9.4 Other People

Other people who have access to your system may not all have your best interests in mind, or they may simply be ignorant of the damage they can wreak. We've heard stories about home environments where playmates of children have introduced viruses into home office systems, and where spouses have scoured disks for evidence of marital infidelity, and then trashed systems on which they found it. In business environments, there are stories of cleaning staff and office temps who have been caught sabotaging or snooping on company computers.

You may not be able to choose your family, but you can have some impact on who accesses the computers at your company location. Visitors, maintenance personnel, contractors, vendors, and others may all have temporary or semi-permanent access to your location and to your systems. You should consider how everything we discussed earlier can be applied to these people with temporary access. At the very least, no one from the outside should be allowed unrestricted physical access to your computer and network equipment.

Examples of people whose backgrounds should be examined include:

  • System operators and administrators

  • Temporary workers and contractors who have access to the system

  • Cleaning and maintenance personnel

  • Security guards

  • Delivery personnel who have regular or unsupervised access

  • Consultants

  • Auditors and other financial personnel

All personnel who do have access should be trained about security and loss prevention and should be periodically retrained. Personnel should also be briefed on incident response procedures and on the penalties for security violations.

Don't forget your family! Whether you are protecting a home system or occasionally have your kids visit your office, it is important that they understand that the computer is not a toy. They should be taught to leave business-critical machines and media alone. Having strong passwords and screensavers in place can be a major help. Additionally, teach your family members not to discuss your business computing environment with strangers.
