1 / 24

Chapter 15: Security Policies and Practices for Small Businesses

Chapter 15: Security Policies and Practices for Small Businesses. Objectives. Relate to the unique security needs of small businesses. Define the type of policies appropriate for small businesses. Author security policies for small businesses. Develop security procedures for small businesses.

cerise
Download Presentation

Chapter 15: Security Policies and Practices for Small Businesses

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 15: Security Policies and Practices for Small Businesses

  2. Objectives • Relate to the unique security needs of small businesses. • Define the type of policies appropriate for small businesses. • Author security policies for small businesses. • Develop security procedures for small businesses. • Implement security best practices for small business.

  3. Introduction • Small business owners may not think they would be targets of security attacks, but that is not necessarily true • Small businesses should have security policies and procedures that are reasonable in scope, cost effective, and meaningful

  4. What Is a Small Business? A variety of definitions for a small business • Independently owned and operated • Not dominant in its field • Employs fewer than 500 people • Less than $6.5 million in annual income

  5. What Should a Small Business Do? • Small businesses should have a security policy • Small businesses should teach their employees about security • Some small businesses are subject to government regulations or other contracts or requirements

  6. Why Have a Confidentiality Policy? • Businesses must protect their information from unauthorized or inappropriate disclosure • A confidentiality agreement is a legal document that employees must agree to and sign • Must be mandatory condition of employment for all users

  7. What Is Acceptable Behavior? An acceptable use policy details expected behavior in regard to the use of company resources • All equipment and information belongs to the company • Includes hardware and software • Includes saved files, e-mails, and voicemail • No expectation of privacy

  8. Internet Use—Where to Draw the Line? • Internet access is provided at company expense for employees to conduct business • Noncompany use should be restricted to personal time such as breaks and lunch • Some sites are completely inappropriate • Internet policy should state that Internet use will be monitored and logged

  9. Transmitting Data • Data must be transmitted in the course of company business • FTP • IM—a security nightmare; not secure, and its use should not be allowed • P2P—another security nightmare that does not belong on a business network

  10. Keeping Corporate E-mail Secure E-mail is like sending a message on a postcard printed on company stock • It can be read by anyone and looks like official company policy • Acceptable use of e-mail must be defined • Company e-mail is only for company business • Confidential information should never be e-mailed

  11. Misuse of Resources Junk e-mail consumes valuable resources. It comes in three main types: • Spam—unsolicited e-mails • Hoax e-mails—should not be responded to or replied to • Chain e-mails—should not be forwarded

  12. Reporting and Responding to Incidents • A security incident—any situation where the confidentiality, integrity, and/or availability of protected information are put in jeopardy • The threat of an incident is always high • Calls for strong leadership and a clear, defined response • Someone must be designated as the contact for reporting and the incident handler • A response plan must be in place

  13. Managing Passwords • Issue with passwords is convenience vs security • Every account must have a password • Passwords must be kept secret (not written down) • Password characteristics must be defined • Length—generally eight characters • Complexity—combination of uppercase, lowercase, numbers, letters, characters • Age—generally change every 90 days • Reuse—should be restricted; don’t reuse 2 or 3 favorites

  14. Protecting Information Small businesses are particularly vulnerable to negative events such as loss or misuse of information • Information must be classified according to its sensitivity to disclosure • Confidential • Restricted • Public

  15. Protecting Information cont. • Information must be labeled to communicate its level of protection • Must specify who has access at each level and how the information should be treated • Access • Storage • Transmission • Disposal

  16. Protecting from Malware • Small businesses must have antivirus software installed, maintained, and monitored • E-mail must also be scanned • Antispyware must also be installed and used • Users must be trained in how they can minimize malware threats • Proactive patch management is vital

  17. Securing Remote Access • Remote access to the network must be secure and limited to authorized users • A virtual private network (VPN) is standard • An unsecured wireless network should never be allowed to connect to the company network or to store company information

  18. Controlling Change • A network must evolve with the company if it is to remain useful • Change control is a procedure for making sure that only authorized changes are made to a network, including its software, hardware, access privileges, and processes

  19. Why Does a Small Business Need a Change Control Policy? • Small businesses are likely to depend on only one or two systems to provide all their services • Small businesses often outsource IT work, so a policy helps to standardize the change management process

  20. Change Management Process • Three phases of change management are • Assessment • Logging • Communication • The change control policy must also state the disciplinary actions that will result if the policy is violated

  21. Data Backup and Recovery • Backing up data involves making a copy of existing corporate data for archival and potential recovery purposes • Backup media must be protected at the same level of security as the original media • Test restores ensure that the backup media work properly and provide the correct restored data

  22. Five Methods of Data Backup • Copy backup--A copy backup copies all selected files but does not mark each file as having been backed up. • Daily backup--A daily backup copies all selected files that have been modified the day the daily backup is performed but does not mark each file as having been backed up. • Full backup--A full backup copies all selected files and marks each file as having been backed up. • Incremental backup--An incremental backup backs up only those files created or changed since the last backup and marks each file as having been backed up. • Differential backup--A differential backup copies files created or changed since the last full backup but does not mark each file as having been backed up.

  23. Summary • Small businesses must adopt security policies that are reasonable, cost effective, and meaningful • Employee training and awareness programs are essential • Everyone in the business must assume responsibility for information security

  24. Summary (Cont.) • Businesses are stewards of information • Customers, shareholders, employees, and others provide personal information and depend upon businesses to protect it

More Related