CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [18]
Information Policies
Information policies refer to the various aspects of information security, including access, classifications, marking and storage, and the transmission and destruction of sensitive information. If your company records audio communications, that should be addressed as well.
The development of information policies is critical to security. It is not uncommon for such a policy to include a data classification matrix that defines various classification levels. The levels are usually similar to the following examples:
Public: For all advertisements and information posted on the Web
Internal: For all intranet-type information
Private: Personnel records, client data, and so on
Confidential: Public Key Infrastructure (PKI) information and other items restricted to all but those who must know them
The terms used for data classification might differ between organizations—many use top secret, secret, and sensitive, for example—but the most important concept for the organization is that a matrix of levels exists.
As with all other policies, the key is to be as comprehensive as possible. Little should be left to chance or conjecture when you’re writing information policies.
Security Policies
Security policies define the configuration of systems and networks, including the installation of software, hardware, and network connections. Security policies also define computer room and data center security as well as how identification and authentication (I&A) occurs. These policies determine how access control, audits, reports, and network connectivity are handled. Encryption and antivirus software are usually covered. Security policies also establish procedures and methods used for password selection, account expiration, failed logon attempts, and related areas.
Although each security policy is intended for a specific purpose, the scopes of the different policies may overlap. Overlap between information policies and security policies is also common.
Software Design Requirements
Software design requirements outline what the capabilities of the system must be. These requirements are typically part of the initial design and greatly affect the solutions you can use. Many vendors will respond to every bid and assure you that they’re secure. You can use the requirements to have vendors explain proposed solutions. A software design policy should be specific about security requirements. If your design doesn’t include security as an integral part of the implementation, you can bet that your network has vulnerabilities.
Design requirements should be viewed as a moving target. The requirements that exist today shouldn’t be the same in two years when the network environment has been significantly modified.
Usage Policies
Usage policies cover how information and resources are used. You need to explain to users how they can use organizational resources and for what purposes. These policies lay down the law about computer usage. Usage policies include statements about privacy, ownership, and the consequences of improper acts. Your usage policies should clearly explain usage expectations about the Internet, remote access, and e-mail.
They should also address how users should handle incidents—whom they should contact if they suspect something is awry. The policy should spell out the fact that monitoring can take place and that users agree to it. Consequences for account misuse, whether termination or something less severe, should also be stated.
User Management Policies
User management policies identify the various actions that must occur in the normal course of employee activities. These policies must address how new employees are added to the system as well as training, orientation, and equipment installation