5.10 Summary
(Page 3 of 5)
Policies and Procedures
You also explored the area of policy (which defines what is to be protected) and procedures (which define how it is protected), including the different types of security-related policies often found in organizations:
- Acceptable Use Policy, or AUP, which describes in detail the permissible use of corporate systems, and the applicable laws and company policies that back up the network use policies; it should be reviewed by legal counsel to ensure enforceability, and signed by all staff to demonstrate that they know the policy's contents and agree to it.
- Due Care, a requirement that each person
takes due care to protect those items within their responsibility;
failure to exercise due care could result in liability for the organization.
- Privacy, which specifies the extent of
expectation of privacy by employees, which can frequently be summarized
as none; may also specify privacy of data provided by and
collected about customers and business partners; may also specify compliance
with governmental or industry regulations regarding privacy, such as
the HIPAA guidelines for privacy of health-related information.
- Separation of Duties, splitting job tasks
among multiple employees, so that no one individual can perform all
steps of an activity involving sensitive information; for example, you
might have one employee enter a transaction, and another verify and
approve it.
- Need to Know, which involves making sure
that each employee has just as much information as is required to do
their job, and no more; the idea is that additional knowledge creates
additional sources of risk.
- Password Management, including frequency
of password change, requirements for password length/quality, procedures
for resetting passwords which have been forgotten, and distributing
reset and new passwords to employees; at a large site, an automated
password recovery/change process can reduce administrative staff time
dedicated to this routine chore.
- Service Level Agreements, or SLAs,
which spell out agreements between your organization and suppliers,
and your organization and its customers, specifying what each can expect
from the entity providing a service, in the area of minimum up-time,
maximum down-time, problem/support response times, alternate arrangements,
etc.
- Disposal/Destruction, which specifies
how your organization gets rid of data, whether stored on paper, magnetic
media, etc.; disposing of sensitive data by just tossing it in the trash
enables unauthorized individuals to obtain it by dumpster diving; you
should shred paper materials and destroy data storage media, rendering
it unreadable, before disposing of it; proprietary/sensitive data that
you would not want unauthorized individuals to have includes customer
credit card data, employee lists, network maps, and other current information
about your network such as currently valid passwords.
- HR Policies, human resources policies
which specify how and when employees are granted or denied computer
access, and may also mandate certain procedures to be followed when
enforcing policies like an AUP.
- Termination, which specifies how an individual's computer access is handled upon termination of employment; generally their access to the network is disabled before they are informed of the termination, and any other passwords they may have known are changed.
- Hiring, policies for when an employee is hired, following the principle of least privilege and giving them only the amount of access and system privileges they require to do their job.
- Code of Ethics, often adapted from an
industry-accepted code of ethics which specifies expected standards
of professional behavior.
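The separation of duties and least-privilege points above, shown as an added example that is not part of the CertiGuide text: a small two-person approval workflow in Python. The role table, user names and amounts are constructed for the demo.

```python
# Added example (not from the CertiGuide text): a minimal transaction
# workflow that enforces separation of duties (the user who enters a
# transaction may not approve it) and least privilege (a user may only
# perform steps their role allows). Roles, users and amounts are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed role table: carol holds both roles, so the separation-of-duties
# check, not the role check, is what stops her approving her own entry.
ROLES = {"alice": {"entry"}, "bob": {"approve"}, "carol": {"entry", "approve"}}


@dataclass
class Transaction:
    amount: int
    entered_by: str
    approved_by: Optional[str] = None
    audit: List[str] = field(default_factory=list)  # who did what, in order


def _require_role(user: str, role: str) -> None:
    """Least privilege: refuse the step unless the user's role permits it."""
    if role not in ROLES.get(user, set()):
        raise PermissionError(f"{user} lacks role {role!r}")


def enter_transaction(user: str, amount: int) -> Transaction:
    _require_role(user, "entry")
    tx = Transaction(amount, entered_by=user)
    tx.audit.append(f"entered by {user}")
    return tx


def approve_transaction(user: str, tx: Transaction) -> Transaction:
    _require_role(user, "approve")
    if user == tx.entered_by:  # separation of duties: a second person must approve
        raise PermissionError("entering user may not approve their own transaction")
    if tx.approved_by is not None:
        raise ValueError("transaction already approved")
    tx.approved_by = user
    tx.audit.append(f"approved by {user}")
    return tx


def demo() -> dict:
    """Exercise the three cases and report which controls held."""
    results = {}
    tx = approve_transaction("bob", enter_transaction("alice", 500))
    results["two_person_ok"] = tx.approved_by == "bob"
    tx2 = enter_transaction("carol", 700)
    try:
        approve_transaction("carol", tx2)  # same person: must be refused
        results["self_approval_blocked"] = False
    except PermissionError:
        results["self_approval_blocked"] = True
    try:
        approve_transaction("alice", tx2)  # alice has no approve role
        results["least_privilege_enforced"] = False
    except PermissionError:
        results["least_privilege_enforced"] = True
    return results
```

The audit list on each transaction is what an incident responder would later check to confirm that two distinct people took part.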
You also learned that you need to be aware of your organization's incident response policy, which governs what happens when a computer security incident is detected. Make sure you have an incident response policy in place, and rehearse mock incidents, before you need to put the policy into action for real.
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.