5.1 Explain the importance of policies, plans and procedures related to organizational security. Flashcards
Standard Operating Procedure (SOP) (a.k.a. Procedure Policy)
The SOP documents step-by-step procedures showing how to configure a system or device, or step-by-step instructions on how to implement a specific security solution.
Agreement Types
Agreement Types - BPA
A blanket purchase agreement (BPA) is used to cover repetitive needs for a product or service.
Agreement Types - SLA
A service level agreement (SLA) specifies guaranteed uptime.
A service level agreement (SLA) is a contract, or agreement, between your organization and anyone providing services to the organization. The SLA sets the maximum amount of downtime that is allowed for assets such as Internet service and e-mail service and is an important element of the security policy.
It is important to ensure that you have an SLA in place with all providers, including Internet providers, communication link providers, and even the network service team. Should the provider not meet the SLA requirements, that could warrant looking elsewhere for the service.
It should also be noted that SLAs are used within a company between the IT department and the other departments so that the various departments have reasonable expectations regarding quality of service.
Agreement Types - ISA
Ensure that you are familiar with your Internet service agreement (ISA) and ensure that you are comfortable with any data limits and the guaranteed uptime of the Internet connection. This is critical if you are taking advantage of cloud services, as you need Internet connectivity to access any services or data in the cloud.
Agreement Types - MOU/MOA
A memorandum of understanding (MOU), sometimes referred to as a memorandum of agreement (MOA), is a document that establishes an agreement between two parties and specifies their relationship to one another.
Personnel Management
Personnel Management - Mandatory Vacations
From a security point of view, it is important to ensure that the security policy enforces mandatory vacations, that is, vacation time that must be used. The importance of taking vacation time is that it helps detect fraudulent or suspicious activities within the organization because another employee will need to take over the job role while someone is on vacation. This will help keep employees honest in their job functions because they know they will be held accountable for irregular activities discovered during their absence.
Personnel Management - Job Rotation
Just as it is important to enforce mandatory vacations, your company should also employ job rotation. Job rotation ensures that different employees are performing different job roles on a regular basis. This will help detect and deter fraudulent activities within the business.
Besides that, job rotation exposes employees to all verticals of an organization. It is a pre-planned approach with the objective of testing employees' skills and competencies in order to place each of them in the right position. In addition, it reduces the monotony of the job, gives employees wider experience, and helps them gain more insight into the business.
Personnel Management - Separation of Duties
Separation of duties is the concept that critical job functions should be divided into multiple tasks with a different employee performing each of the different tasks.
For example, the person who writes the check cannot sign the check—this ensures that multiple persons are involved in the process to help avoid fraudulent activity by an employee.
Personnel Management - Clean Desk
Many organizations implement a clean desk policy that requires users to ensure that any sensitive documents are stored away in a secure location at all times and not left in plain view on someone’s desk. It is important to stress to employees what the ramifications of not following the clean desk policy are and to be sure to perform periodic checks in the evening by walking around the office to see if anyone has left sensitive documents in plain view.
Personnel Management - Background Checks
The hiring policy may specify the types of background checking that are to be performed on candidates. During this phase of the hiring process, information on the applicant’s résumé should be verified. Any indication that the candidate has lied on their résumé is a good reason not to hire the candidate. The goal of the background check is to ensure that the candidate actually has the education and job experience claimed on their résumé. The policy may also require doing criminal background checks and Google searches on the candidate.
Personnel Management - Exit Interviews
A friendly termination typically involves an employee leaving the company on good terms and normally for noncompetitive reasons.
With a friendly termination, the termination policy should specify that HR host an exit interview and document the reasons for the employee leaving the company. More importantly, HR needs to remind the employee of the NDA they signed when joining the company and inform them that they still need to adhere to the agreement even though they will no longer be working for the company.
HR should be sure to collect any pass cards and keys from the employee and instruct the network team to disable their accounts after they have left the company.
Personnel Management - Role-based Awareness Training
Your first major decision when designing a security training program is to identify which content is appropriate to present to the different employee roles or departments within the organization. Because security is such a critical concept and an area where you want to captivate your audience during the training and awareness seminars, you want to make sure that you keep the training relevant to the audience and based on job roles.
For example, you do not want to put the business users to sleep with complex discussions on how a firewall is implemented, so reserve technical security training for the technical team. Any members in that job role would be required to take the detailed technical training.
Personnel Management - Role-based Awareness Training - Data Owner
The data owner is responsible for the data and should be trained on how to protect that data. That includes training the data owner on determining the classification label for the data, determining permissions needed, and determining if encryption should be used.