CompTIA® Security+ Exam Notes : Importance Of Policies, Plans And Procedures Related To Organizational Security

5. Risk Management

5.1 Explain the importance of policies, plans and procedures related to organizational security

The following are true of a security policy:

  • The security policy should clearly state that no one is ever allowed to share his/her password with anyone else.
  • The security policy should state that the help desk may change or assign a new password only after positive identification of the individual requesting the change.
  • According to the principle of least privilege, a user should be given only the minimum privileges required to do his/her work accurately and completely.

The following controls reduce the risk of employees within an organization colluding to embezzle company funds; mandatory vacations are the best suited of the three:

  • Mandatory vacations reduce the possibility of fraud and embezzlement because a person is required to take leave, during which someone else performs his/her duties and any irregularities are more likely to surface.
  • Time-of-day (TOD) restrictions allow a person to sign in only during selected times, for example normal working hours.
  • Training makes employees aware of the policies and of how to follow them.

Acceptable use policy: An acceptable use policy (AUP) specifies what employees may do with their systems and network access. The policy may limit personal use of resources and the times at which resources may be accessed. An AUP defines the intended uses of the organization's resources and the consequences of non-compliance, and so ensures that the resources are used properly. For example, an AUP may prohibit visiting social networking websites during working hours.

Some issues that need to be taken care of, while planning security policies are:

1. Due Care

2. Privacy

3. Separation of Duties

4. Need to Know

5. Password Management

6. Disposal Management

7. Human Resource Policies, and

8. Incident Management

Personnel management

Separation of duties: Separation of duties prevents any single person from performing multiple job functions that, taken together, would allow that person to commit fraud. Vital activities are split among two or more people, so that completing a fraudulent transaction requires collusion rather than the act of one individual; this reduces the incidence of fraud.

Clean desk: A clean desk policy requires personnel to keep their desks clear of sensitive material during and after work. It ensures that login/password information and confidential documents are not inadvertently left on the desk, where they could be read or taken and lead to unauthorized access or loss of sensitive information.

Job rotation: Job rotation spreads the knowledge of a job among different people, reducing downtime when an employee quits or is on leave. Because a different person periodically performs each role, it also makes it harder for one person to conceal fraud or errors over a long period. Further, job rotation gives employees the opportunity to develop skills in a variety of jobs.

NDA: Suppose Company A has entered into an NDA (Non-Disclosure Agreement) with Company B, and B now wants to engage a third party, Company C. The first thing to review is the existing NDA between A and B: B may enter into an NDA with C only if the NDA between A and B permits sharing the data with a third party. If it rules out such sharing, B cannot pass the data to C under any agreement. Verifying that the third-party provider has relevant experience, and that C has its own security policies in place, matters too, but those are not the first things to consider; the NDA with the third party is subject to the NDA already in force between the first two parties.

Example 1: A newly hired employee is asked to review the security of the computers within the company premises. What should he do first?

Solution: He should first read the company's security policy. The security policy outlines the security measures to be taken, so reviewing the computers against it (and implementing what it requires) is the first thing to be done.

Example 2: A security manager observed that the incoming inspection of material as well as payment is done by the same person. He implemented a policy such that one employee does incoming inspection of material and another employee does the payment processing. This is an example of security enhancement by separation of duties.
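The separation-of-duties control described above and in Example 2 is normally enforced in two places: at provisioning time, by making sure no one is granted both of a pair of conflicting roles, and at transaction time, by refusing to let the person who accepted the goods also release the payment. The following is an added example written for these notes (it is not code from the notes or from CompTIA); the role names "inspector" and "payer", the user names and the purchase-order fields are all assumptions made for the illustration.

```python
"""Separation-of-duties enforcement for a purchase workflow (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple


class SeparationOfDutiesError(Exception):
    """Raised when one person tries to perform two duties that must be split."""


def conflicting_users(roles: Dict[str, Set[str]],
                      conflicts: Iterable[Tuple[str, str]]) -> Set[str]:
    """Provisioning-time check: users who hold both roles of any conflicting pair.

    `roles` maps a user id to the set of roles that user holds. Any user
    returned here can perform a whole transaction alone, which is exactly
    what separation of duties is meant to prevent.
    """
    found = set()
    for user, held in roles.items():
        for role_a, role_b in conflicts:
            if role_a in held and role_b in held:
                found.add(user)
    return found


@dataclass
class PurchaseOrder:
    po_id: str
    amount: float
    inspected_by: Optional[str] = None   # who accepted the incoming goods
    paid_by: Optional[str] = None        # who released the payment
    audit_log: List[str] = field(default_factory=list)


class PurchaseWorkflow:
    """Transaction-time checks: least privilege (role required for each step)
    plus separation of duties (inspector and payer must be different people).
    Role names are assumptions for this example."""

    def __init__(self, roles: Dict[str, Set[str]]):
        self.roles = roles

    def _require_role(self, user: str, role: str) -> None:
        # Least privilege: a user may perform a step only if explicitly
        # granted the role for it.
        if role not in self.roles.get(user, set()):
            raise PermissionError(f"{user} lacks the {role!r} role")

    def record_inspection(self, po: PurchaseOrder, user: str) -> PurchaseOrder:
        self._require_role(user, "inspector")
        if po.inspected_by is not None:
            raise ValueError(f"{po.po_id} already inspected by {po.inspected_by}")
        po.inspected_by = user
        po.audit_log.append(f"{po.po_id}: goods inspected by {user}")
        return po

    def approve_payment(self, po: PurchaseOrder, user: str) -> PurchaseOrder:
        self._require_role(user, "payer")
        if po.inspected_by is None:
            raise ValueError(f"{po.po_id} cannot be paid before inspection")
        # Separation of duties: the person who accepted the goods must not
        # also release the money; otherwise a single insider could approve
        # payment for goods that never arrived.
        if user == po.inspected_by:
            raise SeparationOfDutiesError(
                f"{user} inspected {po.po_id} and may not also approve payment")
        po.paid_by = user
        po.audit_log.append(f"{po.po_id}: payment of {po.amount:.2f} approved by {user}")
        return po


if __name__ == "__main__":
    # Constructed sample data: carol holds both roles, which the
    # provisioning-time check should flag before any transaction runs.
    roles = {"alice": {"inspector"}, "bob": {"payer"},
             "carol": {"inspector", "payer"}}
    print("toxic role combinations:", conflicting_users(roles, [("inspector", "payer")]))
    wf = PurchaseWorkflow(roles)
    po = wf.record_inspection(PurchaseOrder("PO-1", 1000.0), "alice")
    wf.approve_payment(po, "bob")
    print("\n".join(po.audit_log))
    try:
        po2 = wf.record_inspection(PurchaseOrder("PO-2", 500.0), "carol")
        wf.approve_payment(po2, "carol")
    except SeparationOfDutiesError as exc:
        print("blocked:", exc)
```

The provisioning check is the cheaper control and should run whenever roles are granted; the transaction check is the backstop for the case where someone legitimately holds both roles at different times, which the audit log then records.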

Agreement Types:

SLA (Service Level Agreement): A service level agreement is a formal, negotiated document between two parties. It is a legal document that binds both parties for the term of the agreement. An SLA usually specifies performance expectations such as up-time, response time and mean time between failures (MTBF), and what happens if they are not met.

BPA (Business Partners Agreement): It defines the relationship between business partners, including their roles and responsibilities toward the partnership.

MOU (Memorandum of Understanding): A memorandum of understanding (MoU) describes a bilateral or multilateral agreement between two or more parties and states each party's intentions and responsibilities. It is usually less formal than a contract and is not necessarily legally binding.

ISA (Interconnection Security Agreement): It specifies requirements for establishing, maintaining, and disconnecting a secure connection between two parties.

In the context of risk management, three classes of control are defined: Management (or Administrative), Technical, and Operational (or Physical). Within each of these classes, controls are further classified by function as Deterrent, Preventive, Detective, Corrective, and Compensating.
