
CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [219]
usage and ethical behavior for computer professionals. The commandments establish a code of behavior and trust that is important for security and computer-security professionals. This list is a good place to start in the development of both a personnel ethics code and an organizational ethics code.

Acceptable-Use Policies

Acceptable-use policies (AUP) deal primarily with computers and information provided by the company. Your policy should clearly stipulate what activities are allowed and what activities aren’t allowed. This policy can be as simple as a blanket statement such as “Computers provided by the company are for company business use only.”

From a security perspective, you should make sure the people using your systems and accessing your information aren’t using them in ways inconsistent with the policy. This usually includes some type of monitoring package or log file examination.

Many companies have developed comprehensive policies concerning Web access, e-mail usage, and private usage. Acceptable-use policies should also include rules regarding telephone-system usage, information usage, and other related issues. Having an acceptable-use policy in place eliminates any uncertainty regarding what is and what isn’t allowed in your organization. After these policies are put into place, enforcing them is critical. If an employee is using your corporate computer systems for an unacceptable purpose such as downloading pornography, you must consistently enforce company policy to stop the behavior and discourage future abuses. If your organization fails to enforce its policies consistently, it’s opening itself to potential lawsuits because inconsistent enforcement could be perceived to be linked to discriminatory practices.

Privacy and Compartmentalized Information Policies

Privacy policies for corporate information are essential. You must clearly state what information can and can’t be disclosed. Privacy policies must also specify who is entitled to ask for information within the organization and what types of information are provided to employees.

The process of establishing boundaries for information sharing is called compartmentalization. It’s a standard method of protecting information.

Your policies must clearly state that employees should have no expectations of privacy. Employers are allowed to search desks, computers, files, and any other items brought into the building. Your policy should also state that e-mails and telephone communications can be monitored and that monitoring can occur without the employee’s permission or knowledge. Many employees wrongly assume they have a right to privacy when in fact they don’t. By explicitly stating your policies, you can avoid misunderstandings and potentially prevent employees from embarrassing themselves.

Need-to-Know Policies

Need-to-know policies allow people in an organization to withhold the release of classified or sensitive information from others in the company. The more people have access to sensitive information, the more likely it is that this information will be disclosed to unauthorized personnel. A need-to-know policy isn’t intended to prohibit people from accessing information they need; it’s meant to minimize unauthorized access.

Many naturally curious individuals like to gain sensitive information just for the fun of it. No doubt you’ve known someone who is a gossip—they will tell everybody the secrets they know. This can prove embarrassing to the organization or the people in the organization.

The need-to-know section of most policies usually contains a statement to the effect of “Data containing any confidential information shall be readily identified and treated as confidential.”

Conducting Background Investigations

Background investigations potentially involve more than checking references. A good background investigation should include credit history and criminal-record checks as well as information about work experience and education. These checks must be done with the permission of the employee
