A Company Model for Developing Policies and Procedures

Posted on 1, Jun | Posted by Christine L. Peterson, CPP, ISP

While attending the NCMS Carolinas Chapter meeting at Cisco Systems recently, I saw a presentation by Mark Whitteker, MSIA, CISSP, ISP. Mark comes out of the IT security world, so most of his presentation focused on IT security. He also presented a segment on Building a Comprehensive Security Architecture Framework that might benefit all of us. What Mark shared with the group is a pragmatic approach to creating and updating policies and procedures that could be used by any organization. When implemented, this process creates a customizable framework that gives an organization a stable foundation on which to prosper.

In general, policies establish the strategic objectives and priorities of an organization. They set the standards and expectations for the population. From a security perspective, they are a powerful tool because they identify roles and responsibilities and provide for accountability. Policies establish responsibilities and expectations for every population within an organization, which should include all employees, contractors, visitors, and any other personnel on site. As Mark’s flow chart below demonstrates, procedures are developed much later in the process. Procedures are the detailed implementation instructions individuals follow to carry out the policies. They are often presented as forms or as lists of steps to be taken.

Why is this so important from a security perspective? All security events are caused by people who either intentionally do something to obtain, injure, or destroy an asset, or unintentionally do something due to lack of knowledge or understanding. Therefore, unless an organization can protect all of its assets (human, capital, and reputation) from the nefarious or inadvertent actions of others at all times, it needs a security program that deters, detects, and defends business assets every day, all the time. Most businesses are not Fort Knox (which, by the way, is not immune from security events), and security-related policies and procedures are a critical tool that businesses can use to defend against the human threat.

What I believe Mark’s flow chart does is provide a systematic approach to the development of policies based on industry standards in a manner that can be applied company-wide.

policy and procedure flow chart

In any organization that is evaluating its policies or putting policies in place, the place to start is the industry standards for the area the policy will cover. Areas such as lighting, egress, the protection of trade secrets, IT security, and the protection of classified and/or personal information are just some of the areas where security industry standards are available. In addition to industry standards, security best practices play an important role in any company’s security program; these may be industry-specific or provide general guidance. In the absence of standards, companies are and will be judged against recognized best practices. Premises liability is a prime example of where this applies: an organization’s ability to defend itself against litigation depends on its ability to establish that a security program was in place to respond to threats it was aware of or should have been aware of. Similarly, if an organization has to defend itself against a compliance violation, or establish that it is due damages for the loss of trade secrets, it must be able to demonstrate the protective measures that were in place to protect that information. In all cases, security-related policies will be a key component of the security program.

There are many sources for security-related standards and best practices. Organizations such as ASIS International, the International Association for Healthcare Security & Safety (IAHSS), and the National Classification Management Society (NCMS) are good starting points for this kind of information.

Policies are the guidance necessary to protect your organization’s assets. When establishing those guidelines, look to industry standards and best practices for a general framework. Policies should be high-level and solution-agnostic in order to minimize the need to revisit them as technology changes. Implementation details should be left to the policy standards.

Policy Standards are the specific technical implementation requirements that satisfy the policies. Within a policy, these should appear as hyperlinks or references to separate policy standard documents rather than being detailed in the policy itself. This enables an organization to modify or update the standards as technology advances without requiring a policy change and the resulting review and approval by senior management.

Policy Implementation is about communication (who, what, when, where). Considerations include:

  • Who does this policy apply to?
  • What do you want them to do?
  • When does it apply?
  • When and how will the population be trained?
  • When and where will the population get additional awareness reinforcement?

Procedures are the guidance individuals will need in order to comply with the policy. They provide the detailed, step-by-step instructions users must follow to implement controls according to the latest standards.

Services provide the population with information about the support services that are available to them. In this case we are referring to security-related services, but the same approach could be applied in other areas of the business. If services are considered at the front end of the process, communication will be better, and the professionals responsible for implementing the policy and procedures are more likely to have the resources they need to give the population the tools and support needed to comply.

Measuring Success brings the process full circle and puts in place a system of continuous quality control and improvement. Things change; populations change; and industry standards and best practices change. There should be a process to measure success and allow the organization to adapt.

In the world of security, the best that any organization can hope for is to have the internal and external controls in place to divert persons with nefarious intent. It’s kind of like termites: if we can’t eliminate them, let’s at least make it so uncomfortable that they move somewhere else, because there are lots of unprotected opportunities.


Data Security: Where there is data, there should be policy

Posted on 30, Mar | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

The recent report by the Wall Street Journal about the Morgan Stanley breach scares me as an employee. Reportedly Galen Marsh, a financial adviser for Morgan Stanley, was fired for allegedly stealing account information from about 350,000 wealth management clients and posting some of it online. The part that concerns me is the reports that federal law enforcement officials are focusing their probe on the possibility that Marsh’s computer was hacked. (Full story here.)

I have not reviewed the full report nor have I looked deeply into the incident. My attention was drawn to the consequences that befell Mr. Marsh and the slim possibility that he did nothing wrong. It seems that in this day of BYOD – Bring Your Own Device – and the use of laptops and mobile devices by employees, it is time for there to be a clear understanding about the company’s responsibilities and the individual employee’s responsibilities. This is not to suggest that an employee’s first question should be “Will I get fired if this laptop is hacked and company data is stolen?” when presented with a company laptop. There should be a clear understanding between the company and the employee what is expected of each as it relates to the security and control of any electronic device that contains company data.

The foundation of this understanding begins with a good company policy. A policy should be specific regarding the proper use of electronic devices. It should also indicate who is responsible for areas such as email security, data security, acceptable use, and physical security of the device. A policy should be a living document: an electronic device policy that covers laptops should be reviewed at a minimum once a year. Policies should also be flexible, since some employees may take a laptop home and some may not.

Companies should give employees a chance to review policy before they sign it and allow them to ask questions. I suspect Morgan Stanley utilizes policies that cover the use of laptops by employees for work purposes. I doubt the employee thought he would get fired if the laptop was hacked and client data was exposed. What if the employee were a CFO or CEO?

There is most likely a lot more to this story than has been made public, but the heart of the matter is, as an employee, make sure you are fully aware of what the company expects as it relates to the use of company data and company provided electronic devices.


RMA Awarded South Carolina Federal Credit Union Security Assessment Project

Posted on 24, Feb | Posted by RMA

RMA will perform a physical security assessment, including a threat assessment, of the South Carolina Federal Credit Union (SCFC) Corporate Office and 17 branches. As part of the assessment, RMA will review existing security programs, security officer duties, reporting structure, and job descriptions. Members of the RMA team will travel to 18 different sites in South Carolina to become familiar with SCFC security practices, completing a physical assessment and interviews and reviewing security programs and security officer responsibilities at the corporate office and at each of the 17 branch offices.

South Carolina Federal is a community-chartered credit union with 17 branches and more than 50 ATMs throughout Charleston, Georgetown and Columbia. South Carolina Federal Credit Union offers a full range of financial services including savings and investments, checking, credit cards and loans.


RMA Awarded DHSS – State Laboratory of Public Health Security Assessment Project

Posted on 17, Feb | Posted by RMA

RMA will conduct a physical security assessment of the North Carolina Department of Public Health State Laboratory of Public Health and Office of the Chief Medical Examiner. The security assessment will include site interviews, physical and electronic security assessments, and a review of the policies and procedures.

The State Laboratory of Public Health provides certain medical and environmental laboratory services to public and private health provider organizations responsible for the promotion, protection and assurance of the health of North Carolina citizens.


RMA Teams with Perkins & Will to Provide a Security Assessment of Piedmont Electric Membership Corporation

Posted on 12, Feb | Posted by RMA

RMA has teamed with Perkins & Will, a global architecture and design firm, to provide a security assessment to Piedmont Electric Membership Corporation. The security assessment will include a physical security review of building exteriors and a review of security systems technology.

Perkins & Will is an interdisciplinary, research-based architecture and design firm established in 1935. Each of the firm’s 24 offices focuses on local, regional and global work in a variety of practice areas. Perkins & Will is recognized as one of the industry’s preeminent sustainable design firms due to its innovative research, design tools, and expertise.

Piedmont Electric Membership Corporation is a Touchstone Energy Cooperative in Hillsborough, North Carolina. Piedmont Electric is a nonprofit electric utility serving 31,000 consumers in parts of Alamance, Caswell, Durham, Granville, Orange and Person counties.


Chris Peterson Published in Campus Safety Magazine

Posted on 3, Nov | Posted by RMA

“Public Safety Departments Need More Resources, Support to Comply With Clery & SaVE” was published in Campus Safety Magazine on November 3, 2014.

The Clery Act, together with the newly enacted SaVE requirements and Title IX, is federal legislation that requires colleges and universities participating in federal financial aid programs to maintain and disclose campus crime statistics and security information. Clery Act compliance is a requirement of the entire institution, not just the security or police department. This is an important distinction and one that too many college and university administrators fail to recognize and embrace. Until administrators recognize this distinction and put in place top-down responsibility and accountability for Clery Act compliance, institutions will be at risk from a compliance and litigation perspective.

To read the entire article, please visit Campus Safety Magazine.


Chris Peterson Guest Speaker on Radio Station WCOM 103.5

Posted on 2, Apr | Posted by RMA

On Tuesday, April 1, 2014, Chris Peterson was the guest speaker on the program “Focus on Business,” hosted by Lea Strickland, which aired on radio station WCOM 103.5. “Focus on Business” provides insights, information and perspective on building strong, sustainable businesses that in turn build sustainable communities. Guests include area business leaders, experts and professionals who share their experience. If you want to start, expand, grow or repair a business, tune in.

Chris and Lea discussed fraud in the workplace, noting that a typical company loses 5% of its revenue to fraud each year. The discussion expanded to the vulnerabilities created when employees bring their own electronic devices, including phones, tablets and computers, into the workplace.

WCOM 103.5 is a listener-supported, volunteer-powered community radio station located in Carrboro, North Carolina. The mission of WCOM is to educate, inspire, and entertain the diverse populations of Carrboro, Chapel Hill and nearby areas. The station cultivates local music and facilitates the exchange of cultural and intellectual ideas, with particular regard for those who are overlooked or under-represented by other media outlets. It provides a space for media access and education by providing equipment and training to the community. “Focus on Business” airs on Tuesdays from 12:00 – 1:00.


Christine Peterson and Marty Coolidge Present at Institute of Management Accountants Luncheon

Posted on 28, Feb | Posted by RMA

Christine Peterson and Marty Coolidge presented at the IMA NC Triangle Chapter and the Carolinas Council Annual Winter Conference on February 28, 2014, at the Prestonwood Country Club in Cary, NC. The presentation, titled “Enemies at the Gate or Are They Already Inside?”, focused on fraud and abuse in the workplace, which costs businesses on average 5% of revenue per year.

IMA is the worldwide association of accountants and financial professionals working in business. They are committed to helping more than 65,000 members to expand professional skills, better manage organizations, and enhance careers. For more than 90 years, IMA has been a champion of – and resource for – the financial management and accounting profession. The organization was founded in Buffalo, N.Y., in 1919 as the National Association of Cost Accountants (NACA) to promote knowledge and professionalism among cost accountants and foster a wider understanding of the role of cost accounting in management.


RMA Presents at CSI Week at Meredith College

Posted on 25, Oct | Posted by RMA

Chris Peterson presented “Enemies at the Gate – or Are They Already Inside?” as part of CSI Week at Meredith College. CSI Week allows students at Meredith to explore career opportunities in law enforcement and related fields. The event is sponsored by the Sociology and Criminology Programs and the Sociology & Criminology Club, with the support of Political Science, Accounting, and Social Work.

Other presenters during the week included:

  • Special Agent Jahaira Torrens spoke about Homeland Security Investigations.
  • Cat Flowers, owner of Cat Eye Detective Agency, presented.
  • Police Officer and Social Worker Renea Lockhart spoke about domestic violence and being both an officer and a social worker.
  • U.S. Marshals talked about the work they do tracking down fugitives and other law enforcement activities.
  • Wake County Prosecutors spoke about their work.
  • The RPD Gang Unit talked about their work with gang prevention and dealing with gangs in Raleigh.
  • A crime scene analysis panel consisting of an RPD patrol officer, a CCBI investigator (the local CSI) and a detective from the Raleigh Police talked about how they work and investigate a crime scene.
  • Cary Police Department crime mapping analyst Elise Pierce spoke about her work using crime scene mapping to facilitate the work of police in Cary.

Chartered in 1891, Meredith College is one of the largest independent private women’s colleges in the U.S. Meredith also offers coeducational graduate programs in business, education and nutrition, as well as post-baccalaureate certificate programs in pre-health and business, a dietetic internship program, a didactic program in dietetics and a paralegal program. Meredith’s programs, undergraduate and graduate, challenge each individual student to think deeply, push hard, discover new strengths and grow even stronger. Meredith has been cited as one of the “best colleges” in the region and the country by U.S. News & World Report, The Princeton Review and Forbes.com.


Held Hostage by a Dishonest Employee

Posted on 16, Sep | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

I recently was involved in a case in which a company employee was discovered using a company credit card for personal reasons. This happens occasionally, and one would think that immediately terminating the employee would resolve the issue. But what happens when the employee is the one and only IT person for the company?

Many companies have only one person to manage all of their IT needs. There is nothing wrong with this. Considering that 99.7 percent of U.S. employer firms are small businesses (http://www.sba.gov/sites/default/files/FAQ_Sept_2012.pdf), having a sole IT person may be very common. The problem with this situation is the lack of oversight and management of the IT person by company executives and owners. What are the consequences of this scenario? How can companies and organizations prevent the backlash experienced when a single person has the “keys to the kingdom”?

This issue can occur in any business with a small IT staff. This particular case involved an employee who had been with the company for eight years. In that time, the employee came to be the only person who dealt with all IT issues. He managed the website, the phone system, the internet service, all servers, all workstations, the data connections for multiple facilities – you get the point. The employee could have brought the company to a standstill for several days, if not several weeks, had he wanted to do so. It was not until the decision was made to fire him that someone finally asked the question “What does he do, and can we do it without him?” The answer was, “No.”

In this case, the employee was being terminated for cause. What if he had been hit by a bus? The company would have been in the same position. The only option left for the company was to hire someone to come in and inventory the network to help them prepare for the employee’s termination. This involved hundreds of man-hours. Fortunately, the transition was successful and the company lost no production time.

There are several steps that can be taken to prevent this from occurring in your business. The person responsible for a company’s IT needs should document everything and provide this documentation to management or ownership in a reviewable format on a regular basis. This document should be considered a living document: any time there is a network change or system change, the document should be edited to reflect the change. The document should include, but not be limited to:

  • A list of service providers and all information needed to contact this service provider for support or changes. This includes the Internet service provider, phone service provider, web hosting company, cell phone provider, cloud services, or any other service provider used by the company.
  • Administrator passwords. These can be sealed in an envelope and/or put in a safe.
  • Device passwords and configuration. Think about firewalls, switches, wireless routers, and other equipment.
  • Software passwords and configurations. The IT administrator may be the only person aware of specialized software used in the office that requires specialized configuration or passwords. Make sure this information is documented and available to company executives.
  • Procedures for backing up and restoring systems.
  • A “What if…” document. This document would include instructions on how to deal with and recover from system outages, power outages, or other unique IT failures.

Depending on your network, the information needed in this document will differ. The best way to determine what you may need to document is to sit back and think through the problems that would arise if your IT person were suddenly gone. What questions would you have? The document should answer all of them. It is also important to make the person responsible aware that this document is a “Continuity of Operations” document. There are many reasons why an IT employee may not be able to come to work, but their absence should not disable any part of the IT infrastructure.

It is also critical to make sure there are two people on the point-of-contact list with all service providers. The second person on the list should be an owner or executive of the company. If the IT person should be unable to perform his or her duties for any reason, the executive or owner of the company can call the service provider and make necessary changes without jumping through a lot of hoops to gain ownership of the service.

Finally, have a third party review this information at least once a year. That third party could be an outside consultant or even a current employee with knowledge of the network and need for business continuity. An outside consultant has the advantage of being objective when looking at an environment and utilizing their experience to help direct and drive a “Continuity Plan” that will protect the company in the event of any number of unexpected events.
