you are complying with your obligations.

An audit should ensure that the procedures you have in place are effective and relevant. It is a trigger to re-assess and re-evaluate the effectiveness of your information security standards and procedures. Audits are only effective if you follow through on their findings and identify and implement the steps that need to be taken. A good audit trail is not just a paper exercise. If something goes wrong, the trail should let you see what happened and why. This will help you to keep improving the security of your business.

The path forward

If your company uses a computer, and if that computer is connected to a network, information security must be a part of the way you do business. Information security isn't just about technology, and it's not just for experts. You can radically improve the security of your business and those you do business with by taking a few small steps. Using proper passwords, a firewall, virus detection and making regular back-ups will make a significant improvement in your security and the security of those you deal with. These steps require research and effort to begin with, but will soon become second nature to you and your employees.

There is no "one size fits all" approach to information security, and there are no magic bullets. Information security issues and resources for small and entrepreneurial companies helps managers to identify and respond to the security issues that are relevant to their companies. Everyone who uses this guide needs to tailor their information security policy, standards and procedures to their own company. Each company is unique, and has its own set of needs, resources and circumstances. But what every company shares, no matter its size or location, is the need to play its role in creating a global culture of security. Security is a continuous process, not an end-state.

We point to the extensive resources on the ICC website for more information on a range of security topics from experts around the world. Information security issues and resources for small and entrepreneurial companies is simply a starting point for securing the way you do business. For more information and resources on information security, please visit the ICC website at www.iccwbo.org/home/menu_electronic_business.asp.
