If you have a company that you own, and have some computers and other systems on a network, are you in charge of that network? Ultimately maybe you are _responsible_, but are you in charge of it?
Or is it the computer users? or any user with a phone and device on the network? Is the IT person in charge?
If you have the following people:
- Customer reps
- Sales reps
- Warehouse person
- PointoOfSale person (at cash register)
- HR person
- IT person
I chose 7 different entities in a sample company to illustrate what a company could look like. You can add your titles and make notes of the people in your employment.
Do you know where I will be going from here? Now that I set the stage – are you in charge of a company network when there are more than a few people using it every day.
By ‘In charge’ I mean can you micromanage every person’s internet usage? Or computer use? Obviously not. We depend on people that we employ to do the right things, only use resources for what they are intended to be used.
But does this happen every day?
What has to communicated to every employee is the consequences of incorrect usage, and to understand why this is so?
A security policy must be created to convey this message.
The Security policy must explain why and how one can protect the network and computers. It also must go over access management – i.e. warehouse person should not have access to HR data. The owner should or should not have access of HR? For some companies maybe that is ok, but for a certain size company no. Everything must be spelled out. The IT person has authority and access to all the IT resources, whereas other roles should not have access. But you could give another person access to printers for example. (Customer reps for example could also manage a certain number of printers).
With a proper Security Policy one can do everything one is supposed to – for example the following is from the PCI compliance Data Security Standard v3.2.1:
12.5 Assign to an individual or team the following information security management responsibilities:
12.5.4 Administer user accounts, including additions, deletions, and modifications.
12.6.1 Educate personnel upon hire and at least annually.
12.6.2 Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
So if you accept credit cards, you are supposed to do this anyway.
Each business has it’s own customizations, number of employees, type of employees, and roles that each employee provides.
Also do not forget to manage the service providers that may get access to a system or network for a certain time.
Identity Access Management (IAM) is what the above role access and review of who gets to run what is called.
List your titles of employees, explain the title (sometimes is needed) and then explain the roles in the organization.
Now will have to slowly build the Security Policy.
Contact me to discuss this in detail.