Job Descriptions on Safety for Employees

Man

After you have taken care of information security, it is important to think about the regular observance of those measures.

As practice shows, even the most advanced security systems and specialists can be rendered useless by the negligence of a single employee. Therefore, in addition to the measures themselves, it is important to write down clear instructions and monitor their observance. This must be done in writing; verbal instructions do not work here.

We will not describe what job descriptions are needed for your business, but we will note the points related to information security:

1. Each employee has their own personal account in the EDI system, and they must be instructed on the procedure for generating, changing and terminating passwords and accounts, and on the rules for entering a password to access the system. Let us remind you that passwords need to be complex; this was covered in the post above. The employee must keep the password in their head. Logging into the system from someone else's account should only be possible with the consent of the manager.

If an employee is on a break, he or she should log out of the account, or better yet, turn off the computer or activate protection against unauthorized access.

2. The employee must ensure that everything is done via EDI. Ideally, there should be no paper documents. If they arise, they should be digitized immediately and saved to a remote hard drive. It is better to destroy the paper documents themselves in a shredder.

3. Everyone should have a strictly defined circle of information to which they have access. Ordinary employees should have minimal access. Only the manager and, if available, the security service have full access. In some cases, an IT specialist can expand or revoke rights. It is desirable that employees do not know each other's access level. It is worth prohibiting data processing in the presence of other people.

4. In addition to personal accounts, create corporate emails for all employees and prescribe the obligation to correspond only from them. The use of a corporate address for personal purposes, as well as the use of free email services for corporate correspondence, must be prohibited, and so must the placement of a corporate email address on publicly available Internet resources. If you use instant messengers and social networks, the same rules apply.

5. Use corporate SIM cards and prescribe a ban on using them for personal purposes, as well as a ban on business communication from personal numbers. There are companies where employees' personal phones are taken away when they enter the office, but this depends on the situation. Personal flash drives should definitely be banned.

6. No information should be on the desktop. Everything should be on a remote hard drive. Of course, no Google Docs or other cloud services. The resources that the user can visit should also be limited.

7. Prescribe a ban on any actions that can be interpreted as attempts to bypass the system's operating conditions, such as installing any software or changing the computer's configuration, as well as a ban on using software and hardware components for non-business purposes.

8. The employee must promptly report problems without trying to solve them on their own.

This is the main thing.

All instructions must be communicated to each employee against signature with an explanation of personal responsibility for violations. The minimum is a fine, the maximum is dismissal.

If the commercial secret regime is violated, it is a criminal offense with compensation for possible losses. We propose making the fines impressive. For example, for leaving a computer on or using personal email: 1-2 salaries.