Information Security – Who is Watching the Documents?

No executive in their right mind would voluntarily distribute the sensitive, personal information of their clients to anyone who asked for them, right?

Well, that is exactly what many of us may do, albeit unintentionally.

Private clubs keep a great deal of sensitive information about their members. Often this includes full names, dates of birth, Social Security numbers, bank account numbers, home addresses, and so on. In short, everything a social engineer would need to steal an entire identity (as well as someone’s net worth).

The first question to ask yourself is, “How much information on my members do I really need to have on hand?”

If you offer direct billing to the members’ bank account or credit card, then obviously you need that financial information.  Perhaps you also want it initially when you are confirming eligibility for membership.

When information is no longer needed, consider getting rid of it.  (And dispose of it in a way that someone cannot possibly retrieve it.)

After you determine what information you need to have, you then have a responsibility to safeguard it. When you dispose of a document with any personal information on it, shred it, and use a crosscut shredder: the U.S. Government learned this lesson in 1979, when documents that had been strip-shredded at the U.S. Embassy in Tehran were pieced back together after the embassy was overrun. Crosscut shredders are very cheap, can easily be obtained at office supply stores, and prevent dumpster divers from scoring an information bonanza.

Consider where you keep your paper files.  For paper files that you need to have on hand, keep them in a securely locked room and limit the access to the room.  The door to the room should have a deadbolt lock, and the files should be kept in locked containers within that room.

Surprisingly, I once saw member records kept in labeled boxes in the unlocked coatroom near the front door of a club.  You can imagine the bonanza a social engineer would realize if he/she found that.

Electronic files present a different challenge.

Again, get rid of anything that you don’t need to have.  Often we collect information because we have always done it, not because there is a good reason to have it.  If you really don’t need to have it, don’t keep it.

Once you know what you need to have, secure it (sound familiar?). Your club’s internal records should not sit on the same server as any service exposed to the open Internet, such as the club’s email. In addition, you should have a good hardware firewall and strong, up-to-date anti-malware software. Speak to your IT professional for specifics. Access to these files should be limited to only the people who need them, with each person using his or her own account and a strong password rather than a shared login.

Speaking of passwords… Walk around your staff’s computer terminals and look under the mouse pads, inside cabinet doors, under the keyboards, or even in plain sight for written-down passwords. Far too many people are a bit lazy and keep their passwords written down in a convenient place. Needless to say, this is a very bad practice.

Do you have a comprehensive computer policy that is distributed to all employees?  This policy should include descriptions of your password protocols, types of behavior allowed or not allowed, and a description of actions to be taken as a result of violations of the policy.  Every employee should read and sign a copy of the policy, and that signed copy should be maintained in their employment file.

It should be made clear to everyone that allowing access (intentional or not) to the club’s computer files is akin to leaving the bank deposit bag sitting on the front steps of the club overnight.

Your member information is arguably one of the assets you can least afford to lose.  No one I know would want to deal with the results of a breach of this data. These are just a very few reminders and ideas to try to get you thinking about your information security practices.  Now it is up to you.

– KP

Kevin R. Peters, MA
Kevin Peters is a retired federal agent and former club manager who conducts the candidate backgrounding for Kopplin & Kuebler, LLC. He is also owner of K.R. Peters Security, LLC, a security consulting company primarily servicing the private club industry.

Information Security – Who is Watching the Documents? Published 2019-09-04T20:00:31+00:00

Anatomy of a Security Review

Seriously consider the consequences of a burglary, cyber attack, or physical assault in your club.

Think of dealing with insurance claims and repair headaches, and imagine explaining to your membership about the theft of confidential membership records.

Think of how you would recover from the publicity of a violent attack in your club by an employee or member.

Many more equally traumatic scenarios occur at private clubs across the country on a regular basis. Go to your favorite Internet search engine, type in the words “burglary” and “country club”, and you’ll be appalled at the results.

The days when security concerns could safely be ignored are over, and today’s business executive knows that you do so at your own peril.

A full risk assessment for a Club would include a tailored threat assessment, an employee-training seminar, a review of security related club operations, a review of information security controls and practices, a physical security assessment, and discussions on workplace violence.

A recent risk assessment was performed for a Club whose 69,000 square foot clubhouse, 52,000 square foot sports facility (tennis, pool, and fitness center), and outstanding golf course comprise a facility that stands at the crossroads of two states, several counties, and multiple diverse neighborhoods.

My assessment began with gathering as much information about the club as possible: researching the club and surrounding neighborhoods, meeting with local police, exploring specific security concerns in interviews with club department heads, Internet studies, and conducting drive-throughs at different times of the day.

Employee Seminar
On my first day at the club, a training seminar covering a security overview, burglary and vandalism in clubs, terrorist threats, workplace violence, information security/identity theft, personal integrity, and personal security tips was conducted with staff.

Operational/Policy Review
Perhaps the most beneficial part of my assessment is the policy review. Many areas of the club are affected when clear policies are not in place and enforced. Some areas reviewed were employee policies, hiring, key control, alarm code control, closing checklists, employee theft, duties of security personnel, inventory controls, cash controls, document control and destruction, emergency incident procedures, purveyor control, and accounting practices.

Management at this Club had written policies and procedures in most critical areas and followed them to a great degree, but I was able to make some recommendations. For example, when a line employee was hired, the line supervisor did all the reference checking. While supervisors said they checked references, there were no records to confirm this. I recommended that the Club institute a formalized reference-checking procedure in which the supervisor documents each check as he or she conducts it and then submits the write-up to the HR director to be maintained in the employee’s permanent file.

I also recommended some very easy (some of them free) Internet searches to screen for registered sex offenders and convicted felons.

Please go on to the next page to read about Security Management…

Anatomy of a Security Review. Published 2019-09-04T20:00:37+00:00