For any business establishment, the financial records are by far the most sensitive records, and efforts should be made to ensure that they are well secured. This goes double for the company GCI because it not only holds records for its own operation but also hosts some financial records of client enterprises (Pfleeger & Lawrence, 2007). The latter documents are most likely released to GCI on some sort of goodwill arrangement, which has to be sealed by law in the form of contracts. There are vulnerabilities and threats which the company will have to face, especially if it maintains the system that allows staff to store confidential company data on laptops.
The primary vulnerability that the company is subjected to is the fragility of the security barriers when every member of the company carries confidential data on their laptop. With new internet technology continually emerging that allows individuals to leech data from other people’s computers without informing them, it is very easy for competitors to hire hackers to obtain whatever piece of information they want from any laptop that is connected to the internet. This is worsened by the fact that the strength of a leech transfer depends on the number of donors seeding the same information. The more computers there are sending out the same information at the same time, the easier it is for unauthorized personnel to download the data.
The major threat which the company faces comes from either its competitors or the competitors of the companies it serves. Once competitors notice that this system of laptops is the one being enforced by GCI and get to know the vulnerabilities that come with it, GCI will be under constant threat of attempts to breach its security protocol with the aim of getting to that crucial data. Since all the company’s data comes from one central database, in-house sabotage can easily be carried out, with disgruntled employees going into the database and maliciously destroying all the important records. Laptops, as compared to desktops, can be easily stolen. This poses another threat to the safety of the company information. Extracting data from a stolen laptop is much easier than trying to hack into the system in order to obtain the same information. Competitors and other detractors will definitely be on hand to try and get the information they want, and they could even resort to uncivilized methods, including stealing whatever equipment they believe contains the data.
The major proposition to GCI regarding the security of its records will be to advise the management to consider reverting to the old but reliable system of having all the important documentation of a company stored in only one location, from where it can only be accessed by selected individuals. In case it is absolutely necessary that the enterprise maintains this laptop system, then appropriate measures and adequate ‘fire-walling’ should be insisted on. The company should purchase top-end software for protection against external encroachment into the systems. This software should ideally support password protection such that individuals cannot enter the system without proper identification. Managerial decisions have to be made regarding who has access to what data depending on their position in the firm. This will provide for accountability because if any information about the company’s finances or those of the enterprises it serves is found to have been leaked to the public or even the competitors, then a particular individual can be isolated to offer an explanation. Company legislation should either be created or, if already existing, be redrafted to encompass the issue of information leakage. The appropriate consequence for actions deemed to put the company’s confidential information at risk should be clearly stipulated, and this should be communicated to all levels of management.
The following conditions must be observed when designing a policy statement for a company (Tipton & Krause, 2007). First and foremost, the policy statement should be drawn from rules that have been established to govern the operation of the enterprise. Secondly, the statement should have guidelines that show the company’s basic strategies towards achievement of the said goals. The statement should also clearly state what is expected of the employees of the enterprise while giving clear reasons as to why such expectations are required of the staff. A company policy statement should stipulate the foundation for the preparation and the implementation of the regulations that have been decided upon and should have a provision for accommodating changes occasioned by professional demands. The policy statement should also provide for ways of evaluating the performance of both the company and the individuals.
Global Corporation INC.
Data Protection Policy Statement
In recognition of the company’s responsibility to client enterprises, we hold the belief that all the necessary effort should be made to maintain the security of both our company’s and our clients’ financial records.
The materialization of this policy is the combined effort of both management and staff of Global Corporation Inc. (GCI). Cooperation is expected between these two groups in order to ensure that the policy is well adhered to.
The institution shall provide the required software to protect each individual laptop from infringement by hackers. However, all individuals are expected to be extremely vigilant in the protection of company data. All members of staff will be required to sign an agreement detailing what types of data they can gain access to depending on their position in the company.
Software shall be provided to render data unusable should there be an unavoidable breach in security, and staff are expected to report such a breach as soon as they notice it.
Adopted on this _______ day of __________________, 2010
Chief Executive Officer: _____________________________
ATTESTED: _____________________________________
Reference List
Pfleeger, P. C., & Lawrence, S. P. (2007). Security in Computing (Volume 4). New Jersey: Prentice Hall.
Tipton, F. H., & Krause, M. (2007). Information Security Management Handbook (Volume 2). United States: CRC Press.