
Computer security in the workplace


Anonymous

Viruses, Trojans, theft of critical information, denial-of-service attacks, and malware in general are threats that in recent times have become almost daily incidents.

The figures on detected incidents and vulnerabilities published by CERT are not at all promising, having doubled in recent years. Moreover, and in line with those published figures, it is shown every day that technical measures alone are not enough to resolve security incidents; appearances can sometimes deceive us, and a false sense of confidence in the security achieved makes us more vulnerable.

Policies and Standards

In recent years we have witnessed the notable success of various standards for implementing strategic information security models: COBIT, COSO, CMMI, or the ISO 17799-ISO 27001 pair, one of the most successful and widely accepted standards worldwide. If we analyze some of these frameworks, one of the elements that should be established from the outset is the set of policies, principles, and compliance requirements of the Company, which determine the focus of security management. These documents must be published and known by all employees, setting out in simple, easy-to-understand wording the standards considered necessary to meet the established requirements, together with the general and specific responsibilities for security management, including the mechanism to follow to report any incident. Last but not least, it will be necessary to establish the consequences of violating the security policy and regulations that Management has approved. The various security standards define as a key point the establishment of roles, responsibilities, and functions for all employees, and the way to extend these security premises to any employee hired by third parties with access to Company information.

Despite the technical measures, the necessary resources, and any policy or regulation that the Company may develop and require compliance with, one of the most important assets in any security approach is the personnel themselves: every worker who processes information and manages resources according to the attributions and responsibilities assigned to them. This might seem obvious, yet not every Organization analyzes and treats it with the same importance as the deployment of a technical tool that affects systems, such as a firewall, an antivirus, or an access control system for the data center (CPD). To ensure that employees take on both their responsibilities and the established rules and policies, a continuous effort of awareness, education, and training is vital. Awareness should constantly remind people of the policy and their responsibilities, whether through the publication of brochures or informative talks, and its purpose is that individuals can recognize security problems and incidents and respond according to their role and job position. Training should cover different aspects, such as specific policies, legal responsibilities, correct use of resources and technical measures, the disciplinary process, and so on. Any organized activity must be carried out on the basis of professional profiles or defined roles.

Legal requirements

One of the necessary approaches in the field of security lies in the mandatory legal requirements that affect Companies in their use of new technologies and in their treatment of data and information, such as the LOPD (Organic Law on Data Protection), which governs everything concerning the processing of personal data, or SOX (Sarbanes-Oxley), which ensures the correct processing of information, transactions, and authorized access to the financial information of companies listed on the US stock exchanges. The Security Measures Regulation (RMS) of 1999, whose purpose is to establish technical and organizational measures for the protection of automated files containing personal data, articulates the mechanisms for defining responsibilities in the treatment of data through article 9 (Functions and Obligations of Personnel). Its first point obliges Companies to define the profiles and the functions assigned to each of them for access to information systems, and its second point establishes the obligation to provide the necessary mechanisms so that personnel know the attributions defined for them and the consequences they could incur in the event of non-compliance. The establishment of responsibilities and their effective communication to employees should be one of the first steps in the security chain that affects the end user who works with the information.

As part of their contractual obligations, employees should accept and sign the terms and conditions of their employment contract, which should set out their responsibilities, as well as those of the Company, with regard to security. The terms and conditions of the employment contract, in any of its forms, should contain:

  • The general policy defined and approved by Management
  • A commitment to confidentiality and non-disclosure of the information they will handle during their work in the Company
  • Specific responsibilities related to regulations that affect the Company (LOPD, LPI, etc.)
  • Responsibilities for the classification of information and its treatment
  • Responsibilities for the handling of information received from other companies or third parties
  • Responsibilities for the treatment of information outside the usual facilities
  • Actions to be taken in case of non-compliance with security requirements on the part of the employee

Conclusions

With both the legal and the voluntary regulations that allow responsibilities for security in the workplace to be established, it is clear that systems, however complex and secure they may seem, are in the hands of their users. Mechanisms must be put in place to publicize the general regulations and mandatory requirements, without forgetting that it is the user who processes the information and who must have the appropriate knowledge and specific training, so that we can rely on all the procedures and technology acquired by the Organization to achieve a reliable and secure environment.
