Mayday, Mayday…Where Did My Laptop Go?! Nine Basic Information Security Controls Any Company Should Implement

I’m sure you’ve heard of laptops being stolen, but have you heard of laptops being swapped? Lost or stolen laptops and the data they carry are just one of the disasters that may ail you or your organization one day. In reality, there are many more security incidents that can affect the security of your organization or employees, putting sensitive information at risk.

Whether your organization is adopting the ISO 27001 Information Security Management System standard or not, whether your organization is small or large, or whether you deal with top secret information or not, nowadays everyone needs to be aware of information security. Information has become such an intricate part of every individual and most certainly every organization, that ignoring this area is not an option. In this article, I present to you 9 basic controls I believe are essential in every organization in order to preserve the security of their information.

Misplaced Laptop

Recently, a friend of mine told me about an incident where his laptop was taken by somebody else at the airport security check point. Basically, he sent his laptop through the X-ray machine and picked up another one on his way out. Low and behold, by the time he realized that the laptop he picked up was not his, it was…well, a little too late. In a sea of people, gate, bags and briefcases, who could possibly have his laptop?!

I thought that was pretty scary. So in one of my trips I decided to ask the agents at the airport security checkpoint about such type of incidents. I was at a small airport –those were you still pick up your rental car outside. The security officials were training a new agent, so I had plenty of time to ask the question. I was alarmed by what the answer was: “It has happened here many times, we can only imagine it happens so much more at larger airports”.

With these words in mind, I decided that it was time to put together a must-do information security checklist for every organization. Not just those embarking on ISO 27001 certification or implementing Information Security Management Systems. These 9 controls apply to any organization and are recommended to any organization who wants to safeguard their property and their information.

9 Basic Controls

1. Mis-Label your propertyIf you ever lost something that did not have a label, you probably regret not putting some kind of identification that will make it easier for the person who found it to return it. However what would you do or what do you think the average person may do if they found a laptop with a big-o label that said “John Doe, Software Engineer, Microsoft Corp. Return to 111 Microsoft Dr. Seattle”. You guessed it. You would probably think you hit the jackpot as far as the laptop’s system capacity concern. However in the hands of an information thieve the data may be more valuable than the laptop itself.So here is an idea. What if you would just label your property with information such as: “J. Doe, Landscapes Unlimited, P.O. Box 123, Seattle”. First at all you are not divulging your entire name, you are putting the name of a company who is not as interesting and worth as Microsoft or the likes. Also use an address that does not reveal the real organization and a phone that does not answer, well the real organization’s name. Obviously setting strong passwords and other controls will be very useful in preventing access to the data.In the hands of a thief, a laptop from Microsoft may be more enticing that a laptop from a landscaping guy. So definitely label your property but don’t give away all your eggs, so that it will be easier for somebody to figure out your life and your worth from the label.
2. Establish expectationsI remembered about 15 years ago or so when the pagers where in fashion, it was very hard for organizations to understand and control their use. While some banned them in the workplace worrying that employees may be up to no good when they were beeped, some gave those units to people in high positions, or perhaps those in the warehouses or other areas where communication was needed.Although access to internet and cell phones went through the same learning curve, it is now part of every employee’s life and very much needed and used by most organizations. However many organizations have not really established definite and clear policies leaving it to the employees to set their own rules. My suggestion is that every organization should establish an information security policy or procedure where it is clearly laid out how employees are expected to use company information, the internet, etc. whether they are using it within the physical confines of the job or outside of it.Similarly, employees should understand that they are accountable for how they use technology within the company premises including using the internet, cell phones, Facebook, etc. After all it is your organization and you pay for all expenses, so establishing the rules of the game will go a long way in securing the information in your organization and avoiding future problems.
3. Restrict AccessWhile an information security policy or procedure helps to establish the rules of the working field, implementing physical and virtual access controls will help in carrying out those policies.For example, networks should be restricted no matter how small of a company you are. Likewise hard files and system folders should be accessible only to those who need them and should be restricted otherwise. Visitors should always be escorted and if you have card readers to access doors, then employees should be prevented from tailgating.Restricting access is not about making employees feel that you are being secretive, but rather it is to make them feel responsible for company information and to make them understand that by putting restrictions in place, the data they use will always be available to them when they need it. In fact, putting this control in place should make employees feel comfortable that neither their information nor any customer information will land in the hands of the wrong people.
4. Employee TerminationHow many times have employees left your organization with safety hard hats, boots, perhaps office keys, cell phones or much worse a laptop? Is it the case that when an employee resigns you have to ask him/her what they have that belongs to the company instead of you telling them what they need to return? Most often employers do not know all the tangibles and intangibles employees are given during their tenure with the company. Of course all this is plausible only if the employee tells you he/she is leaving. What happens when they leave for the day and decide to never come back? In this case, well I guess you are out of luck.If you are not sure what equipment employees were issued, what kind of access to programs or networks they were given, or what kind of physical access they were authorized to then you are really asking for problems. It only takes one upset employee with access to areas that he/she should not have access to, for him/her to cause a lot of trouble.That’s why I recommend you implement on boarding/off boarding procedures or checklist. During the on boarding phase, which should happened immediately upon hiring, you should create a full list of what the employee was assigned to or given access to, not just in terms of needed equipment, but in terms on:
   • Hardware: computer, phones, cell phones, network, printer
   • Software: software programs, especially those requiring licenses, passwords, special IP address outside the network, etc.
   • Physical Access: Keys, alarm codes, gate codes

   By doing this, your job during the off boarding stage will be much easier. Whether the employee is transferring to another department, location or leaving altogether, you will know exactly what they have and exactly what needs to be returned. Make sure you withhold money or even a paycheck for those risk job positions that have a tendency of leaving the job with company property.

   If you need a sample on boarding/off boarding form, email me with your company name and I will send you a copy.

5. NDANDA does not stand for non-dispensable agreement, the one you have but you actually do not dispense or use. A Non-Disclosure Agreement, commonly known as NDA should be a must for companies or contractors who do business with your organization and who have access to significant pieces of your information, whether tangible or intangible. Your customer’s information is just one piece of information contractors can steal. There is more than that. We are talking about contractors stealing equipment, formulas, designs, etc.Recently while helping a client implement ISO 9001, I advised them to implement a Supply Chain procedure in order to meet the requirements of ISO 9001. I also took the opportunity to suggest them to add certain security controls to their suppliers, especially those in the contractor/consultant category (yes that includes me too!). Not long had I finished my suggestion, he started telling me that in the past, one of the suppliers they used to transport their product to the final customer, started dealing directly with the customer and ultimately stole that part of the business from them. If you think about it, the supplier had access to product information -which in resale cases could be easily obtained- and the customer information. So the bad supplier had in essence all the pieces of the puzzle to steal the business.Information security is so important, that I suggest every organization should have such an agreement not just with subcontractors or consultants but also with all their employees. If you have a small confidentiality clause buried in your personnel manual, you may want to think about expanding that section into a full blown NDA and ensuring that an acknowledgment letter or form is signed by the recipient so that they understand the implications and that they could be held accountable if a breach is found.
6. Clear desk Clear screen. Hurricanes, intrusions or other emergencies do happen. Ensuring that all information is securely stored and not left spread out all over the office for someone else to peek on is more important than you think. There was a joke in the information security circles that talked about a bank that had the best IT security practices however the clear desk policy was never implemented. Then one day a storm broke the windows of the bank and out went all the papers that were lying around the desks. So much for securing their digital information when papers with sensitive information were travelling freely in the city.The clear desk policy seeks nothing more than ensuring that paperwork is stored at an appropriate secure place. Obviously when employees are working, it is ok to be using the paperwork, but when stepping out of their desks, the policy requires employees to secure the information on a cabinet, preferably locked if the information is sensitive. Think about it, if an intruder or an employee sniffing around for information was walking around, it would be easier for them just to read the documents lying on the desk than to have to open and close cabinets to find the information.Likewise the clear screen policy aims at ensuring that employees who leave their computers do not leave sensitive information -such as sales orders, purchase orders, e-mails, etc. – open for others to see, especially those who do not need to know. Standard recommendation is to set the screen to go on standby or be locked after 5 min. of inactivity, after which a password is required in order to unlock the screen.In essence the premise “The information is disclose on a need-to-know basis” should be in everyone’s mind.
7. Virus softwareIf you remember the days when access to the internet was introduced in the workplace, then I guess you have been around for a few years. Besides that, you may remember those were exciting times, not just for those who enjoyed the access, but also for those who were trying to establish the rules of the game. Remember when people would play games on the computer, look at inappropriate pictures or say too much on emails? I would like to think that by now, everyone who is working, probably knows the do’s and don’ts of internet, cell phone and email etiquette -or not? Whatever the case may be, one thing is for certain extensive communication channels are here to stay and you should guard your IT infrastructure for possible viruses.If your employees are downloading music and software, synching their cell phones with their desktops, downloading apps, bringing the ever more capable USB memory sticks, etc. then chances are you organization is very prone to be infected by a virus. Yes, stealing or breaching information is definitely a concern, but my point here is merely the fact that if you don’t have the latest virus software, then your computers are more vulnerable to security incidents that if you have the latest virus security upgrades and patches. Ensure that your employees are aware of these enhancements and that your IT organization has the resources, not just in terms of manpower but also the knowledge to implement this policy.
8. Business continuity. It happened after 911 with many financial companies. It happened with Katrina, all over New Orleans. It’s entirely possible that a purposeful or natural disaster may be coming your way. Would your company be prepared? How long will it take for your company to be in operation after the disaster? You need not be in imminent danger to know that a man prepared is worth two men. Likewise, ensuring your company is well-equipped and organized in case of a disaster may save you several headaches if disaster ever knocks your door.After Hurricane Ike hit the greater Houston-Galveston area, many businesses were left without a place of business to operate, due to massive flooding, debris and damaged structures. A neighbor of mine, who was the executive for a consulting firm based in the Greenway Plaza area, was actually tasked with finding a place for their business from which to operate, move all their salvaged computers, furniture to the new place, purchase whatever was needed to get the business back up and running…all within a few days. Of course that was not an easy task and although things got done, you will be wiser if you have a continuity plan in place.A robust business continuity plan should contain at minimum:
   • Baseline information
   • Primary Recovery strategy for servers, data, network, computer equipment and email
   • Business Operation Recovery including production, supply chain, facilities, amendment of procedures based on new operations, outsourcing, etc.
   • Financial Management Recovery
   • Emergency Contact Lists for staff, customers, critical vendors, law enforcement agencies, emergency service providers, etc.
   • Crisis/Emergency Teams

   Furthermore continuity plans should be revised periodically, tested if possible and definitely be updated if a disaster happened.

9. Corrective/Preventive Action/ Incident handling. As in a Quality Management Systems, handling security incidents as corrective or preventive actions is essential to improved information or physical security. Do not take actions lightly: did you know that many security incidents either could have been prevented if suspicions would have been brought up by those who noticed them? Increase awareness in your organization so that every security incident is reported, followed up, and actions are taken.In some cases even when suspicions are raised, your IT or security department may not have the appropriate methods, channels or even knowledge in order to ensure that issues raised are followed up and acted accordingly. In the Quality Management System world, it has been a long practice to train employees to record opportunities for improvement using the corrective or preventive action process established. Training on corrective or preventive action systems related to QMS often occurs during the employee induction or orientation. However when it comes to securing your information, a companywide incident handling policy is not common. If you currently have a CAR or PAR system in place, or CIP as we call it, find out if it can be extended and used to keep track of security incidents as well.And if you subcontract your security to a third-party company, you should make sure that such company trains their employees or security officers on security practices just as you would your own employees. On a recent ISMS audit, I had to audit a security company who had been subcontracted by my client and worked on site. While the security company was not ISO 27001 certified, they were indeed ISO 9001 and that along with security awareness processes in place had provided them with outstanding practices. Every security incident that happened during the previous year was carefully recorded on a form and presented to me for review on a big binder. The incidents even contained pictures and a followed up response. I was amazed at their level of knowledge and congratulated my client for doing such a good job on selecting their supplier. Do you think your security company could deliver that?

Summary

Just like you don’t need to be ISO certified to know customer satisfaction is top priority, you don’t need to be an information security guru or get your company certified to ISO 27001 to know that information security is of utmost importance in our current environment. By applying these 9 basic controls now, you may be saving yourself enormous headaches in the future, not to mention saving your organization a great deal of resources. After all, security incidents may not send you to jail, but they may help you to stay sane!