Failure to have adequate information security policies can lead to many risks for an organization. Do you know if you need information security policies or what can happen if you don't have them?
The following is a list of general scenarios that may help your organization identify whether it is vulnerable to potential security incidents, and why you would need security policies in place BEFORE such incidents occur. To find out more, request a copy of our FREE 15-Point Security Policy Checkup.
Do You Need Information Security Policies?
Information security policies are needed to:
- Inform workers of their information protection duties, telling them what they can and cannot do with respect to sensitive information.
- Define how employees are permitted to represent the organization, what they may disclose publicly, and how they may use organizational computer resources for personal purposes.
- Clearly define protective measures for these special information assets. The existence of a policy may be a decisive factor in a court of law, showing that the organization took steps to protect its intellectual property.
- Define both acceptable and unacceptable behavior. For example, spending a lot of time surfing the web and downloading pornography from the Internet are both generally unacceptable. Policies are needed to establish the basis for disciplinary action, up to and including termination.
Real World Problems Caused by Missing Information Security Policies:
The following are specific cases designed to give you an idea of how adopting security policies can help you avoid problems in various industries:
At a Government Agency...
A clerk spent a great deal of time surfing the Internet while on the job. Because there was no policy specifying what constituted excessive personal use, management could not discipline this employee. Then management discovered that the clerk had downloaded a great deal of pornography. Using this as a reason, management fired him. The clerk chose to appeal the termination with the Civil Service Board, claiming that he couldn't be fired because he had never been told that he couldn't download pornography. After a Civil Service hearing, the Board ordered him to be reinstated with back pay.
At a Law Firm...
The manager of data processing took a job with a competing law firm. Because his former employer had nobody who could do the job that he did, they kept him on as a contractor. On a part-time basis, he would perform systems management tasks. In order to do these tasks he needed full privileges on the former employer's network. One day the former employer learned that the manager's new employer was opposing them in a high-visibility lawsuit. Could the former data processing manager gain access to the shared legal strategy files for this case on the network? The answer was yes, but nobody knew whether the manager had exploited these capabilities because no data access logs were being kept. This situation could have been avoided if the former employer had policies about conflicts of interest, system access privileges, and keeping logs.
At an Oil Company...
An oil company computer technician compiled a list of jokes about sex. Proud of his list, he broadcast this list on the Internet, appending his electronic mail address to the end, just in case the recipients happened to have heard any new ones. Management was able to have the posting deleted from several discussion groups, but was not able to control copies that had been made. Around the same time the same technician had printed a copy of his list, and when distracted by something else, had left it in the hopper of a departmental printer. Women in the department objected that they had been subjected to sex jokes via email that they didn't want to hear. They pointed to the Internet postings and the printer output as examples. The pending sexual harassment lawsuit was settled for an undisclosed sum. A policy about permissible use of the Internet, as well as a policy about representations made using the company name on the Internet, were noticeably lacking.
At a Local Newspaper...
A local newspaper had no policy requiring the termination of user-ID and password privileges after an employee left. A senior reporter left the newspaper, and shortly thereafter, the newspaper had trouble because the competition consistently picked up on their exclusive stories (scoops). An investigation of the logs revealed that the former employee had been consistently accessing the newspaper's computer to get ideas for stories for his new employer.
At a Midwest Manufacturing Company...
A virus hoax sent by email through the Internet indicated that if people receive a message with the heading "Join the Crew" they should not read it. The hoax went on to state that this email would erase a hard drive if ever it should be displayed. Thinking that they were doing others a favor, 10% of the staff at a large manufacturing company broadcast the hoax to all the people they knew. Because no policy defined how they should handle these warnings, they flooded the company's internal networks with email and caused a great deal of unnecessary technical staff time to be wasted.
At a West Coast Manufacturing Company...
Because it had no policy requiring employee private data to be encrypted when held in storage, a large manufacturing company found itself facing a public relations problem. A thief made off with a computer disk containing detailed personal details and bank account information on more than 20,000 current and former employees. The press speculated that this could be used to facilitate identity theft, including application for credit cards in the names of other people. The event precipitated a massive notification process including recommendations on changes to bank account numbers.
At a Major Online Service Company...
A Navy enlisted man registered with an Internet online service company and filled out a profile form which indicated that he was gay. An employee at the service company, after an inquiry from the Navy, shared this profile information with the Navy's "top brass." Based on this information, the enlisted man was given a dishonorable discharge. The enlisted man sued the Navy for violating its own "don't ask, don't tell" policy, and won an honorable discharge with retirement benefits as a result. The online service company publicly stated that its employee had violated "the privacy policy," but this policy had been violated on multiple occasions before, including top management's publicly stated intention to sell customer home telephone numbers to telephone marketers. At least the service firm now admits that it has a policy.