Safeguarding
Your Data
in the
Digital Age

Most companies track private information, whether the Social Security numbers of clients, records of financial transactions, their own employee and payroll information, client lists, and even trade secrets. Once upon a time, all this information was in paper files, which could be secured with a heavy, locked door, a grumpy armed guard, and an alarm system.

Most corporate data is now stored electronically, calling for the same levels of security on a digital level.  The sad thing is, a locked door is no longer good enough. What’s worse, it’s not so easy to tell where the doors are, or how to lock them.

The first step in the process of analyzing your company’s potential security shortfalls is to locate all of your data. Once you figure out where it is, you can figure out how to protect it. If it is spread throughout your entire organization, it will be harder to secure.

Once you have identified what data you’re worried about and where it is, think about all the possible ways it can get accessed. Consider the following:

  • From inside your office – by employees and staff.
  • From inside your office – by unauthorized personnel (cleaning crews, visitors, vendors, etc).
  • From outside your office – hackers, working in conjunction with viruses and spy ware, circumventing your firewall, exploiting vulnerabilities in your operating system and application software, or hacking your web site or Intranet.
  • From outside your office – by remote users who are authorized.
  • From outside your office – by the unauthorized friends and family of authorized remote users.
  • From outside your office – by disgruntled former employees.

These are just a few of the possibilities, and they raise all kinds of questions about the security of your organization. Here are some guidelines in evaluating your level of data security

INSIDE YOUR OFFICE

  • Are your employees’ user names and passwords taped to their monitors or sitting in their desk drawers? All passwords should be confidential, known only to the user and the system administrator.
  • Do your employees have complicated and confidential passwords? Good passwords should be at least 6 characters long, containing both numbers and letters. Passwords should be changed at least once every three months, or whenever someone leaves your employ.
  • Do your employees leave their computers logged in when leaving for lunch or leaving for the day? It is very easy for an unauthorized user to get access to a computer that has been left logged-in. You can set a screen saver that, when it activates, it requires the user to log back in with their user name and password before proceeding.
  • Your employees should be prevented from downloading unauthorized software such as screen savers or other utilities. These programs often come with spy ware or malware, which can cut into your bandwidth and network performance, as well as potentially opening their PC up to intruders. Your company should have a list of approved software. Anything not on the list should stay off the network.
  • Regular checks for spy ware should be run on all servers and workstations.
  • Are all your PCs and servers protected by regularly-updated and scanned anti-virus protection? The best anti virus protection is one that is updated regularly, and runs regular scans that cannot be cancelled by the user. Additionally, your office should have a plan in place to deal with unexpected virus infections.
  • Do you regularly install all critical software patches on your servers and workstations? Most hackers ply their trade by exploiting known vulnerabilities in operating systems and application software such as Microsoft Office. Keeping your software patched, on servers and workstations, helps keep hackers out.
  • Your servers should be separated from the rest of your office, preferably in a room that can be locked to prevent unrestricted access. Your servers should never be sitting logged in—the consoles should be locked to prevent anyone from gaining access.
  • Think about who has access to your office after-hours – cleaning crews, maintenance workers, employees with keys, etc. Do you track after-hours access to your office? Even authorized employees can use after-hours access to breach security.
  • Are visitors to your office required to sign in and out? What kind of access to your computer system might they have while they are in your office? Are they escorted by an employee the entire time?


OUTSIDE YOUR OFFICE

  • External security – your Internet connection should be protected by a hardware or software firewall that is configured to prevent all inbound access except that which you specify. The logs of the firewall should be checked as part of a regular security audit to make sure it is functioning properly. If you use wireless connectivity, wireless encryption should be set up to prevent users from outside the office getting on to your wireless connection.
  • Your nightly backup tape should leave your office. Make sure the tape cannot get lost or otherwise misplaced. Diskettes, CDs, or DVDs that contain your company’s data should be accounted for when leaving the office.
  • Computers that you replace should be wiped clean before disposing of.
  • Remote users who work from home should have their home PCs checked for viruses and patches on the same schedule as you do at the office. They should be required to have anti-virus, spy ware, and hacker protection as well as the same robust password strategy you use at the office. Unauthorized users should never be in a position to use a remote user’s computer to access your office.
  • Laptops, PDAs, and external drives such as USB keychain drives should be used with care, and only after these devices have been certified as virus and spy ware free. The same antivirus, antispyware, software patches, and password complexity standards should apply to any computer or data store that attaches to your network. Additionally, it is possible for sensitive data to easily be copied and removed from your office using these devices.
  • Remote locations – too often, remote locations are the “poor stepchildren” of the main office, getting secondhand equipment and lackluster maintenance. The computers at remote locations should be subject to the same standards as those of the main office.


TRUST BUT VERIFY

The only way to be sure your security procedures are working is to periodically update them and verify their operation. I recommend a security audit once a quarter (or more often, depending on your needs) in which all workstations and servers are patched, their antivirus and anti-spy ware mechanisms are updated and verified, and workstations and servers are inventoried for allowed software. Firewall logs should be checked and firmware updates applied. Passwords should be changed. These audits will likely take less time the more often they are done.  

GOOD POLICY MAKES GOOD NEIGHBORS

With apologies to Robert Frost, remember that if all else fails, you may be able to control more than you think by having a concise written security policy that all employees are aware of.

 

Part of the CSM Family!

In each newsletter, we would like to welcome clients to our "family." If you would like to have your business highlighted, please email Carrie @ carrie_epperson@csmworld.com

Contest

Who said it???
"Champions know that success is inevitable, that there is no such thing as failure, only feedback.  They know that the best way to forecast the future is to create it."

Rules:  Be the first person to email us with the correct answer at kim_roberts@csmworld.com and win a $10.00 gift certificate from
Blockbuster Video!

Last Contest Winner:  In our last newsletter; the "Who said it" quote was:
"I had to pick myself up and get on with it, do it all over again, only even better this time

This quote has been attributed to Sam Walton
(1918-1992, American businessman, founder of Wal-mart)

Our winner is:
M.J. Hiles with AM Peck & Company, Inc.

Deal of the Month

Security Audit

$ FREE $

CSM is offering clients free on-site security consultations in which one of our technicians will assess your vulnerability and provide you with a written analysis of your current status.

Call Kim at 859-491-7947 to schedule

UPCOMING ISSUES: 
Virus Protection
It's that time of year... again.
Did you know that statistically there is a peak of viruses towards the end of summer every year?  Symantec has listed 7 new viruses in just the last 2 days.

New News @ CSM! 
CSM has been selected as one of only 10 AMS Preferred Vendors in the United States for AMS 360 installations.  CSM will be beta testing 360 and would welcome your input. 
If you would like to assist us in the beta process, please email Kim.

About Our Organization:

Did you know that CSM is 11 years old this year?  
Computer Systems Management, Inc. is about service and about taking the extra steps needed to form lasting partnerships.  In addition to helping our corporate clientele, CSM serves the community by coordinating PC donations to low-income families and schools, providing free training classes to "welfare to work" participants, motivational assistance to GED students and on-the-job training to transitional workers.


Computer Systems Management Inc.; 
2517 Anderson Road, Crescent Springs, Kentucky 41017
(859) 491-7947; Fax: (859) 392-2682
E-mail: info@csmworld.com

Did someone forward this email to you? Would you like to join our mailing list?
Please click here to subscribe!

Your privacy is paramount to CSM.  You are receiving this email, either because you have an email account on our server or you have requested to receive periodic newsletters from CSM.  If you would like to be removed please click HERE and type REMOVE in the subject line and we will remove you from our database.