Integrating Policy Presentation with Security Awareness - Essay Example

Interoffice Memo 10/22/2007 Giorgio Papandrogyros, Director of Human Resources Eze, CISO RE: Integrating policy presentation with security awareness Question 1: Security Policy Awareness Mr. Papandrogyros, As you know, our company is fortunate to have developed an extensive intranet and web expertise over the past few years. As our system is so highly developed, we have tried to implement security policies to keep our corporate information, as well as client information safe from unauthorized access or outside attack. Recently our IT department and some of our client representatives have voiced concerns as to whether all employees, particularly the new hires, understand information security policies. In addressing this concern, I am dedicated in finding the most logical and comprehensive way to provide the necessary details of our information security. You expressed interest in using our expertise to provide the information. I have come up with a few ideas for viable solutions that make use of our extensive intranet. The ideas include overviews of our security information for clients who access their account information as well. We want them to know that we value their information and work hard to keep it safe. Frames Pages The first idea is to provide links within our intranet, which divide specific information security issues into different categories, such as password protection, encryption, security questions and other. Each link provides specific information regarding the specified security topic. Each topic is designed to appear on the user screen in a “frames page” using a light colored background that is different from the main user screen. This frame, as a smaller portion of the main screen, will discuss the selected security issue using a common font, in a dark, yet easy to read color. For instance, our intranet main screen is a light blue background with navy blue, aerial font. The new frame selected from the screen might use a tan background with dark brown aerial or other easy to read font. Multimedia Links My second idea is to provide an audio/video link, which, when selected, provides written and voice explanation simultaneously. News agencies use such methods to present stories online. Many retailers and corporations use video demos or video clips to describe products and processes. The multimedia method serves to keep viewer’s attention, while reinforcing the written explanation. Video can easily be adapted for use in conjunction with a power point style written presentation. As many of our newest employees are very multimedia savvy, I believe this method to be the most effective. We could even provide employees with a choice of the frames pages or audio/video presentation. I hope you see my suggestions as viable options, well within our capabilities. Perhaps our IT staff can fine tune my ideas when presented to them. Please feel free to contact me if you would like to comment or add suggestions of your own as well. Eze Interoffice Memo Date: 10/22/2007 To: Gaston LaPierre, Director of Marketing From: Eze, CISO RE: Opportunity for competitive advantage Question 2: A Little Industrial Espionage, Perhaps? Mr. LaPierre, I greatly appreciate your contacting me regarding this matter. Frankly, your recent memo about the new employee, Fred Herrington, in regard to his accessibility to his old password and logon from the previous employer concerns me greatly. I understand Gabe Schwartz has expressed concerns in this matter. I believe he is justified in his concerns about ethical behavior and use of information through Mr. Herrington’s access. In consideration of ethical decisions, we should take into account how our actions will affect not only our competitors, but our organization as well. I understand your intentions are well meaning, but they can have some serious legal implications as well. I will explain the legal and ethical aspects in detail, so that you have a better understanding of Mr. Schwartz’s concern. What is Legal There are legal means in which companies can obtain information about others. Acquisition, in order to obtain technology is considered acceptable. So is joint venture, in which technologies of one company are shared with another. While client account information is not specifically a technology, it is a tool that is used by a competitor in doing business. Open source information, such as that provided in news articles, patent filings and court documents is considered a legitimate means of obtaining information as well. Trade shows are a great place to send our representatives and engineers, to obtain information about our competitors. I realize this does not give us the names and contacts of our competitor’s clients. My though is that we should compete with superior product and service, rather than by enticing their clients. What is illegal Illegal means of obtaining information include use of a mole, or spy, who works for or has worked for one company, in order to obtain information for another. “It does not matter whether the information is found in a computer or in the garbage,” according to Ira S. Winkler of the National Computer Security Association. Perhaps blocking access to account information is an oversight of our competitor, after Mr. Herrington’s departure from employment. In no means does this imply that we are legally permitted to access their information. We stand to lose our entire corporation, face jail time or possibly a civil suit by Diamondback Industries. Ethical Considerations My next concern is of an ethical nature, and one that Mr. Schwartz is correct in applying his logical process for determination. Just because we can access the account information, does not imply that we should. Playing fairly is the best method in maintain our company’s solid reputation. We stand to lose everything, should it become known to the public or our industry, that we accessed our competitor’s account information in this manner. We stand to lose clients to our competitor, should they discover our activity. Aside from such arguments, we would not want our competitors to behave in such a manner, should they discover one of our former employees is still able to access our account information. We stand to corrupt our current sales staff, as well as Mr. Herrington, by participating in such activities. He could use the fact that we’ve accessed competitor information to blackmail us. He could make outrageous demands that would, at some point, become too outrageous. I appreciate your bringing this delicate matter to my attention. Now that I am aware of of Mr. Herrington’s access, I believe his actions should be monitored. When I hired him, I had no idea of this information you have provided me. I do not want one employee to corrupt our entire organization. I also think a meeting with you, myself, Mr. Schwartz and Mr. Herrington is warranted, so that we can make our company’s position on this matter clear to everyone. Please get back with me as soon as possible, so that we may set up an appropriate meeting time for all involved. Eze Interoffice Memo Date: 10/223/2007 To: Liu Naixiong, Corporate Counsel From: Eze, CISO RE: Proposed employment policies Question 3: Legality of Hiring Process Mr. Naixiong, I have read your memo regarding the new interviewing process of candidates in security sensitive jobs. I appreciate your concern and will be happy to explain the justification, in the variety of interviewers, as well as the background checks. As you know, we have had difficulties in the past, in setting aside time for interviews. As positions opened up and applications came in, two Human Resource employees attempted to keep up with the applications received by mail, email and fax. As the two already had a full day’s work on their plates, it became difficult to keep up with the applications. We had been challenged in filling positions in a timely manner. I believe we also may have lost a few top caliber candidates, in taking so much time to respond to them and scheduling interviews out too far. Interviewer Variety By increasing the number of interviewers, we can hopefully proceed in a more timely manner. The idea to enlist a number of employees is one that I have carefully considered for some time. In selecting top candidates, it is important that communications among different staff in our organization occur in a manner that is easily understood. There are additional skill sets that the applicant must have to work in this organization. As different employees possess strengths and weaknesses in various areas, they are more likely to find those strengths and weaknesses in the candidates. For example, our account representatives must possess well developed customer relations abilities. They are also required to do mathematical calculations and at times, estimating. Selecting those employees who have been with us for a while, with highly developed skills in each of those areas, we are able to more accurately determine if candidates are suitable. I intend to select only those employees who are at the top of their game. In other words, those who have been with us for some time and are considered by their department supervisors or managers to be the best at what they do. Those employees, in many cases, also provide oversight in training of new hires. They know what to look for and what questions to ask of candidates. Background Checks You also expressed great concern for the legal aspects of background checks. As you are probably aware, many companies perform extensive background checks on their employees. Criminal or court records are typically public, so accessing such information is not illegal. We also provide opportunity for any criminal charges to be explained on the employment application. Often there is a long enough span of time between the time the act was committed and the time of application, that the employee has had time to correct behaviors, mature and otherwise make necessary lifestyle changes. As for the FBI background check, we will ask this of all employees who handle information regarding customer accounts. Credit Card fraud is a serious problem today and one that we could face severe liabilities over, if it were found to occur within our staff. The FBI checks are limited to employees who will access account information. This applies mostly to account representatives, managers and IT staff. Many companies are concerned about citizenship status of employees. That is because social security numbers can be stolen by those not authorized to be working in the US. “They are zipping the ink stains over to the FBI, calling the Immigration and Naturalization Service to check on legal status” (Scherer, 2002). Our plan is to use an outside firm for the fingerprinting process, who specializes in background checks. We will limit them to those applicants we have identified as top contenders, or those we intend to hire. Though there may be legal ramifications if a candidate is passed over due to results of a background check, it will depend on the nature of the crime and whether our client accounts and other staff would be jeopardized in any matter, from similar crimes. I believe it is better to risk excluding an applicant for a past theft or fraud conviction, than put thousands of client accounts at risk for fraud. The repercussions of Stolen or misused client account information are enormous. Such activity could costs millions in settlements, or even bankrupt our organization, should breeches occur on a broad scale. I hope you will understand my concerns. I am sending a business card to you from a Mr. Fox in Atlanta, who is the branch manager of Choice Point Staffing. He can answer any further questions you may have. He will also be able to provide you with more detailed information on who should be screened. I believe we are taking the right steps to ensure security of client information and safety of our workers. Eze Interoffice Memo Date: 10/22/2007 To: Heinrich Biber, COO From: Eze, CISO RE: New Proposals for computer operations Question 4: Policy regarding production software updates Mr. Biber, I welcome your interest in the new software updates policy. I do believe that distribution of background information is an excellent idea and one that I am willing to provide for the Board Meeting next week. I will have it on your desk before close on Friday, so that it can be distributed well in advance of the meeting. I realize that technical expertise is not your specialty, so I will explain in terms of how the policy affects operations. As you are aware, production can be greatly diminished due to errors or glitches in computerized systems. They eliminate the need for extra manpower, saving us thousands every month. Need for policy However, updates to software, including those developed by our outside software design firm, often cause initial problems with production systems and their ability to understand what is asked or requested. Updates are often not tested before implementation. So, we have no idea whether they will run our production systems smoothly or not. Most do not give us any trouble. As I have mentioned, those that do can cost us in production downtime, which in turn means reduced profits or delays in meeting customer demands. This has caused some worry and some smoothing over with a few clients in the past. I would like to eliminate this concern, so that our sales and account staff can focus on other areas of customer satisfaction. First, I will say that new policy will apply to both pre-tested software provided by our vendors, as well as to application updates from our outside developer. New updates that are required for continued smooth operations are sent to Sophia monthly, or even weekly. We have been attempting to install the updates as soon as they are brought to our attention, as we believe that this provides our systems with the most optimum abilities to meet our production expectations. Adopting New Policy In our eagerness to install the updates, we have run into problems with validation, synchronization and other issues, which have contributed greatly to down time. In the future, each update will be scrutinized and discussed before implementation takes place. We will focus on three key questions: Will it be useful in our product process, is it necessary? And will it require additional technical assistance of our in house IT staff? The decision for ‘go’ or ‘no go’ will then be made. A ‘no go’ may mean that we need more information from the vendor or developer. When the decision to include the update is made, we will schedule the process for a time that does not interfere with production. We will also limit installation to one production center or station at a time. As we do not run full production on our third shift, we will conduct the ‘test run’ of the installed update on this shift. “Once the desired changes have been verified, they can be copied to become the live configuration” ( If all goes well, we will continue with each production station on the third shift, until all stations are updated. If problems occur, they are greatly reduced, by limiting the implementation to one station. Sophia and I have spoken with our vendors and our developer, who are all willing to provide technical assistance for our third shift testing procedure, should it be needed. I hope this helps you explain the new policy to the Board Members. I would be delighted to meet for a racquetball tournament next week. Eze References Global Technology Associates. Automated System Software Updates. Retrieved October 24, 2007 from http://www.gta.com/tech/gbos5/. Scherer, R. (2002). New Steps for Job Applicants: FBI Checks. CS Monitor. Retrieved October 23, 2007 from http://www.csmonitor.com/2002/0201/p03s01-ussc.html. Winkler, I. (1996). Case Study of Industrial Espionage Through Social Engineering. Retrieved October 24, 2007 from http://csrc.nist.gov/nissc/1996/papers/NISSC96/paper040/WINKLER.PDF Read More