Given the many threats organizations face in protecting critical information and processes, an information security policy is arguably one of the most important documents an organization can create. Consider these best practices for creating a new security policy and keeping an existing policy up to date.


By now, most lawyers know what e-discovery is. They know about electronically stored information (ESI), have mastered the 2006 e-discovery amendments to the Federal Rules of Civil Procedure and subsequent changes,1 and are keeping track of the proposed e-discovery changes to the Wisconsin civil procedure statutes.2 Most try to keep up with the area’s rapidly evolving case law. Some may even know the difference between a computer forensics expert and an e-discovery expert and the differences in the types of services each provides. Most lawyers know a “deleted” file is not necessarily a file that cannot be recovered, and that computer forensics examiners can analyze computer hard drives, often restoring deleted files. Computer forensics examiners can determine when an external storage device like a thumb drive or external hard drive has been attached to a computer and from that information infer that files have been copied to the external storage device. Lawyers know these examiners can track Internet history and usage and analyze system-related information to determine when computer files were created, who created them, and when they were last accessed or modified.


Despite all the reports of Internet security breaches, identity theft, and hacked bank accounts, people are still using easy-to-guess passwords for nearly all of their online activity.  That’s the conclusion from two recent studies that looked at passwords in general and banking passwords in particular.  At the end of last year, a hacker was able to gain access to 32 million passwords held by software company RockYou. The list was briefly posted on the web and security researchers were able to take a detailed look at the most popular choices.


Information security, including the development of an expanded workforce in this field, is among the most critical issues facing the United States today.  Data from the past seven years show that the threats from computer crime and other information security breaches continue unabated, and the financial toll is mounting (2002 Computer Security Institute/FBI Computer Crime and Security Survey).  Losses incurred due to the theft of proprietary data from our high-tech and financial services industries, manufacturing companies and government agencies currently exceed $170 million annually.  Other annual losses are significant as well:  financial fraud ($116 million), insider abuse of Internet access ($50 million), computer viruses ($50 million), network denial of service attacks ($18 million) and system penetrations by outsiders ($13 million) (2002 Computer Security Institute/FBI Computer Crime and Security Survey).

The need for individuals knowledgeable in information security was made an issue of national prominence in 1997, when the President’s Commission on Critical Infrastructure Protection released its report, Critical Foundations:  Protecting America’s Infrastructures.  In it, eight critical infrastructures were identified as being at risk serious enough to threaten national security (telecommunications, banking and finance, electrical power, oil and gas production and storage, water supply, transportation, emergency services, and government services).  In May 1998, Presidential Decision Directive 63 was issued, which called for a national effort to secure the nation’s critical infrastructures.  The National Security Agency was charged with promoting higher education in information security in order to produce more professionals with information security expertise.

Information security has been identified as a particularly important knowledge need for workers in the New England states.  At the Information Technology Workforce 2002 Conference sponsored by the New England Governors’ Conference, industry leaders from across New England emphasized the importance of addressing information security as an emerging workforce issue.

The need for information security workers was echoed at the national level by recent reports from the President’s Critical Infrastructure Protection Board, including The National Strategy to Secure Cyberspace (February 2003), and Promoting Innovation and Competitiveness, President Bush’s Technology Agenda.

