Security Forensics Corporate Messaging Architecture

Acceptable Usage Policies for e-mail, the Internet, Enterprise-Wide Network
Architecture and Meeting Corporate Compliancy

Security Forensics' mission for acceptable usage policies is to help organizations limit their corporate liability. Through our extensive audit and assessment methodology, we will develop and implement a fact-based, effective e-Mail, Internet and Software policy for your entire enterprise. These policies will limit your overall corporate risk and safeguard your company from litigious persecution. In today's contentious business environment, organizations must be vigilant when establishing, enforcing and monitoring all usage on their network.

  • Policy defines accountability and responsibility
  • Policy enforces internal controls and risk assessment


Business Need

Security Forensics Corporate Messaging Architecture starts with identifying your Business Need. Understanding your business drivers, the mechanisms that enable your day-to-day operations flow and exactly how each individual department within your organization communicates will allow Security Forensics to establish the foundation from which we will be able to drive security policy and protocol. Each department within an organization is seen as either a cost center or a revenue generator, and thus policy would be determined by departmental need. Customer Support, for example, would have more need for interaction with relationship management tools than Legal would. In addition, the communication between your customers and Customer Support would need to be followed more stringently. Security Forensics' Business Needs approach first takes a myopic view, drilling deep into each department, and then encompasses and blends together the entire enterprise.

Companies walk a tightrope between being seen as "Big Brother" when analyzing employee e-Mails and, potentially worse, being too passive by ignoring email productivity and utilization problems, sexual harassment issues in an electronic workplace and corporate espionage facilitated through email and attachments. What makes it a tightrope rather than a fine line is the question of how good your safety net is at protecting the company brand, intellectual property, compliance with Federal laws, remediation, Errors and Omissions costs, sexual harassment, and contractual commitments in email. The liability exposure and cost consequences to the company determine how hard the fall or how soft the landing.


Quantify Business Risks

By quantifying business risk, we determine the costs associated with claims against an organization and arrive at a fact-based policy driven by organizational demand. We lay out the cost determinants pertaining to Sexual Harassment Claims, Trademark and Patent Infringement Suits, Sabotage and Internal Security Breaches, External Cracker and Hacker Attacks, Lost Productivity, Wasted Computer Resources, the cost of Viruses, Worms, Trojans and Malicious code, Lengthy Business Interruption, Six-Figure Fines and Jail Time for Software Piracy, Million Dollar Legal Fees and Settlements, Media Scrutiny and the cost to an organization of Public Embarrassment.

Next, we assess new business risks introduced by adding additional technology components such as wireless access, software applications and hardware. Using the needs defined above to pinpoint exposure, cost variables and day-to-day operations, we will determine what private or sensitive information these resources contain. We will produce a list of informational assets that must be defended against corruption, loss, theft, disclosure and non-compliance, which in turn would affect the probability of compromise and the overall cost to your organization.


Audit Current Usage, Analyze and Define Policy

In this phase of Security Forensics' methodology, we will work in a team environment and use the latest tools available to perform an audit of your organization's e-Mail architecture and your enterprise architecture to ascertain specific lapses of security protocol and lapses of Federally Regulated compliancy in your enterprise. Our team approach will include a diagnostic overview of your current policies and interviews with your Legal and Human Resources departments, with Security Forensics' findings being provided to your executive team and your Legal and Human Resources Directors. The audit will provide information pertaining to compliancy: when, where and how compliancy has been enforced on every unique communication that has taken or will take place in your enterprise. We will review your organization's retention policy based on journaling and archiving and determine what categories of messages should be placed in your archive based on stipulations pertaining to Federally Regulated mandates. The information gathered up to this point will determine best practices moving forward for an enterprise-wide policy that encompasses all departments and compliancy within your organization.


Implement and Follow-up

When all defined pieces of our evaluation and interviews have been completed, Security Forensics will write an outline of each policy (e-mail and enterprise-wide) and forward it to the named executive in charge who has the responsibility to enforce these policies. With their signature as buy-off, Security Forensics will develop the final copy. A preamble will be written explaining the policy to each department and employee, why the policy has been written, and the current laws pertaining to security and the mandates put into place by state and governmental agencies. The final policy will also include:

     1. Policy that prohibits employees from using company computer assets to visit inappropriate sites, or upload or download objectionable material from the Internet.

     2. Security Forensics will clearly communicate the fact that the organization's computer resources are not to be wasted, but are to be used strictly for approved business purposes.

     3. We will enforce cyber-language and content guidelines designed to keep copy clean and clear.

An electronic and a hardcopy of the policy will be sent.

As part of Security Forensics' commitment to our customers, 14 days after the policy has been put into place a re-visit, either by phone or on-site, will be scheduled to make sure all aspects of the policy are being followed. In addition, we also provide policy training to key departmental heads, managers, executives and any other employees to help educate them on the importance of the policy and the repercussions to the organization if the policies are not followed. Don't expect your employees to train themselves. Reinforce your Policies with on-going employee education.
© 2004 Security Forensics, Inc. All rights reserved.