SECURITY

 

The Definitive Business Security Solution Customised To Meet Your Needs

 

Service Contract

Kaon Security Ltd offers New Zealand customers a security service contract based around an annual subscription fee where subscribers receive service and support for a range of security issues.  Subscribing to this service provides your organisation with:- 

  • annual site audit and full report
  • policy review and update
  • technical support includes specified hours onsite and unlimited phone and email support
  • subscription to E-Secure-IT, global early warning security alerting system
  • staff education and training programme includes specified hours onsite and training CD
  • security awareness brochures
  • screen saver promoting IT security best practice

Together, the IT Security Policies and the SecurITy service contract provide a total security solution for organisations that are serious about improving IT security and successfully managing the risks of a security breach.

Benefits 

An ever increasing number of security incidents highlights the need for organisations to be responsible and take a proactive approach to systems and information security.  The Kaon SecurITy solution offers you:- 

ASSURANCE

Be reassured that your staff have access to experts for support, advice and assistance. Regular assessments of your IT environment provide evidence of improvement and highlight potential problem areas, allowing managers to stay informed about the organisation's security status. IT security is a complex and specialist area that very few IT Managers have been trained to handle. New threats are being discovered every day, making it difficult and time-consuming to keep abreast of current trends. Unless you have an employee dedicated to tracking security threats, ensuring that controls don’t loosen over time, checking that best practice is always followed, monitoring systems for compliance and updating processes and procedures, you need SecurITy.

COMPLIANCE

In many corporates, Government and Local Government agencies, policies and procedures are considered mandatory and actual onsite practices are assessed against this documentation during an annual audit.  As many vital business records are now stored and accessed from computers, businesses are beginning to recognise that along with the convenience there is also an element of risk that has to be managed.   Directors are becoming much more accountable to stakeholders for ensuring that this remains acceptable and are required to report significant risks which could potentially affect profitability. 

Kaon SecurITy Ltd takes a pragmatic approach to compliance, working with you to ensure that the organisation meets its security objectives and continues to improve over time. Regular auditing of systems not only tests for compliance against existing policies and best practice but also provides information for a policy review and update so that documentation remains current and meaningful. Actual onsite practices can also be reviewed to ensure that what happens in reality matches the documented requirements.

 

If you do not have this documentation, Kaon SecurITy Ltd can provide it for you.  The IT Policy System contains a full set of 24 policies provided in a user friendly format which can be installed as part of your intranet. 

 


CONFIDENCE

Policies and procedures are useless without an ongoing commitment to ensure that staff:- 

  • know about the policies, understand what is required and comply

  • fully comprehend the significance and ramifications of a serious security breach

  • have their work assessed regularly to ensure that important tasks are not being omitted and that controls do not loosen over time

  • accept that security is part of the corporate culture and not just something the IT department does

Managers need to be confident that staff are performing day-to-day business activities in line with documented policies and procedures and that they will act correctly should the organisation experience a security incident. Managers need to ensure that staff have the knowledge to identify a potential security problem and that they know what to do to ensure that damage and downtime are minimised. The cost to the organisation of experiencing a security breach is directly related to how well it is initially handled. Doing the right things at the right time and receiving the right advice will save thousands of dollars and ensure critical evidence is not destroyed.

SecurITy provides education seminars for staff so that the above is communicated to them.  Refresher seminars performed annually keep staff up to date and a training CD is also available to use as part of a staff induction program so that new staff know about security before they start work.  Including this training in a staff induction program also ensures that when signing an Employee Acceptance form agreeing to abide by the information systems security policies, new staff know and understand what they are signing. 

 

Why is this so important?

Adhering to well documented and known procedures and correctly configuring systems will prevent 90% of security incidents.

When you experience a security incident the way it is handled is directly linked to the impact on your business.

 

 

 

What sort of Security Issues might affect your Business?

 

UNAUTHORISED ACCESS OF CORPORATE SYSTEMS AND INFORMATION

Attempts (successful or not) by an unauthorised person to gain access to sensitive or confidential information by way of snooping, eavesdropping or interception. The information may be viewed, altered, copied or deleted, causing systems to be compromised and information to lack integrity. These actions will potentially threaten business continuity, company competitiveness, profitability and reputation. A hacker can also use your system resources for the relaying of spam mail, browsing the internet and for other non-business related activities. You pay for this and if you exceed your allocated traffic volumes you will be paying penalty rates.

SYSTEM SABOTAGE 

An attack of this nature can either be internal or external and cause loss or corruption of information and the removal or destruction of hardware, backups, networks and equipment.   

SPYWARE, MALWARE, VIRUSES, TROJANS AND WORMS 

There are literally thousands of these bugs in a myriad of forms and many new variants are introduced each week.  Systems can be rendered unusable, business continuity threatened by denial of service and there is always the potential for loss or corruption of information especially with the escalation of keylogger programs which collect and send back your data to a host. 

DENIAL OF SERVICE ATTACKS 

An attacker renders an application or system unavailable by exploiting a known vulnerability or by exceeding its processing capacity. Business processing stops because systems can’t cope with the number of requests and stop working.

WEBSITE ATTACKS   

Web developers often focus on functionality and spare little thought for security, creating many vulnerabilities which can be exploited by a resourceful hacker. Websites that have active content, and especially those handling financial transactions, are easily compromised if they are not protected by a web application firewall. For businesses that depend on online trading for income, this can be very detrimental to profitability and reputation. Links can be changed, websites defaced, customer and credit card information stolen and, in some cases, the whole website disappears.

 

What Can Be Lost in a Serious Security Incident

 

  • Reputation

  • Staff

  • Sales

  • Customers

  • (and potentially) YOUR WHOLE BUSINESS

   

Business Ramifications

  • Financial.  It will cost you money to fix including restoration and possibly reparation costs

  • It will also cost you dollars to ensure it doesn’t happen again

  • There may be legal consequences

  • Loss of confidence by staff who may even leave

  • Loss of business

 

Network Security Audit

The SecurITy package begins with a comprehensive network audit that defines your current security status.  This report sets the benchmark for continued improvement in IT Security.  The audit is carried out in three stages:-

  • With no authentication and no access rights

  • With general user access rights

  • With administrator access rights

This audit looks at all aspects of network security including:-

  • people management - registration, deregistration and access privileges

  • password management - password policies and management

  • information management - who has access to what information and where from

  • network devices - the configuration of switches, routers, firewalls and other primary equipment

  • external connectivity - who has access into the organisation and how this is set up

  • server management - patching, trusted relationships, configuration and general management

  • domain management - how domains are configured, access controls and high level privileges

  • remote access - how this is provided and authentication requirements

  • network configuration - whether the network structure has any security weaknesses

  • intrusion prevention - how port 80 security threats are handled

  • web content controls, spam management and anti virus controls

  • web2 controls

 

Getting the Security Message across to Staff

Developing security policies is no guarantee that users of information systems will read them. Even if they read them, how can the organisation be sure that people understand them? The organisation is responsible for ensuring that staff, contractors, consultants, remote users and any other third parties connecting to corporate networks are aware of their obligations.

The only way to be sure that users of corporate computer systems know and understand the contents of the policies and procedures is to tell them. The detail has to be explained. Computer users must also understand the reasons why certain rules have to be followed and what will happen if they are not adhered to.

Non-compliance, whether by error or ignorance, can cause a security incident which may have long term implications for business operations. Worse still, these actions may also affect other businesses that seek reparation for loss of income and may also lay criminal charges. Deliberately acting irresponsibly or being wilfully negligent is serious misconduct and may result in termination of employment or contract. Computer users must understand this and must sign an Employee Acceptance Form which forms part of their contract.

 

Onsite Training

Unfortunately, in many organisations, information systems security is just seen as something the IT Department does and therefore any training must be co-ordinated by them. With other more pressing priorities, staff training and education is relegated to the bottom of the list and, in reality, never happens. Subscribing to SecurITy changes all that.

Kaon SecurITy Ltd provides training seminars for staff at all levels - from the general user through to technical training for specific issues.  As part of SecurITy you will get a specified number of training hours allocated and you define how you want these used.  You may want to target Managers or have regular meetings for Technical staff to keep them up to date on the latest security problems.  Our staff work in the area of IT security day in and day out and have a wide range of experience and knowledge that they can share with your staff.

The format of seminars can be tailored to suit individual corporate requirements.  It can be geared to a specific number of users with a particular level of competency, so that the more technical content is saved for technical staff.  We can provide handouts or run the session as an interactive workshop.  Content can be general or specific and often provides an opportunity to emphasise issues that are currently causing problems onsite.

 

Training with CDs

The training CD for general users is included as part of the SecurITy package.  It is approximately 40 minutes long and can be viewed by individuals from a desktop or by groups of staff by connecting a PC or laptop up to a projector and speakers.

This CD has been developed to cater for all levels of user and explains basic IT security principles and practices and why it is important that everybody is aware of the implications of a security breach.  The presentation includes text, action graphics and narration.  Each topic is fully explained using easy to understand language.

The benefit of having the CD is that it is always available onsite.  You can order one or multiple copies and they are a great addition to the corporate training library.  Other topics will be available in due course.

 

CD Titles

Information Systems Security Policies Explained to General Users - 40 minutes

Includes:-

Definition of IT Security, Why Policies are needed, User Responsibilities, E-Commerce, Email, Computer Systems and Equipment Use, Controlling Access to Systems, Anti Virus, Business Continuity, Cyber Crime, Electronic Information, Passwords, Physical Access, Social Engineering and Moving Equipment

 

Staff Induction Training

In many instances where staff have been dismissed for abusing privileges associated with information systems and have taken a personal grievance case to the Employment Court for wrongful dismissal, the organisation more often than not will lose the case and have to reinstate the employee.  The defence used most successfully is "I didn't know".  This is because even if policies and procedures have been developed by the organisation, they have not been communicated to staff.  Staff may not have signed an Employee Acceptance Form agreeing to abide by the policies and there is no ongoing education programme to maintain staff awareness. 

Kaon SecurITy Ltd recommends that the training CD for general users provided with the SecurITy package is included as part of the induction program for new staff.  This means that new staff are introduced to the security requirements of the organisation before they even turn on a computer for the first time.  They will understand why certain actions are a bad idea and the implications of non-compliance.  Have them sign the Employee Acceptance Form after they have watched the presentation.  This simple process will go a long way to defeating the "I didn't know" defence used so successfully in the Employment Court. 
 

Security Awareness Products

Promoting staff awareness of IT Security issues is not a one-time activity.  In order for staff to retain the security message it must be reinforced and reiterated in as many ways as possible.  Kaon Security Ltd has teamed up with Simply Done Pty Ltd, an Australian company specialising in Security Awareness Products.

Some of the ways you can do this onsite are:-

  • Security Posters prominently displayed around the office and in cafeteria areas

  • Brochures that can be handed out when equipment is allocated, during training sessions or left on cafeteria tables where staff are likely to browse through them

  • Screen Saver that can be deployed to all users on the network. Every time the screensaver activates the message of security awareness is replayed. The graphics are made up from the cartoon posters which are attractive, bright and fun.

 

Customise SecurITy

The SecurITy package consists of several modules which are integrated to provide all round support to those responsible for managing IT security risks.  Core modules include Policy Updates, Annual Audit and Report, Technical Support and Staff Training.  Optional modules include Security Awareness Products, E-Secure-IT Service and additional Technical Support. 

Different organisations have different levels of expertise in-house.  SecurITy is designed to assist IT Managers in managing IT security risks and to provide support, knowledge and expertise over and above the scope of internal IT staff.  When things go wrong and a security incident occurs you have an expert to call in who knows how to handle the situation correctly, is impartial and can protect the best interests of the organisation.

Education and staff awareness are key factors in preventing a security incident.  The security awareness products provide a variety of choices on how best to get the message out to staff.

Each module is priced separately so the amount you pay is determined by the items you select in your personalised SecurITy package. 

 

How to Get SecurITy

SecurITy is currently available only to our New Zealand customers. Contact us at Kaon SecurITy Ltd to discuss your SecurITy requirements. Initial discussions include:-

  • Setting up and signing the SecurITy contract agreement

  • Scheduling an IT security audit

  • The format and content of staff education seminars and when these sessions will take place

  • Obtaining the details required for setting up the E-Secure-IT global early warning security alerting system

  • Contact details of technical staff that may require technical advice and support

Sending a purchase order will initiate the process.  As SecurITy is an annual subscription you will receive a renewal notice 60 days prior to the expiry date of the contract.

 

 

                                                     

© 2004 Kaon Security Ltd 20 Nov 2004