Every company or organization has experienced a security lapse either in internet or physical security. One way to prevent losses from events like this is to do occasional tests of the non-automated parts of your company’s security, namely the human factor.
In banks, these tests might consist of an attempt by a security penetration test company to gain access to secure areas in off-hours. There may be a test of computer or internet security by sending a phishing email to a group of employees to test which of those employees will click on links or forward the mail to others within and without the company.
In the fervor to ensure security in a company, these penetration tests often push the envelope of legal and ethical boundaries that could land the company in some serious trouble. There are some things that you have to keep in mind before implementing any type of plan to ‘test’ a company. First, you have to familiarize yourself with the local laws. If the test involves using audio or video taping, in some states there are laws against filming or recording anyone without their expressed consent. Second, remember the Hippocratic oath for doctors of “do no harm”. In testing an employee or group of employees, it is important to remember that the “harm” can be either physical or emotional.
Next, get permission from the high level executive, make sure he or she knows what is going to happen before you do any test and put in the contract what kinds of tests you will be doing. Having that signed and secured ahead of time will avoid legal trouble of many kinds. Next, let the company being tested determine the mode of the test. Obviously in testing the security at a bank, you don’t want to fake a robbery during business hours.
You can follow any responses to this entry through the RSS 2.0 feed.
Leave your comment