Data Privacy and Security
Throughout the development and lifespan of any system, it is important to take privacy and security issues into consideration. This is especially true for information systems within a growing organization. Many risks and threats face both public and internal networks and information resources. It is, therefore, critical that appropriate security procedures and policies are put into place to help mitigate potential threats and risks.
There are many different types of risks and threats that need to be considered. Some are malicious and others are not. Individuals with malicious intent may attempt to access private network data from the outside world. In addition, disgruntled employees may compromise the security and privacy of data. There are also problems with disregard for proper security procedures and a lack of education concerning the acceptable use of company resources. The issues of privacy and security on a company's information systems are arguably more social matters than technical ones.
In order to maintain high availability, access to high-bandwidth media, such as streaming video, should be limited as a matter of policy. If use becomes excessive, it may be necessary to block such content during normal business hours. Company email should not be used for personal business. Personal use can result in an increase in spam, opening the organization up to potential malware infection. It also increases the risk of private data accidentally being sent to an unintended party.
Firewalls should be enabled and remain so wherever possible. This will be controlled at the router level and will not be controlled by individual users. Of course, all illegal or adult content will be filtered and monitored within the network to ensure that the organization's resources are not being abused.
Network access will require login with a username and a strong password that is periodically reset. Access to private data stores and databases will require additional authentication and appropriate permissions. Single-sign-on capabilities will be reserved for non-critical areas and systems. All access to private data will be logged with details about what was accessed, when it was accessed, and who accessed it.
The most critical feature of the security and privacy policies and procedures is education. The biggest threat to an organization's information resources is the organization's own staff. Individuals tend to have a high level of contempt for seemingly draconian security policies. Most individuals believe that their activity is perfectly safe and justifiable. They do not believe that they will expose the network to outside access, infect the network with a virus, or cause bandwidth issues. Most users within an organization simply do not fully understand the potential harm that their actions can cause their organization. It is not only important to keep the internal staff educated about the proper use of information resources; it is also important to make certain that the staff knows why their understanding is so vital. Without that understanding, it is just another policy being shoved down their throats, nothing more than red tape to them, with little impact on their actual actions.
Education should take place at regular intervals to make certain that everyone is fully versed in current policies and procedures. It should also be made clear that avoidance of individual responsibility and willful misuse of the organization's information resources will not be tolerated. With a combination of technology and careful attention to the human side of security, an organization can significantly decrease its exposure to risk and increase both security and efficiency.