5 step data security plan for small businesses
DESCRIPTION
The following presentation presents a 5 step data security plan for small businesses. The plan is easy and inexpensive to implement, and it provides a strong plan to protect your proprietary company assets as well as your clients' information. To learn more or to read the article, please visit http://www.wilkins-consulting.com/small-biz-security-plan.html.
TRANSCRIPT
www.wilkins-consulting.com
5 Step Data Security Plan for Small Businesses
Based on ISO 27001 Principles
A recent Trend Micro survey showed that only "49% of small companies view data leakage as a serious threat, while 63% were more concerned about viruses."
But here is an alarming statistic: On November 3, 2010, the Privacy Rights Clearinghouse released a report that among other items showed that "80 percent of small businesses that experience a data breach either go bankrupt or have severe financial difficulties within two years."
Let Me Share Two Recent Examples
• Incident 1:
- 4 person organization hires new sales manager to grow business
- Employee leaves after 6 months, but created his own competing company while working there
- Organization had no access control plan in place, so the ex-employee continued to receive work emails forwarded to his personal email account for several months after leaving
- Organization was faced with spending $1000s in litigation while facing the loss of several key clients
• Incident 2:
- Involved a colleague of mine
- Her healthcare provider's office was broken into and computers were stolen
- There was no protection on the computers, and over 400 patient financial records were accessed. My colleague's bank account was compromised among many others.
Step 1 – Asset Identification and Risk Assessment
• Identify and record information assets – laptops, desktops, servers, wireless phones, etc.
• Classify information assets – High, medium, low
• Risk assessment for each asset to determine the level of risk you are willing to accept
- Threats – Theft, damage, virus, etc.
- Vulnerability – High, Medium, Low
- Impact of the loss to your business
• Now let's look at some examples
Information Classification
• Asset: Network server that contains your company data
• Classification: High because it contains classified and irreplaceable data.
• Threats: HDD failure, virus, theft
• Vulnerability: Medium – High
• Impact: Very High
• Level of Risk You Accept:
- Use enhanced security measures: keep it locked up, behind a network firewall, and backed up.
- It is expensive to back up your main server with a second server for real-time redundancy, so you back up to tape instead. That means a longer downtime if the server is damaged (restoring from a backup tape takes longer), but you protect your company.
Complete Risk Assessment
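The Step 1 worksheet above (record each asset, its classification, threats, vulnerability and impact, then decide what risk you accept) can be kept as a small register that rates every asset the same way and flags the ones that need enhanced controls. The code below is an added example and is not from the original presentation; the numeric scales, the score thresholds and the laptop and brochure entries are assumptions chosen for illustration, while the server entry mirrors the slide's example.

```python
"""Asset register and risk rating for Step 1 of the plan.

Added example, not code from the original presentation. The numeric
scales, the score thresholds and the sample assets other than the
server are assumptions chosen to illustrate the method.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Ordinal scales for the factors the slide asks you to record per asset.
VULNERABILITY = {"Low": 1, "Medium": 2, "High": 3}
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}
LEVELS = ["Low", "Medium", "High"]          # ordered, lowest risk first


@dataclass
class Asset:
    name: str
    classification: str            # High / Medium / Low, as on the slide
    threats: list[str]
    vulnerability: str             # a key of VULNERABILITY
    impact: str                    # a key of IMPACT
    controls: list[str] = field(default_factory=list)


def risk_score(asset: Asset) -> int:
    """Vulnerability x impact on the assumed scales; ranges from 1 to 12."""
    return VULNERABILITY[asset.vulnerability] * IMPACT[asset.impact]


def risk_level(score: int) -> str:
    """Band the score. Thresholds are an assumption: 8+ High, 4-7 Medium, else Low."""
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def exceeds_accepted_risk(asset: Asset, accepted_level: str) -> bool:
    """True when the rated risk is above the level you are willing to accept."""
    return LEVELS.index(risk_level(risk_score(asset))) > LEVELS.index(accepted_level)


def build_register(assets: list[Asset], accepted_level: str = "Medium") -> list[dict]:
    """One row per asset, highest risk first, flagging those needing enhanced controls."""
    rows = []
    for a in assets:
        score = risk_score(a)
        rows.append({
            "asset": a.name,
            "classification": a.classification,
            "threats": ", ".join(a.threats),
            "score": score,
            "level": risk_level(score),
            "enhanced_controls_needed": exceeds_accepted_risk(a, accepted_level),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# The server from the slide (its "Medium - High" vulnerability recorded at the
# worst case), plus two constructed assets for contrast.
SERVER = Asset(
    name="Network server (company data)",
    classification="High",
    threats=["HDD failure", "virus", "theft"],
    vulnerability="High",
    impact="Very High",
    controls=["locked room", "network firewall", "tape backup"],
)
LAPTOP = Asset("Sales laptop", "Medium", ["theft", "loss"], "High", "Medium")
BROCHURE = Asset("Public marketing brochure", "Low", ["damage"], "Low", "Low")

if __name__ == "__main__":
    for row in build_register([BROCHURE, LAPTOP, SERVER]):
        print(row)
```

Running it lists the server first with `enhanced_controls_needed` set, which is the decision the slide reaches by hand; lowering `accepted_level` to "Low" would also flag the laptop, so the same register shows how the accepted-risk choice drives the control spend.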
Step 2 – Network, Computer, Email Access Controls
• Password authentication and change password every 90 days
• Strong passwords
- Minimum of 10 characters
- Use at least 3 of the following 4 (letters, numbers, special characters, capitalized or lower-cased characters).
• Employee network level access
• Clean desk clear screen policy
- Employee must sign off computer when they leave their desk.
- Set up a password protected screensaver that will activate after 5 minutes.
- Do not leave sensitive printed information on desks unattended.
• Mobile computing
- Access via programs such as VPN
- Ensure connections to your network are securely authenticated
- Password and virus/malware protect employee mobile phones
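The password rules on this slide (minimum of 10 characters, at least 3 of the 4 character classes, change every 90 days) written as a checker you could run when a password is set or at the 90-day review. This is an added example, not code from the original presentation; it assumes "letters" means any alphabetic character, that the "capitalized or lower-cased characters" class is satisfied when both cases appear, and that "special characters" means ASCII punctuation. The sample passwords are constructed.

```python
"""Checker for the Step 2 password rules.

Added example, not from the original presentation. Class definitions
(letters, numbers, ASCII punctuation, mixed case) are an interpretation
of the slide's four categories.
"""
import string
from datetime import date

MIN_LENGTH = 10        # "Minimum of 10 characters"
MIN_CLASSES = 3        # "at least 3 of the following 4"
MAX_AGE_DAYS = 90      # "change password every 90 days"


def character_classes(password: str) -> set:
    """Return which of the four character classes the password uses."""
    classes = set()
    if any(c.isalpha() for c in password):
        classes.add("letters")
    if any(c.isdigit() for c in password):
        classes.add("numbers")
    if any(c in string.punctuation for c in password):
        classes.add("special")
    # Assumption: the slide's fourth class counts only when both cases appear.
    if any(c.isupper() for c in password) and any(c.islower() for c in password):
        classes.add("mixed case")
    return classes


def check_password(password: str) -> list:
    """List the policy rules a candidate password violates; empty means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        used = ", ".join(sorted(classes)) or "none"
        problems.append(
            f"uses only {len(classes)} of 4 character classes ({used}); need {MIN_CLASSES}"
        )
    return problems


def rotation_due(last_changed: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password has been in use for max_age_days or longer."""
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    # Constructed samples: one compliant, one too short, one with too few classes.
    for candidate in ("Tr0ub4dor&3x", "Short1!", "password12"):
        result = check_password(candidate)
        print(candidate, "->", "OK" if not result else "; ".join(result))
    print("rotation due:", rotation_due(date(2024, 1, 1), date(2024, 3, 31)))
```

The rotation interval and the length and class thresholds are module constants so the same checker can follow whatever values your own policy document sets; only the rule logic is fixed.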
Step 2 Con't – Physical Access Controls
• Network servers on your company premises – ensure they are encrypted and kept behind locked doors at a minimum. Limit employee access to servers.
• If the data is sensitive, then consider enhanced access security such as biometrics, video cameras, third party security monitoring, etc. Many of these controls can be put in place rather inexpensively.
• If you host your corporate networks at a remote third party facility, keep it local if possible, and tour the remote facilities to ensure they have the proper physical and environmental protections.
Step 3 – Network and Personal Security Controls
• Encryption – Laptops, desktops, flash drives, servers, etc. TrueCrypt (free encryption software) www.truecrypt.org
• Email encryption – MessageLock or PGP email encryption
• Anti-virus – http://anti-virus-software-review.toptenreviews.com/
• Downloads & System Acceptance – Test unknown downloads/upgrades before running company wide
• Network Firewall – Update and scan regularly. www.openvas.org is free vulnerability scanning software
• Wireless Network – I do not recommend one, but if you use one ensure WPA2 encryption.
Step 3 – Network and Personal Security Controls
• Ecommerce – Use Secure Sockets Layer (SSL) for receiving or transmitting credit card information
• Network & Computer Backups
- Very small company – Flash drive, hard drive, online with sites like Mozy or Carbonite, but encrypt first
- Larger – Backup to tape (inexpensive and portable)
• Consider a 3rd party network review at least yearly
Step 4 – Paper Document Controls
• Information Classification policy
- Public – Anyone can view
- Proprietary – Management approved internal/external access
- Client Confidential – Management approved internal access
- Company Confidential – Management approved internal access
• Shred sensitive documents
• Locked filing cabinets behind locked doors
Step 5 – General Security Controls
• Employee background checks and training – Review the Privacy Rights Clearinghouse http://www.privacyrights.org/fs/fs16b-smallbus.htm
• Third party review/audit – at least yearly
• Visitor policy
- Sign in/sign out sheet
- ID check
- Name tags
- Designated areas off limits
• Incident Management System – Log any type of security incident, how you corrected the issue, and how you will prevent it in the future.
Step 5 – General Security Controls
• Emergency Response Plan (Business Continuity/Disaster Recovery Plan)
- Who is in charge and who is responsible for each action
- Key personnel contact information – for contact and to set in motion pre-assigned duties and responsibilities.
- Key contact information for service providers such as third party network administrators, security monitoring, phone, internet, etc.
- Key contact information for your local police in addition to your legal representation
- Backup communications plan – mobile phones, home phones, laptops, etc.
For More Information
• Read the article: 5 Step Data Security Plan for Small Businesses http://www.wilkins-consulting.com/small-biz-security-plan.html
• Connect with me on LinkedIn and download the presentation: http://www.linkedin.com/in/treywilkins
• Contact me: [email protected]