>

Most Viewed Networking Devices:

  1. Small business firewalls
  2. Computer networking hardware
  3. High speed gigabit PCI adapter
  4. USB 3.0 PCI Card for Super Speed Data Transfer Rate
  5. Small Business Computer Network with Apple Mac Mini Server
  6. NSA 240 Sonicwall Small Business Network Security
  7. Cisco WRVS4400N Wireless Security Router
  8. Cisco RV 120W Wireless-N VPN Firewall and VLAN Router
  9. Cisco RV016 Multi WAN Router For Small Business
  10. Cisco RV220W Small Business Router
  11. Cisco RV082 Dual WAN VPN Router
  12. Edimax EnduraLINK ER-1088 Multi WAN Routers
  13. TL-R4299G Dual WAN Router for Internet Café
  14. New WNDR4500 N900 Vs Tew-692GR N900 Routers
  15. Netgear WNDR4000 and WNDR3800 Dual Band Routers
  16. Linksys E2500 Advanced Dual Band Router Vs E2000
  17. Linksys E-4200 Dual Band Gigabit Router

Most viewed Security Management:

  1. Information security management
  2. Firewalls Security Guidelines
  3. Business Continuity and Disaster Recovery Planning
  4. An Example of LAN Network Risk Assessment
  5. Information security policy guidelines
  6. Network Security Best Practices
  7. IT Security Risk Assessment

Most Viewed Networking Concepts:

  1. Local area network topology
  2. LAN Cable - standard deployment
  3. Easy way to calculate subnet mask
  4. VLAN tutorial
  5. WAN technologies
  6. Route summarization
  7. Understanding firewall with DMZ

 
«  
  »

Employee Security Guidelines


The employees are an important element of Defense in Depth, an important layer of the onion.

Employee Security Guidelines in the Organization provides employees with security guidelines on how to protect and manage the corporate assets on a daily basis, appropriately and consistently. The previous article discussed about the internet security guidelines, this article which is part of the management of information security will discuss about the need of employee security guidelines.

Defense in Depth

The Security in place is to protect people and all the corporate assets which is applied by what is called Defense in Depth. Defense in Depth is based on the principle of layered security, thus protecting the core assets. It’s very much like the layers of an onion; each layer of the onion represents a security measure or control with the following principles:

  • Deter
  • Detect
  • Delay
  • Respond
  • Detain.

The whole idea of this is to firstly deter an intruder from gaining access to the corporate areas or assets of any kind (you want them to go somewhere else instead). Secondly if they do gain access, you want to detect their presence as soon as possible and with the security measures in place, delay the intruder sufficiently so that you can respond and detain the intruder. This type of approach is applied to both physical security and IT security.

Security Measures

There are various types of security measures in place in both the physical and IT realms that represent the Defense in Depth layers. Examples of these are:

  • Policies, standards and processes – this measure outlines what should be protected, how and by whom.
  • Physical perimeter security measures include fencing, lighting, locks, alarm systems, video surveillance cameras such as CCTV, reception areas, guards etc.
  • IT perimeter security includes intrusion detection systems, firewalls, anti virus scanning, User IDs and passwords etc.
  • Internal measures include visitor escort, supervision of maintenance personnel, lockable cabinets and safes etc.
  • The Employees

Employee role

The employees are an important element of Defense in Depth, an important layer of the onion. Therefore should be diligent by taking notice of what is happening around them and taking appropriate action if something does not appear right. Knowing the information that will help the employees determine what is right; when something is wrong or amiss should be provided.

What are the corporate assets?

The organization assets are broadly categorized as the following:

  • People (employees, clients, customers etc)
  • Facilities (buildings, equipment, machinery etc)
  • Vehicles of all types
  • IT and telecommunications equipment
  • Your organization products
  • Information held in all forms:
  • Electronic – stored or transmitted in computer systems, networks, laptops, workstations etc
  • Hardcopy – paper, files, books, records, notes etc
  • Media – diskettes, CDs, DVD, tapes etc
  • What is known and spoken.

Need to Know Principle

Access to information and other assets is based on the Need to Know Principle. This means that the employees are provided access to information and assets needed for them to carry out their job, no more – no less. This applies to everyone, including employees (full time, casual or temporary), contractors, consultants and third parties.

If this principle is applied all the time, you will ensure that the authorized level of access is not exceeded. The organization has a responsibility due to various legislation and regulations to protect specific information and other assets from unauthorized access and/or use.

Security Risks and Exposures

What are the organization safeguarding assets against? There are many risks and exposures facing the organization assets which can be outlines below.

Unauthorized disclosure of sensitive business information Loss or theft of equipment, information, materials etc
Unauthorized access to business areas and computer systems Unauthorized changes to information
Breach of copyright and licensing agreements Malicious destruction or destruction of assets
Breach of legislative and regulatory requirements Fraud and corrupt conduct

Source of risk and exposure

The sources of risk and exposure are many and varied. The risks and exposures for one organization can vary for another. Generally the organization is exposed to the following sources:

Hackers, crackers and script kiddies Environmental and activist groups
Competitive intelligence gatherers (industrial and economic espionage) Political unrest particularly in unstable regions
Politically motivated groups Organized crime
Opportunists Terrorists
Thieves and robbers Disgruntled employees or ex employees, contractors, consultants etc

Consequences

The consequences faced by the organization if a risk or exposure occurs include the following:

Loss of life and injury Interruption to business
Loss of client confidence Loss of shareholder confidence
Financial loss Criminal charges
Litigation Brand and reputation damage

Having a good understanding how important it is to be security conscious in helping and protect the corporate assets is a good practice for all the employees in the organization. For a more complete security guidelines check here.


See also:

Share
April 29th, 2009 | Tags: , , | Category: Information Security, Tips

1 comment to Employee Security Guidelines

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>