Review: Computer security - 20 things


Computer Security:

20 Things Every Employee Should Know - The Employee Handbook for Securing the Workplace


Second edition

Author: Ben Rothke

ISBN: 0-07-226282-6

Published by McGraw-Hill (2005)

~50 pages

Price: ~US$8 from Amazon


Executive summary

This neat little booklet summarizing computer security for ordinary employees could usefully support a structured security awareness program, but do not rely on it alone.

Coverage

Here are the ‘20 things every employee should know’ in the order they appear:

  1. Phishing and spyware - don’t click links requesting personal info or download programs from unfamiliar companies, and set browser security
  2. Identity theft - be careful over phone and web, monitor finances
  3. Responsibility - guard your ‘access credentials’ and follow policies
  4. Passwords - choose wisely, don’t write them down and don’t share them
  5. Malware - be aware of the threat, update anti-virus and anti-spyware, be careful with email attachments
  6. Telecommuting/home working and remote access - use a personal firewall, encryption and physical security
  7. Email - be cautious with attachments, update your antivirus software
  8. Email hoaxes - spot them, check them and don’t forward them
  9. Web surfing - minimize personal use, avoid cookies and software downloads
  10. Internet use - don’t visit chat rooms at work, take care with IM
  11. Instant Messaging - don’t release secrets or illicit material, update IM software
  12. Firewalls and patches - use a personal firewall, patch the system and update antivirus
  13. PDAs - physically secure them, use passwords and encryption, and disable wireless autoconnection
  14. Backups - schedule backups and store them securely
  15. Classified data - respect classifications, log off or lock up the PC when not in use
  16. Office IT security - apply the clear desk policy, physically protect PDAs/USB devices etc. and securely delete or shred sensitive information before disposal
  17. Social engineering - be alert, don’t disclose sensitive information without verifying the requester
  18. Appropriate use of corporate IT equipment - limit personal use
  19. Seek help - call the incident response team if a security incident occurs
  20. Keep things in context - be alert, understand the risks and act intelligently

This is a good breadth of topics to cover, broadly resembling the security awareness topics we cover in NoticeBored. There is some duplication and a few apparent gaps (see below), but overall it’s a good mix.

Depth

Each topic is covered in a double-page spread with about 400 words. That’s actually quite a lot for an awareness booklet, meaning that some employees may need ‘gentle persuasion’ to read it. Some case-study-type real-world examples and news stories might have spiced it up a bit.

Writing style and readability

Despite being promoted for use by non-technical employees, the language sometimes slips briefly into jargon (e.g. “Never share your information security credentials, whatever the circumstances” on page 5). The booklet ends with a reasonable 5-page information security glossary in which some of the explanations could have been further simplified, de-jargonized and put into plain English (e.g. “Security incident - Act that deviates from the requirements of security policy”). On the whole, though, the booklet should be reasonably accessible to the average computer-using reader.

What’s missing?

In my opinion, the following are relatively weak:

  • Security of USB devices and wireless networks should be covered in more depth - these are increasing threats that, to some extent, post-date the book;
  • The backup section could usefully mention contingency planning;
  • It would be good to advise employees not to mess with the security configuration settings of their desktop systems, perhaps in the context of change and configuration management;
  • Compliance with legal and regulatory obligations might be mentioned in the same context as corporate policy compliance;
  • There is nothing on software development or risk assessment: end users who develop spreadsheets and other desktop applications should be aware of the need to make them secure;
  • It’s a shame there is no quick summary (such as the list shown above). Perhaps the next edition might include a pull-out-and-keep reminder postcard?
  • There are no obvious reference sources for those readers who might be interested enough to want more information.

Conclusion

At just $8 per copy, it should be economic to purchase a pile of these to distribute around the company and add to the goody-pack presented to new employees during the first-day employee orientation/induction course. You do have a security slot in your induction course, don’t you?

[PS For a similar but even briefer alternative, check out Fred Cohen’s 24-page booklet Information Security Awareness Basics.]



Copyright © 2010  IsecT Ltd.