August 2006

think security

Security Begins With You

By Glenn S. Tenney, CISSP, CISM

Almost every week, it seems like there’s another front page story about a computer being stolen or misplaced, leaving thousands (sometimes millions) of people’s private and sensitive information at risk. In the engineering trade news, we also read about thefts of trade secrets, which cause millions of dollars of damage each year.

Today, every company has to deal with security on some level — security of information, security of trade secrets, security of financial transactions and so on — but security is also very personal. Each of us has to deal with our own security every day, from credit card offers to medical records to home computers.

Some IEEE members deal directly with security on the job, but most deal only incidentally with it because their employers demand that their inventions be kept secret, especially from competitors prior to new product releases. But, there’s much more to security than some people being careful about some situations some of the time.

Security is much more than just adding firewalls to a network, or security features to products. Bruce Schneier, a well-known security expert, has said, “Security is a process, not a product,” meaning that security should be a part of every business process, and all employees need to be involved in and aware of security.

But, how does this affect you when your job is not security?

You may have heard about the Sarbanes-Oxley Act (known as “SOX”), the Gramm-Leach-Bliley Act (known as “GLBA”), or the VISA / MasterCard PCI DSS (the full title is “Payment Card Industry Data Security Standard”) that applies to many companies accepting credit cards. Or, perhaps you’ve heard of California SB 1386, which requires notification anytime a California resident's sensitive personal information has been breached. Even at home, when you go to the doctor (or perhaps on the job, if you deal with medical records at work), you might have heard about HIPAA (the full title is the Health Insurance Portability and Accountability Act).

A common aspect of these bills and industry requirements is that they compel companies to institute security policies and procedures and then document compliance with their own policies and procedures. That’s where you come in. A company’s security policies cover its employees, and demonstrating compliance usually involves a variety of audit trails and logs. For example, if there were a security incident at your company, even if you weren't involved, your company’s policies might call for a careful investigation of employees' computers and other audit trails covering their computer usage — including your own.

How does any of this really affect you if your job description doesn't involve security, or your company's security department monitors its network and secures all of its computers, or you use a firewall at home? Security must be a part of the corporate culture at all levels. Cisco President and CEO John Chambers has said, “Security starts with me, the CEO, down to the individual contributor level … it’s mandatory.”

Think back to those news stories about the pilfered or misplaced personal data. When you heard about those incidents, you may have thought: I’d hate to lose my job because I was at fault. In each of those cases, not only might someone have lost their job, but the companies definitely took a hit financially. Reasons abound why you should care about security, not the least of which is that a security breach at your company can affect your salary, job, stock options, even retirement plans. Familiarize yourself with your company's policies so that you're aware of what your role is in your company's security, and how you should deal with possible breaches.

Corporate security scenarios teach us a great deal about security that we can apply both on the job and at home. You won’t get fired because of a security problem at home, but you should still apply the same security basics to your computer and network at home. Of course, if you have children at home using the Internet, plenty of other issues exist that we won’t get into here.

What can you do?

Because security is a process, no simple checklist exists for ensuring security of your computers and networks. Most security professionals will tell you that it’s virtually impossible to be 100 percent secure, the joke being that the only secure computer on the Internet is the one that’s powered off (and some professionals are even skeptical about that).

Make security a part of everything you do, because when it’s always in the back of your mind, you’ll be more aware when something doesn’t feel quite right, whether you’re using your computer on the Internet or designing an embedded device.

You can take many security precautions when working on your computer, on the Internet, on the telephone, at home, and while traveling on business or pleasure — precautions related to phishing, pharming, social engineering, botnets, zombie machines, and the list goes on. Future columns will deal with more security measures in greater detail, but for starters, the following are a few simple security measures that you should employ when using any computer:

  • Know your company’s security policies. If you run the company, or you are using your home computer, you must establish security policies.

  • Never share your password (or security token). Be sure that whenever you enter a password or other sensitive information (e.g., a credit card number), it’s in a trusted system or it’s being encrypted when transmitted.

  • When in doubt, throw it out. Don’t click on links in e-mails or open e-mail attachments unless you trust the sender 100 percent and you're certain that the e-mail came from who it says it did. Since criminals often attempt to imitate people you know or trust, the safest approach is to avoid clicking on links or opening attachments in questionable e-mails. Remember: just because it looks like an e-mail from someone you trust, it might not be.

  • Use up-to-date anti-virus / anti-spyware software appropriate for your computer system.

  • Whenever possible, use a firewall.
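The “when in doubt, throw it out” advice above asks the reader to confirm by eye that an e-mail really came from who it claims and that its links go where they appear to go. The following added example, which is not part of the original column, shows those two checks done programmatically in Python: it parses a constructed sample message, compares the sender's address domain against a set of known domains, compares the Reply-To domain against the From domain, and flags any link whose visible text names one host while its href points to another. The `TRUSTED_DOMAINS` set, both sample messages and the helper names are assumptions made for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the reader's own organisation uses example.com; any other
# sender domain counts as "unknown" for this illustration.
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample (not a real message): the display name looks familiar,
# but the address domain differs and the first link's visible text does not
# match where it actually points.
SUSPICIOUS_MESSAGE = """\
From: "Pat Lee" <pat.lee@mail-example.net>
To: you@example.com
Subject: Updated expense form
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please review the updated form:
<a href="http://expenses.example-portal.net/login">https://intranet.example.com/expenses</a></p>
<p>Team calendar: <a href="https://intranet.example.com/calendar">intranet.example.com/calendar</a></p>
</body></html>
"""

# Constructed clean message from the colleague's real address.
CLEAN_MESSAGE = """\
From: "Pat Lee" <pat.lee@example.com>
To: you@example.com
Subject: Team calendar
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Calendar: <a href="https://intranet.example.com/calendar">intranet.example.com/calendar</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lower-case host from a URL, or from bare 'host/path' text; '' if none."""
    text = url_or_text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def domain_of(header_value):
    """Domain part of the first address in a From/Reply-To header value."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def check_message(raw):
    """Return a list of findings; an empty list means no mismatch was seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = domain_of(msg.get("From"))
    if from_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender domain {from_domain!r} is not a known domain")

    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from sender")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, actual = host_of(text), host_of(href)
            # Only compare when the visible text itself looks like a host or URL.
            if "." in shown and shown != actual:
                findings.append(f"link text shows {shown!r} but points to {actual!r}")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, check_message(raw) or ["no findings"])
```

Run as a script, the suspicious message yields two findings (unknown sender domain, and a link whose text names intranet.example.com while its target is expenses.example-portal.net) and the clean message yields none. The checks are deliberately heuristic: a known domain in the From header proves little on its own, since that header is trivially forged, so a finding here is a reason to pause and verify through another channel, not a verdict.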

A hallmark of the security talks I've given over the years is that I tell people they need to: Think Security!

Recent Graduates
----------------------------
Through college, students are encouraged to share information with colleagues across the hall and across the world. The old motto “publish or perish” means that they also have to publicly disclose much of their research.

Recent graduates going into the commercial sector often find it difficult to make the transition from that spirit of openness and sharing to the world of non-disclosure agreements and trade secrets. I’ve seen post-docs join startups and continue to share what they’re working on (i.e., their new company’s research) with their former academic colleagues; and I’ve seen other recent graduates go to the other extreme, where they stop sharing and discussing anything and everything.

Finding the right mix of security and openness — between keeping trade secrets and engaging in the very useful peer-to-peer discussion and sharing of ideas and research — can be a recent graduate's toughest professional challenge. A suitable career mentor might be able to provide excellent counsel in this regard.

Glenn Tenney, CISSP CISM, is a former chair of IEEE-USA's Intellectual Property Committee, and is IEEE-USA's Career Policy editor. Comments may be submitted to todaysengineer@ieee.org.


Copyright © 2007 IEEE