Why Size – Of Your Company – Doesn’t Matter, Part 1 of 2
The modern company must guard against the ever-present threat of a security breach. Some breaches are the work of sophisticated computer hackers, like the ones who gained access to AOL's server and obtained the personal information of over 35 million subscribers. But some incidents are the result of plain old carelessness: the company in London that didn't bother to purge employee information from computers before dumping them in the trash, or the recent case in the U.S. where an employee simply threw out old computer printouts with social security numbers on them for all to see. Unbelievable!
According to a 2003 report from the FBI and CSI (Computer Security Institute), security breaches cost businesses $201,797,340 in a year. And that only counts the losses to businesses that knew a breach had occurred!
Most companies rely on piece-meal procedures to combat these risks. What's really needed, though, is a security protection framework that integrates security across all aspects of business operations. And I'm not talking just about big companies; the same principles apply to small and mid-sized companies. Here are some guidelines you can use to create such a framework. Or, if you plan to hire an outside firm to construct your framework, you can use these guidelines to organize your expectations and work more effectively with the professionals.
The Elements of a Business Security Framework
To construct a business security framework you must develop the following elements:
- Security Policy;
- Privacy Policy to comply with laws such as PIPEDA in Canada or HIPAA in the U.S.;
- Standards of Business Conduct policy;
- Public Relations policy;
- Website usage policy;
- Catastrophic Event/Cascade Policy;
- Emergency Contact List, per department;
- Evacuation Route Maps and Drills;
- Chemical Spill and Clean-up Process; and
- CPR/First Aid Personnel List.
How to Create a Framework
Here are the eight steps a business must take to organize its framework:
Step 1. Analysis of Business Needs
Organize a brainstorming session with all department heads to discuss your company's internal and external needs. First look at the kinds of protected information your business currently handles, such as personal information about employees and customers, proprietary information, and information about physical security (building access, alarms and the like). Then consider the regulatory requirements that apply to the collection, use and disclosure of that information.
Step 2. Security Infrastructure Coordination
Once you have identified your business security issues, the assignment of responsibility begins. At this point, security basically becomes a question of where, what, when and how. Assign security mechanisms by:
- Departmental contents and physical area;
- Security method: professional installation, training, posting signs or practice;
- Validation, consequences and recourse for each type of possible security breach;
- Creation of an improvement cycle (annual, monthly or weekly); and
- Choice of a repetition period.
Conclusion
That's all my time for this week. Next week, in Part 2, I'll describe the last six steps of information security framework building.
THE BUSINESS CASE FOR INFORMATION SECURITY
'Selling' Privacy to Your CEO
By Glenn Demby
Some companies have been slow to recognize the importance of protecting the privacy of personal information of their customers and employees. If you're having trouble getting your CEO to take these issues seriously, here's a nice little story you might want to relate at your next briefing.
The CIBC Fiasco
Branch offices of the Canadian Imperial Bank of Commerce (CIBC) fax documents containing personal information about customers, including names, Social Insurance Numbers, addresses, phone numbers and details about banking transactions, to bank offices. A glitch causes the faxes to go to a junkyard in West Virginia. Hundreds of them. For more than three years. CIBC finally discovers the mistake, but not in time to prevent a public relations disaster.
The story gets out and becomes national news. The bank's CEO has to write a public letter for the newspapers apologizing for the error and accepting full responsibility for how long it took to correct. Meanwhile, the Federal Privacy Commissioner issues a scathing report and contemplates charges under the Personal Information Protection and Electronic Documents Act (PIPEDA).
The Moral
This sad story is a perfect illustration of what can happen to companies that don't take privacy seriously. It's also a reminder that, at the end of the day, if privacy breakdowns occur, it's the CEO that must answer for them.
Admittedly, the CIBC situation is an extreme case. But it's hardly an aberration. Josee mentions a few incidents in her piece. Here are some others from Canada:
- A software glitch causes the Ontario welfare office to send cheques containing personal information about 27,000 clients to the wrong recipients;
- Burglars steal personal information about 30,000 employees from the Winnipeg office of a major benefits plan administrator service agency;
- BMO Financial Group (Bank of Montreal) ships obsolete servers to an outside service provider to have customers' personal data scrubbed prior to resale. An employee of the service provider accidentally ships two servers to resellers before scrubbing is complete.
The Solution
Enron and other recent corporate scandals have led to stricter regulation and more onerous corporate governance laws in the U.S. and Canada. But the impact of personal privacy laws such as HIPAA and PIPEDA on officer and director liability has gone relatively unnoticed. The CIBC case and incidents like it are important because they show that the CEO has a personal stake in the establishment of a business information security plan.
EMPLOYEE E-MAIL
The Threat from Within
Complacency about information security isn't confined to the boardroom. According to a new survey, 68 percent of U.S. employees have used their work e-mail account to send or receive information that puts their companies at risk, and 92 percent of those don't realize they've sent or received a risky e-mail. Some other results:
- 61 percent (of 1,000 employees surveyed) admit to using e-mail at work for personal purposes;
- 48 percent acknowledged sending or receiving jokes or funny stories that were racy, politically incorrect or otherwise questionable in tone;
- More than 51 percent of employees admitted to saving business e-mails outside their company's network; and
- 22 percent said they've e-mailed personal information including SSNs to the company's HR department.
Source: Fortiva Inc., http://www.fortiva.com.