E Bryan Information Security Management Protecting Your Assets


Information Security Management: Protecting your Assets

By Emerson O. Bryan

We are now officially in the Hurricane Season for this year, and while it is the norm for us here in the Caribbean to focus on Business Continuity Planning relative to hurricanes, and on disaster preparedness to reduce exposure to water damage, there is an even more urgent issue that we often don’t pay much attention to. The other issue that needs to be seriously considered by us as information management professionals is Information Security.

What is Information Security?

Definition: Systems and procedures designed to protect an organization’s information assets (throughout their life cycle) from disclosure to any person or entity not authorized to have access to that information, especially information which is considered sensitive, proprietary, confidential or classified, and which protect the integrity of an organization’s information. (IRMT)

The information which may need to be kept secure varies from organization to organization, depending on the operations/type of business of the organization. For example:

| Type of Organization | Type of information vulnerable |
| --- | --- |
| Hospital | patients’ health records |
| Private-Sector entity | trade secrets, new product information, or innovative marketing strategies |
| Government with FOI legislation | exempt classes of records |
Some other commonly targeted information may include: customer lists, financial data, patent or copyright information, legal transactions, executive correspondence, personnel records, research and development data, marketing plans, budget projections and so on.

Strategies for Protecting Corporate Information

In order to minimize the risks of information theft, loss or leakage, the following should be included in any organization’s information security management programme:

1. Establish the basic objectives of the overall security programme of the organization;
2. Define the various responsibilities of each staff member, consultant and vendor representative;
3. Solicit the cooperation of your Legal Counsel, IT Manager, Finance Director and other key personnel for their input into the programme;
4. Ensure that all corporate legal information and trade secrets are properly registered and copyrighted;
5. Assess the risks that loss or theft of various information may pose to the organization;
6. Establish information security policies and procedures (including the penalties to be applied if they are breached);
7. Establish procedures for continuous auditing, monitoring and evaluation of the system.

How does Records Management relate to this?

Some essential policy components specific to recordkeeping may be:

• Ensuring proper Security Classification of all records according to the assessed risk(s) that they may pose if exposed. NB: this can be done by using a numerically coded taxonomy when coding files and correspondence, which will aid both in the identification and in the protection of sensitive information;
• Educate users on the methods that are to be used to secure sensitive records, ensuring that these procedures are clearly indicated (preferably in a RM Manual) and observed by all levels of staff;
• Establish, after discussion with senior management, the procedures to be followed when responding to requests for the release of company documents, information and records to persons external to the organization;
• Get senior management to outline in a statement to new and existing employees that any record created by, and used by, them during the discharge of their duties is the exclusive property of the organization;
• Practice redacting to ensure the continued security of documents when sharing information that is subject to FOI legislation;
• Don’t label records with stamps such as ‘CONFIDENTIAL’ or ‘SECRET’, as these will instead draw curiosity; use special color-coded folders instead (e.g. pink, blue or buff), and keep confidential records segregated in a ‘secure area’ and in locked filing equipment;
• Always ensure that the movement/transportation of records within the building (and if possible off-site as well) is secure;
• Observe a ‘Clean Desk’ Policy, where at the close of business each day all employees clear their desks and lock away all files and correspondence.

Internal Document Control

Facsimiles

Most facsimile machines (for both dispatched and received faxes) are located in a centralized or public area, and restricted documents conveyed by this method are therefore susceptible to interception or to inadvertent or deliberate exposure. It is recommended that sensitive information not be transmitted via fax unless you know for a fact that the fax is being sent directly to the intended recipient or that the receiving machine is in a secure area.
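The recordkeeping bullets above (a numerically coded taxonomy, color-coded folders in place of stamps, a secure area, and the restriction on faxing sensitive material) can be tied together so that the security class is carried in the file code itself and every handling rule is derived from it. The following is an added example and not code from the article; the file-code layout (class digit, series, sequence), the five classification levels and the handling rules are assumptions constructed for illustration.

```python
"""Record classification and handling derived from a numerically coded file taxonomy.

Added illustration, not part of the original article. The file-code format,
classification levels and handling rules below are assumed for the example:
the leading digit of a file code is the record's security class, so anyone
handling the record can derive its requirements without a 'SECRET' stamp.
"""
import re
from dataclasses import dataclass

# Assumed file-code layout: <class>-<series>-<sequence>, e.g. "3-HR-00042".
# The leading digit is the security classification; higher means more sensitive.
FILE_CODE = re.compile(r"^(?P<cls>[0-4])-(?P<series>[A-Z]{2,4})-(?P<seq>\d{5})$")


@dataclass(frozen=True)
class Handling:
    level: int
    folder_colour: str          # color-coded folder instead of a stamp
    storage: str                # where the record lives when not in use
    locked_when_unused: bool    # must be locked away under the Clean Desk policy
    internal_transport: str     # how the record moves within the building
    fax_permitted: bool         # may it go through a shared fax machine at all
    foi_redaction_review: bool  # redaction review before any release under FOI


# Assumed taxonomy (constructed): 0 = public ... 4 = most restricted.
HANDLING = {
    0: Handling(0, "buff", "open shelving", False, "open tray", True, False),
    1: Handling(1, "buff", "general filing", False, "open tray", True, False),
    2: Handling(2, "blue", "departmental filing", True, "sealed envelope", False, True),
    3: Handling(3, "pink", "secure area", True, "sealed envelope, signed out", False, True),
    4: Handling(4, "pink", "secure area, locked cabinet", True, "escorted hand delivery", False, True),
}


def parse_file_code(code: str) -> tuple[int, str, int]:
    """Split a file code into (class, series, sequence); reject malformed codes."""
    m = FILE_CODE.match(code.strip())
    if not m:
        raise ValueError(f"malformed file code: {code!r}")
    return int(m["cls"]), m["series"], int(m["seq"])


def handling_for(code: str) -> Handling:
    """Derive the handling requirements for a record from its file code alone."""
    level, _, _ = parse_file_code(code)
    return HANDLING[level]


def may_fax(code: str, recipient_machine_secure: bool) -> bool:
    """Low classes may be faxed anywhere; higher classes only to a machine in a secure area."""
    return handling_for(code).fax_permitted or recipient_machine_secure


if __name__ == "__main__":
    for sample in ("0-PR-00001", "3-HR-00042"):
        h = handling_for(sample)
        print(sample, "->", h.folder_colour, "folder,", h.storage,
              "| fax to public machine:", may_fax(sample, False))
```

Because the class is part of the code, the check is the same whether it is made by a registry clerk choosing a folder, a mail room deciding how to move the file, or a fax cover-sheet procedure; the folder colour signals the class to staff who know the scheme while saying nothing to a casual observer.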
Personal Computers

Methods of securing documents:

• Users should treat the phone numbers used to dial up their computers to the company servers or ISP as carefully as their passwords;
• Users should never leave their computers unattended for any extended period whilst logged on without having either a password-protected screen saver or a secure monitor energy-saver;
• Terminal/keyboard locks employing the use of passwords for computer access (preferably along with a challenge-response calculator);
• Automated audit trails to enable system security personnel to trace any additions/deletions/changes back to the person who initiated them, and which also indicate where and when the changes occurred;
• Utilize removable hard/optical disk drives or desktop docking ports for laptops, but when these are not in use, stow them in a secure storage area and never leave them openly unattended;
• Back-up disks and tapes must also be securely stored and regularly purged;
• Within a highly classified, secured networked environment, always establish ‘dummy terminals’ (i.e. diskless workstations) for public use.

Reprographics

• Ideally, employees should make only the minimum number of copies that are actually needed;
• Ensure that ‘sensitive’ documents are not ‘accidentally’ left by the photocopier.

Internal Literature

Most company newsletters, memoranda and other ‘in-house documents’ contain information which, while not sensitive, was intended primarily for internal use. Therefore, care should be taken whenever decisions are being made regarding the content of these publications and to whom they should be circulated.

Disposal

Never throw records or documents into office waste bins without first properly shredding them. You must dispose of them in a secure and approved manner, which may be: burning, shredding (preferably with a cross-cut shredder) or pulping. Finally, when disposing of computer equipment, ensure that hard disk drives are reformatted or de-magnetized so that no information is left on them, and most importantly, since we hardly use them anymore… ensure that no floppy disks are left in the drive(s)!

Emerson O. St. G. Bryan
Mr. Bryan has been a Records and Information Management practitioner for over twelve (12) years; currently he is the Information and Document Management Specialist with the Caribbean Regional Negotiating Machinery (CRNM) in Barbados. He has also worked with several regional organizations, including the United Nations Department of Economic and Social Affairs (UN-DESA), the Caribbean Centre for Development Administration (CARICAD), and the Ministry of Foreign Affairs and Foreign Trade of Jamaica. He is also an Associate Consultant/Trainer at Lorson Resources Limited, “the Records and Information Company of the Caribbean”, which is based in Trinidad and Tobago; see: www.lorsonresources.com/seminar1.asp

Emerson O. St. G. Bryan
Contact: emerson.bryan@gmail.com