Security and Privacy in a Networked World/Procedures: Thou shalt not...: difference between revisions

Source: KakuWiki
Revision as of 3 May 2014, 12:34

Introduction

As illustrated by the title above, any larger community of humans throughout history has had "the rules of the game" (written or unwritten). The larger the difference between the "initiates" and the "mere mortals", the more vital written, universal and enforced rules (usually called laws) become, and the security of a larger organization tends to show a large difference here. And since the weakest link determines the strength of the whole chain, the axiom of ignorantia juris non excusat also applies, necessitating both training to promote security awareness and policies to maintain and enforce it.

That said, while not everyone can be a security professional in an organization, universal security awareness, shared responsibility and active participation (understanding and following the policies rather than complying mechanically) should be the goals.


Site and infrastructure policies

This is the most physical aspect of security policies, covering the security of premises (building(s), offices) as well as computing infrastructure (servers, desktops, laptops, mobile devices, networking equipment etc).


Facilities

As seen from previous topics, many kinds of cybercrime actually benefit from physical access to the facilities (good examples include the Levin/Citibank case and many feats of Kevin Mitnick). Therefore, adequate policies must be defined for the infrastructure, including

  • methods of physical access - actual means of access (keys, cards, biometric methods); policies should address e.g. proper handling of keys.
  • access change procedures (grant/modify/deny) - these must be clearly defined, including the personnel (who should I contact?) and necessary steps (which forms should I fill out?).
  • status-based access restrictions - different privileges for different positions (vertically; management vs rank-and-file) as well as different forms of work (full-time, part-time, contractors, teleworkers etc).
  • time-based restrictions (hours of operation) - even if there are few practical restrictions on off-hour work, these should be clearly defined in the policy (e.g. the weekend worker must guarantee that no outsiders enter with him/her).
  • points of contact - staff members responsible for different aspects of security (e.g. Mr A. for network security incidents, Ms B. for getting access to facilities etc).
  • incident handling - can also include escalation levels that help staff members understand the situation and also make decisions about involving third parties (e.g. a sizable security breach may be reported to the police).
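As an added illustration (not from the original page), the status-based and time-based restrictions, points of contact and escalation levels listed above can be written down as a policy-as-code check rather than left to interpretation. The organisation, zones, hours and escalation thresholds below are constructed assumptions; the contact names reuse the page's own placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed policy table for a hypothetical organisation (assumption, not from the page):
# zones each worker status may enter, plus the permitted entry window per day type.
# None means no standing right to enter on that day type (deny by default).
ACCESS_POLICY = {
    "management": {"zones": {"lobby", "office", "server_room"},
                   "weekday": (time(0, 0), time(23, 59)), "weekend": (time(0, 0), time(23, 59))},
    "full_time":  {"zones": {"lobby", "office"},
                   "weekday": (time(7, 0), time(20, 0)), "weekend": (time(9, 0), time(17, 0))},
    "contractor": {"zones": {"lobby", "office"},
                   "weekday": (time(8, 0), time(18, 0)), "weekend": None},
}

# Points of contact per kind of question; the names reuse the page's placeholders.
CONTACTS = {"access": "Ms B. (facilities access)", "incident": "Mr A. (network security)"}

# Escalation levels for repeated denied entries, highest threshold first (assumed values).
ESCALATION = (
    (10, "escalate to management, who decide on involving third parties such as the police"),
    (3, "notify " + CONTACTS["incident"]),
    (0, "log only"),
)

@dataclass
class Decision:
    granted: bool
    reason: str
    contact: str  # whom to ask for an access change, or where to report the event

def check_access(status, zone, when):
    """Apply the status-based rule, then the time-based rule; anything unmatched is denied."""
    policy = ACCESS_POLICY.get(status)
    if policy is None:
        return Decision(False, "unknown status %r" % status, CONTACTS["access"])
    if zone not in policy["zones"]:
        return Decision(False, "%s may not enter %s" % (status, zone), CONTACTS["access"])
    window = policy["weekend"] if when.weekday() >= 5 else policy["weekday"]  # Sat=5, Sun=6
    if window is None:
        return Decision(False, "no off-hours right for %s" % status, CONTACTS["access"])
    start, end = window
    if not start <= when.time() <= end:
        return Decision(False, "outside %s-%s" % (start.strftime("%H:%M"), end.strftime("%H:%M")),
                        CONTACTS["access"])
    return Decision(True, "within policy", CONTACTS["incident"])  # report anything unusual here

def escalation_action(denied_attempts):
    """Map a count of denied entries for one person to the policy's escalation level."""
    return next(action for threshold, action in ESCALATION if denied_attempts >= threshold)
```

Every denial carries the contact who handles access changes, so the "who should I contact?" question from the list is answered by the decision itself.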



--

  • Acceptable Use
  • Data value classification
  • Data disclosure and destruction
  • Roles and responsibilities
  • Change control
  • Disaster recovery

Additional reading and links

  • ANONYMOUS. Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network. 3rd ed. Sams Publishing, 2001.