IT security in any realm involves logical security and physical security.  Logical security is the integrity of data (content), precision of associated processing, and the delivery of coherent, accurate, content.  In other words, data that reflects reality; data that does not mislead or distort various actuals by virtue of distortion/errors of input, process, and output.

Physical security is such things as locked doors on computer rooms.  It’s the safety and surety of infrastructure; protection against overheating, for example.  Physical security is often mundane; don’t set your coffee on a server, for example.

Mobile is especially vulnerable within the realm of physical security.  Devices are constantly transported, their owners on the go, and they can be lost or stolen.  Ensure that users make immediate reportage of loss or theft.  Consider strong encryption, as any content risks exposure.

As to logical security, determine whether users access organizational resources via a virtual-private-network (VPN), or the internet.  Also, ensure strong malware protections are emplaced on devices.

In BYOD environments, that last is especially important:  It’s hard to know where users will be surfing, and what manner of personal downloads will be transpiring.  Regularized scanning for viruses, malware, and unauthorized intrusions is imperative.

Well, it happened to me:  My laptop’s operating system corrupted and I had to re-install it.

Fortunately, I had a comprehensive backup, which made me whole once I reinstalled the O/S.

I’m a self-employed consultant, so it would have been a bit embarrassing had I not been able to recover.  Perhaps it would have even been professionally crippling:  Loss of client information, billing records, data… even business reputation. 

In the case of lost data and associated problems, even large enterprises and sizable medium-scale businesses get bit.  We frequently hear about these situations in the news:  Remember the Heartland Payment Systems data breach?  How about something from this month?  Health Net, Inc. has a data breach investigation going on affecting 1.9 million patient records.  Ouch.

It’s interesting to Google “Largest Data Breach” and “Most Recent Data Breaches”… have a look at what comes up.  Another interesting area of perusal is The Chronology of Data Breaches, as reported by The Privacy Rights Clearinghouse (PRC).

I’d forgotten that March 6^th through 12^th was the 13^th annual National Consumer Protection Week – but better late than never.  The PRC still has their Top 5 Privacy Tips for that week headlined, as well as tips for privacy protection during tax season, best practices regarding identity theft perils, and others.  It’s a handy reference – check in from time-to-time.

As to small business:  I know several small business owners and operators.  For many, backups are… well… almost an afterthought.  They’re performed sporadically, they’re not comprehensive enough, stuff is overlooked, and suddenly… something happens and critical data and business information is lost.

It’s simple enough to procure an outboard drive; “storage is cheap,” as we like to say.  You can easily get a backup routine scheduled with simple-to-use software.  At a minimum, just kick off a whole-drive backup manually – run it overnight.

Even for personal laptops/computers that aren’t involved in business use:  You can’t imagine all the stored passwords and IDs that you’ve forgotten, for such things as social networking, banking, downloads, blogging, etc., etc.

Don’t wait:  Back up.

On This Day:  In 1960, the first patent for lasers was granted to Arthur Schawlow and Charles Townes.

Any organization’s leaders (senior governance, management, board[s]) should have content awareness – but many don’t.  (Of course, the entire organization needs to have content awareness, but the emphasis in today’s post will be on leadership).

Content, from an information perspective, is data the organization harbors, or contains (hence, “content”).  Any data, electronic or hardcopy – irrespective of system or vessel – has to be managed for security, control, access, and use.  Whether that’s data contained in F&A systems, core application and database systems, word processing, presentation programs, on portable drives, in filing cabinets – anything and everything – it must be managed with a 360^o awareness. 

We spoke of metadata the other day.  It may seem a burden to tag every piece of content in your organization with appropriate metadata – but recognize:  With a Content Management System (CMS), the assignation of metadata can be automated.  The CMS merely rakes through the content, looks for key information based on controls that the organization sets, and fills in a metadata template which is forever linked to that content.

Such metadata fields could include:

-        Source (Author, outside agency, etc.)

-        Format

-        Purpose of data

-        Key departments, contributors, stakeholders…

-        Authorizations (who is allowed to see/use; who is allowed to edit)

-        Disposition instructions:  Archive and/or destruct dates

-        Applicable regulations (internal, external, or both) for dispositions

-        Date and time of creation

-        Any file manipulations such as encryption, passwording, etc.

-        …

Metadata can be anything the organization assigns for the control of data.  You determine your own handles and controls for data.

Increasingly, organizations of all sizes must not only protect data, they must have ready access to it.  They cannot afford to overlook any particular information-asset.  Further, they must know how to dispose of content, in avoiding a glut of information that becomes difficult to sort through – slowing systems, corrupting databases, delivering out-of-date data that no longer has meaning or relevancy.

Content awareness – weave it into your organization.

NP:   Sonny Rollins, Saxophone Colossus, on… CD.  I know, I know… when I get home, I’m going to cleanse by playing an original Charlie Parker LP on Dial…  maybe followed by Oscar Peterson at Carnegie Hall…   

Not too long ago I purchased a Seagate 320 Gb drive.  I procured it for comprehensive backups of my business laptop, the very device I’m typing on now.

I like it – it is very, very fast – and the associated software is quite navigable and straightforward.  I don’t Sync or do anything particularly special, opting for a simple capture of my entire main drive.

Last evening I had a question regarding the operation of the drive.  The agent running on my laptop had a support link, so I jumped out to the web.  I was rather surprised to see that I only had 30-days of free support upon registration.  Fortunately, I had not registered the drive (I guess), being that I’ve had it for about 6 months.  Online support required registration, so I began…

I had to fill two simple fields:  serial number (S/N) and part number (PN).  I looked on the back of the drive, and there – in a little white sticker – was the information… in about 2 pt. font.  (ß in about 2 point font).

My eyes are quite good, but I had to get a lighted magnifier to read the information – and even then, I mistook a “6” for an “8” – it just wasn’t clear.  I had to try a couple times to get registered.

The little white sticker with the information I needed (crowded with other extraneous info) was about ½” x 1” in size.  The drive itself is about ¼” x 2  ½  ” x 5” – there’s plenty of room for a larger, legible, readable sticker.

I collect vintage audio gear.  Generally, Model Numbers, Serial Numbers, Part Numbers, etc. are anywhere from 1/8  ” to ¼” high – quite legible and readable.  Maybe we could think of that for future computers and components.  I know I would appreciate it.

And as long as I’m talking about my fast, efficient, and much-liked Seagate backup drive… what’s with that limited 30-day support?

NP:  Jimi Hendrix, Red House, the 13+ minute live version from the San Diego Sports Arena, often referred to as the “San Diego ‘69” version.  A tour-de-force, with incredible soloing, and a real nice downshift into a jazz motif before wrapping things…  Reprise LP, “Hendrix In The West.”

A couple articles ago, I talked about a business deficit.  It’s only fair we consider one on the other side of the line.

Let’s look at a common mistake on IT’s part.  How many organizations have a requirement for “centralized” data, yet have full knowledge that users – the business community – are storing data on local (c:, etc.) computer drives or on desktops?  Even the most sophisticated organizations, and the most tightly controlled environments, have this condition.  This goes on even in organizations where it violates a document retention and content management policy – policies that are often imposed or required by outside regulatory agencies, or other bodies (that is, boards, classes of customers/clients, and so on).  Yet, if business members and leaders insist that it’s a necessary “work-around,” IT goes along.  This can be a major mistake on IT’s part.  Let’s leave the document retention/content management considerations aside for the moment, and look at the situation from a simple backup and recovery standpoint. 

IT’s position in any organization should be that all data is secure:  accessible according to authorization; safely and securely maintained in the technical environment; recoverable in the case of loss in the production environment through any reason.  Too often, users are responsible for backing up their own local drives.  This is wrong.  If there is genuine business data that is not coming under the umbrella of IT’s backup domain, then that is a wrong situation and you cannot profess to have complete security. You are at risk.  You can hash out in the BIT forum as to how to expose peripheral data, and how to manage it, secure it and back it up – at a minimum you must document exceptions to policy and put them on record.  Many important caches and swaths of data have been lost by organizations because the central, qualified, authority for the safekeeping of data (IT) was unaware of it.  So, there was no central authority guaranteeing its safekeeping under these circumstances. 

Let’s look at one more area where IT is frequently remiss.  Increasingly, organizations are responsible for anything and everything that happens within.  We see where large judgments have been made in favor of employee plaintiffs who had complaints regarding offense and damages over electronic content containing porn, offensive jokes, illegal advocacy, and other inappropriate content.  This is content that has long been defined as this kind of liability by courts.  Remember too that just because some content may be “legal” in the broader sense, it can still violate your organization’s best interest.  Should your organization’s data be subpoenaed, you wouldn’t want negative characterizations of business partners or critical evaluations of members made public, for example.   Most organizations have policies to guard against inappropriate use of business resources and to explain the consequences of harboring improper content, but many don’t adequately reinforce the policy.  Further, it’s apparent that a lot of IT departments haven’t picked up their responsibility, or perceived their own liability, in this area. 

Let’s be clear:  One thing you don’t want to have happen is that something blows up into an embarrassing exposure, with people asking how “IT” could have let inappropriate content broach your business-technology environment.  For it is IT that implements spam-guards, monitors storage, and has the means (even if only under special permission by Business) to do a comprehensive review of data.  The mechanics of, and the burden in, running a “clean” environment is IT’s.  While it is true that Business must cooperate and contribute to a clean environment, and that this is reinforced by policies both Business (HR) and IT – no business person has the authority to look across the board at data and content on a regular basis.  No business person is tasked to have knowledge superior to IT’s regarding best practice protections and best software solutions.  This is a “behind the screen” faculty.  If you’re an IT staff member, and your IT department is not comfortable in answering to your organization’s content, you need to get this into the BIT agenda quickly.

Next, we’ll discuss putting activity where it belongs.