From James Farmer (FSLO):
Part of an organization's security policy should be a remote access policy that provides guidelines regarding secure and controlled access from a remote laptop or computer. Employees or users accessing internal resources remotely should be required to have explicit permission to do so by appropriate management.
All users connecting to an organization's network remotely, be it from a laptop or home PC, should be required to utilize a VPN connection (an encrypted "tunnel"). Any wireless connectivity via a laptop/desktop used to remotely access confidential data should be encrypted at a minimum via WPA (Wi-Fi Protected Access). Due to known security vulnerabilities, WEP (Wired Equivalent Privacy) should not be used.
Physical security should be maintained through controls, such as locked entryways and alarm systems for the server room or data center, and access control should be strictly monitored. Only authorized persons should have physical access to the rooms. Encourage users either to log off or shut down their PCs when away from them for any extended period of time.
Human error has long been considered one of the primary threats to a company's data. Have a clear security policy that classifies what information may be housed or accessed, and direct personnel in the handling of that information. Employees should be knowledgeable about the nature of the information they deal with through awareness training.
From James Tillman (Seva Technology):
Training on policy and procedure has to be provided to everyone, even those who may think they know what they're doing (who may be braver in use of data and the Internet, thus exposing themselves more frequently).
Stipulate how to control your telecommuters' home network security.
Insist on:
Strict policy and procedures about what data can be stored where, as well as password strength and file-sharing policies;
Strict utilization of file systems and network encryption;
Dogged enforcement of all security policies, plus auditing to confirm enforcement.
From Paul Peeples (FAIA):
Become more proactive locally and nationally on security issues.
Constantly build data security.
Assess your processes; don't leave D&O, E&O, credit reports, and umbrella policy information exposed.
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.