|Like this CertiGuide? Get it in PDF format!|
Use coupon code "certiguide" to save 20%!
|Need more practice? 300 additional Security+ questions!|
|Get It Here!|
(Page 3 of 5)
Policies and Procedures
You also explored the area of policy
(defines what is to be protected) and procedures (define how it is protected),
including the different types of security-related policies often found
in organizations, including:
- Acceptable Use Policy, or AUP,
which describes in detail permissible use of corporate systems, applicable
laws and company policies which back up the network use policies; should
be reviewed by legal counsel to ensure enforceability, and signed by
all staff in order to demonstrate staff knowledge of policy contents
and agreement with the policy.
- Due Care, a requirement that each person
takes due care to protect those items within their responsibility;
failure to exercise due care could result in liability for the organization.
- Privacy, which specifies the extent of
expectation of privacy by employees, which can frequently be summarized
as none; may also specify privacy of data provided by and
collected about customers and business partners; may also specify compliance
with governmental or industry regulations regarding privacy, such as
the HIPAA guidelines for privacy of health-related information.
- Separation of Duties, splitting job tasks
among multiple employees, so that no one individual can perform all
steps of an activity involving sensitive information; for example, you
might have one employee enter a transaction, and another verify and
- Need to Know, which involves making sure
that each employee has just as much information as is required to do
their job, and no more; the idea is that additional knowledge creates
additional sources of risk.
- Password Management, including frequency
of password change, requirements for password length/quality, procedures
for resetting passwords which have been forgotten, and distributing
reset and new passwords to employees; at a large site, an automated
password recovery/change process can reduce administrative staff time
dedicated to this routine chore.
- Service Level Agreements, or SLAs,
which spell out agreements between your organization and suppliers,
and your organization and its customers, specifying what each can expect
from the entity providing a service, in the area of minimum up-time,
maximum down-time, problem/support response times, alternate arrangements,
- Disposal/Destruction, which specifies
how your organization gets rid of data, whether stored on paper, magnetic
media, etc.; disposing of sensitive data by just tossing it in the trash
enables unauthorized individuals to obtain it by dumpster diving; you
should shred paper materials and destroy data storage media, rendering
it unreadable, before disposing of it; proprietary/sensitive data that
you would not want unauthorized individuals to have includes customer
credit card data, employee lists, network maps, and other current information
about your network such as currently valid passwords.
- HR Policies, human resources policies
which specify how and when employees are granted or denied computer
access, and may also mandate certain procedures to be followed when
enforcing policies like an AUP.
- Termination, which specifies how termination
of an individuals computer access is handled upon termination
of employment; generally their access to the network is disabled prior
to informing them of termination, and other passwords they may have
known are changed.
- Hiring, policies for when an employee
is hired, following the principle of least privilege, and given them
only the amount of access and system privileges they require to do their
- Code of Ethics, often adapted from an
industry-accepted code of ethics which specifies expected standards
of professional behavior.
You also learned that you need to
be aware of your organizations incident response policy, which
governs what happens when a computer security incident is detected.
Make sure you have an incident response policy in place, and rehearse
mock incidents, before you need to put the policy into action for
|If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!|
Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.