Insights from practitioners in Information Management

Issue 3 – Security of information

This month’s issue deals with data security: how you can protect your organisation from the threats of viruses, worms, Trojans and other e-nasties, as well as looking at disaster planning.  This is a huge area of concern for all organisations and we know that we have just scratched the surface; we will return to the issue periodically to keep you updated.

In this issue…
• Effective E-mail Policies;
• Did you know;
• Free Firewall download available;
• Oops – now what: A Guide to Disaster Planning;
• Further Reading;

Effective E-mail Policies Can Make a Difference:
It can be argued that the best defence against viruses, worms and Trojans is to not allow your computers access to the outside world, which as we all know is virtually impossible these days.  So what’s the next best thing? Make sure that any potential problems are stopped before they hit your computer, but banning all attachments is not the answer either, especially if you want your employees to do any work. However, an effective e-mail policy will significantly reduce the risk, and an effective firewall and virus scanning software should hopefully handle the rest.  For those of you who have not yet implemented an e-mail policy, you might want to include the following:
1. Personal use of an employer’s email is permitted, but should be kept to a minimum
2. Employees should be informed that they have no expectation of privacy or guarantee of confidentiality in email sent or received through your organisation’s email system.
3. Inform employees that the organisation reserves the right to monitor the email system, and, if monitoring is being used, make that known as well.
4. Indicate that employees should treat email messages in the same manner as other written business communications – with professionalism, care and confidentiality.
5. State that usage of and access to the organisation’s computers, email system and distribution lists should be restricted to its employees.
6. Make perfectly clear that messages that are harassing, discriminatory, defamatory, fraudulent, obscene, indecent, embarrassing or intimidating will not be tolerated, and may lead to discipline up to and including termination.

All employees should be required to sign a form acknowledging and agreeing to the policy. Reinforcement of the policy at every opportunity is also recommended.
Taken from CCH Human Resources Headlines 7 May 2002.

Did You Know?
More than one in four American companies have sacked employees for the misuse of the Internet and E-mail.  In Australia, Telstra, Toyota, Holden and Centrelink have also sacked people for similar offences.  If you want to read more, go to The Sunday Age, 6 October 2002.

Free Firewall Download Available:
Zone Labs has a free firewall that can be downloaded for use by individuals. You can protect your home computer from hackers, crackers and cyber punks by visiting the Zone Labs website and heading for the download section.

Oops – Now What: A Guide to Disaster Planning
An organisation without an adequate disaster plan is like owning a house and not bothering with insurance. Why risk it? Recent events have proven that the days of thinking it could never happen to your organisation are over.  Quite simply – having a disaster plan can make the difference between whether your organisation survives or not.  It has been said on numerous occasions that almost half of organisations that suffer from a disaster fail to recover, and the reason is that they are simply not able to re-create their working environment and systems.

Disasters can include:

• Natural disasters, such as floods, fires, storms and earthquakes;
• Structural or building failures, such as malfunctioning sprinklers or pipes;
• Industrial accidents, such as nuclear or chemical spills;
• Technological disasters, such as viruses, worms and Trojans; and
• Disasters caused by criminal behaviour, such as theft, arson, espionage, vandalism, riots, terrorism and war.

In simple terms, a disaster plan covers four questions: what to do, by whom, in what order and with what.

Prevention: If prevention is better than a cure, it is wise to establish good records management practices, identify your vital records, back up your data, and look at storing the backups away from your main centre of operations.
Be prepared: Train your personnel so that they know what to do in an emergency.
Response: Only when you put your plan into action will you truly know if you’ve covered everything, so be prepared to test the plan until you are happy with it.
Recovery: How fast can you resume normal operations?
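As an added illustration of the backup, offsite storage and “test the plan” advice above (this is example code written for this column, not something the newsletter or any named vendor supplies), the following script runs a small restore drill: it archives a set of vital records, writes a SHA-256 manifest beside the archive, copies both to a second location standing in for offsite storage, then loses the primary copy, restores from the offsite copy and checks every restored file against the manifest. All directory names, file names and file contents are constructed for the demonstration.

```python
"""Back up a set of vital records, keep an offsite copy, and prove the copy
can be restored. Added example for this newsletter issue, not code from it;
every path, file name and file body below is constructed for the demo."""
import hashlib
import json
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large records need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(records_dir, backup_dir):
    """Archive every file under records_dir and write a SHA-256 manifest
    beside the archive. Returns (archive_path, manifest_path)."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "vital-records.tar.gz"
    manifest = backup_dir / "vital-records.manifest.json"
    hashes = {}
    with tarfile.open(archive, "w:gz") as tar:
        for f in sorted(p for p in records_dir.rglob("*") if p.is_file()):
            rel = f.relative_to(records_dir).as_posix()
            hashes[rel] = sha256_of(f)
            tar.add(str(f), arcname=rel)
    manifest.write_text(json.dumps(hashes, indent=2, sort_keys=True))
    return archive, manifest


def copy_offsite(archive, manifest, offsite_dir):
    """Second copy away from the primary site (here just another directory)."""
    offsite_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(archive, offsite_dir / archive.name)
    shutil.copy2(manifest, offsite_dir / manifest.name)
    return offsite_dir / archive.name, offsite_dir / manifest.name


def verify_tree(tree_dir, manifest):
    """Compare every file named in the manifest with what is on disk."""
    expected = json.loads(manifest.read_text())
    missing, mismatched = [], []
    for rel, digest in expected.items():
        p = tree_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != digest:
            mismatched.append(rel)
    return {"files": len(expected), "missing": missing,
            "mismatched": mismatched, "ok": not missing and not mismatched}


def restore_and_verify(archive, manifest, restore_dir):
    """The 'test the plan' step: unpack the offsite copy and check it."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # safe extraction, Python 3.12+
        except TypeError:  # older Python without the filter argument
            tar.extractall(restore_dir)
    return verify_tree(restore_dir, manifest)


def run_demo():
    """Full drill: back up, copy offsite, lose the primary, restore, verify,
    then show that a damaged restore is caught rather than trusted."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        primary = root / "primary"
        (primary / "contracts").mkdir(parents=True)
        # Constructed sample records; real vital records would live here.
        (primary / "register.csv").write_text("id,title\n1,Lease\n2,Insurance\n")
        (primary / "contracts" / "lease.txt").write_text("Lease for 12 Example St (constructed)\n")

        archive, manifest = create_backup(primary, root / "backup")
        off_archive, off_manifest = copy_offsite(archive, manifest, root / "offsite")

        shutil.rmtree(primary)          # the disaster: primary records are gone
        shutil.rmtree(root / "backup")  # and so is the on-site backup

        restore = restore_and_verify(off_archive, off_manifest, root / "restored")

        # Simulate silent damage to one restored file and re-check it.
        (root / "restored" / "contracts" / "lease.txt").write_text("garbage\n")
        damaged = verify_tree(root / "restored", off_manifest)
    return {"restore": restore, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is the piece most backup routines skip: without it, a restore that “completes” tells you nothing about whether the records came back intact, which is exactly the gap the drill in `run_demo` exposes when one restored file is damaged.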

Know your organisation’s limitations and have contingency plans for when the best-laid plans don’t quite work out as planned.  Flexibility is the key.

If you do it correctly, you will reduce the severity, reduce the anxiety and speed your organisation’s recovery time.

Further Reading:
The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, by Clifford Stoll.  If you think the problems of hacking, cracking and cyber punks are a recent phenomenon, think again.  Dr Stoll’s book is a funny but chilling account and well worth a read.