Information Security Basics
One of leadership's primary obligations is to protect corporate information, and the information of customers, associates, and employees, placed in their custody. It is leadership's responsibility to ensure that every employee understands the corporate concern with the protection of information.
An effective information protection program cannot be defined solely in terms of trust. Rather, it must be based upon the same prudent business practices that applied to earlier manual systems: careful definition of individual responsibilities, separation of controls, maintenance of audit trails, protection of vital records, and access to information limited on a "need to know" basis. These are all controls, and they are exactly what auditors look for.
Sound business practices include policies, procedures, controls, reviews, and especially separation of duties. However, sound business practices require more than well-written practices to be effective. They must have real and continued management backing and involvement. Management must be proactive regarding sound business practices. They must let their people know, through example, that the practices are important. They must take pride in their program. They must help bring about attitudinal changes in their people through strongly administered awareness programs, bringing about a clear understanding of the reasoning behind sound business practices, instilling real concern about information protection, and instilling dissatisfaction with anything less than excellent execution. Executive leadership must ensure that newly appointed management is apprised in detail of the sound business practices in place, and of the pride taken in them, and that existing management is refreshed annually.
In addition, to be successful with sound business practices, management must also organize their team so there are clearly defined roles and responsibilities, with no conflicts of interest. Separation of responsibilities must be an integral part of sound business practices. Training must be provided as required.
Further, management must also learn to manage "smarter". The multitude of sound business practices required to address the major audit concerns and issues, and the associated workload to do so, mandates that management be imaginative in administering the responsibilities to put the sound business practices initially in place, and to maintain them on an ongoing basis.
Both federal and state regulations exist that relate to the control of, and authorized access to, information and computer resources. The Foreign Corrupt Practices Act of 1977 made most corporate managers and directors personally liable for assuring that "transactions are properly authorized, transactions are properly recorded, and access to assets is properly controlled". Management must provide shareholders with reasonable assurance that accurate books and records are properly maintained, and that the business is adequately controlled.
The Copyright Act of 1976 reaffirmed that computer programs and software are protected under the Federal Copyright Law. One must read and understand licensing agreements before attempting to make copies of programs or documentation. All states in the United States have enacted Computer Crime Laws that establish specific penalties for unauthorized persons attempting to access a computer system, or for assisting someone in gaining unauthorized access to a computer system.
Every employee must understand the rationale behind the sound business practices in place. To facilitate that goal, an ongoing awareness program to educate employees about the practices should be established. At a minimum, management should make information protection awareness a key element of each job description and a part of each employee's annual evaluation.
The main responsibility for a successful implementation of sound business practices lies with people. Awareness and understanding are necessary to develop information-protection-conscious work habits.
Adherence to Corporate Information Protection Policies, implementation of local procedures, promoting awareness, administering appropriate information access, reviewing access violations, etc., are all administrative concerns. Each manager is responsible not only for the protection and integrity of the assets under their control, but also for compliance with Corporate Information Protection Policies and Procedures. Each manager must make the necessary risk management decisions that take into account the unique environment in which their resources are used, and must be prepared to justify those decisions during an audit.
Information Security and protection cannot be assured without the implementation of the "BASICS."