Data Security For the Business Owner

Published by Eric Vought
This is a partial draft of a manual on data security for a non-computer-nerd small to mid-sized business owner. It explains security concepts, contains a glossary and an annotated bibliography, and identifies ways to manage the risk represented by information technology. I worked on this a couple of years ago and gave up, at least temporarily, because the technology and threats were changing faster than I could write. I have put up the partial draft because it might be useful to some people, and I occasionally refer folks to sections I wrote when they ask related questions. If the draft does appear to be useful and there is sufficient interest, I may continue working on it.


Published by: Eric Vought on Jun 24, 2010
Copyright:Attribution Non-commercial

Data Security For the Business Owner
How and Why for non-IT Professionals
Eric Vought
<evought@pobox.com>
$Id: BusinessDataSecurity.dbxml,v 1.67 2007/05/19 00:06:11 evought Exp $
Copyright © 2007 Eric Vought
Legal Notice
Some of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this text, and I was aware of the trademark claim, the designation is appropriately marked on first appearance. Unless otherwise noted, references to specific tools and applications in this article are presented only as examples of what is available and not as endorsements. The reader is encouraged to read reviews and research additional alternatives for himself or herself.

I am not a lawyer and nothing in this document is to be construed as offering qualified legal advice.

All Rights Reserved. This document may not be reproduced in whole or in part, in any form (beyond that copying permitted by Sections 107 and 108 of the U.S. Copyright Law), without written permission of the author. Copyright and permission of accompanying graphics and stylesheets as noted in those files.
Abstract
This document is a data security primer for non-technical business owners, including explanations of risk management, basic security concepts, and development of a sound security strategy.
Table of Contents
Preface ..... 2
    Goals ..... 2
    Audience ..... 3
    Approach ..... 3
"Real World" Risks ..... 3
    Building Safety ..... 3
    Keeping People Out ..... 4
    Screening and Trust ..... 4
    Insurance Policies Mitigate Loss ..... 5
    Data Security Is Also Risk Based ..... 5
Cybercrime and the State of the Internet ..... 6
    The Internet Is Not Magic ..... 6
    The Goals of Internet Criminals ..... 6
    Common Cybercrime ..... 7
    Things Are Not Hopeless ..... 10
First Principles ..... 11
    Secure the Perimeter ..... 11
    Guard Your Secrets ..... 12
    Create a Defense In Depth ..... 12
    Security By Obscurity Is Not Effective ..... 13
    Exploits and Vulnerabilities ..... 13
    Keep Your Eyes Open ..... 14
Building a Data Security Strategy ..... 14
    First Steps ..... 14
    Your IT Professionals ..... 16
    Document Retention and Protection ..... 18
    Documentation, Policies, Audits — How Much, How Often ..... 18
    An Incident Response Plan ..... 22
    Making IT and Security Purchases ..... 27
Your Network Layout ..... 32
    The Network Perimeter ..... 36
    Employee PCs - The IT Battleground ..... 39
    Network Services - Sharing and Editing Files ..... 46
    Internet Services and Communication ..... 50
Conclusions ..... 50
    Frustrations ..... 50
Glossary ..... 51
Bibliography ..... 63
Preface
Goals
Data security, the protection of business information and associated computer networks, is a highly technical field which is often associated with black magic by non-technical professionals. This situation is not helped by a communications gap between IT professionals and business owners. Business owners are not trained to understand the technical concepts and computer professionals cannot explain risks in concrete business terms.

Uninformed business owners cannot avoid dangers and capitalize on opportunities in a rapidly changing technical landscape. Frequently, critical issues are ignored and money is spent on ineffective solutions. This document:

- explains security in terms of risk management,
- reports on the current state of the Internet,
- describes fundamental security concepts in concrete, non-technical terms,
- develops basic data security strategies from first principles,
- presents example business cases where security versus opportunity trade-offs are made, and
- concludes by encouraging a "security mindset" where technology concerns are incorporated into day-to-day business decisions.

This document will not turn the reader into an IT professional, much less a security professional. What it can do, however, is better equip you to evaluate how data security affects your business and communicate with the technical professionals and vendors you hire to secure your data. It will also, hopefully, help you to recognize the snake-oil salesmen who offer ineffective solutions to problems you may not even have.

Some parts of this document, those describing current electronic threats to your business, may seem alarmist. These reports should alarm you: the current state of Internet security is very poor and some authorities would say. Most people are unaware of the ways in which systems are routinely compromised. Vendors have a vested interest in keeping these facts quiet or no one would use their products or services. Fortunately, however, prudence and care can eliminate the most common threats and make trouble even for sophisticated attackers. The biggest threat on the Internet is ignorance and the fact that most computer users do not take even basic precautions. Safely navigating large cities requires street-sense and awareness; the Internet is no different. As our world changes, businesses that become street-smart will have a competitive advantage over those that do not.

Although I provide links to examples of products or technologies, I steer clear of providing steps to accomplish tasks, use products, or secure particular types of systems (such as tightening down a Windows XP™ computer or using encryption in Microsoft Outlook™). Technology changes rapidly and my goal here is to teach concepts that are independent of particular products. Specific technical solutions are best handled by IT staff for larger businesses or by technology-specific howtos for SOHO professionals.
Audience
This article is targeted at small to medium-sized business owners. Much of the material applies to Small Office / Home Office (SOHO) users, particularly the background information, basic security strategies, and much of the discussion on desktop and communications security. SOHO readers who are not connected with or do not work within a larger organization will find that the discussions of policy, management, and organization, as well as network architecture and services, will not directly apply to them and will likely skip or skim those sections. Owners or managers of larger businesses will find that the discussions of security plans here are necessarily simplified. Medium to large organizations have complex and varied networks with legacy technologies and layers of existing policy which cannot be treated in one document. In these cases, the glossary and bibliography will help you to find other sources of information. Given the concepts presented here and the help of competent specialists, it is hoped that a manager can learn what they need to know about their own system to manage it effectively.
Approach
The information presented here is extensive — do not try to absorb it all at once and do not expect to change your business overnight. Take it in steps. I recommend reading through once at a high level to absorb the contents and skim the detail. Then start through again. I have worked to provide extensive references, links, and a glossary. Focus on the parts that are most important to your business, explore the references and talk to your IT people. If you find that your IT staff or consultants will not work with you, get new ones. Try to learn and improve something each week. The end goal is to turn the Internet from an unknown source of risk into something which can be understood and capitalized on.
"Real World" Risks
Tip: The goal of security is not to combat risk for its own sake, but to maximize business opportunity.

Outside of cyberspace, your business must balance risks in order to remain profitable. When you see business opportunities, you identify risks, determine how likely they are, how much damage they may cause, what may be done to lower or avoid the risks, and, ultimately, whether the opportunities are worthwhile. Sometimes outside experts, such as lawyers, market experts, or insurance agents, are consulted to assess the risks or suggest ways to protect the business. Sometimes the business must change the way it operates to avoid liability or comply with regulations. In any case, the overriding goal is never to combat risk for its own sake but rather to maximize opportunity and create a successful business.
Building Safety
Buildings are required to have basic safety features such as lighted exit signs. In some locations it is forbidden to use a corded vacuum cleaner during business hours in an area with pedestrian traffic. In other