Maximum Security - Lock Up Your Data

By Lynette Turnbull-Grant, LTG Consulting

Whenever the word security is mentioned people automatically start looking for the nearest IT manager. They look for this person to reassure them that all the latest gadgets and gizmos are in place to protect the organisation...

What is wrong with this assumption?

IT is only one part of the security picture. The whole organisation - everyone in it and all those that have dealings with it - needs to buy into the concept of security. Why?

Take the following scenario:

Elsie works in the Fund Raising department of a national VCS (Voluntary and Community Sector) organisation to which she has come straight from university. She is bright, alert and willing to learn. Her first day in the office is spent with Human Resources and others responsible for showing Elsie around the organisation and introducing her to her new colleagues. Each department is visited and they explain what they do and how this fits in with the organisation's overall mission.

Finally Elsie is handed over to her immediate line manager. She has her job role explained in detail and is given a set of tasks to undertake. Elsie sits at her desk and starts to work; when she leaves at the end of the day her desk is not untidy. However, on her desk is a neat stack of documents that relate to the next campaign the organisation is running, including income and expenditure projections. Also on the desk is a bundle of signed letters waiting to be placed in envelopes ready for adding to the final marketing literature due to be sent to prospective supporters.

Nothing amiss with any of this - except security has been breached in a couple of ways, neither of which is under the direct control of the IT Manager.

The first is the direct contravention of the Seventh Principle of the 1998 Data Protection Act, which pertains to the management and security of the data that an organisation holds. This means it is up to the organisation to train its staff and inform them how they should treat documents relating to the organisation's supporters. There should also be in place a policy and/or staff handbook where staff can find information on security.

The second is a risk of snooping from anyone who happens to be in the building when everyone else has left. In a security conscious organisation Elsie would have also been instructed on what is acceptable to leave on her desk at the end of the day and, more importantly, why and where certain information should be secured.

This isn't to say that others within that organisation don't do this themselves. However, there may be no formal mechanism or policy for staff to refer to in order to guide them on security issues.

Security Awareness

Becoming security conscious starts at the top and filters down. It can't be achieved overnight as the culture of an organisation has to change in order to embrace the security challenge. Organisations that do could look forward to informed employees who are efficient and knowledgeable about the handling of data and securing documents.

Can the daily business of the organisation be conducted without having to worry every time they see a news article about a breach of security and how they would handle this? Should a security incident occur, existing policies should be reviewed to take into consideration the event and a revised policy with preventative measures created if necessary.

Everyone is more aware of the simple things they can do to protect a valuable asset to any fund raising organisation - the supporter. Ultimately the organisation works as a cohesive team, understanding the benefit of security and viewing it holistically rather than as just the domain of IT.

So, where does IT fit into all of this? Elsie would have been given access to the fund raising database at the direct request of her line manager. The IT manager would have provided her with a password to access this database. In the above scenario I wonder if Elsie would have left her password visible on her desk. If she had, what would the repercussions have been?

The result of an insecure password is that anyone could potentially gain access to your network and, in turn, any databases or, more importantly, data you hold on your supporters. Who would be responsible for this breach?

It is a few months later. Elsie understands the importance of securing data when she is not at her desk and keeps her password secure. However, she now has a mobile piece of equipment, a laptop computer, so she can travel and work.

Elsie is to attend a meeting with prospective sponsors in a major city and while travelling she decides to put some final finishing touches to her presentation. She also double checks her financial information ready for any questions the sponsor may have.

This is an admirable task and one that many of us will identify with. However, who is sitting next to Elsie? Who is looking over her shoulder? Do you want whoever it is to know who you are approaching and what they may sponsor you for?

Apart from the password securing access to the portable equipment, security once more is in Elsie's hands.

A security conscious approach to data belonging to your organisation could be one of asking yourself: how sensitive is the data I'm working on? Will it matter if someone else reads it and talks about what they have seen? If the answer to these questions is "no" then go ahead and work whilst travelling - just be aware you don't know who you are sitting next to and who they might know.

With the appropriate briefing, Elsie might have decided that it was more prudent to finish her presentation in the office and work on something less sensitive while travelling.

The scenario above is only an example and bears no relation to any organisation or living person. It is a simple illustration of areas where security can unwittingly be breached.


About the author

Lynette Turnbull-Grant, LTG Consulting
Lynette Turnbull-Grant is Head of LTG Consulting. LTG Consulting provides specialist IT consultancy for the Charity and Voluntary sectors tailored to the needs of the organisation. Services include anything from network advice and installation to interim / project management. Email: info@ltgconsulting.co.uk
Tel: 01733 705393 / 07957 288987

Published: 23rd July 2004 Reviewed: 5th July 2006

Copyright © 2004 Lynette Turnbull-Grant, LTG Consulting

All rights reserved
