Cyber Security Awareness Month - Day 28 - Role of the employee
Today’s topic for Cyber Security Awareness Month is the Role of the Employee. Almost everyone reading this today will create some form of stored data which is significant to them. Such is the role of the user, and basically every employee with an IT system is a user of some form or other. Recently I had the opportunity to discuss a very similar topic with some friends at www.eitc.edu. The discussion centered on personal responsibility with regard to security. This was a very productive discussion that yielded many of the same questions and conclusions I will discuss today. The role of the employee is essentially the role of the user, which always leads to 3 questions:
“What data have I produced?”
“How do I get this data back, so I may continue, when all else fails?”
Once you have applied these questions to the data you have created, whether 2 presentations or 200 emails, you will find the long road ahead much easier. The third question is a bit more difficult, and is a topic for another day:
“What data, other than my own, am I ultimately responsible for today?”
I would like to talk about the first 2 here a bit more. Of course, discussions or comments are always welcome and encouraged. “What data have I produced today?” This question hopefully leads everyone to ask a number of questions about backup, restoration, and possibly even continuity of operations with regard to their jobs and data. One common question is “How do I keep going after a (insert disaster here, e.g. fire, flood, etc.)?” If you are reading this, then most likely you, in both your professional and personal life, create some form of data each day. In the workplace this may be several proposals or presentations. In the home, it may be a weekend of pictures downloaded to the home computer. So what happens when the workplace is flooded? God forbid, a fire at home? Is the data created on a computer any less priceless than the letters from 2 years ago? No. You would hopefully plan for and protect these electronic artifacts the same as you would the physical artifacts.
“How do I get this data back, so I may continue, when all else fails?” To answer this question completely, question number 1 has to be answered first. Essentially, once you have identified who is responsible for the backup and restoration, ask the question “Where is my data, so I can get it back when everything else fails?” Sometimes this is a question we have to ask ourselves about personal data we’ve created, in the form of contact lists, email archives, and personal data. In the data realm we are producers, provisioners, consumers, and sometimes all three. Anyone in the role of the first two needs to understand completely the role they play in today’s CyberSecurity world.
tony d0t carothers at isc d0t sans d0t org
Comments
I'm not so sure employees should be the ones worrying about "get the data back" or asking these questions. Company policies should tell the employees where to save their data, and company security policies need to tell the sysadmins how to back up the data.
The average employee cannot be expected to anticipate all possible risks on how they might come up with their own availability strategies.
"What data have I produced?"
Hm.. someone's answer might be something like "a spreadsheet of customer orders, with their credit card numbers, SSNs, and other personal details"
"How do I get this data back, so I may continue, when all else fails?"
hm... "I'll save a copy to the shared drive, FTP a copy up to an offsite server, and e-mail myself a copy to a hotmail account, just to be sure."
That's an example of bad answers that might seem OK to the average person.
Instead, the answers ought to be "Company policy says I should save this information directly into the ordering system, so I do that. The system operators are responsible for getting that back if information is lost in the system."
Mysid
Oct 28th 2010