CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [235]
on the motherboard a basic input/output system (BIOS) chip. This special memory chip contains software that tells the processor how to interact with the rest of the hardware in the computer. One of the things that falls under BIOS control is the complementary metal oxide semiconductor (CMOS) memory that holds settings such as the date, time, hard drive configuration, memory, and any passwords that you want to assign at this base level.

Don’t think that a BIOS-based password will keep your data safe when you’re throwing away old equipment. Most data within the BIOS can be overwritten (it is flash based), and the CMOS settings are maintained by a battery. By removing and reinstalling the battery, it is often possible to wipe the BIOS settings and get prompted for new values at boot. Doing so can allow someone with one of your old computers to access the data that you thought was secure when you tossed the workstation in the trash.

Security Policy

A security policy defines what controls are required to implement and maintain the security of systems, users, and networks. This policy should be used as a guide in system implementations and evaluations. Security policies have been extensively discussed throughout the book, and you should be aware of their key aspects at this point.


Use Policy

Use policies describe how the employees in an organization can use company systems and resources: both software and hardware. This policy should also outline the consequences for misuse. In addition, the policy (also known as an acceptable use policy) should address installation of personal software on company computers and the use of personal hardware such as USB devices.

Even secure workstations that contain no traditional media devices (CD, DVD, floppy, and so forth) usually contain USB ports. Unless those ports are disabled, a user can easily connect a flash drive and copy files to and from it. Not only should you make every attempt to limit USB ports, but you should also have the use of such devices spelled out in the acceptable use policy to circumvent the “I didn’t know” defense.
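The paragraph above says USB ports should be limited wherever possible and the rule written into the acceptable use policy. The following script is an added example, not from the study guide, of how the technical half of that control can be enforced on a Linux workstation: it drops a modprobe rule that refuses to load the usb-storage driver, so a plugged-in flash drive never appears as a disk, and it offers an audit mode so an administrator can verify the control is in place. The choice of Linux, the file name `90-block-usb-storage.conf`, and the `--apply`/`--audit` flags are assumptions; the `install` and `blacklist` directives are standard modprobe.d syntax.

```shell
#!/bin/sh
# Added example (not from the study guide): block USB mass storage on a Linux host
# with a modprobe drop-in, and audit whether the control is in place.
# Assumptions: Linux, /etc/modprobe.d as the drop-in directory, and the file name below.

CONF_NAME="90-block-usb-storage.conf"   # assumed file name

# Text of the modprobe drop-in. "install <module> /bin/false" makes any attempt to
# load the module run /bin/false instead, so the driver never binds to a plugged-in
# flash drive; "blacklist" stops it from being auto-loaded through device aliases.
usb_storage_block_conf() {
    printf '%s\n' \
        '# Removable USB mass storage is prohibited by the acceptable use policy' \
        'install usb-storage /bin/false' \
        'blacklist usb-storage'
}

# Write the drop-in into the given directory (default /etc/modprobe.d, needs root).
write_usb_storage_block() {
    dir="${1:-/etc/modprobe.d}"
    usb_storage_block_conf > "$dir/$CONF_NAME"
}

# Return 0 (true) when the usb_storage module is currently loaded, 1 otherwise.
# /proc/modules lists one module per line with the module name as the first field.
usb_storage_loaded() {
    grep -q '^usb_storage ' /proc/modules 2>/dev/null
}

# Audit helper: report whether the block rule exists and whether the module is loaded.
audit_usb_storage() {
    dir="${1:-/etc/modprobe.d}"
    if [ -f "$dir/$CONF_NAME" ]; then rule=present; else rule=missing; fi
    if usb_storage_loaded; then loaded=yes; else loaded=no; fi
    echo "usb-storage block rule: $rule; module loaded: $loaded"
}

# Command-line entry point; with no arguments the script only defines the functions.
case "${1:-}" in
    --apply) write_usb_storage_block &&
             echo "wrote /etc/modprobe.d/$CONF_NAME (unload a running driver with: modprobe -r usb-storage)" ;;
    --audit) audit_usb_storage ;;
    *) ;;
esac
```

Run it as root with `--apply` to install the rule and with `--audit` (as any user) to confirm the rule file exists and the driver is not loaded. The `install` line only prevents future loads; a driver that is already resident must be unloaded once with `modprobe -r usb-storage`, which is why the audit reports both facts separately. As with the policy text itself, the block covers mass-storage devices only: USB keyboards, mice and network adapters continue to work, which is the usual compromise when ports cannot be physically disabled.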

A few years ago, an employee in a large company was using corporate computer systems to run a small accounting firm he had started. He was using the computers on his own time. When this situation was discovered, he was immediately fired for the misuse of corporate resources. He sued the company for wrongful discharge and won the case. The company was forced to hire him back and pay his back wages, and he was even awarded damages. The primary reason the company lost the case was that its acceptable use policy didn’t say he couldn’t use the company computers for personal work, only that he couldn’t use them for personal work during work hours. The company wasn’t able to prove that he did the personal work during work hours.

Every acceptable use policy today should include a section on cell phone usage (and even presence) within the workplace. While a cell phone can be convenient for employees (they can now more easily take personal calls at work), it can be a headache for the security administrator. Most cell phones can store files the same as any USB device and can be used to copy files to and from the workstation. Additionally, the camera feature of most phones makes it possible for a user to take pictures of such things as documents, your servers, your physical security implementation, and many other things you probably don’t want to share. For this reason, most secure facilities have stringent restrictions on the presence of cell phones within the vicinity.

Make sure your acceptable use policies provide you with adequate coverage regarding all acceptable uses of corporate resources.

Backup Policy

An organization’s backup policy dictates what information should be backed up and how it should be backed up. Ideally, a backup plan is written in conjunction with the business continuity plan.

Backup policies also need to set guidelines for information archiving. Many managers and users don’t understand the difference between a backup and an archive.
