View the security of your office/facility in a ‘community’ setting. Develop relationships with surrounding businesses so that their ‘eyes and ears’ become yours and vice versa. The fact is that a neighbor's problem could become yours, and yours could become theirs. This is an application of the ‘combat multiplier’ approach: the more eyes and ears involved, the safer and more secure we can be by ‘extending our perimeters’ at no cost beyond establishing a basis for coordination, cooperation and communication. This will also facilitate deconflicting evacuation plans or mutual support for ‘stay where you are’ plans.
Develop and maintain a good working relationship with local law enforcers through your security personnel, if you have them, or management.
Support local First Responders with encouragement and, if possible, financial support. The fact is local police, fire and emergency medical personnel will ALWAYS be the first to respond; the first to help you.
Develop and test internal security and emergency response plans, to include, if possible, training of a building or office response team. Make sure employees are aware of and understand the plan.
Have alternate evacuation and rally point plans and routes.
Review your continuity of business plan for recordkeeping and communications in the event of any disaster, natural or man-made.
If you have video surveillance equipment, make sure tapes are reviewed for ‘patterns’.
To the extent possible, encourage, recognize and support employees who are members of the National Guard, Reserve or local volunteer units.
Establish procedures for knowing your visitors and vendors.
Vary security patterns; change barriers without forewarning; use different doors, gates.
It is crucial you keep employees aware and informed of what you are doing for their benefit and protection. Encourage their vigilance and thank them for putting up with any inconveniences necessary to keep them safe.
The following tips were prepared by the Commonwealth Technology Center (John Kanovich, Director) at the request of the Pennsylvania Office of Homeland Security to assist business, industry, institutions and organizations in assessing and improving their cyber security plans and procedures.
The topic of Cyber Security covers many actions that together help to protect the networked enterprise against hackers, viruses and other potential risks. Everyone has a role to play, including:
- Information technical staff
- End users
The key to effectively managing Cyber Security is to demonstrate top-level executive support. Some of the key management activities include:
- Create security policies to match the size and culture of your business. Policies must be written, enforced, and kept updated.
- Establish a computer software and hardware asset inventory list and create a lifecycle plan for each device.
- Classify data by its usage and sensitivity. Establish owners of all data assets. Identify data covered by specific regulations and requirements (Federal laws, credit card information).
- Prepare a comprehensive budget. Ensure that security is a specific budget line item.
Information Technical Staff
Information technology staff members are on the front line when it comes to cyber security. Some key activities include:
- Maintain configuration management through security policy implementation and systems hardening.
- Maintain patch management on all systems. Follow a regular schedule for applying patches for operating systems, software, and anti-virus updates; subscribe to security mailing lists.
- Maintain operational management by reviewing all log files, ensuring system backups with periodic data restores, and reporting any known issues or risks.
- Perform security testing through annual security audits and penetration scanning.
- Ensure physical security of systems and facilities. Limit access to key personnel.
End users must ensure that security is addressed in detail. Some of these key activities are:
- Ensure anti-virus software is loaded and active on systems.
- Delete email from unknown sources without opening it.
- Back up data on a regular basis.
- Utilize strong, hard-to-guess passwords.
- Use personal firewalls.
- Download and apply security patches.
- Disconnect from the Internet when not in use.
- Check security on a regular basis.
- Restrict access to systems to authorized users.
- Ensure users know what to do when a system becomes infected.
In order to ensure continuity of business, proactive security measures must be taken and be part of daily operations. Routine security testing, regularly scheduled self risk assessments and third-party security audits must be performed. These are example questions to be addressed:
- Does your team know how to respond to emergency alarms?
- If you could not re-enter the workplace, do you have a pre-determined location to meet to coordinate recovery operations?
- Do you maintain a current list of employees, customers, and suppliers off site?
- If you lost a critical system, do you have a pre-determined plan to recover or at least a workaround?
- Have you met with local emergency response groups (i.e. Facilities, Security, Environmental, Health, and Safety) to discuss their role in recovering the business?
- Do you have an established business resumption team?
- Have you systematically evaluated all of the potential sources of disruption to your business, and do you have an active program to reduce the likelihood of a disruption?
- Do you have a business resumption plan that is securely stored remotely?
- Do you periodically test your business resumption plan along with your site emergency response plan?