Information Security & Privacy Regulatory Compliance: High-Tech
First, if you’re reading this, let me say “thank you.” I run into so many high tech firms that have not even considered information security until it is too late, that is. It’s enough to make a grown man cry. Or write an article about it!
Second, let me assure you that there is a structure that is measurable and concrete and that can provide your firm a measure of protection vastly superior to the current method of applying whatever security add-ons vendors choose to provide.
If you are in high tech, then you have one advantage: the levels of regulations that bind you are significantly less than those that bind financial sector or defense contractors. However, this can also be a weakness. If you do not have the time, resources or discipline to apply information security (or as we say, “infosec”) standards at your firm, there will be no one around to force you to do so.
Here are just a few examples of high tech firms that failed to adhere to the rules of information security until it was too late.
In an example of malicious intent, an engineer at one company opened up an FTP port and throttled it to send just a few packets per second out to his home computer. The engineer’s intention in taking the project information was to use it to secure a future position in the event he was laid off or fired.
While common, malicious intent is hardly the only concern.
In a case of accidental leakage, an employee was practicing building a website for a company intranet. The employee took his laptop home and accidentally left the website software running. You can imagine the consternation when the company’s largest customer called them and asked why they were leaving sensitive information (provided to them by this, their largest customer) exposed to the Internet. In this case, the company simply felt it didn’t have the resources to have pilot machines to test new software. Sound familiar?
As a final example, I leave you with the nightmare of a lost laptop, or even simply a sensitive report left at a restaurant or inexplicably missing.
All of these breaches cost the companies money: as much as $1,000 an hour until the security incident is investigated and resolved. In addition, there is always the time and business opportunities lost when senior management has to become involved in security breaches. Invariably these breaches cost many more thousands of dollars (sometimes hundreds of thousands) in lost revenue and research and development costs than the sometimes simple measures that might have prevented them.
You would not give your latest design to your competitor, so why make it easy for them to data mine it or have it “accidentally” turn up at their firm? Ethical questions aside, it is your responsibility to secure your company’s intellectual property. So, being a responsible C-level manager, what tools are at your disposal?
First, understand that you are not a security expert. If the answer to the question “who is your firm’s information security officer?” is you or the CEO, CFO, CIO or COO, then you are already on the wrong track!
Your company needs to charter a security department dedicated to information security. If your company is too small to have a CSO (chief security officer), at least have an Information Security Officer (ISO). The role of the ISO has a myriad of essential duties, so there is no fear that you would be hiring “deadwood.” Some examples of what an ISO does are:
- Manage the information security risk assessment process
- Manage the incident response process
- Manage the security awareness process
- Participate in (or manage) the business continuity process
- Manage cyber-crime relationships with the FBI and local authorities
- Manage the information security program
- Manage the regular reporting to senior management and the board of directors
There is a standard for security put out by the ISO (International Standards Organization). This standard (known as ISO 27001) provides guidance and delineates each aspect of a successful information security program. If your firm is not doing something to comply with the ISO 27001 standard, you should have a very good reason why it is not doing so. As with all standards, not everything has to be followed (at least if you’re not regulated), but you should know what the compensating controls are so that you can ensure they are in place.
In summary, if you are a high tech firm, you still have a high infosec risk, and you reduce that risk by setting aside the resources necessary to build an effective information security program. Failure to take these actions can result in the loss of a few thousand dollars or even the loss of jobs, and in this day and age that kind of lack of due diligence is simply not acceptable. The threat is there, and the tools to combat the threat are also available. All it takes is the corporate will to do all that is necessary and reasonable to prevent the kind of information security incidents that occur every day in every industry, to the detriment of companies and individuals alike.
By John Barchie, Senior Information Security Governance Fellow