Agency Systems Security:

A Framework for Success

By Tim Woodcock, President, Courtesy Computers, Inc.

 

Systems security is a broad, technical subject that is unfortunately growing in importance for all businesses. This is certainly true for independent agencies, which interact with their carriers and customers electronically over the Internet continuously. The very value of an independent agency is determined by the security of the proprietary customer information contained in its computers.

 

Most agencies will engage a technology expert to handle the details of securing their systems. However, there are management issues and agency policies and procedures which agency executives must focus on to secure their businesses. This article is designed to help agents establish the framework and mindset needed to manage the “security” issue on an ongoing basis, as the risks confronted continue to evolve. The article also provides a good overview of the kinds of issues that agents should be thinking about in the security area.

 

By implementing three basic steps (prepare, organize, execute), your agency can establish a "best practices" network security program that will help protect your business and instill a sense of responsibility and teamwork among the entire staff to safeguard security.

 

STEP 1: Prepare

The preparation stage is three-pronged and involves creating policy statements, conducting a risk analysis and establishing a security team structure.

 

The Policy Statement

The security policy is a formal definition of an organization's stance on security. Policy begins with understanding what it is you need to protect and what it is you need to protect against, what is allowed and what is not allowed. The levels of responsibility need to be understood, and imply that security is everyone's job. Best practices in network security are more about the what and why of securing the organization's information assets than about the how.

 

Policy statements should include acceptable use of systems and data for all categories of users including the systems administrator. The policy should also identify specific actions that could be taken in response to a violation of security policy, including disciplinary action. Put it in print and post it on the walls.

Some companies require the signature of every employee on a copy of the acceptable-use statement.

 

A sample agency security policy is attached to this article.  Keep in mind that it is only a sample and needs to be customized to the particular needs of your agency.

 

The Risk Analysis

Conducting a risk analysis is a way to determine the organization's security vulnerabilities. Many agencies hire a technology consultant to provide the network security audit and assist in the creation of the agency’s security policies. The purpose of a risk analysis is to identify points of entry to the network and possible means of attack from both an internal and external perspective. This requires identifying all network resources and assigning a risk level to each. For instance, if a core router or firewall were compromised, what would the risk level be? The next step is to identify who has access to these resources, given that there are users, power or privileged users, administrators, partners and others. This can be a painful process depending upon what type of authentication and authorization methods are in place. Some risk analysis methods include running a password cracking utility on the network in privileged mode to uncover unauthorized users.


The Security Team

One of the first steps in designing and executing a security policy for the agency is to create a “security team”. The security team needs to have participants from every operational area within the agency. The team is responsible for policy awareness and enforcement as well as being informed on the technical aspects of the security architecture. The team also monitors the security of the network, creates an incident response process, responds to security breaches, is involved in changes in security policy and execution, and reports to senior management on security issues.

 

STEP 2: Organize

Once armed with policy statements, a risk analysis and a security team, it is important to define and organize the individual information as either a “business function” (procedures and responsibilities) or a “resource” (computing platform, operating system, application, database or network device). This will facilitate your creating the guidelines and assigning responsibilities. List them according to their risk level, with high-risk categories first. A portion of your security policy should include both an “end user security guide” and “administrative security operations guide”.

 

The end user security guide portion will consist of policies, procedures and users' rights pertaining to the use of passwords, the authorized and unauthorized installation, access and removal of specified software or equipment, anti-virus policies, Internet access, SPAM, and other non-network administrative items.

 

The administrative security operations guide portion, by contrast, will be quite extensive and include administrative policies and procedures pertaining to items such as service packs and hot fixes, antivirus software, e-mail policy, security breaches, physical security of equipment, SPAM, event log review and reports, continuing education, and other network administrative items.

 

STEP 3: Execute

Once prepared and organized, executing the security policy is not as overwhelming as you might think.

Each organization must determine for itself what level of security is wise, and how much enforcement is necessary.  Whether you implement a “permissive” or “restrictive” policy, remember that the goal is to create security awareness, minimize risk and maximize the use of technology.

 

To help minimize your exposure, implement a security checklist as part of your overall security policy. It will prove to be invaluable in preventing data theft, disrupted workflows, lost communications, system down-time, and lost profits.  A sample security checklist is attached but should be customized to the particular needs of your agency.

 

Implement an effective Login and Password Policy

A comprehensive password policy is the first line of defense in a well-rounded IT security plan. Many organizations consider password policies to have the same security priority as disaster recovery and Internet defense. ACT recommends that agencies use employee-based passwords rather than agency-based passwords and that all passwords be actively managed by the agency so that when an employee is terminated, all of the employee’s passwords are immediately invalidated. Review the ACT Guidelines for Multiple Passwords on the ACT website for additional helpful suggestions.

 

Protect the Physical Network

Physical inspection of the entire network is important. Network monitoring for unusual or odd traffic patterns may also help spot protocol analyzers or malicious software (“malware”) that have been put in place by potential hackers. Session authentication and password protection are useless if the network itself is compromised.

 
Data Backup Policy

The loss of data can be disastrous and fatal for any business. A well-executed data backup is key to your business's continued survival. A quarterly test and review of this policy is highly recommended.

 

Virus Protection Policy

Ensure that your agency installs and maintains an effective virus protection policy. Whether your Anti-Virus solution is outsourced or in-house, it should allow for automatic software updates and provide effective management and monitoring tools for your systems administrator. Although “spyware” is not a virus, it can be very detrimental to the overall performance of your network and should be included in this policy.

 

SPAM, Internet and E-mail Usage Policy

By implementing a strong SPAM, Internet and E-mail policy, your agency will save an average of $600 (and more) per employee per year in labor lost to dealing with SPAM.  As SPAM proliferates, employing an outsourced or server-side spam-blocking solution should be your first step toward fending off junk e-mail. Make sure your employees read and understand the company's policies on e-mail and Web usage. Provide detailed instructions for how employees should deal with inappropriate e-mail.

 

Remote Access Policy

If your agency allows remote access to your network, it is imperative that you put in place a remote access policy that covers not only the employees, but also the vendors and partners who must have access to the system. The policy should at least include who has rights to remotely access the system, dates and times for accessing the system, what can be accessed, and the proper procedures for entering and exiting the system. Some agency policies include signed commitments from the remote users that their remote connections are secured with firewalls and anti-virus software solutions.

 

Stay current with all operating system security patches and updates

Operating system security patches and hot-fixes should be constantly monitored and applied. As software becomes more sophisticated and complex, the likelihood of “security holes” increases. This procedure must therefore be an explicit item in the administrative security operations guide of the security policy.

 

Firewall and router security policy

The majority of agencies now implement broadband connections to the Internet, which require a hardware router and firewall. The router and firewall are the “protectors” of your network from the outside world. In order to maintain their effectiveness, it is essential that your security policy include provisions for continued training of your system administrator on the proper operation, administration and monitoring of these critical devices.

 

Disaster Recovery and Data Backup Policy

Ask yourself the question “If (or when) a disaster were to occur, how long would it take our agency to recover and continue the business of servicing our clients?”

 

Agencies that do not implement an effective network security program tend to have the attitude of “That can never happen to me”. When a disaster happens, the reality is that there will be a severe disruption to normal operations, a backlog of work, staff morale problems, cramped and inadequate accommodations, and a potentially disastrous effect on customer satisfaction, credibility and goodwill.

 

Create and execute an IT Disaster Recovery Plan that includes such IT related items as a strong data backup and restore policy, contingencies for recovering network system operations, and allowing for remote access to the system if available employee workspace is compromised.  Don't forget that any business continuity plan should be reviewed, rehearsed and revised on a regular basis to meet changing business needs, technologies and contact information.

 

Tim Woodcock is President of Courtesy Computers, Inc. which specializes in consulting with independent agencies on their technology needs and in providing technology solutions for agencies.  Tim can be contacted at mailto:tim@courtesycomputers.com.  This article represents the views of the author and should not be construed as an official statement of the Agents Council for Technology (ACT).

 

Attachment A

 

Information Security Policy (Sample)

 

This is a set of guidelines on corporate information security. We’re presenting it here to serve as a framework for your own information security policy or to compare to the one your organization has on the books.

To ensure that employees understand the policy, the agency should provide a copy for each worker. Employees should also attend a meeting to help them understand why the policy is so important to the agency.

After reading the policy, workers sign a form acknowledging that they have read the policy and understand it. We’ve included that form on the last page. To make sure that the business is following its own guidelines, the agency should conduct routine compliance audits.

Introduction

Computer information systems and networks are an integral part of business at “Agency Name”. The agency has made a substantial investment in human and financial resources to create these systems.

The enclosed policies and directives have been established in order to:

· Protect this investment.

· Safeguard the information contained within these systems.

· Reduce business and legal risk.

· Protect the good name of the agency.

Violations

Violations may result in disciplinary action in accordance with agency policy. Failure to observe these guidelines may result in disciplinary action by the agency depending upon the type and severity of the violation, whether it causes any liability or loss to the agency, and/or the presence of any repeated violation(s).

Administration

The information services manager (IS manager) is responsible for the administration of this policy.

Contents

The topics covered in this document include:

· Statement of responsibility

· The Internet and e-mail

· Computer viruses

· Access codes and passwords

· Physical security

· Copyrights and license agreements

 

Statement of responsibility

General responsibilities pertaining to this policy are set forth in this section. The following sections list additional specific responsibilities.

Manager responsibilities

Managers and supervisors must:

1. Ensure that all appropriate personnel are aware of and comply with this policy.

2. Create appropriate performance standards, control practices, and procedures designed to provide reasonable assurance that all employees observe this policy.

IS manager responsibilities

The IS manager must:

1. Develop and maintain written standards and procedures necessary to ensure implementation of and compliance with these policy directives.

2. Provide appropriate support and guidance to assist employees to fulfill their responsibilities under this directive.

The Internet and e-mail

The Internet is a very large, publicly accessible network that has millions of connected users and organizations worldwide. One popular feature of the Internet is e-mail.

Policy

Access to the Internet is provided to employees for the benefit of “Agency Name” and its customers. Employees are able to connect to a variety of business information resources around the world.

Conversely, the Internet is also replete with risks and inappropriate material. To ensure that all employees are responsible and productive Internet users and to protect the agency’s interests, the following guidelines have been established for using the Internet and e-mail.

Acceptable use

Employees using the Internet are representing the agency. Employees are responsible for ensuring that the Internet is used in an effective, ethical, and lawful manner. Examples of acceptable use are:

· Using Web browsers to obtain business information from commercial Web sites.

· Accessing databases for information as needed.

· Using e-mail for business contacts.

Unacceptable use

Employees must not use the Internet for purposes that are illegal, unethical, harmful to the agency, or nonproductive. Examples of unacceptable use are:

· Sending or forwarding chain e-mail, i.e., messages containing instructions to forward the message to others.

· Broadcasting e-mail, i.e., sending the same message to more than 10 recipients or more than one distribution list.

· Conducting a personal business using agency resources.

· Transmitting any content that is offensive, harassing, or fraudulent.

 

Downloads

File downloads from the Internet are not permitted unless specifically authorized in writing by the IS manager.

Employee responsibilities

An employee who uses the Internet or Internet e-mail shall:

1. Ensure that all communications are for professional reasons and that they do not interfere with his/her productivity.

2. Be responsible for the content of all text, audio, or images that (s)he places or sends over the Internet. All communications should have the employee’s name attached.

3. Not transmit copyrighted materials without permission.

4. Know and abide by all applicable Agency policies dealing with security and confidentiality of agency records.

5. Run a virus scan on any executable file(s) received through the Internet.

6. Avoid transmission of nonpublic customer information. If it is necessary to transmit nonpublic information, employees are required to take steps reasonably intended to ensure that information is delivered to the proper person who is authorized to receive such information for a legitimate use.

Copyrights

Employees using the Internet are not permitted to copy, transfer, rename, add, or delete information or programs belonging to others unless given express permission to do so by the owner. Failure to observe copyright or license agreements may result in disciplinary action by the agency and/or legal action by the copyright owner.

Monitoring

All messages created, sent, or retrieved over the Internet are the property of the agency and may be regarded as public information. “Agency Name” reserves the right to access the contents of any messages sent over its facilities if the agency believes, in its sole judgment, that it has a business need to do so.

All communications, including text and images, can be disclosed to law enforcement or other third parties without prior consent of the sender or the receiver. This means don’t put anything into your e-mail messages that you wouldn’t want to see on the front page of the newspaper or be required to explain in a court of law.

Computer viruses

Computer viruses are programs designed to make unauthorized changes to programs and data. Therefore, viruses can cause destruction of corporate resources.

Background

It is important to know that:

· Computer viruses are much easier to prevent than to cure.

· Defenses against computer viruses include protection against unauthorized access to computer systems, using only trusted sources for data and programs, and maintaining virus-scanning software.

IS responsibilities

IS shall:

1. Install and maintain appropriate antivirus software on all computers.

2. Respond to all virus attacks, destroy any virus detected, and document each incident.

 

Employee responsibilities

These directives apply to all employees:

1. Employees shall not knowingly introduce a computer virus into agency computers.

2. Employees shall not load diskettes of unknown origin.

3. Incoming diskettes shall be scanned for viruses before they are read.

4. Any associate who suspects that his/her workstation has been infected by a virus shall IMMEDIATELY POWER OFF the workstation and call the IS manager.

Access codes and passwords

The confidentiality and integrity of data stored on agency computer systems must be protected by access controls to ensure that only authorized employees have access. This access shall be restricted to only those capabilities that are appropriate to each employee’s job duties.

IS responsibilities

The IS manager shall be responsible for the administration of access controls to all agency computer systems. The IS manager will process adds, deletions, and changes upon receipt of a written request from the end user’s supervisor.

Deletions may be processed on an oral request prior to receipt of the written request. The IS manager will maintain a list of administrative access codes and passwords and keep this list in a secure area.

Employee responsibilities

Each employee:

1. Shall be responsible for all computer transactions that are made with his/her User ID and password.

2. Shall not disclose passwords to others. Passwords must be changed immediately if it is suspected that they may have become known to others. Passwords should not be recorded where they may be easily obtained.

3. Will change passwords at least every 90 days.

4. Should use passwords that will not be easily guessed by others.

5. Should log out when leaving a workstation for an extended period.

Supervisor’s responsibility

Managers and supervisors should notify the IS manager promptly whenever an employee leaves the agency or transfers to another department so that his/her access can be revoked. Terminations must be reported concurrent with the termination.

Human resources responsibility

The Personnel Department will notify MIS monthly of associate transfers. Terminations must be reported concurrent with the termination.
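The password rules in Step 3 and in this section (employee-based rather than shared credentials, revocation concurrent with termination, a change at least every 90 days) are the kind of thing a routine compliance audit can check mechanically. The following is an added example, not code from the article or from Courtesy Computers; the account roster, user names and dates are constructed for illustration, and in practice the roster would be exported from the directory and the termination dates supplied by HR.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Rule from the sample policy: passwords change at least every 90 days.
PASSWORD_MAX_AGE_DAYS = 90

# Finding codes used in the audit report.
STALE_PASSWORD = "STALE_PASSWORD"        # password older than the 90-day limit
TERMINATED_ACTIVE = "TERMINATED_ACTIVE"  # employee has left but the account is still enabled
SHARED_ACCOUNT = "SHARED_ACCOUNT"        # agency-based credential with no single owner


@dataclass
class Account:
    user_id: str
    owner: Optional[str]             # person responsible; None for a shared/agency-based login
    enabled: bool
    last_password_change: date
    termination_date: Optional[date] = None  # supplied by HR; None while still employed


@dataclass
class Finding:
    user_id: str
    code: str
    detail: str


def password_age_days(account: Account, today: date) -> int:
    return (today - account.last_password_change).days


def audit_accounts(accounts: List[Account], today: date) -> List[Finding]:
    """Compare the account roster against the policy and return every violation."""
    findings: List[Finding] = []
    for a in accounts:
        # Supervisor/HR rule: access is revoked concurrent with the termination.
        if a.enabled and a.termination_date is not None and a.termination_date <= today:
            findings.append(Finding(a.user_id, TERMINATED_ACTIVE,
                                    f"terminated {a.termination_date.isoformat()} but still enabled"))
        # Employee rule: change passwords at least every 90 days (disabled accounts are exempt).
        age = password_age_days(a, today)
        if a.enabled and age > PASSWORD_MAX_AGE_DAYS:
            findings.append(Finding(a.user_id, STALE_PASSWORD,
                                    f"password is {age} days old (limit {PASSWORD_MAX_AGE_DAYS})"))
        # ACT guidance: employee-based rather than agency-based (shared) passwords.
        if a.enabled and a.owner is None:
            findings.append(Finding(a.user_id, SHARED_ACCOUNT,
                                    "shared login cannot be tied to one employee or revoked on termination"))
    return findings


# Constructed sample roster (hypothetical users; not from the article).
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_ROSTER = [
    Account("jdoe", "J. Doe", True, date(2024, 4, 15)),                                        # compliant
    Account("asmith", "A. Smith", True, date(2024, 1, 10)),                                    # password 143 days old
    Account("bjones", "B. Jones", True, date(2024, 5, 1), termination_date=date(2024, 5, 20)),  # left, still enabled
    Account("frontdesk", None, True, date(2024, 5, 15)),                                       # shared agency login
    Account("cwong", "C. Wong", False, date(2023, 9, 1), termination_date=date(2024, 3, 1)),    # correctly revoked
]


def run_sample() -> List[Finding]:
    return audit_accounts(SAMPLE_ROSTER, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user_id:<10} {f.code:<18} {f.detail}")
```

The disabled "cwong" account produces no finding even though its password is old, which is the intended behaviour: revocation, not rotation, is the control for departed staff.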

Physical security

It is agency policy to protect computer hardware, software, data, and documentation from misuse, theft, unauthorized access, and environmental hazards.

 

Employee responsibilities

The directives below apply to all employees:

1. Diskettes should be stored out of sight when not in use. If they contain highly sensitive or confidential data, they must be locked up.

2. Diskettes should be kept away from environmental hazards such as heat, direct sunlight, and magnetic fields.

3. Critical computer equipment, e.g., file servers, must be protected by an uninterruptible power supply (UPS). Other computer equipment should be protected by a surge suppressor.

4. Environmental hazards to hardware such as food, smoke, liquids, high or low humidity, and extreme heat or cold should be avoided.

5. Since the IS manager is responsible for all equipment installations, disconnections, modifications, and relocations, employees are not to perform these activities. This does not apply to temporary moves of portable computers for which an initial connection has been set up by IS.

6. Employees shall not take shared portable equipment such as laptop computers out of the office without the informed consent of their department manager. Informed consent means that the manager knows what equipment is leaving, what data is on it, and for what purpose it will be used.

7. Employees should exercise care to safeguard the valuable electronic equipment assigned to them. Employees who neglect this duty may be accountable for any loss or damage that may result.

Copyrights and license agreements

It is Agency’s policy to comply with all laws regarding intellectual property.

Legal reference

Agency and its employees are legally bound to comply with the Federal Copyright Act (Title 17 of the U. S. Code) and all proprietary software license agreements. Noncompliance can expose Agency and the responsible employee(s) to civil and/or criminal penalties.

Scope

This directive applies to all software that is owned by the agency, licensed to the agency, or developed using agency resources by employees or vendors.

IS responsibilities

The IS manager will:

1. Maintain records of software licenses owned by Agency.

2. Periodically (at least annually) scan agency computers to verify that only authorized software is installed.

Employee responsibilities

Employees shall not:

1. Install software unless authorized by IS. Only software that is licensed to or owned by Agency is to be installed on Agency computers.

2. Copy software unless authorized by IS.

3. Download software unless authorized by IS.


Civil penalties

Violations of copyright law expose the agency and the responsible employee(s) to the following civil penalties:

· Liability for damages suffered by the copyright owner

· Profits that are attributable to the copying

· Fines up to $100,000 for each illegal copy

Criminal penalties

Violations of copyright law that are committed “willfully and for purposes of commercial advantage or private financial gain” (Title 18, Section 2319(b)) expose the agency and the employee(s) responsible to the following criminal penalties:

· Fines up to $250,000 for each illegal copy

· Jail terms of up to five years

 

Attachment B

 

Acknowledgment of Information Security Policy (Sample)

 

This form is used to acknowledge receipt of, and compliance with, the “Agency Name” Information Security Policy.

Procedure

Complete the following steps:

1. Read the Information Security Policy.

2. Sign and date in the spaces provided below.

3. Return this page only to the information services manager.

Signature

By signing below, I agree to the following terms:

i. I have received and read a copy of the “Information Security Policy” and understand the same;

ii. I understand and agree that any computers, software, and storage media provided to me by the agency contain proprietary and confidential information about “Agency Name” and its customers or its vendors, and that this is and remains the property of the agency at all times;

iii. I agree that I shall not copy, duplicate (except for backup purposes as part of my job here at “Agency Name”), otherwise disclose, or allow anyone else to copy or duplicate any of this information or software;

iv. I agree that, if I leave “Agency Name” for any reason, I shall immediately return to the agency the original and copies of any and all software, computer materials, or computer equipment that I may have received from the agency that is either in my possession or otherwise directly or indirectly under my control.

Employee signature:

Employee name:  ________________________________________

Date: _________________________________________________

Department:  ___________________________________________


Attachment C

Security Checklist of issues to consider (Sample)