Computer and Information Security 101
Introduction:
Computer Security is as varied as the realms from which people make decisions
to use computers. Further, there is a huge mis-perception in the minds of
the public and of business people that to resolve computer (information)
security issues, one merely throws dollars at the problem in the form
of, "I have this or that problem - I'll buy a router or a firewall or an
anti-virus software package and I am done, move on, next problem, thank you."
Unfortunately NOTHING could be farther from the truth and those people who
believe in and execute on this mis-perception are the most vulnerable of
all.
Here's a very small / very brief view of why computer-security is such
an issue:
Now - here's the 'hard-part' - ask yourself how 'hard' it might be for someone
to access what is in the inside-most-box, called "critical electronic data"
by any of these means?
- to get past the 'computing policy document'?
- to get into the 'locked building'?
- to get into the 'locked computer room'?
- to get to be sitting at the 'keyboard / mouse'?
- to get inside the 'locked computer cabinet'?
- to be able to access the computer via one of the network-connections?
The reality is that no-one HAS to be inside the building/room/cabinet -
they can just get in through the network connection (and how hard is that?)
and 'steal' / 'corrupt' / 'make-unavailable' any file or resource on this
computer system. And it is not just the DATA: what if someone comes in and just
disables all the network connections? To your customer or employee, the
data can be there (on the hard disk), but if the customer or employee cannot
get TO the data, then what good is it to them? Further, if they cannot
get to the data, they don't really care - they just know that your business
is "un-responsive" because your "computers are down".
SO - now that you've had a little eye-opening experience here - you say to
yourself,
"So, I'm vulnerable, what do I do next?"
- You and/or someone you trust engages in a Risk Assessment
of your data and what (financial) impact the loss of that data would have
on your business
- You and/or someone you trust engages in an 'Attitude
Survey' to determine the 'mental state' of your employees and their understanding
of the risks your business faces with respect to the business-data
- You and/or someone you trust offers-up solutions
to solve both problems at one time:
  - a policy assessment to determine if you have, in place, written,
  documented, signed-off (by each and every employee) policies documenting
  what the business is expected to do and what the employee is expected to
  do in terms of protection of the company's valuable electronic assets.
  - a technology assessment of whether or not your data is adequately
  protected and if not what to do about it
  - an indoctrination / awareness / alertness training program
  for employees (ALL employees), and a follow-up program of training to make
  sure they stay aware / alert / on-edge about information security.
last updated: Monday_29_April_2002;nsc6.2; revID: 1s