CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [221]
Document Disposal and Destruction Policies
Document disposal and destruction policies define how information that is no longer needed is handled. You should ensure that financial, customer, and other sensitive information is disposed of properly when it’s no longer needed. Most organizations use mountains of paper, and much of it needs to be shredded or burned to prevent unauthorized access to sensitive information. Investigate the process that your organization uses to dispose of business records; it may need to be reevaluated.
Many large cities have businesses that do nothing but destroy paper for banks and other institutions. Using a truck that resembles a mobile shredder on wheels, they will come to your site and guarantee that the paper is destroyed. If your organization works with data of a sensitive nature, you should investigate the possibility of using such a service.
Certificate Policies
The advent of e-commerce has created a grave concern about trust. How does a customer know that they’re working with a legitimate supplier? How does a retailer know they’re dealing with a legitimate customer? One of the major problems facing e-commerce providers, as well as other businesses, is fraud. Fraud, theft, and other illegal transactions cost businesses billions of dollars a year.
Certificate policies aren’t part of the Security+ exam. They are, however, an important aspect of an overall security program and are presented here for your consideration. All you need to know about certificates for the Security+ exam can be found in Chapter 7, “Cryptography Basics, Methods, and Standards.”
There are ways to minimize if not eliminate the losses that organizations and individuals face. One method entails the use of digital certificates and certificate policies.
Certificates allow e-mails, files, and other transactions to be signed by the originator. This digital signing process usually carries close to the same weight as a hand signature. Using digital signatures allows business transactions to occur in a manner that provides a level of trust between the parties involved.
One of the most common certificates in use today is the X.509 certificate. It includes encryption, authentication, and a reasonable level of validity. A certificate issued by a valid certificate authority is valid in almost all cases; exceptions are few and far between. Most e-commerce providers accept the X.509 certificate or equivalent technologies.
Certificate policies refer to organizational policies regarding the issuing and use of certificates. These policies have a huge impact on how an organization processes and works with certificates.
A certificate policy needs to identify which certificate authorities (CAs) are acceptable, how certificates are used, and how they’re issued. An organization must also determine whether to use third-party CAs, such as VeriSign, or create its own CA systems. In either case, the policies have implications for trust and trusted transactions.
A trusted transaction occurs under the security policy administered by a trusted security domain. Your organization may decide that it can serve as its own trusted security domain and that it can use third-party CAs, thus allowing for additional flexibility. Third-party CAs are usually accredited. However, the process of having an internal CA accredited is difficult and requires compliance with the policies and guidelines of the accrediting organization.
Transactions require the involvement of a minimum of two parties. In the CA environment, the two primary parties are identified as the subscriber and the relying party. The subscriber is the individual who is attempting to present the certificate that proves authenticity. The relying party is the person receiving the certificate. The relying party is dependent on the certificate as the primary authentication mechanism. If this