Small Business impact

On February 23, 2008, in Security, by

Resource Kit Done! – Jesper’s Blog:

As you can tell I kinda already pre-ordered the book.  In full disclosure I wrote the chapter on small business issues and kudos of course goes to Dr. Jesper Johansson for thinking about, and including the issues of security that impact small businesses. 

A recent post about security in the Small Biz space points out one of the biggest impacts… knowing what regulates this space.  For me and my industry, I’m impacted primarily by the State of California laws covering disclosure breach notification.  But for everyone looking for a silver bullet, a checklist of steps to make them “secure”, there is none.  I can point you to products like Scorpion Software’s AuthAnvil two-factor authentication that help you keep one area, that of password management, meeting and exceeding today’s regulations, but at the end of the day, all of us need a foundation.  A policy.  A document.  An idea of what is and is not appropriate.

You can’t educate users, you can’t enforce what users can and cannot do without this fundamental document.

The Firm uses various forms of electronic communication devices, including, but not limited to, computers, e-mail, telephones, voice mail, and fax machines.  All electronic communications, including all software and hardware, are the sole property of the Firm and are to be used only for Firm business to transmit or receive business information and are not to be used for personal use.  The Firm treats all messages sent, received or stored in any of the electronic communication devices as business messages.  The Firm reserves the right to access and review, copy or delete electronic files, voice mail messages, etc., for any purpose and to disclose them to any party (inside or outside the Firm) it deems appropriate.  The Firm further reserves the right to monitor the use of electronic communications as is necessary to ensure that there is no misuse or violation of Firm policy. Use of any of the Firm’s electronic communications devices in violation of this policy may lead to discipline up to and including immediate termination.  Should employees make incidental use of the e-mail system, fax machine, etc., to transmit personal messages, such messages will be treated no differently than other messages, i.e., the Firm reserves the right to access, review, copy, delete or disclose them for any purpose.  Accordingly, employees should not use the computer, e-mail system, voice mail system, or fax machine for any personal information they wish to keep private.   The Firm’s e-mail system permits employees to communicate with each other internally and with selected outside individuals and companies that the Firm, in its sole discretion, decides should be connected to the system.  Users should treat the computer and e-mail systems like a shared file system — with the expectation that messages sent, received or stored in the system (including any individual hard disks) will be available for review by any authorized representative of the Firm for any purpose.

….and more in the policy……

So do your clients have a policy?


One Response to Small Business impact

  1. Philip Elder says:

    We have designed an Acceptable Use Policy document that most of our clients have adopted.
    In the case of our SBS Premium clients, that AUP is on the Companyweb.
    Whenever a user heads to a site that they should not, they are automatically redirected to that AUP page on Companyweb by ISA.
    It works as an excellent deterrent … and as a result we have only had one or two users that have needed to be dealt with a little more directly.