In Part One of my blog series aimed at breaking down each section of Online’s security policy, we looked at some general best practices surrounding the development of a security policy. This included answering the question of “why develop a security policy?” and went into detail about developing the scope of content contained within. Part Two analyzed the organizational roles and responsibilities needed to implement an effective security policy. Now let’s take a look at how Electronic Communication plays into an effective policy.
As the world continues to become more interconnected, more and more of our communications are taking place electronically. I mean, when is the last time you actually wrote someone a letter? As a result, our work and personal lives continue to become more intertwined, and it’s easy to lose sight of what’s confidential (e-mails sent through a work account) versus what’s personal (e-mails sent through a personal account). With that said, and this should come as no surprise, it is of vital importance that you treat company information (heck, even your own sensitive information) in a way that keeps it reasonably protected.
All users must apply the right amount of security controls to the data they are communicating. Keep in mind that any company data is owned by the company and not by you, even if it happens to sit on the laptop or mobile device that you’re carrying around as we speak. Most organizations reserve the right to monitor and review any message sent, created, or received by you through company accounts. This is not a ‘big brother’ thing – if you are using company resources, company data, or company systems (including e-mail), then any company practicing proper due diligence ought to reserve this right.
If you are using company e-mail and other messaging systems, remember that anything you write via e-mail, even if it was intended to go to just one recipient, could end up in the hands of many people (have you ever hit ‘reply all’ by mistake?) or, worse yet, in the hands of competitors or rogue states. You always have to be careful about what you write, not only on company resources, but even on your personal e-mail/social media. Windows is not just an Operating System – in the world of interconnectivity, we all live in glass houses.
What does this mean for me?
- Practice good karma. Anything you write that is considered offensive or disparaging could come back to haunt you. This includes graphic images, racial/gender slurs, or anything that might offend someone because of their age, sexual orientation, gender, religious or political beliefs, national origin, disability, or any other protected basis, or which would constitute harassment.
- If it’s sensitive data, think twice before hitting the send button.
- Do NOT use non-company approved communications platforms (Gmail, Yahoo, etc.) to transmit sensitive company data.
- Use only company-approved communications mechanisms for e-mailing and collaborating.
- PLEASE don’t ever send sensitive data like credit cards or Driver’s License numbers, etc. over unencrypted email. You may as well just leave your front door open.
- If you DO need to send sensitive information via email or some other messaging platform, make sure that you are doing so with the right safeguards to help protect that message. Confidential and Sensitive information assets must be encrypted during transmission over networks where it could be subject to being intercepted, modified, or
Many of us are technologists at heart and we are interested in the next awesome tool to allow us to do more with less. That said, do not be the first one to attempt using new tools, platforms, SaaS solutions, etc., without conferring with your security team – it only takes one well-intentioned but badly executed move to put the entire company in jeopardy.
In my next blog, I will be covering the acceptable use portion of security policies.
Are you looking for guidance on creating or reviewing your organization’s security policies? Feel free to reach out to me directly or leave a comment below.