5.3: Explain the importance of policies to organizational security. Flashcards
Personnel
A significant portion of human-created security problems results from poor security practices. These poor practices may be those of an individual user who is not following established security policies or processes, or they may be caused by a lack of security policies, procedures, or training within the user’s organization. Through the establishment, enforcement, and monitoring of personnel-related policies—personnel management—an organization can create a framework that empowers its workers to achieve business objectives yet keeps them constrained within recommended security practices. This section covers a dozen security topics related to the management of personnel.
Acceptable Use Policy
An acceptable use policy (AUP) outlines what the organization considers to be the appropriate use of its resources, such as computer systems, e-mail, Internet, and networks. Organizations should be concerned about any personal use of organizational assets that does not benefit the company.
The goal of the policy is to ensure employee productivity while limiting potential organizational liability resulting from inappropriate use of the organization’s assets. The policy should clearly delineate what activities are not allowed.
EXAM TIP
Make sure you understand that an acceptable use policy outlines what is considered acceptable behavior for a computer system’s users. This policy often goes hand-in-hand with an organization’s Internet usage policy.
Job Rotation
Another policy that provides multiple benefits is job rotation. Rotating through jobs provides individuals with a better perspective of how the various parts of the organization can enhance (or hinder) the business. Since security is often of secondary concern to people in their jobs, rotating individuals through security positions can result in a much wider understanding of the organization’s security problems. A secondary benefit is that it also eliminates the need to rely on one individual for security expertise. If all security tasks are the domain of one employee, security will suffer if that individual leaves the organization. In addition, if only one individual understands the security domain, should that person become disgruntled and decide to harm the organization, recovering from their attack could be very difficult.
Mandatory Vacation
Organizations have been providing vacation time for their employees for many years. Until recently, however, few organizations forced employees to take this time if they didn’t want to. Some employees are given the choice to either “use or lose” their vacation time, and if they do not take all of their time, they’ll lose at least a portion of it.
Separation of Duties
Separation of duties is a principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone. This means that the level of trust in any one individual is lessened, and the ability for any individual to cause catastrophic damage to the organization is also lessened.
EXAM TIP
Another aspect of the separation of duties principle is that it spreads responsibilities out over an organization so no single individual becomes the indispensable individual with all of the “keys to the kingdom” or unique knowledge about how to make everything work. If enough tasks have been distributed, assigning a primary and a backup person for each task will ensure that the loss of any one individual will not have a disastrous impact on the organization.
Least Privilege
One of the most fundamental principles in security is least privilege, which means that an object (which may be a user, application, or process) should have only the rights and privileges necessary to perform its task, with no additional permissions. Limiting privileges limits the amount of harm the object can cause, thus limiting the organization’s exposure to damage. Users should only have access to the information and systems necessary to perform their job duties. Enforcing the principle of least privilege helps an organization protect its most sensitive resources and helps ensure that whoever is interacting with these resources has a valid reason to do so.
Nondisclosure Agreement (NDA)
Nondisclosure agreements (NDAs) are standard corporate documents used to explain the boundaries of company secret material, information over which control should be exercised to prevent disclosure to unauthorized parties. NDAs are frequently used to delineate the level and type of information, and with whom it can be shared. NDAs can be executed between any two parties where one party wishes that the material being shared is not further shared, enforcing confidentiality via contract.
Gamification
Gamification is the use of games to facilitate user training. This methodology has several interesting advantages. First, it makes rote learning of training material less boring. Second, it enables a more comprehensive situation-based approach to training, with consequences of bad decisions being shared with those taking the training.
Computer-Based Training (CBT)
Computer-based training (CBT) is the use of a computer program to manage training of users. Self-paced modules can facilitate skill development across a wide range of skills, and the flexibility of CBT is very attractive. Not all learners learn well under these circumstances, but for those who do, CBT provides a very affordable, scalable training methodology.
Memorandum of Understanding (MOU)
A memorandum of understanding (MOU) and memorandum of agreement (MOA) are legal documents used to describe a bilateral agreement between parties. They are written agreements that express a set of intended actions between the parties with respect to some common pursuit or goal. Typically, an MOU has higher-level descriptions, whereas an MOA is more specific; however, the boundary between these two legal terms is blurry and they are often used interchangeably. Both are more formal and detailed than a simple handshake, but they generally lack the binding powers of a contract.
Measurement Systems Analysis (MSA)
Measurement systems analysis (MSA) is a field of study that examines measurement systems for accuracy and precision. Before an enterprise relies on measurement systems, it is important to understand whether the chosen measurement system is acceptable for its intended use, to understand the different sources of variation present in it, and to identify and understand sources of bias, errors, and factors associated with repeatability and reproducibility.
Business Partnership Agreement (BPA)
A business partnership agreement (BPA) is a legal agreement between partners that establishes the terms, conditions, and expectations of the relationship between the partners. These details can cover a wide range of issues, including typical items such as the sharing of profits and losses, the responsibilities of each partner, the addition or removal of partners, and any other issues.