CertiGuide to Security+
Chapter 5: Operational/Organizational Security (Domain 5.0; 15%)
5.10  Summary

Policies and Procedures

You also explored the area of policies (which define what is to be protected) and procedures (which define how it is protected), including the different types of security-related policies often found in organizations:

  • Acceptable Use Policy, or AUP, which describes in detail permissible use of corporate systems, applicable laws and company policies which back up the network use policies; should be reviewed by legal counsel to ensure enforceability, and signed by all staff in order to demonstrate staff knowledge of policy contents and agreement with the policy.

  • Due Care, a requirement that each person take “due care” to protect those items within their responsibility; failure to exercise due care could result in liability for the organization.

  • Privacy, which specifies the extent of expectation of privacy by employees, which can frequently be summarized as “none”; may also specify privacy of data provided by and collected about customers and business partners; may also specify compliance with governmental or industry regulations regarding privacy, such as the HIPAA guidelines for privacy of health-related information.

  • Separation of Duties, splitting job tasks among multiple employees, so that no one individual can perform all steps of an activity involving sensitive information; for example, you might have one employee enter a transaction, and another verify and approve it.

  • Need to Know, which involves making sure that each employee has just as much information as is required to do their job, and no more; the idea is that additional knowledge creates additional sources of risk.

  • Password Management, including frequency of password change, requirements for password length/quality, procedures for resetting passwords which have been forgotten, and distributing reset and new passwords to employees; at a large site, an automated password recovery/change process can reduce administrative staff time dedicated to this routine chore.

  • Service Level Agreements, or SLAs, which spell out agreements between your organization and suppliers, and your organization and its customers, specifying what each can expect from the entity providing a service, in the area of minimum up-time, maximum down-time, problem/support response times, alternate arrangements, etc.

  • Disposal/Destruction, which specifies how your organization gets rid of data, whether stored on paper, magnetic media, etc.; disposing of sensitive data by just tossing it in the trash enables unauthorized individuals to obtain it by dumpster diving; you should shred paper materials and destroy data storage media, rendering it unreadable, before disposing of it; proprietary/sensitive data that you would not want unauthorized individuals to have includes customer credit card data, employee lists, network maps, and other current information about your network such as currently valid passwords.

  • HR Policies, human resources policies which specify how and when employees are granted or denied computer access, and may also mandate certain procedures to be followed when enforcing policies like an AUP.

  • Termination, which specifies how termination of an individual’s computer access is handled upon termination of employment; generally their access to the network is disabled prior to informing them of termination, and other passwords they may have known are changed.

  • Hiring, policies for when an employee is hired, following the principle of least privilege and granting them only the access and system privileges they require to do their job.

  • Code of Ethics, often adapted from an industry-accepted code of ethics which specifies expected standards of professional behavior.
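The Password Management bullet above lists the usual controls (length/quality requirements, change frequency, and a reset process). The following is an added example written for this page, not code from the CertiGuide text, showing how those policy rules become an automated check. The policy values, the small denylist of common passwords, and the use of SHA-256 for the password history are all constructed for illustration; a production system would store password history with a slow, salted password hash such as bcrypt or Argon2 rather than SHA-256.

```python
import hashlib
import re
from datetime import date

# Constructed policy parameters for this example (not values from the guide).
POLICY = {
    "min_length": 12,
    "max_age_days": 90,       # force a change after this many days
    "required_classes": 3,    # of: lowercase, uppercase, digit, symbol
}

# Constructed denylist: passwords the organization refuses outright.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}


def password_hash(password):
    """Hash used for the reuse check. Illustrative only: real systems use a
    salted, slow hash (bcrypt/Argon2) so stolen history cannot be cracked cheaply."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_password_quality(candidate, previous_hashes, policy=POLICY):
    """Return a list of policy violations for a proposed password.
    An empty list means the candidate satisfies the policy."""
    violations = []
    if len(candidate) < policy["min_length"]:
        violations.append("too_short")
    if character_classes(candidate) < policy["required_classes"]:
        violations.append("too_few_character_classes")
    if candidate.lower() in COMMON_PASSWORDS:
        violations.append("common_password")
    # History check: reject any password the user has used recently.
    if password_hash(candidate) in previous_hashes:
        violations.append("reused")
    return violations


def password_expired(last_changed, today, policy=POLICY):
    """True when the password is older than the policy's maximum age."""
    return (today - last_changed).days > policy["max_age_days"]


if __name__ == "__main__":
    history = [password_hash("Tr0ub4dor&3xtra")]
    print(check_password_quality("Passw0rd!", history))       # too short
    print(check_password_quality("Tr0ub4dor&3xtra", history))  # reused
    print(check_password_quality("Horse-Staple-42", history))  # acceptable
    print(password_expired(date(2004, 8, 1), date(2004, 11, 15)))
```

The check returns every violation rather than stopping at the first, so the reset or change workflow can tell the employee exactly what to fix; the expiry check is kept separate because it runs on a schedule against stored accounts, not at the moment a new password is chosen.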
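The Separation of Duties bullet gives the classic example of one employee entering a transaction and another verifying and approving it. As an added example (not from the CertiGuide text), the small ledger below enforces that rule in code: a user needs the "clerk" role to enter and the "approver" role to approve, and the approver of a transaction can never be the person who entered it, even if that person also holds the approver role. The user names, roles and amounts are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


class SeparationOfDutiesError(Exception):
    """Raised when one person tries to perform both steps of a two-person task."""


@dataclass
class Transaction:
    tx_id: int
    amount: int
    entered_by: str
    approved_by: Optional[str] = None
    status: str = "pending"


class TransactionLedger:
    def __init__(self, roles):
        # roles: constructed mapping of user -> set of role names
        self.roles = roles
        self.transactions = {}
        self.audit_log = []        # every attempted action, allowed or denied
        self._next_id = 1

    def _has_role(self, user, role):
        return role in self.roles.get(user, set())

    def enter(self, user, amount):
        """Step 1: a clerk records a transaction; it stays pending."""
        if not self._has_role(user, "clerk"):
            self.audit_log.append(("enter", user, None, "denied: no clerk role"))
            raise PermissionError(f"{user} may not enter transactions")
        tx = Transaction(self._next_id, amount, user)
        self.transactions[tx.tx_id] = tx
        self._next_id += 1
        self.audit_log.append(("enter", user, tx.tx_id, "ok"))
        return tx

    def approve(self, user, tx_id):
        """Step 2: a different person with the approver role verifies it."""
        tx = self.transactions[tx_id]
        if not self._has_role(user, "approver"):
            self.audit_log.append(("approve", user, tx_id, "denied: no approver role"))
            raise PermissionError(f"{user} may not approve transactions")
        if tx.entered_by == user:
            # The core separation-of-duties control: same person, both steps.
            self.audit_log.append(("approve", user, tx_id, "denied: self-approval"))
            raise SeparationOfDutiesError(f"{user} entered {tx_id} and cannot approve it")
        if tx.status != "pending":
            raise ValueError(f"transaction {tx_id} is already {tx.status}")
        tx.approved_by = user
        tx.status = "approved"
        self.audit_log.append(("approve", user, tx_id, "ok"))
        return tx


def demo():
    """Run the scenarios from the lead-in and return what happened to each."""
    roles = {"alice": {"clerk", "approver"}, "bob": {"approver"}, "carol": {"clerk"}}
    ledger = TransactionLedger(roles)
    outcome = {}
    tx1 = ledger.enter("carol", 500)
    try:
        ledger.approve("carol", tx1.tx_id)
    except PermissionError:
        outcome["carol_self_approve"] = "denied: no approver role"
    tx2 = ledger.enter("alice", 9000)
    try:
        ledger.approve("alice", tx2.tx_id)          # alice holds both roles
    except SeparationOfDutiesError:
        outcome["alice_self_approve"] = "denied: self-approval"
    outcome["bob_approves_tx2"] = ledger.approve("bob", tx2.tx_id).status
    outcome["denied_events"] = sum(1 for e in ledger.audit_log if e[3] != "ok")
    return outcome


if __name__ == "__main__":
    print(demo())
```

Note that the role check alone is not enough: alice legitimately holds both roles, and only the explicit `entered_by == user` comparison stops her from completing a sensitive transaction single-handedly. The audit log records denials as well as successes, which is what an incident responder would want when reviewing an attempted policy bypass.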

You also learned that you need to be aware of your organization’s incident response policy, which governs what happens when a computer security incident is detected. Make sure you have an incident response policy in place, and rehearse mock incidents, before you need to put the policy into action “for real”.


CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.