stty consulting › our future

Information & Systems Risk

The basics of information and technology risks are focused around three main areas:

In order for you to understand the problems you are facing you will need to assess the risks that exist. Below we will examine the common areas and potential ways to reduce the potential impact

People & Technology

The main people related risks are:

Unacceptable use by or through staff, contractors, partners, and former employees

Unauthorised access, fraud, identity theft

Lack of professional, affordable IS/IT risk specialists to advise on and implement risk mitigation & reduction plans

Loss of key resources - staff/supplier relationships

Regardless of how big or small you are the business must make security compliance a priority and enforce it from the top down.

Put security responsibilities including Internet and e-mail use constraints into job descriptions, terms and conditions, and the contracts of any full-time, part-time or temporary employees. Make it clear that there are disciplinary sanctions for infringement of the policies you set.

Make sure passwords secret and implement a policy of not sharing login IDs and passwords.

Implement an enforced automatic password change facility.

Ensure all employees think about who is in earshot when discussing security, passwords or access codes.

Audit and enforce your detailed security policies. For example, email preview panes can trigger malicious code. Make sure that users haven't switched them back on since the last check.

Educate employees about the dangers of opening attachments they were not expecting. Encourage them to check who's sent them. Highlight the particular risks of file names ending in .vb, .vbs, .exe, and .scr.

Train users to treat email with the same respect as written correspondence. Be strict about what they send and who they send it to. Make sure that email is not a drain for confidential data.

Make sure that employees know how to identify a security incident, report it adequately, and how to react. If possible, make someone responsible for security and give them the authority to enforce security rules. Ideally, this should not be the same person who is responsible for IT.

The links below provide additional information and resources:

Introduce an Internet and email policy

Sample Internet policies and notices

Comply with data protection legislation

page 2