A lot of executives and business owners – especially in smaller organizations – haven’t a clue about where things stand with information security and compliance. But that doesn’t mean they don’t have the fiduciary responsibility to know. Well, here are four things that can be done right now, over the next week or two, to find out where your business stands and what needs to be done to fill in the gaps:
1. Take inventory of sensitive information. Find out what sensitive electronic information your business processes and/or stores and where it’s located on the network. Sensitive information such as SSNs, health records, credit card numbers, employee records, and intellectual property is likely scattered about on servers, workstations, laptops, smartphones, and external storage devices in Word documents, Excel spreadsheets, emails, database files, log files, zip files, and backups. It’s everywhere and it’s usually unprotected from malicious intent.
2. Assess the risks. Find out how this sensitive information is at risk. Look at all external entry points such as Web applications, network connections, wireless networks, and mobile devices, as well as internal entry points such as unprotected server shares, weak Windows/database/application passwords, and missing patches that can be exploited (very easily) to allow a malicious insider to gain full access to a “protected system.” Don’t forget about physical entry points, including server rooms and unmanned reception areas that have unfettered network connections (such as VoIP phones). Using the right tools and a malicious mindset, you’ll be amazed at what’s putting your business at risk right now. Outsource this expertise if you have to. Network admins and developers – as smart as they are – often cannot see the forest for the trees. There’s also the conflict-of-interest factor.
3. Draft and finalize a policy on paper. Find out what documentation you have – or don’t have – that outlines what’s expected of your users and what steps will be taken when a breach or disaster occurs. This is one of the most overlooked and taken-for-granted areas of security.
4. Consult laws and regulations. Find out which state, federal, and even international privacy and security laws and regulations govern your business; outsource this as well, if needed. By all means don’t rely on your legal counsel if he/she has limited experience in this area.
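Step 1 above calls for finding where SSNs and credit card numbers actually sit on the file system. As an added example that is not from the original post, the Python script below walks a directory tree, flags SSN-shaped values and Luhn-valid card numbers, and reports which files hold them; the file names and contents are constructed sample data.

```python
import os
import re
import tempfile

# SSN pattern rejects impossible area/group/serial values; the card pattern
# catches 13-16 digit runs, optionally split by spaces or dashes.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment cards; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text: str) -> dict:
    """Count SSNs and Luhn-valid card numbers found in a string."""
    cards = [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]
    return {"ssn": len(SSN_RE.findall(text)),
            "card": sum(1 for c in cards if luhn_ok(c))}

def scan_tree(root: str) -> dict:
    """Walk a directory; return {relative path: hit counts} for files with hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the inventory
            if any(hits.values()):
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def demo() -> dict:
    """Write a constructed sample tree (fake data) to a temp dir and scan it."""
    root = tempfile.mkdtemp()
    samples = {"hr/payroll.csv": "name,ssn\nA. Smith,123-45-6789\n",
               "sales/orders.txt": "card 4111 1111 1111 1111 approved\n",
               "notes/readme.txt": "order id 1234-5678, nothing sensitive\n"}
    for rel, text in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    return scan_tree(root)
```

Point `scan_tree()` at a file share or a laptop's home directory to get a first map of where regulated data lives; Office documents and archives would need to be unpacked to text before this simple scanner can see inside them.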
Best of luck.
Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.