Information Security

by Andy Taylor

An acceptable usage policy

If you employ people or otherwise allow other people to access your information, it is prudent to ensure you have made it absolutely clear to them what they can and (more importantly) cannot do. There are several reasons for this.

  • It makes it much easier to prosecute or dismiss those who choose to break the rules, for whatever reason – unless you have made it clear what is acceptable use of the system and what isn’t, a tribunal will find it difficult to condemn a worker who was, in their words, ‘Trying to do my job’.
  • It should reduce the temptation to try to access certain information: accessing their pay account to ‘adjust’ the figures might be a temptation, but if it is clearly stated that there will be areas of the system to which they will not be given access, most people won’t make the attempt (naturally, it is unlikely to stop some from trying, but then see point one above!).
  • It can help to promote best practice. For example, all users might have to sign a document telling them what they should do with regard to accessing information. This could be couched in terms that clearly explain the correct way of doing so. Your document could also include advice and guidance on the ways of dealing with, for example, emails while on holiday, taking back-up copies of important information and what to do in the event of a major emergency. All these areas should also form part of the ‘induction course’ for new staff, helping to instil good practice in them (for more, see What about training?).

An acceptable usage policy does not stop all risks occurring, but it does help to prevent them and ensures that all staff know where they stand. It is neither reasonable nor acceptable to leave staff without a clear statement of exactly what they can and cannot do, both on the officially provided IT system specifically and with the organisation’s information in general.

The formal policy can be as simple and straightforward as you like. Naturally, it will be closely linked to the complexity of the systems used to store and process information within the organisation. The language must be in common usage, though, not some technical waffle that only the geeks can understand.

Format

The policy should be drafted to suit the organisation. It is best practice that each new staff member signs the policy. This could be a written statement that each person signs when they join, as part of their induction training. It is common for the policy to form part of the normal employment contract, linking it directly to employment legislation.

An alternative to a written statement is to have an intranet-based policy that must be read and signed by all staff. There are software systems available to help enforce the reading and understanding of electronic communications of this type.

It is vital that all staff are covered by the policy: the most junior and the most senior, the permanent and the temporary, the skilled IT workers and the cleaners.

Third parties

You should also consider outsiders who need to be given access to information – for the maintenance of IT equipment, for example. If outside specialists are invited to perform a penetration test to see how secure the IT system is against potential attackers, the people involved may gain access to some very sensitive information. In this case, instead of an acceptable usage policy, you will need some form of contract that spells out exactly what they must do with any information they uncover.

Policy elements

The main elements of the policy should address or refer to the areas listed below.

Information security policy

The organisation’s chief executive or managing director should write a short statement making clear that the organisation regards risk to its information as a serious issue and will actively manage that risk in a variety of ways. (This may be very similar in form to the health and safety policy statement.) It should include a statement about the high-level organisation set up to manage information risks and how the subject will be addressed at appropriate meetings.

It is common, for example, to set up a committee to manage information security in larger organisations, but in any event, the senior management board should always have the item for discussion on the board meeting’s agenda. The policy may also provide a high level commitment to making information available to all employees on a ‘need to know’ basis. This ensures that those who should get to see information can, while more secure areas are hidden from those with no need to know.

Acceptable usage policy

The normal acceptable usage policy spells out in clear understandable terms what members of staff can and cannot do in the office. This is likely to include what access they have to the internet, use of email for private purposes and use of the organisation’s information for other purposes, such as social activities. It should also explain the facilities the organisation has available to monitor what is being done on the official information systems and when such monitoring might be carried out.

It might include generic information about the types of information all staff members may access, those staff members who might have privileged access and those areas of the network to which very few will be given access. Naturally, this must be expressed in terms which make it clear that the employee should not try to access those sensitive areas without authority rather than making it a target for underhand activity.

Other items

The policy could also include other aspects, such as the use of photocopier facilities, making private phone calls, the use of home computing facilities for work purposes and other related activities. Mobile phones and personal digital assistants (PDAs) could all be covered if there is sufficient concern that the staff member might misuse their access to organisational information. This is particularly important where sensitive information might be moved around. A district nurse out on his rounds or a social worker making visits to clients’ homes may now have access to lots of personal information on the move via laptops or other devices. All these need to be considered and covered by a policy statement, with clear advice as to what is and isn’t acceptable as well as what could go wrong and how to prevent it. It will also allow staff members to take advantage of the facilities provided to them by their employer with less worry about legal issues or the attitude of the employer.

Desk instructions, checklists, business continuity plans (BCP) and disaster recovery (DR) instructions – all these support the principle of information security and tell users how they should do things so as to promote secure operations.

Involve everyone

There are a lot of similarities between information security and health and safety. It is widely accepted that as soon as health and safety is seen as just one person’s job, the battle for a safe working environment has been lost. The same can be said about information security – it must not be delegated to, for example, the IT manager, but seen as the responsibility of every single member of the organisation. The adage that a chain is only as strong as its weakest link is very true in the world of information security. Allow one individual to ‘bend the rules’ and the security of the system is in danger, potentially putting at risk all the information assets contained therein.

Keep it practical

There is, however, one more very important factor to consider when writing an information security policy – that of practicality. The human brain is a wondrous beast and has the seemingly infinite capacity to find alternative ways of doing things. If the policy on the usage of information systems is so restrictive as to make the normal working life of staff very unsatisfactory, it is highly likely that the more adventurous of the staff (at least) will try to find ways around the security.

For a while it became the vogue to ban the use of all USB memory sticks to reduce the risk of information being misused through their loss. While it is clear this may well have the desired effect, the consequence is that if there is a business need to move information from one system to another, unless a practical alternative is provided, staff will use other means to transfer information around. One way might be to use their personal ‘Hotmail’ account to email information to themselves. This practice is probably inherently much riskier, and more likely to result in inappropriate access, than the loss of a memory stick.