Regulating Interactivity Through Information and Equipment Control
Consistency is the key to effective communication of most messages. Whether it is a senior executive consistently repeating a specific objective or the simple labeling of documents to create an expectation, the need for employees to adhere to guidelines is of paramount importance.
This section considers the following topics:
Determining levels of confidentiality
Inventory control: logging and tagging
Determining Levels of Confidentiality
Most organizations regularly e-mail and courier envelopes and documents they deem to be sensitive in nature. Labels such as private, personal, protected, confidential, and secret are used to ensure that documents are afforded appropriate respect. The decision to label and choose terminology is generally made by the sender.
Regulating interactivity attempts to define a process users can call upon to determine the following items:
When a situation or file warrants labeling
What label to use—private, confidential, secret, and other similar markers
This process sets expectations. It allows e-mail users to effectively prioritize incoming traffic. It also allows the mailroom to appropriately segregate and distribute internal mail, and reception staff to effectively handle couriers and pass confidential packages to the intended receiver or the appointed agent.
At a minimum, three security communication classifications should be used, and the security level should be noted on each segment of the communication, including the envelope, e-mail, file, and actual document. The latter is particularly important in the case of e-mailed documents, where the receiver is more likely to generate a printed copy of the confidential file. An accompanying comments section should note that sensitive documents should only be printed on a dedicated printer, when the user is available to immediately collect the documents.
Inventory Control: Logging and Tagging
It might seem odd to individuals uninvolved in the process, but maintaining up-to-date and comprehensive inventory listings of all hardware, software, and data assets can be challenging. It is particularly difficult for large enterprises with remote offices, but it is advisable to develop centralized practices or to construct a controlled decentralized process whereby every department has one IT-sanctioned individual who can perform the necessary work. The process would strive to curtail aberrant network additions and to protect the organization against unknown equipment vulnerabilities, because an IT department cannot protect equipment it does not know exists.
In an attempt to sidestep perceived bureaucracies, the following mistakes might be made:
Departments might be tempted to purchase and install their own network equipment, unwittingly creating a possible conflict with centralized security measures.
Departments that independently install certain equipment and software could unwittingly cause negative implications, similar to two doctors prescribing prescription drugs for a patient, although neither is aware of the other's involvement. The computing pairing would likely not result in a fatal error, but it could serve to undermine security by creating back doors.
Users could install personal wireless hubs, enabling them to wander from their workstations but still be connected. As discussed in Chapter 2, "Crucial Need for Security: Vulnerabilities and Attacks," this could inadvertently result in a breach.
Enforcing a consistent program that logs every piece of equipment, both hardware and software, can serve to remind all employees that equipment purchases must be approved and sourced centrally. The logging and tagging of equipment can help to thwart those who attempt to undermine a company's security measures by purchasing and installing appliances and software locally. Most importantly, manufacturers issue patches for their equipment immediately upon learning of a flaw. If the IT department were not fully aware of all equipment on the company network, fundamental patches might not get applied.