
Where to Begin

In document Designing Network Security (Page 103-106)

Many companies have existing guidelines for security procedures in a corporate environment. These can be in the form of a statement of conduct rules for employees---which, to some extent, outlines how employees are to deal with confidential technology, intellectual property rights, and other confidential corporate information. These guidelines can be a basis for establishing a strategy for an enterprise network security policy because they establish corporate rules for what information is valuable to the company from a business point of view. The following is an example of a corporate statement of conduct.

Sample Corporate Standard of Conduct Scope

Clearly articulated and consistently administered standards of conduct form the basis for behavioral expectations within a corporate community. The enforcement of such standards should be accomplished in a manner that protects the rights, health, and safety of the corporate members so that they can pursue their goals without undue interference.

As a way of supporting our individual commitments to fairness, honesty, equity, and responsibility, the members of this corporation subscribe to the following ethical principles and standards of conduct in their professional practice. Acceptance of membership signifies that the individual member agrees to adhere to the principles in this statement.

Use of This Statement

The purpose of this statement is to assist corporate personnel in regulating their own behavior by providing them with standards commonly held by practitioners in the industry. Self-regulation is preferred. However, if an individual observes conduct that may be contrary to established principles, she or he is obligated to bring the matter to the attention of the person allegedly committing the breach of ethics. If unethical conduct continues, the matter may be referred to the offender's superiors for appropriate action.

Signing this document implies agreement with and adherence to the following ethical principles and standards of conduct:

1 Professional Responsibility. Corporate employees have a responsibility to support both the general mission and goals of the employing company. All employees shall make every effort to balance the developmental and professional needs of employees with the obligation of the company to protect the safety and welfare of the corporate community.

2 Legal Authority. Employees respect and acknowledge all lawful authority. Employees refrain from conduct involving dishonesty, fraud, deceit, misrepresentation, or unlawful discrimination.

3 Conflict of Interest. Employees shall seek to avoid private interests, obligations, and transactions that are, or appear to be, in conflict of interest with the mission, goals, policies, or regulations of this company. Members shall clearly distinguish between those public and private statements and actions that represent their personal views and those that represent the views of this company. Further, if employees are unable to perform their duties and responsibilities in a fair and just manner because of previous involvement with a party or parties, they shall remove themselves from the decision-making process.

4 Confidentiality. Employees ensure that confidentiality is maintained with respect to all privileged communications and confidential corporate information and professional records. Employees inform all parties of the nature and/or limits of confidentiality.

For existing computer networks, in addition to the corporate statement of conduct, an anonymous user survey can be conducted to gather information on the possible circumvention of security procedures. This survey can result in invaluable information from people who may be circumventing security procedures for productivity reasons without any malicious intent. The circumvented security procedures can then be re-evaluated to determine how the policy can reflect security measures that can practically be implemented. Following is a sample survey questionnaire you can use.

It is important to recognize that the business opportunities are what drive the need for security procedures in the first place. If a corporation does not have many secrets to guard---perhaps because all the information and data available on the network is nonconfidential and freely available---then security procedures may be minimal. However, the more likely it is that a security breach will have negative business implications resulting in lost revenues, the more stringent the security policies should be.

Sample Security Survey Questionnaire

The corporate Information Systems (IS) department is currently conducting a review of current security procedures to identify areas that may need improvement. Please answer the following questions to the best of your knowledge. All information will be kept confidential to the IS task force performing this survey. Please drop completed forms into the box marked "IS Survey" in the building lobby. Thank you for your participation.

1 I use the following systems (circle all that apply): Windows UNIX Macintosh Other(specify):

2 Rate the percentage of time spent accessing the corporate network using the following mechanisms:
Corporate LAN:
Corporate frame relay (remote branch office):
Internet:
Modem dial-in:
ISDN:

3 The applications I use most often are (circle all that apply): Web browsers E-mail Other (specify):

4 Rate the existing security measures: too restrictive just right too loose

5 Have you discovered any security problems in the last 12 months? If so, what?

6 Are you aware of any back-door accesses to the corporate network? If so, what?

7 Any additional comments on security issues:

Name (optional):
