Introduction

This chapter presents an overview of the issues relating to securing your company's or client's data -- and ultimately, their business livelihood. The "data security" arena is vast, so to give us a manageable scope we will look at three primary areas: preserving data integrity; long-term storage and retrieval of information; and disaster recovery and business continuity. The key concept behind data security is as follows: preserving the integrity and confidentiality of, and access to, your company's or client's information. Each of the three topic areas is a component supporting this concept.
[ I ] Preserving data integrity

Under the heading of "data integrity" or "real security" are a number of steps to take to make your business more secure. The first step in securing your data is establishing and maintaining strong password security (covered in Chapter 8).

Work with Management

The second step is to develop good working relationships with your management and human resources personnel. The goal is to be "in the loop" when employees are transferred or terminated so that you can take prompt action to adjust or remove the employee's access to company data. The following is a brief check-list of actions to take when an employee is terminated:
No physical security arrangement will defeat a determined thief, spy or saboteur. Designing security for network systems is a balancing act between the real costs of prevention and the potential cost of a failure.
Physical Security

The third step is to secure access to your network servers and other equipment. A good place to start is by locating sensitive equipment in a room with a lock on the door. This will keep out the mischievous and those curious, well-intentioned folks who do so much damage to their own PCs.

When establishing a secure server room or network center, take the time and invest the resources to provide the room with stable electrical power and a good operating environment. A good UPS and air conditioning should come first on the list. More demanding environments such as hospitals, financial institutions, or government installations may require the continuous uptime provided by standby generator systems. After that you can think about such things as temperature alarms, burglar alarms, and fire suppression systems. Tailor your level of security to that needed by the business. Banks and defense contractors need much higher levels of physical security than a company making party favors: judge how much your company is willing to invest accordingly.

Ever Watchful

The last of our steps to securing your company's data is a large one. You must be constantly mindful of what is going on in your environment and the office environment around you. This includes being aware of the human factors in security (Appendix A). Conduct regular audits of user accounts and their associated levels of access. Adjust them as necessary, and don't hesitate to ask management if someone should have access to the information that they do. As time passes and employees move from one job function to another they tend to accumulate access privileges -- some of which they need to do their jobs, and some of which they probably do not need.
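The access audit described above (and the terminated-employee check-list from the "Work with Management" step) can be made routine rather than heroic. The following is an added example, not code from the course; the HR roster, the role-to-group entitlement table and the directory snapshot are constructed sample data, and in practice would be pulled from HR records and the directory service. It reports accounts holding groups beyond their current role, terminated employees whose accounts still carry access, and accounts with no HR record at all.

```python
"""Access-review helper: flag privilege creep and stale access after transfers/terminations.

Added example, not from the course text. The roster, entitlement table and
group memberships below are constructed sample data.
"""
from datetime import date

# Constructed assumption: what each job function legitimately needs.
ROLE_ENTITLEMENTS = {
    "accounting": {"finance-share", "email"},
    "sales": {"crm", "email"},
    "sysadmin": {"finance-share", "crm", "email", "server-admin"},
}

# Constructed HR roster: current role and employment status per user.
HR_ROSTER = {
    "alice": {"role": "accounting", "status": "active"},
    "bob": {"role": "sales", "status": "active"},      # transferred from accounting
    "carol": {"role": "sysadmin", "status": "active"},
    "dave": {"role": "sales", "status": "terminated", "end_date": date(2000, 1, 14)},
}

# Constructed directory snapshot: groups each account actually belongs to.
DIRECTORY_GROUPS = {
    "alice": {"finance-share", "email"},
    "bob": {"finance-share", "crm", "email"},   # still holds finance-share from old job
    "carol": {"finance-share", "crm", "email", "server-admin"},
    "dave": {"crm", "email"},                   # account never disabled
    "mallory": {"email"},                       # no HR record at all
}


def review_access(roster, directory, entitlements):
    """Return a list of (user, finding, detail) tuples for a human reviewer.

    Findings:
      excess-privilege  - groups beyond what the user's current role needs
      terminated-active - a terminated employee who still has any group
      orphan-account    - an account with no matching HR record
    """
    findings = []
    for user, groups in sorted(directory.items()):
        record = roster.get(user)
        if record is None:
            findings.append((user, "orphan-account", sorted(groups)))
            continue
        if record["status"] == "terminated":
            if groups:
                findings.append((user, "terminated-active", sorted(groups)))
            continue
        allowed = entitlements.get(record["role"], set())
        extra = groups - allowed
        if extra:
            findings.append((user, "excess-privilege", sorted(extra)))
    return findings


if __name__ == "__main__":
    for user, finding, detail in review_access(HR_ROSTER, DIRECTORY_GROUPS, ROLE_ENTITLEMENTS):
        print(f"{user:8} {finding:18} {detail}")
```

The report is meant to go to management for a decision, not to be acted on automatically: the script answers "does this access match the person's current job?", and the text's advice to ask management whether someone should have that access still applies to every line it prints.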
If you're probing your company for unsecured dial-in connections, find a good "war dialer" and use it to automate your intelligence gathering. Rest assured that the hackers and industrial spies of the world already use these tools.
Get nosy and ferret out unsecured points of access into the company. A single user who leaves his PC running with a copy of PC Anywhere (a dial-up remote control package) with no password for outside access opens your company to invasion by thieves, vandals, and snoops just as if you'd left the back door standing open at midnight. Dial your company's telephone numbers and make sure you know the identity, purpose, and security behind every line that has a modem answer it. If you find an unsecured point of access do not hesitate to pull the plug until it is made secure.

Take a good look at what goes into your dumpster; make sure that your "trash" isn't ripe to become "treasure" to a "dumpster diver". Invest in a good shredder and use it to destroy old documents and printouts before they go into the trash. In some cases of industrial espionage, it's not who your customers are or what your pricing is, but how you run your company -- your business processes -- that are the real prize.

Ensure that old magnetic and optical media meet the same fate. Destroy, or at least erase, all floppy diskettes and tapes before disposing of them. Don't give away old company PCs or hard disks to employees or charities without first reformatting them. Some business environments will have very stringent requirements for data destruction. And a lot more should, but don't. Information is your company's life-blood; don't ever do anything to willingly give it away.

There are firms that specialize in high security document and media destruction. You can find them in the Yellow Pages and on the web. The workers above are operating a truck-mounted mobile shredder.
Viruses

In addition to watching over what goes in and out of your office, you need to be aware of a threat that moves within your office: viruses. Most computer viruses these days are created by programmer wanna-bes out to prove that they can do it, or people with some bone to pick with society or technology. Some viruses have been created by individuals and companies for specific ends -- to get revenge on an ex-girlfriend or for competitive advantage or profit. Generally they fall into the nuisance category -- the common cold of computing, not HIV or cancer. That does not mean that viruses can be ignored. You should use virus cleaning software to regularly scan your network and client systems for virus infection. You will also need to keep up a constant level of user education about how viruses are transmitted and how to remove them. Below is a table showing the three main types of virus, how they are transmitted, and (generally) what they do.
This document from IBM is a classic on how viruses work, and how to fight them. It was written before the macro virus existed, but the principles still apply 100%.
The macro viruses deserve some special attention, in part because they are relatively new, and in part because they are so easy to spread. Some research organizations estimate that half of all virus infections today are macro virus infections. A macro virus is a clever perversion of a powerful feature built into many office productivity applications. Most apps, such as Microsoft Word and Excel, have powerful programming languages built in. Normally these languages are used to automate functions such as entering data into a form and making sure that it is properly formatted. Excel "macros" -- short programs written in Excel's internal programming language -- can be used to perform sophisticated numerical analysis.
Why Microsoft applications are such common targets will be left to your imagination and judgement.
Macro viruses exploit these programming languages to force the application to replicate the virus code into other data files, and (usually) perform some sort of mischief. The first macro virus -- the Concept virus -- caused MS Word to save all documents as document templates. The Wazoo virus -- another Word macro virus -- randomly deleted words in documents and inserted "Wazoo!" in their place... something both annoying and destructive. The latest MS Word macro virus isn't really a macro virus -- it's written in Microsoft's VBA (Visual Basic for Applications -- an even more powerful language) -- and it exploits the linkages between MS Office applications to automatically propagate itself to the first fifty people in your MS Outlook address book.

The threat of macro viruses for damaging data and frustrating office staff is so large because the virus is in the data, not the application code or the computer operating system. So, any document sent from one system to another via email can instantly transmit the virus. All you need to do is double-click on an infected attachment in your email and your system has the virus too. Because of the asynchronous nature of email, infections reappear over and over again despite repeated virus cleaning. One of the best defenses is email server software that incorporates virus scanning and removal into its mail handling.
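The mail-server defense mentioned above comes down to inspecting each attachment before it reaches a mailbox. The following is an added example, not code from the course or from any mail product: a small screening pass that parses a message, holds attachments of macro-capable Office document types for scanning, and reports a file whose name claims one thing while its bytes say another. The extension list is an illustrative assumption, not an exhaustive one, and the sample message is constructed inline.

```python
"""Mail-gateway attachment screening for macro-capable Office documents.

Added example, not from the course text or any mail product. The extension
list is an illustrative assumption; the sample message is constructed.
"""
import email
from email.message import EmailMessage
from email.policy import default

# Document types of the era that can embed macros (assumption: illustrative, not exhaustive).
MACRO_CAPABLE_EXT = {".doc", ".dot", ".xls", ".xlt"}
# Signature of the OLE2 compound-document container those formats are stored in.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(filename, payload):
    """Return 'quarantine', 'mismatch' or 'pass' for one attachment."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in MACRO_CAPABLE_EXT:
        return "quarantine"        # may carry macros: hold for virus scanning
    if payload.startswith(OLE2_MAGIC):
        return "mismatch"          # Office container hiding behind a harmless name
    return "pass"


def screen_message(raw_bytes):
    """Parse a raw RFC 822 message and return [(filename, verdict), ...]."""
    msg = email.message_from_bytes(raw_bytes, policy=default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        results.append((name, classify_attachment(name, payload)))
    return results


def build_sample_message():
    """Constructed test message with three attachments of different kinds."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Q4 figures"
    msg.set_content("See attached.")
    # 1) Word document: OLE2 header plus filler bytes (constructed, carries no real content).
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 56, maintype="application",
                       subtype="msword", filename="figures.doc")
    # 2) Harmless plain-text note.
    msg.add_attachment("hello\n", filename="notes.txt")
    # 3) OLE2 container renamed to look like a text file.
    msg.add_attachment(OLE2_MAGIC + b"\x00" * 56, maintype="application",
                       subtype="octet-stream", filename="readme.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in screen_message(build_sample_message()):
        print(f"{name:12} {verdict}")
```

Quarantining by type is a holding step, not a verdict: the held file still goes to the virus scanner, and a mismatch between name and content is reason enough to treat a "text" file with the same suspicion as a document.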
[ II ] Long-term storage & retrieval

It is not good enough that we safeguard information stored online. We must also provide for recovery of the online data in the event of some sort of failure or catastrophe, and we must be prepared to deal with the volumes of data that are too large or accessed too infrequently to warrant being stored online, but which still must be preserved. Providing for recovery of online data generally takes the form of backups to tape. However, in computing environments where exposure to downtime would pose unacceptable financial burdens, more exotic technologies are employed. Technologies such as mirroring disk drives and whole servers over long distances (up to several miles) provide for nearly instant recovery from a computing outage. Most of us will operate in environments where daily system backups will provide an adequate ability to recover online information in the event of disaster.

A critical point to understanding the need for long-term data storage and retrieval planning is the following: not all information has to be retained forever, and some should not be. Various laws governing the operation of businesses in the U.S. establish minimum storage intervals for documents, whether they are in paper or electronic form. The primary source of the need to retain business documentation is the tax code. Most business financial records will need to be retained for seven years.

Steps for Action

There are several steps you should take to ensure that your company is protected from exposure to penalties for not retaining documents, and exposure to legal liabilities due to improperly retaining documents that should have been destroyed. Remember -- if a document does not exist it cannot be subpoenaed in a lawsuit. First, you should work with your management to determine what kinds of electronic records warrant long-term retention. Document what must be kept, and for how long.
This document from Hewlett Packard explains the ramifications of relying on technology to safeguard information when the law relies on procedure.
Second, develop documented procedures for purging information that is no longer needed. The documentation will help you in several ways. It will reduce the chance for accidental destruction of information that should be retained, and it will protect both your company and you in the event that you are the subject of legal action. If you have an established policy that calls for the destruction of all memos relating to finished work after one year, then you cannot be called to task in court for having destroyed documents that fall within that criteria. This is where the professional shredding outfits mentioned earlier can come into play.

Third, make sure that you have a means of restoring information that has been archived to off-line storage. The seven year retention interval for IRS records equates to two or three generations of computing technology. This creates an obligation on your part to make sure that a tape written five years ago is still readable by the systems you are using today.

Fourth (and last), be conscious of physical security of your backup media. Store tapes and optical cartridges in a locked, climate controlled room. Don't leave tapes out in the open where the curious or criminally-minded can see and pilfer them. After all, it is much easier to overcome whatever security there is built into your backup tapes than it is to attack your online system head-on.

Electronic mail deserves special attention in this discussion. Some will recall the considerable embarrassment suffered by Microsoft corporation during the trial brought against it by the U.S. Justice Department starting in 1998. Several top Microsoft executives were made to look quite foolish and dishonest when DOJ lawyers read to them copies of their own internal emails. This is far from the first case of electronic mail coming back to haunt its sender. Almost a decade earlier Lt. Colonel Oliver North faced a congressional hearing for actions taken by the Reagan administration in the Iran-Contra scandal. He was there not because he failed to thoroughly destroy the operation's paper trail, but because copies of email regarding the operation had been retrieved by the Iran-Contra Independent Counsel from the White House's IBM PROFS system.

Email poses such a vexing problem because it goes so many places between sender and recipient, and because of how people use email. Modern email systems tend to leave multiple copies of messages lying about as they operate. A copy is saved in the sender's sent mail folder; a copy might hang out on the recipient's mail server; the recipient might save a copy in a folder. Even if they "delete" an email it's still there until they empty their "trash". Even then the email is probably still retrievable from their local or server-based message file. People also tend to be much more free in what they'll say in an email than in more formal business communications (this is part of what got Microsoft in so much trouble). The best advice I can give at this point is this:
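The "document what must be kept, and for how long" and "documented procedures for purging" steps above are easiest to defend in court when the schedule is written down once and applied mechanically. The following is an added example, not code from the course: a retention schedule that encodes the two intervals the chapter mentions (seven years for financial records, one year for memos about finished work) as a constructed assumption, applies it to a constructed archive index, and refuses to authorise destruction of any record class the schedule does not cover. A real schedule comes from management and counsel, not from a script.

```python
"""Records-retention helper: apply a documented retention schedule to an archive index.

Added example, not from the course text. The schedule and the archive index
below are constructed assumptions for illustration.
"""
from datetime import date

# Retention schedule: record class -> years to keep after the record's closing date.
# Constructed assumption encoding the two intervals the chapter mentions.
RETENTION_YEARS = {
    "financial": 7,   # tax-driven retention of business financial records
    "memo": 1,        # policy example from the text: memos on finished work
}

# Constructed sample archive index (what a tape/optical catalogue might list).
ARCHIVE_INDEX = [
    {"id": "GL-1992-Q4", "class": "financial", "closed": date(1992, 12, 31)},
    {"id": "GL-1995-Q1", "class": "financial", "closed": date(1995, 3, 31)},
    {"id": "MEMO-0417", "class": "memo", "closed": date(1998, 6, 1)},
    {"id": "MEMO-0921", "class": "memo", "closed": date(1999, 9, 15)},
    {"id": "MISC-0003", "class": "unknown", "closed": date(1990, 1, 1)},
]


def add_years(d, years):
    """Return d moved forward by whole years (Feb 29 rolls back to Feb 28)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition(record, today, schedule=RETENTION_YEARS):
    """Return 'purge', 'retain' or 'review' for one record as of `today`.

    'review' means the record class is not covered by the documented
    schedule, so nobody is authorised to destroy it automatically.
    """
    years = schedule.get(record["class"])
    if years is None:
        return "review"
    return "purge" if today >= add_years(record["closed"], years) else "retain"


def run_schedule(index, today, schedule=RETENTION_YEARS):
    """Group record ids by disposition; `today` may be a date or an ISO 'YYYY-MM-DD' string.

    The 'purge' list is what goes to the shredding contractor, with this
    output kept as the record of why.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    groups = {"purge": [], "retain": [], "review": []}
    for rec in index:
        groups[disposition(rec, today, schedule)].append(rec["id"])
    return groups


if __name__ == "__main__":
    for action, ids in run_schedule(ARCHIVE_INDEX, "2000-02-05").items():
        print(f"{action:7}: {ids}")
```

Keeping the run's output alongside the documented schedule is the point: it shows that a record was destroyed because the policy said so, on the date the policy said, which is exactly the defence the text describes.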
[ III ] Disaster recovery & business continuity

Computing resources are critical components of a business' processes and livelihood. Any substantial disruption to a business' computing environment can hurt the business both in the long and short term. Computing failures lead to short term loss of revenues, and long term loss of customer confidence and missed opportunities. Research shows that 50% of businesses that suffer an outage of a week or longer will go bankrupt within four years. With that in mind, this section addresses planning for disasters and strategies to ensure continuity of business operations.

The role of IS

When a computing outage occurs it is called a "disaster". Anything that substantially disrupts company operations is a disaster. Our job as Information Systems professionals is to prepare ourselves and our company to recover from a disaster as rapidly and smoothly as humanly possible. Disasters occur on a scale from small to immense. The table below defines the three categories of disaster used in this course:
For more information take a look at the resources available from:
Preparation is the key

Quantifying the type of disaster after the fact will do nothing to restore your business to normal operation. Preparation in advance is the only method for mitigating the effects of a disaster. Just as disasters come in varying shapes and sizes, so do levels of preparedness. The level of disaster preparedness that is appropriate in your organization will depend on the type of business you are in. Financial institutions, hospitals, government agencies, and organizations critical to the national defense will require the highest levels of disaster preparedness. Other businesses whose business practices are very sensitive to computing outages, such as customer service centers, will also have a need for sophisticated disaster recovery planning, as well as business continuity planning. Business continuity planning differs from disaster recovery planning in that DRP is centered on restoring what has been destroyed, while BCP centers on continuing business operations while the recovery is going on.

Plans and testing

The bottom of the ladder of preparation is "none" -- you have no plan at all for recovery from a disaster. Too many small and midsized businesses operate in this mode. The first step up from the bottom is having an "informal" plan. Having an informal plan means that you have discussed recovery options with your peers and your management. Nothing has been committed to paper, but you have thought about it and hopefully outlined how you would respond to likely disasters. The top of the ladder is a "professional" plan. With professional level planning your disaster recovery plans are documented, communicated throughout your organization, and tested in advance. Without periodic testing you have no way of knowing if the disaster recovery plan you have crafted is a logistical masterpiece, or a weak plan that leaves so much out that it isn't worth the paper it's printed on.

In truth, preparedness is only half of the equation; testing is the other half. The following table outlines steps you can take to prepare your business to recover from a disaster. They are grouped into categories from "basic" steps to "advanced" steps:
The information presented here is not meant to provide you with a recipe for disaster recovery, but to make you aware of the things you need to think of in devising a disaster recovery plan that fits your business' needs. It cannot be stated enough: thorough preparation and testing are the only methods that will preserve your company (and your job) if the unthinkable happens to you.
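The smallest test that fits the "testing is the other half" point is a restore drill: take a backup, restore it somewhere else, and prove that what came back is what went in. The following is an added example, not code from the course: it records a SHA-256 manifest at backup time, then verifies a (deliberately flawed) restore against it, reporting files that came back intact, corrupted, missing, or that appeared from nowhere. All paths and file contents are constructed in a temporary directory so the script runs stand-alone.

```python
"""Backup restore drill: write a manifest at backup time, verify it after a test restore.

Added example, not from the course text. The sample files and the simulated
restore are constructed; a real drill verifies a restore from actual media.
"""
import hashlib
import json
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 so large backups don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(source_dir):
    """Return {relative_path: sha256} for every file under source_dir (store this with the backup)."""
    manifest = {}
    for root, _, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, source_dir)] = sha256_of(full)
    return manifest


def verify_restore(restore_dir, manifest):
    """Compare a restored tree with the manifest; return a report of ok/missing/corrupt/unexpected."""
    report = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for rel, digest in manifest.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.exists(path):
            report["missing"].append(rel)
        elif sha256_of(path) != digest:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    for root, _, files in os.walk(restore_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), restore_dir)
            if rel not in manifest:
                report["unexpected"].append(rel)
    return report


def drill():
    """Simulate a backup, a flawed restore and the verification; return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source")
        dst = os.path.join(tmp, "restored")
        os.makedirs(os.path.join(src, "ledger"))
        # Constructed sample data standing in for real business records.
        files = {
            "ledger/1999.csv": b"acct,amount\n1000,42.00\n",
            "payroll.txt": b"constructed payroll file\n",
            "memo.txt": b"finished-work memo\n",
        }
        for rel, data in files.items():
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        manifest = write_manifest(src)
        # Simulated restore: one file intact, one truncated (bad media), one never restored.
        os.makedirs(os.path.join(dst, "ledger"))
        with open(os.path.join(dst, "ledger/1999.csv"), "wb") as f:
            f.write(files["ledger/1999.csv"])
        with open(os.path.join(dst, "payroll.txt"), "wb") as f:
            f.write(b"truncated")
        report = verify_restore(dst, manifest)
        report["passed"] = not (report["missing"] or report["corrupt"])
        return report


if __name__ == "__main__":
    print(json.dumps(drill(), indent=2))
```

The manifest doubles as the answer to the chapter's "is a five-year-old tape still readable?" obligation: if the restore drill on old media cannot reproduce the recorded digests, the plan has failed before any disaster has happened, which is when you want to find out.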
[ IV ] CONCLUSION

Chapter nine presents a high level overview of the techniques for securing your company's information, protecting it from legal action, and preparing for the 'unthinkable'. At this point you should be able to evaluate a network for weaknesses and participate meaningfully in disaster recovery preparations. Go through the questions in the Self Check section below to gauge your understanding of these topics.
[ V ] SELF CHECK
1998, 1999, 2000 Shipman. Created 3-30-98. Updated 2-5-00.