CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [220]

or prospective employee. Refusing to agree to this type of investigation doesn’t mean that the individual has a problem in their background; it may mean they value their privacy.

It’s a good idea for employees who deal with sensitive information, such as security professionals, to have a thorough background investigation. This ensures that employees are who they say they are and have the education they say they do. A background check should weed out individuals who have misrepresented their background and experiences.

Business Policies

Business policies also affect the security of an organization. They address organizational and departmental business issues as opposed to corporate-wide personnel issues. When developing your business policy, you must consider these three primary areas of concern:

■ Separation of duties

■ Physical access control

■ Document destruction

The following sections discuss these three areas.

Separation-of-Duties Policies

Separation-of-duties policies are designed to reduce the risk of fraud and prevent other losses in an organization. A good policy will require more than one person to accomplish key processes. This may mean that the person who processes an order from a customer isn’t the same person who generates the invoice or deals with the billing.

Separation of duties helps prevent an individual from embezzling money from a company. To successfully embezzle funds, an individual would need to recruit others to commit an act of collusion (an agreement between two or more parties established for the purpose of committing deception or fraud). Collusion, when part of a crime, is also a criminal act in and of itself.

In addition, separation-of-duties policies can help prevent accidents from occurring in an organization. Let’s say you’re managing a software development project. You want someone to perform a quality assurance test on a new piece of code before it’s put into production. Establishing a clear separation of duties prevents development code from entering production status until quality testing is accomplished.

Many banks and financial institutions require multiple steps and approvals to transfer money. This helps reduce errors and minimizes the likelihood of fraud.
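The multi-step approval the text describes can be enforced in code rather than left to procedure. The following is an added example, not from the study guide: a small funds-transfer workflow in which the initiator must hold a clerk role, each approver must hold an approver role, nobody may approve their own transfer, and larger transfers need two distinct approvers. The user names, role assignments and the 10,000 dual-control threshold are assumptions chosen for illustration; the same shape of check applies to the code-promotion case, where the person who wrote the code is barred from signing off its quality test.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample role assignments (assumption). In a real system these
# come from the identity provider or HR system, never from a literal in code.
USER_ROLES = {
    "alice": {"clerk"},
    "bob": {"approver"},
    "carol": {"approver"},
    "dave": {"clerk", "approver"},  # holds both roles: must not approve his own work
}

# Assumed policy threshold: transfers at or above this amount need two approvers.
DUAL_CONTROL_THRESHOLD = 10_000.0


class SeparationOfDutiesError(Exception):
    """Raised when an action would let one person control a whole process."""


@dataclass
class Transfer:
    transfer_id: str
    amount: float
    initiated_by: str
    approved_by: list[str] = field(default_factory=list)


def approvals_required(amount: float) -> int:
    """Number of distinct approvers the policy demands for this amount."""
    return 2 if amount >= DUAL_CONTROL_THRESHOLD else 1


def initiate_transfer(transfer_id: str, amount: float, user: str) -> Transfer:
    """Only a clerk may create a transfer; creating it grants no approval."""
    if "clerk" not in USER_ROLES.get(user, set()):
        raise SeparationOfDutiesError(f"{user} is not permitted to initiate transfers")
    if amount <= 0:
        raise ValueError("amount must be positive")
    return Transfer(transfer_id, amount, user)


def is_executable(transfer: Transfer) -> bool:
    """True once the required number of distinct approvals has been recorded."""
    return len(transfer.approved_by) >= approvals_required(transfer.amount)


def approve_transfer(transfer: Transfer, user: str) -> Transfer:
    """Record an approval, rejecting self-approval and duplicate approvers."""
    if "approver" not in USER_ROLES.get(user, set()):
        raise SeparationOfDutiesError(f"{user} is not permitted to approve transfers")
    if user == transfer.initiated_by:
        raise SeparationOfDutiesError(f"{user} cannot approve a transfer they initiated")
    if user in transfer.approved_by:
        raise SeparationOfDutiesError(f"{user} has already approved {transfer.transfer_id}")
    if is_executable(transfer):
        raise SeparationOfDutiesError(f"{transfer.transfer_id} is already fully approved")
    transfer.approved_by.append(user)
    return transfer


def demo() -> dict:
    """Walk a large transfer through the policy and report what was blocked."""
    t = initiate_transfer("T-1", 25_000.0, "dave")  # dave is clerk and approver
    blocked = []
    try:
        approve_transfer(t, "dave")  # self-approval: refused
    except SeparationOfDutiesError as exc:
        blocked.append(str(exc))
    approve_transfer(t, "bob")
    after_one = is_executable(t)    # one of two approvals: not yet executable
    approve_transfer(t, "carol")
    return {
        "blocked": blocked,
        "after_one": after_one,
        "after_two": is_executable(t),
        "approvers": list(t.approved_by),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the structure is that no single role can complete the process: a clerk cannot approve, an approver cannot initiate, and a person who happens to hold both roles is still blocked from approving their own transfer, so fraud requires collusion with a second approver rather than a single insider.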

Due Care Policies

Due care policies identify the level of care used to maintain the confidentiality of private information. These policies specify how information is to be handled. The objectives of due care policies are to protect and safeguard customer and/or client records. The unauthorized disclosure of this information creates a strong potential for liability and lawsuits. Everyone in an organization must be aware of and held to a standard of due care with confidential records.

It’s easy to say that everyone else should adhere to policies and then overlook the importance of doing so yourself. As an administrator, you have access to a great deal of personal information, and you need to be as careful with it, if not more so, than anyone else in the organization. In many cases, something as simple as a printed list of user information sitting in plain view on your desk can violate rules of disclosure.

One of the leading ways to handle due care policies is to implement best practices. Best practices are based on what is known in the industry and how others would respond to similar situations.

Physical Access Control Policies

Physical access control policies refer to the authorization of individuals to access facilities or systems that contain information. Implementing a physical access control policy helps prevent theft and unauthorized disclosure of information and keeps other problems from cropping up. Many organizations limit office hours of employees to prevent them from accessing computer systems during odd hours. (This may not be appropriate for some positions, but it may be essential in others.) What would happen in your company if a payroll clerk decided to give himself a raise? In all probability, he wouldn’t do this under the supervision of the payroll manager—he would do
