Monday, April 13, 2009

Moving Forward, While Standing Still – Battling IT Security

Creating Security Policies in a Down Market
Originally Posted on Successful Thinkers Meetup by Josh Shackelford

Security is a big issue for all IT leaders. Whether you are a CIO, CTO, IT Director, or an IT manager, you are constantly battling security. It can be very difficult to work on projects that move you forward when you are constantly fighting to maintain a secure network.

New Sources of Attacks
US infrastructure remains vulnerable to cyber terrorism. While the country as a whole seems to be behind, many of our corporations practice much stricter policies than our governing agencies. Government agencies will always be targets, more so for terrorists and hostile states. Those attackers are not the same ones that we, as corporations, chiefly need to protect against. Don't get me wrong, we still need protection from them, but our focus needs to be on fraud, identity theft, financial theft, and the like. Most of the attacks aimed at us will be geared towards financial gain.

Jump Start your Policies
In a slower economy, security often takes a back seat to other corporate priorities. Most projects are going to be focused on saving money or generating money, but security at a time like this is just as important, if not more so. We need to stay aware of the increased risks that are brought on by a recession. There are more qualified, intelligent people in circulation who are getting desperate for income. We need to watch out for threats from past employees, current employees, the desperate unemployed, and the casual hacker who is just bored.

So how do you enhance security when your time is already so limited? Here are a couple of tips for increasing security without having to spend too much time devising policies from scratch. When constructing security policies, take a look at the Health Insurance Portability and Accountability Act (HIPAA). The SANS Security Policy Project and NIST are also great sources. While these policies might not work for you untouched, they give you a good place to start.

Rising Attacks
Attacks are on the rise. There are even reports of attacks on US power companies. We need to minimize our risks as much as possible, and if you are on the internet, have eMail, eCommerce, or just a static website, you need to protect yourself at each of these points of risk. Try starting with something as basic as a Web Agreement like, "By using this website, you agree to be bound by the terms of this agreement." Keep in mind that such an agreement limits your legal exposure; it does nothing to stop an intruder, so pair it with the technical basics covered below.

A well-drawn Web Wrap Agreement can help you to significantly reduce your legal risks. The most basic thing that you should put in every Terms and Conditions is a limitation of liability clause. So even if you get sued and lose, at least the maximum damage award against you is nominal. I'll typically limit damages to something like $50 to $100.

To further insulate you from the claims of users, have them agree that use of the site is at their own risk and that you disclaim all warranties. Also, include a clause making them liable to you if they upload things to the site, like copyrighted or trademarked material, that they don't have a right to use. This gives you some protection if a third party sues you for something posted to your site by a user. Try including a clause requiring that any lawsuit be filed in your home state, not the user's, to discourage getting sued over nonsense. Using the courts looks a whole lot less attractive as the mileage increases.

Be Proactive
Once you get sued, you can't require the other side to come to your home state if you didn't already have the agreement on the site. Don't be like the people who put in the burglar alarm after the burglary. A little preventive law is much cheaper and less stressful than crisis law. Try starting with some basics. Here are 10 steps to improve security within Internet Explorer. Don't be hesitant about implementing new security practices, even if they seem dumb. People are often reserved about implementing simple security practices because they know change is always met with resistance, and many fear being hated for it. But even the SEC has many basic security challenges to overcome, such as plain text passwords and shared accounts.
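The plain-text password problem mentioned above is the kind of "dumb but basic" fix the post is talking about. The following is an added example, not code from the original post, showing the weak form (a credential store holding passwords in the clear) beside the hardened form (a per-user random salt plus PBKDF2-HMAC-SHA256, compared in constant time). The account names and passwords are constructed sample data; the PBKDF2 iteration count is an assumption chosen for illustration, and Python's standard library is the only dependency.

```python
import hashlib
import hmac
import os

# Constructed sample credential store in the weak form the post warns about:
# passwords kept in plain text (illustrative data, not real accounts).
PLAINTEXT_STORE = {
    "alice": "Spring2009!",
    "shared_admin": "admin123",   # a shared account: no per-person accountability
}

# Assumed iteration count for the example; tune it to your hardware.
PBKDF2_ITERATIONS = 100_000


def verify_plaintext(store, user, password):
    """Weak form: direct comparison against a stored plaintext password.

    Anyone who can read the store (a backup, a log, a departing employee)
    walks away with every password in it.
    """
    return store.get(user) == password


def hash_password(password, salt=None):
    """Hardened form: per-user random salt + PBKDF2-HMAC-SHA256.

    Returns (salt, digest). Only these two values are stored; the password
    itself is never written down.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_hashed(store, user, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    entry = store.get(user)
    if entry is None:
        return False
    salt, expected = entry
    _, actual = hash_password(password, salt)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, actual)


def migrate_store(plaintext_store):
    """One-time migration: replace each plaintext password with (salt, digest)."""
    return {user: hash_password(pw) for user, pw in plaintext_store.items()}


def store_leaks_passwords(store):
    """Audit check: does any stored value still equal a plaintext password?"""
    return any(isinstance(value, str) for value in store.values())


if __name__ == "__main__":
    hashed = migrate_store(PLAINTEXT_STORE)
    print("plaintext store leaks passwords:", store_leaks_passwords(PLAINTEXT_STORE))  # True
    print("hashed store leaks passwords:", store_leaks_passwords(hashed))  # False
    print("alice, correct password:", verify_hashed(hashed, "alice", "Spring2009!"))  # True
    print("alice, wrong password:", verify_hashed(hashed, "alice", "spring2009!"))  # False
```

Because each user gets a fresh salt, two accounts with the same password still produce different digests, so a stolen store cannot be cracked with one precomputed table. Note that hashing does nothing for the shared account: `shared_admin` is still one password known to several people, which is why shared accounts are a policy problem rather than a code problem.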

And if you're still looking for an extra little oomph to get financing for that security project you just can't get past approval, try going back to some of your current vendors and asking for a discount. You might be surprised how many are willing to negotiate. Then try some scare tactics. Often security is on the back burner because decision makers aren't aware of the true risks. Try looking into 5 things you can't see on your network.


Move Forward
Even though you might think that your IT security is at a standstill, try working on some basic, free, and quick tasks. Some of these might be new policies, such as the password and data policies mentioned above; others might simply be applying new updates to your software. Software updates are often free, simple ways to maintain your security. Oh... and read the release notes for the updates. The holes they find and fill might give you ideas about other holes you need to fill in your own network and applications.


IT Liaison - Translating executive requests into geek for the common IT guy