
Asset Protection through Security Awareness PDF

520 Pages·2011·2.822 MB·English

Preview Asset Protection through Security Awareness

Asset Protection through Security Awareness
Tyler Justin Speed

CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2011 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business
No claim to original U.S. Government works
Version Date: 20120113
International Standard Book Number-13: 978-1-4665-5141-1 (eBook - ePub)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

INTRODUCTION
WHAT IS INFORMATION SECURITY?

CHAPTER 1 CREATING A CULTURE OF SECURITY AWARENESS
Protecting Corporate Assets Protective Measures Technical Protective Measures Physical Protective Measures Personnel Protective Measures A Culture of Security Awareness Education Is Key Creating the Culture Acknowledging Security Issues Accepting Responsibility Assessing Risk Crafting Security Policies Training at All Levels Creating Benchmarks for Success Security Audits Encouraging Secure Operations Building a Security Team Planning for Disaster Remaining Dynamic

CHAPTER 2 OVERVIEW OF SECURITY AWARENESS CATEGORIES
Industry Standards Privacy Concerns Visual Data Privacy Protection Auditory Privacy Protection Digital Data Privacy Health Information Concerns Client Records Password Management Credit Card Compliance (PCI) General File Management File Access Control Physical Access Control Examples of Security Regulations and Laws Financial Institutions Industry-Specific Regulations

CHAPTER 3 WHO IS AN IS PROFESSIONAL?
Empowering Security Professionals Top-Down Approach C-Level Managers Upper Management Mid-Level Managers Low-Level Managers End Users A Workforce of Security Professionals

CHAPTER 4 DIPLOMACY
The “People” Portion of Information Security A Breakdown in Trust = A Breakdown in Security The IS Specialist An Issue of Communication Two Different Worlds Diplomacy—The IS Professional’s Best Friend Softening the Security Message The IS Servant A Caretaker’s Approach End Users Are Great Network Monitors Super-Users The End User’s Diplomatic Responsibility

CHAPTER 5 PRIVACY CONCERNS
What Is Privacy? Why Does Privacy Matter? Types of Private Data Proprietary Information Customer Records Employment Records Health-Related Information Industry Research Keeping Files Private Digital Data Physical Data Management Notes Verbal Data Privacy-Related Regulations and Laws Gramm–Leach–Bliley (GLB) Financial Modernization Act of 1999—Year Enacted: 1999 Health Insurance Portability and Accountability Act (HIPAA)—Year Enacted: 2003 (Final Ruling) Children’s Online Privacy Protection Act—Year Enacted: 1998 Privacy Policies

CHAPTER 6 INTERDEPARTMENTAL SECURITY
Interdepartmental Security
