Why Don't We Do It in the Road Ahead?
—Part 3, Security Enhancement
> Business continuity planning
> Page 2, Computus interruptus
Jerry Laiserin

In the operation of a modern IS or IT department or group, there is a continuum of “outside” demands that must be met—in computer jargon these are “interrupts.” Program behavior that constantly jumps from one task to another, without apparent progress toward an overall high-level goal, is said to be “interrupt-driven.” The objective of security (at a routine level) and of business continuity planning (at a more catastrophic level) is to provide a stable operational basis for behavior that is goal-driven rather than interrupt-driven.

The first level of security interrupts to be guarded against consists of access/control issues. I visit many AEC businesses that tolerate effectively unlimited and unprotected physical access to the firm's servers, LAN equipment and cabling plant. Throughout these offices unattended workstations are routinely left on, logged in, and with active files open on-screen. I see too few password policies, access logs, or other elementary security tools (this is not to say that such policies do not exist, merely that they are not actively pursued).

Access/control procedures must be periodically reviewed and enhanced, when appropriate. Formal written policies must be developed and/or updated, and made part of an employee manual. New employees and, periodically, existing employees should be asked to acknowledge in writing that they have read, understood, and are willing to comply with these policies. Consistent and diligent enforcement is necessary.

Security studies have shown that one of the most likely sources of system intrusion and damage is from disgruntled present or former employees. Because employee turnover is inevitable in any business, and can run as high as 20 to 25 percent of total headcount in large A/E firms, it is essential that policies be set and enforced regarding account codes and access rights for terminated personnel. This should include surrender of laptops and remote access privileges. The higher-ranked the terminated employee (in terms of IS/IT access privileges) the greater the risk; therefore, special upper-management procedures must be in place to secure all systems in the event of departure of IS/IT staff (it is customary in many businesses to escort departing IS/IT staff immediately from the premises, under supervision to ensure that they not have physical access to any computing or communications device).

Computer virus/worm infections and other "hack attacks" are an all-too-likely occurrence in today's networked environment. The associated threat level ranges from transient inconvenience to significant disruption. Proper use of firewalls, anti-virus scanning, operating system updates and patches, and good system housekeeping are appropriate measures to help ensure business continuity in the face of such threats (good system housekeeping includes policies such as access controls, rotating backups and not leaving installation default accounts like "admin" with a carriage return as the "password").

Recent adoption of wireless networking or "WiFi" within offices poses new security vulnerabilities that few firms have yet addressed on a par with wired access. However, the vulnerabilities of wireless access are far greater than for wired. Although comprehensive coverage of security for wireless access would require a separate article, the following list of highlights suggests the scope and severity of the potential problems.

Typical and/or default WiFi installations openly broadcast the SSID (wireless system address) and accept connections from any machine, regardless of its MAC (media access control) address—leaving networks open to "drive-by hacking."

Most WiFi systems default to no encryption; the first-generation WEP encryption is better than nothing; the newest WPA (Wireless Protected Access) encryption is better still.

Wireless access point devices are so cheap that users in large offices may be tempted to add their own access points to the network in order to achieve better connectivity; such "rogue" access points likely are totally unsecured, so must be hunted down (by commercially available "sniffers") and patched or disabled.

Mobile users connected to public access points or "WiFi hotspots"—such as those available in many airports, hotel lobbies, Starbucks and McDonald's—are unwittingly transmitting user IDs, passwords and other confidential information in the clear, for any other WiFi user within a 100 meter radius to intercept (the solution here is never to log on to any off-premises network, wireless or wired, without going through a secure VPN connection to the office).

None of this negates the tremendous benefits of WiFi connectivity, but it does argue for greater attention to security issues in WiFi deployments.
JL
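
The WiFi highlights above can be turned into a repeatable audit of an on-premises wireless survey. The following is an added example, not part of the original article: the CSV layout, the SSID names, the BSSIDs and the IT inventory are all constructed for illustration, and the encryption ranking (none, then WEP, then WPA) is the one the article gives.

```python
import csv
import io

# Constructed survey export (not real data): one row per access point seen on-premises.
SURVEY_CSV = """bssid,ssid,encryption,ssid_broadcast,mac_filter
00:11:22:33:44:01,FirmLAN,WPA,no,yes
00:11:22:33:44:02,FirmLAN,WEP,yes,yes
00:11:22:33:44:03,FirmLAN,NONE,yes,no
66:77:88:99:aa:01,linksys,NONE,yes,no
"""

# Constructed inventory of the access points that IT installed and manages.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

# Ranking taken from the article: no encryption < WEP < WPA.
ENCRYPTION_RANK = {"NONE": 0, "WEP": 1, "WPA": 2}


def audit_access_point(row, authorized):
    """Return the list of findings for one surveyed access point."""
    findings = []
    if row["bssid"].strip().upper() not in authorized:
        findings.append("rogue: not in IT inventory")
    enc = row["encryption"].strip().upper()
    rank = ENCRYPTION_RANK.get(enc)
    if rank is None:
        findings.append(f"unknown encryption value {enc!r}")
    elif rank == 0:
        findings.append("no encryption")
    elif rank == 1:
        findings.append("WEP only; move to WPA")
    if row["ssid_broadcast"].strip().lower() == "yes":
        findings.append("SSID broadcast enabled")
    if row["mac_filter"].strip().lower() != "yes":
        findings.append("accepts any MAC address")
    return findings


def audit_survey(csv_text, authorized):
    """Map each access point's BSSID to its findings; clean devices are omitted."""
    authorized = {b.upper() for b in authorized}
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_access_point(row, authorized)
        if findings:
            report[row["bssid"].strip().upper()] = findings
    return report


if __name__ == "__main__":
    for bssid, findings in audit_survey(SURVEY_CSV, AUTHORIZED_BSSIDS).items():
        print(bssid, "; ".join(findings))
```

Comparing each survey against the inventory on a schedule is what surfaces a user-installed access point; the configuration findings apply equally to sanctioned devices left at installation defaults.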
