Information Security: For Small Business
About Me
Julius Clark Sr.
Location: Charlotte, NC (current home, residing in Charlotte for over 10 years)
Hometown: Boston, MA
Profession
BDPA History
2010-2012 Charlotte President
2010-2012 National BDPA CISO
2007-2009 Charlotte President-Elect
2004-2006 VP of SITES (Education)
2001-2003 Charlotte HSCC Coordinator
Education
BS in Electronic Engineering, Wentworth Institute of Technology, Boston, MA
Certifications
Agenda
Information Security for Small Business
IT Security & Business Wholeness
Agenda (Continued)
Highly Recommended IT Security Practices
IT SECURITY & BUSINESS WHOLENESS
Statistic:
There are over 26
million small businesses
in the U.S.
Source: NIST
What Is At Stake?
Your Business!
WHAT IS INFORMATION SECURITY?
Confidentiality
Integrity
Availability
Integrity
Integrity addresses two objects: protecting data and processes from improper modification, and ensuring that the operations performed on the information are reliable and behave as expected.
COMPONENTS OF
INFORMATION SECURITY
ARCHITECTURE
Components of Information Security Architecture
The process of instituting a complete information security solution across the architecture of a business, ensuring the security of business information at every point in the architecture.
People
Processes
Technology
Components of Information
Security Architecture
People
People are the weakest
link of a business process.
You all know why!
Components of Information
Security Architecture
Processes
The operational aspects of
small business.
Safeguards can be
automated or manual.
Components of Information Security Architecture
Technology
All of the tools, applications, software, and infrastructure that allow a business process to work and perform efficiently. As a business owner you must therefore ensure that you have adequate logical controls in place to keep you on track with your business mission or purpose.
CYBER CRIME
IN THE NEWS
Their Roles:
Experimenters
Hacktivists
Cyber criminals
Information Warriors
Employees
Dumpster divers
Natural disasters
Terrorist activities
Malicious Code!
Key loggers: stealing your keystrokes
Viruses
Denial of service
Turning your computer into a zombie, aka a bot
What happens if there is a disaster (flood, fire, tornado, etc) or a contingency (power outage,
sewer backup, accidental sprinkler activation, etc)? Do you have a plan for restoring business
operations during or after a disaster or a contingency? Since we all experience power outages or
brownouts from time to time, do you have Uninterruptible Power Supplies (UPS) on each of your
computers and critical network components? They allow you to work through short power outages
and to save your data when the electricity goes off.
Conduct an inventory of all information used in running your business.
Do you know where each type of information is located (on which computer or server)?
Have you prioritized your business information so that you know which type of information is most
critical to the operation of your business and, therefore, which type of information must be
restored first in order to run your most critical operations?
If you have never (or not recently) done a full inventory of your important business information,
now is the time. For a very small business, this shouldn't take longer than a few hours. For a
larger small business, this might take from a day to a week or so.
While you are doing this inventory, ensure that the information is prioritized relative to importance
for the entire business, not necessarily for a single part of the business. When you have your
prioritized information inventory (on an electronic spreadsheet), add three columns to address the
kind of protection that each type of information needs. Some information will need protection for
confidentiality, some for integrity, and some for availability.
IDENTIFYING BUSINESS
CRITICAL ASSETS
SAFEGUARDING
CRITICAL ASSETS
People
Processes
Technology
People
Processes
Technology
1. Protect information, systems, and networks from damage by viruses, spyware, and other malicious code.
3. Secure your wireless access points and networks.
4. Install and activate software firewalls on all of your business systems.
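An added example (not part of the original slides) for items 1 and 4 above: audit whether the host anti-malware and the host firewall are actually on, and turn them on if not. It assumes a Windows 8.1 / Server 2012 R2 or later machine running Microsoft Defender, an elevated PowerShell session, and the Defender and NetSecurity modules that ship with those versions; the function names and the three-day signature threshold are this example's own choices.

```powershell
# Added example, not from the original slides: check and enforce anti-malware and
# host-firewall settings on one Windows host. Run elevated.
function Get-EndpointBaseline {
    $av = Get-MpComputerStatus
    $fw = Get-NetFirewallProfile
    [pscustomobject]@{
        AntivirusEnabled    = $av.AntivirusEnabled
        RealTimeProtection  = $av.RealTimeProtectionEnabled
        SignatureAgeDays    = $av.AntivirusSignatureAge
        QuickScanAgeDays    = $av.QuickScanAge
        # Profiles (Domain/Private/Public) where the firewall is switched off
        FirewallProfilesOff = @($fw | Where-Object { $_.Enabled -ne 'True' } |
                                Select-Object -ExpandProperty Name)
        # Profiles that let unsolicited inbound connections through by default
        InboundAllowed      = @($fw | Where-Object { $_.DefaultInboundAction -eq 'Allow' } |
                                Select-Object -ExpandProperty Name)
    }
}

function Test-EndpointBaseline {
    $b = Get-EndpointBaseline
    return ($b.AntivirusEnabled -and $b.RealTimeProtection -and
            $b.SignatureAgeDays -le 3 -and          # threshold chosen for this example
            $b.FirewallProfilesOff.Count -eq 0 -and
            $b.InboundAllowed.Count -eq 0)
}

function Repair-EndpointBaseline {
    # Firewall on for every profile, block unsolicited inbound by default
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
    # Real-time protection on, then fetch current signatures
    Set-MpPreference -DisableRealtimeMonitoring $false
    Update-MpSignature
}

if (-not (Test-EndpointBaseline)) { Repair-EndpointBaseline }
Get-EndpointBaseline | Format-List
```

If Defender's tamper protection is enabled, Set-MpPreference will refuse to change real-time monitoring from a script; that is the intended behaviour, and the setting then has to be changed through the Security Center or your management tool. Run the audit function on every business system, not just the server: a laptop on a coffee-shop network with the Public profile disabled is exactly the gap item 4 is about.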
HIGHLY RECOMMENDED
IT SECURITY PRACTICES
Do not click on links in email messages. Recently, scams have taken the form of links embedded in emails: once the recipient clicks the link, malicious software (for example, keystroke logging software) is installed on the user's computer. Don't click unless you know what the web link connects to and you trust the person who sent you the email. Hovering over a link shows its real destination, which in a scam message is usually not the address printed in the text.
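An added example (not from the original slides) of the check just described, done for a whole message at once: pull every link out of an HTML email and compare where the text says it goes with where the href actually goes. The sample message, the function name and the three rules it applies (text/host mismatch, bare IP address, non-HTTPS) are this example's own; the message is constructed for illustration and is not a real scam.

```powershell
# Added example, not from the original slides: list each link in an HTML message with
# a verdict, so the decision to click is made on the real destination.
$sampleHtml = @'
<p>Your invoice is ready: <a href="http://203.0.113.10/login">https://www.example-bank.com/login</a></p>
<p>Questions? See <a href="https://support.example.com/help">our help page</a>.</p>
'@

function Get-SuspiciousLinks {
    param([Parameter(Mandatory)][string]$Html)

    # Capture the href and the visible anchor text; accept single or double quotes
    # and anchors that span several lines.
    $pattern = '<a\s+[^>]*href\s*=\s*["'']([^"'']+)["''][^>]*>(.*?)</a>'
    foreach ($m in [regex]::Matches($Html, $pattern, 'IgnoreCase, Singleline')) {
        $href    = $m.Groups[1].Value
        $text    = ($m.Groups[2].Value -replace '<[^>]+>', '').Trim()   # strip inner tags
        $reasons = @()

        $target = $null
        if (-not [System.Uri]::TryCreate($href, [System.UriKind]::Absolute, [ref]$target)) {
            $reasons += 'href is not an absolute URL'
        } else {
            # If the visible text is itself a URL, its host must match the real target host.
            $shown = $null
            if ([System.Uri]::TryCreate($text, [System.UriKind]::Absolute, [ref]$shown) -and
                $shown.Host -ne $target.Host) {
                $reasons += "text shows $($shown.Host) but link goes to $($target.Host)"
            }
            if ($target.HostNameType -in 'IPv4', 'IPv6') {
                $reasons += 'link goes to a bare IP address'
            }
            if ($target.Scheme -ne 'https') {
                $reasons += "link is not HTTPS ($($target.Scheme))"
            }
        }

        $verdict = if ($reasons) { 'SUSPICIOUS: ' + ($reasons -join '; ') } else { 'looks consistent' }
        [pscustomobject]@{ Text = $text; Href = $href; Verdict = $verdict }
    }
}

Get-SuspiciousLinks -Html $sampleHtml | Format-Table -AutoSize -Wrap
```

For the constructed message the first link is reported three times over (host mismatch, bare IP, plain HTTP) and the second as consistent. "Looks consistent" is not "safe": a link whose text and target agree can still point at a look-alike domain, which is why the slide's rule about trusting the sender still applies.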
When connected to and using the Internet, do not respond to popup windows asking you to click OK for anything.
If a window pops up on your screen informing you that you have a virus or spyware and suggesting that you download an antivirus or antispyware program to take care of it, close the popup window by selecting the X in the upper right corner of the popup window.
Hackers are known to scatter infected USB drives with provocative labels in public places where their target business's employees hang out, knowing that curious individuals will pick them up and take them back to their office system to see what's on them. What is on them is generally malicious code that installs a spy program or remote control program on the computer. Teach your employees not to bring USB drives into the office and plug them into your business computers (or take them home and plug them into their home systems). It is a good idea to disable the AutoRun feature on your business computers to help prevent such malicious programs from running.
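An added example (not from the original slides) of the AutoRun change recommended above, done by registry policy so it survives a reboot and applies to every user. The registry key and the two value names are Windows' own; the function names are this example's own. It assumes an elevated PowerShell session on a single machine (in a domain you would set the same values through Group Policy instead).

```powershell
# Added example, not from the original slides: turn off AutoRun/AutoPlay for all drive
# types by policy and verify the result. Run elevated.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Disable-AutoRun {
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # NoDriveTypeAutoRun is a bitmask of drive types; 0xFF covers all of them
    # (removable, fixed, network, CD/DVD, RAM disk, unknown).
    Set-ItemProperty -Path $policyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
    # NoAutorun = 1 stops autorun.inf from being honoured at all, on any media.
    Set-ItemProperty -Path $policyKey -Name 'NoAutorun' -Value 1 -Type DWord
}

function Test-AutoRunDisabled {
    $p = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    return ($null -ne $p) -and ($p.NoDriveTypeAutoRun -eq 0xFF) -and ($p.NoAutorun -eq 1)
}

Disable-AutoRun
if (Test-AutoRunDisabled) {
    'AutoRun disabled for all drive types'
} else {
    Write-Warning 'AutoRun policy was not applied; check that the session is elevated'
}
```

Two caveats. Windows 7 and later (and XP/Vista with the KB971029 update) already ignore autorun.inf on USB drives, so on current systems this policy mainly closes the CD/DVD case and the AutoPlay prompt. And it does nothing about the larger risk in the scenario above: an employee who opens the files on the drive by hand. That part is training, plus the anti-malware control from the Technology list.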
When disposing of old business computers, remove the hard disks and destroy them. The destruction can be done by taking apart the disk and beating the hard disk platters with a hammer.
It is very common for small businesses to discard old computers and media without destroying the computers' hard disks or the media. Deleting the files or reformatting the drive is not enough: the data is still there and is readable with ordinary recovery tools. Sensitive business and personal information is regularly found on computers purchased on eBay, thrift shops, Goodwill, etc., much to the embarrassment of the small businesses involved (and much to the annoyance of customers or employees whose sensitive data is compromised).
Consider using full disk encryption if you handle sensitive data and information. It also protects a laptop that is lost or stolen, and a disk that was encrypted from the day it went into service holds nothing readable once its key is gone.
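An added example (not from the original slides) for the full disk encryption recommendation: find fixed volumes BitLocker is not protecting, and protect the operating system drive with the TPM plus a recovery password. It assumes Windows 8 / Server 2012 or later with the BitLocker module, a TPM, and an elevated session; the function names are this example's own, and the XtsAes256 method requires Windows 10 1511 or later (use Aes256 on older systems).

```powershell
# Added example, not from the original slides: BitLocker status report and enablement
# for the OS volume. Run elevated on a machine with a TPM.
function Get-UnprotectedVolumes {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' -and
                       ($_.VolumeStatus -eq 'FullyDecrypted' -or $_.ProtectionStatus -eq 'Off') } |
        Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus
}

function Protect-OsVolume {
    param([string]$MountPoint = $env:SystemDrive)

    # Add the recovery password first and get it off this machine (print it for the
    # safe, or escrow it in AD/Azure AD) before encryption starts. Without it a failed
    # TPM or a motherboard swap makes the data unrecoverable, which is the availability
    # side of the CIA triad biting back.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $recovery = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object -ExpandProperty RecoveryPassword
    Write-Host "Recovery password for $MountPoint (store it off this machine): $recovery"

    # TPM unlocks the drive at boot; encryption runs in the background after this call.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
}

$unprotected = Get-UnprotectedVolumes
if ($unprotected) {
    $unprotected | Format-Table -AutoSize
    Protect-OsVolume
} else {
    'All fixed volumes are protected by BitLocker'
}
```

Run the report part on its own first across the office machines before enabling anything; a data volume that shows FullyDecrypted on the server is usually the one holding the customer spreadsheet. Encryption does not replace the disposal advice above, but a drive that has been encrypted from the start can be retired by destroying the disk and the recovery password together rather than relying on the hammer alone.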
Small Business Information Security : The Fundamentals (Security Guide for Small Business)
http://csrc.nist.gov/publications/drafts/ir-7621/draft-nistir-7621.pdf
Small Business Center Documents
http://csrc.nist.gov/groups/SMA/sbc/library.html
Closing Remarks
Remember the IT Security
Triad!
The Information Security Triad is
the foundation for Information
Security and is based on
concepts and principles known
as CIA.
Confidentiality
Integrity
Availability
References
Surviving Security: How to Integrate People, Process and Technology, 2nd Edition
http://www.isaca.org/Template.cfm?Section=Home&CONTENTID=27320&TEMPLATE=/ContentManagement/ContentDisplay.cfm
Introduction to the Business Model for Information Security, 2009, ISACA
http://www.isaca.org
Small Business Information Security: The Fundamentals (Security Guide for Small Business)
http://www.nist.gov/cgi-bin//get_pdf.cgi?pub_id=903080
Small Business Center Documents
http://csrc.nist.gov/groups/SMA/sbc/library.html
InterHack, Information Security: Friend or Foe, 2002
http://web.interhack.com/publications/whatis-security.pdf
Contact Information
Julius Clark
Email: Julius.Clark.Sr@gmail.com
Tel: 704-953-379
Blog:
www.clarkthoughtleadership.blogspot.com