Workforce Development Online - Issue 16

Security, it's Everyone's Business

Security

Protecting the highly sensitive individual, personal, and financial information gathered and stored as a part of Virtual OneStop operations and activities is very high on the Geographic Solutions list of priorities. A variety of security tools at the application, database, and systems levels are used to protect this highly important and sensitive information from unauthorized access and/or disclosure. Multi-level access authority logins and passwords; security software to protect against viruses, unauthorized intrusion attempts, and denial of service attacks; hardened clustered firewalls; and Secure Sockets Layer (SSL) transmission protection are just a few of the tools and sensors used to provide full-time automated protective measures.

However, none of these tools are effective without the most valuable sensors in this process — the awareness of every single user who has access to the systems and data being guarded by the many protective measures designed to thwart unsecure, undesirable, and unauthorized activities. We constantly need everyone's awareness, vigilance, and assistance in reporting any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with information systems operations.

The Geographic Solutions Operations Department is the central point of contact for all information-security matters, and the Operations Manager is designated the Security Officer for the company. One of their key responsibilities is the timely investigation, response, and resolution of suspected security incidents.

A well-advertised and exercised incident reporting process is the mechanism of the security program that allows for the identification, investigation, response, and resolution of known or suspected security breaches and incidents. Whether the initial indication comes from a pre-configured automated system security notification or user discovery, Geographic Solutions uses any communication means available to rapidly report and document the details of the suspected security incident. The Online Project Communications (OPC) ticketing system is the primary tool used to document and track any suspicious security activities.

  1. Specific occurrences which will trigger the preparation of a security incident OPC may include, but are not limited to, the following:
    • Any suspicious or known breach of security by any user for any reason known to be a violation or contradiction of Geographic Solutions' philosophy of protecting and safeguarding private information.
    • Any suspicious or known breach of security by an external third party for any reason known to be a violation or contradiction of Geographic Solutions' policy of protecting and safeguarding proprietary and confidential information.
    • Any suspicious activity uncovered through review of routine or random audits.
    • Request for audit log review of user activity (special authorization required).
    • Suspected or proven violation of protection or malicious software.
    • Violation of login attempt (using or attempting to guess another user's login and/or password).
    • Sharing of passwords.
    • Improper network activity.
    • Improper e-mail activity.
    • Improper information exchange (credit cards, personal information, etc.).
    • Inappropriate access by an individual user, employer, client, contractor, or business associate.
  2. An OPC trouble ticket must be accurately and thoroughly completed within 2 hours of the incident discovery (or sooner if the suspected or known breach causes serious risk to the organization) and forwarded immediately to the attention of the workforce member's direct supervisor and the Geographic Solutions Operations Manager. In the event an organization or individual outside Geographic Solutions provides the report, the same time frame and reporting procedure apply to the Geographic Solutions workforce member in receipt of the report. At a minimum, the report should contain the following:
    • Date of the incident.
    • Start time of the incident.
    • Clients affected.
    • Is the activity suspected or known?
    • Description of the incident.
    • Impacted systems.
    • Impacted users.
    • Any details that would help in the investigation.
  3. Upon receipt of the Security Incident Report, the Operations Manager and, as needed, other members of the Operations Team will review it (and conduct the initial investigation) to confirm the validity and level of risk associated with the reported incident so the appropriate priority for actions and response can be established.
  4. The Operations Manager, Senior Systems Administrator, and any other affected department Director/Manager will convene within a reasonable time frame (depending upon the level of risk of the incident) and as frequently as needed to:
    • Investigate and validate the facts included in the incident report; this should include an assessment of possible damage to the organization or clients.
    • If it is deemed to be damaging to the client(s), the client(s) will be immediately notified while the incident continues to be investigated by security resources.
    • Determine if the incident needs to be reported to law enforcement, other authorities, or the client.
    • Lessen or mitigate any harmful effects, as necessary and applicable.
    • Determine if the issue should be evaluated as part of a larger review (such as part of ongoing risk analysis), and whether or not systems configuration and/or changes to other related Geographic Solutions policies and procedures are necessary.
    • Address communication and training to all affected workforce members if policies and procedures are to be implemented or modified.
  5. All necessary actions, including outcomes, will be handled promptly and documented in accordance with Geographic Solutions policy.
  6. On a routine basis, the Operations Manager will provide senior management-level representatives with aggregate reporting of all received security incident reports and the organization's response, including level of sanctions applied, mitigation attempts, and/or resulting changes to policies and procedures.
  7. After the annual security policy review, or when policy/procedures are updated or changed, the staff involved in the security of the organization will be educated on the new policies and procedures.

A quality security program is not just a set of automated tools or a set of documents with written policies and procedures. It must be a living, breathing program of awareness and involvement by all participants. Please do your part to help us maintain a top-quality security program designed to protect and preserve the integrity and confidentiality of all sensitive, proprietary, and confidential information we handle. Your active participation in this effort will help us achieve our goal of delivering the best protection, best performance, and highest reliability possible.
