Security and Privacy in a Networked World/Procedures: Thou shalt not...: erinevus redaktsioonide vahel
WikiHaldur (arutelu | kaastöö) Resümee puudub |
WikiHaldur (arutelu | kaastöö) |
||
| 13. rida: | 13. rida: | ||
=== Facilities === | === Facilities === | ||
As seen from previous topics, many kinds of cybercrime actually benefit from physical access to the facilities (good examples include the Levin/Citibank case and many feats of Kevin Mitnick). | As seen from previous topics, many kinds of cybercrime actually benefit from physical access to the facilities (good examples include the Levin/Citibank case and many feats of Kevin Mitnick). Therefore, adequate policies must be defined for the infrastructure, including | ||
* methods of physical access | |||
* access change procedures (grant/modify/deny) | |||
* status-based access restrictions | |||
* time-based restrictions (hours of operation) | |||
* points of contact | |||
* incident handling | |||
-- | |||
* Acceptable Use | * Acceptable Use | ||
| 22. rida: | 34. rida: | ||
* Change control | * Change control | ||
* Disaster recovery | * Disaster recovery | ||
== Additional reading and links == | == Additional reading and links == | ||
* ANONYMOUS. Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network. 3rd ed. Sams Publishing, 2001. | * ANONYMOUS. Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network. 3rd ed. Sams Publishing, 2001. | ||
Redaktsioon: 3. mai 2014, kell 12:19
Introduction
As illustrated by the title above, any larger community of humans throughout the history has had "the rules of game" (written or unwritten). The larger the difference between the "initiates" and the "mere mortals", the more vital are written, universal and enforced rules (they are usually called laws) - and security of a larger organization tends to have large difference here. And due to the the principle of the weakest link determining the strength of the whole chain, the axiom of ignorantia juris non excusat also applies, necessitating efforts both training to promote security awareness and policies to maintain and enforce it.
That said, while not everyone can be a security professional in an organization, universal security awareness, shared responsibility and active participation (understanding and following the policies rather than complying mechanically) should be the goals.
Site and infrastructure policies
This is the most physical aspect of security policies, covering the security of premises (building(s), offices) as well as computing infrastructure (servers, desktops, laptops, mobile devices, networking equipment etc).
Facilities
As seen from previous topics, many kinds of cybercrime actually benefit from physical access to the facilities (good examples include the Levin/Citibank case and many feats of Kevin Mitnick). Therefore, adequate policies must be defined for the infrastructure, including
- methods of physical access
- access change procedures (grant/modify/deny)
- status-based access restrictions
- time-based restrictions (hours of operation)
- points of contact
- incident handling
--
- Acceptable Use
- Data value classification
- Data disclosure and destruction
- Roles and responsibilities
- Change control
- Disaster recovery
Additional reading and links
- ANONYMOUS. Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network. 3rd ed. Sams Publishing, 2001.
