If you have not had a chance to read Part 1 please do so by clicking here.
In part one we talked about the physical network infrastructure. Those are the tangables, items that you can easily see and make on-the-fly adjustments to. In this segment we will be dealing with the human component. Policies and Procedures are the strategic link between the Company’s Vision and its day-to-day operations. But why is that so important? It’s because well written policies & procedures allow employees to understand their roles and responsibilities within predefined limits. Basically, policies & procedures allow management to guide operations without constant management intervention.
Sounds great doesn’t it? Our experience with companies show us that in a typical network environment people, for the most part, just perform their jobs. Not much though is given to policies and procedures unless it is for disciplinary action. This is why it is so important to: 1.) Regularly review what you have for policies and procedures and 2.) implement some sort of electronic system to enforce, where practical, those policies.
Here is a perfect example: XYZ Corporation has an Acceptable Use Policy (AUP) for the internet. This AUP specifically states that users are not allowed to download and install software from the internet to install on their computers. Experience tells us that while there will be a few users that will not do this, most will do whatever they want. It is not out of malicious intent but the somewhat misguided belief that “this is my computer” and “I need this software”. Unlike your IT manager, most of your users do not have the experience to know what applications can be installed without causing problems with other applications already on the system. This behavior exposes the company to serious viral threats as well.
We take people through our Security Readiness Profile (SRP) to flush to the surface what policies and procedures that have been lost by the way side on your quest to sustain and grow your business. Without solid and enforced polices and procedures all of the work placed on shoring up the network and implementing a full DR solution could be for naught. Take a look at some of the questions from our SRP:
- What security measures do you have in place to: 1.) Protect your data from being taken off-site through the use of removable media (e.g. CD’s, DVD’s, flash drives, etc.) and 2.) Protect your network from people bringing in something from home that could compromise your network?
- What type of auditing is performed on the logs generated by your firewall to ensure your network has not been compromised?
- Is there an enforced formal process for making users aware of what is and is not acceptable use of Internet access in the work place? Is that information tracked or logged?
- Is your networks VPN access audited to ensure that there has been no unauthorized access?
- What is the procedure to ensure that your network routing equipment is not operating under excessive capacity?
- Have your network workstations security levels been hardened (e.g. administrative privileges removed) to prevent users or viruses from installing software?
- Are all virus incidents managed in a secure manner, in that they are cleaned up, investigated, reported to management, and properly documented?
- What type of monitoring is currently in place to track what is considered to be normal network traffic? What alerts have been put in place to notify network administrators of unusual traffic?
- If your building is damaged or destroyed, is the media required to install software and the backup media to restore the data located at a secure off-site location?
- With what regularity do you test your disaster preparedness/recovery plan?
These were only the 10 most commonly missed questions out of our SRP. Most people cannot answer more than 5 or 6 of those with a positive answer. That may look like a failing grade. The problem with industry standards is that they do not take into consideration that operating environment of the organization. For example: It’s best to change your password every 30 days, however if none of your information is private then why is it nessisary?
There are hundreds of questions in 10 different sections that we cover when we go through this process with you. The entire report is prefaced with an executive summary of each of the categories red flags that we recommend receive your attention. That is why this step of the process must be done with an outside company. Our goals are to help you build the necessary foundations for a solid disaster recovery plan. We do not have an emotional stake in the policies and procedures that you have in place, giving us an unbiased view.
In the next section we will start talking about prioritizing. In the interim if you would like to talk to one of our team members for more information please give us a call at 860.450.1737 or email us at email@example.com!