The value of physical equipment is often far less than the value of the data it contains. The loss of sensitive data to a company’s competitors or to criminals can be costly. Such losses can result in a lack of confidence in the company and the dismissal of computer technicians in charge of computer security. To protect data, several methods of security protection can be implemented.
An organization should strive to achieve the best and most affordable security protection against data loss or damage to software and equipment. Network technicians and the organization’s management must work together to develop a security policy that ensures that data and equipment are protected against all security threats. In developing a policy, management should calculate the cost of data loss versus the expense of security protection and determine which trade-offs are acceptable. A security policy includes a comprehensive statement about the level of security required and how this security will be achieved.
You may be involved in developing a security policy for a customer or organization. When creating a security policy, ask the following questions to determine the security factors:
- Is the computer located at a home or a business? - Home computers are vulnerable to wireless intrusions. Business computers face a high threat of network intrusion, because businesses are more attractive to hackers and because legitimate users might abuse access privileges.
- Is there full-time Internet access? - The longer a computer is connected to the Internet, the greater the chance of attacks. A computer accessing the Internet must use a firewall and antivirus software.
- Is the computer a laptop? - Physical security is an issue with laptop computers. There are measures to secure laptops, such as cable locks, biometrics, and tracking techniques.
When creating a security policy, these are some key areas to address:
- Process for handling network security incidents
- Process to audit existing network security
- General security framework for implementing network security
- Behaviors that are allowed
- Behaviors that are prohibited
- What to log and how to store the logs: Event Viewer, system log files, or security log files
- Network access to resources through account permissions
- Authentication technologies to access data: usernames, passwords, biometrics, and smart cards
The security policy should also provide detailed information about the following issues in case of an emergency:
- Steps to take after a breach in security
- Who to contact in an emergency
- Information to share with customers, vendors, and the media
- Secondary locations to use in an evacuation
- Steps to take after an emergency is over, including the priority of services to be restored
The scope of the policy and the consequences of noncompliance must be clearly described. Security policies should be reviewed regularly and updated as necessary. Keep a revision history to track all policy changes. Security is the responsibility of every person within the company. All employees, including non-computer users, must be trained to understand the security policy and notified of any security policy updates.
You should also define employee access to data in a security policy. The policy should protect highly sensitive data from public access, while ensuring that employees can still perform their job tasks. Data can be classified from public to top secret, with several different levels between them. Public information can be seen by anyone and has no security requirements. Public information cannot be used maliciously to hurt a company or an individual. Top secret information needs the most security, because exposure of the data can be extremely detrimental to a government, a company, or an individual.