CHAPTER 15
Legislation and Organizational Policies

EXAM OBJECTIVES IN THIS CHAPTER

Secure Disposal of systems

Acceptable Use policies

Password Complexity

Change Management

Information Classification

Vacations

Personally Identifiable Information

Due Care

Due Process

Due Diligence

Service Level Agreements

User Education and Awareness Training

Security-Related HR Policies

INTRODUCTION

In organizations, policies are used to outline rules and expectations, while procedures outline courses of action to deal with problems. These policies and procedures allow everyone to understand the organization’s views and values on specific issues, and what will occur if they are not followed.

In some instances, additional rules may be required in the form of legislation that controls certain activities of the organization. For example, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 defines requirements for protecting patient information during and after being transmitted electronically. Any hospital, doctor’s office, clinic, or other office that maintains patient information must comply with these requirements. In situations where the company must adhere to certain laws or standards that directly impact its area of business, the policies must be written to coexist with existing legislation.

A policy is used to address concerns and identify risks. For example, a policy may be created to deal with physical security to an office building and the potential threat of unauthorized access. It may state that members of the public are permitted in the lobby and front desk area, but points beyond this are for employees only. Through the policy, an issue that is pertinent to the organization is explained and dealt with.

Well-thought-out plans provide information that is used to create a successful security system. Without them, organizations would find it difficult to deal with incidents when they occur, or to avoid problems that can adversely affect a company. As a Security+ technician, you are expected to understand the fundamental concepts of the different policies, procedures, and documentation that make up the foundation on which computer security is built.

SECURE DISPOSAL OF SYSTEMS

Nothing lasts forever. After a while, equipment becomes outdated and data is no longer needed. When this occurs, you need to determine what to do with it. You do not want people recovering data on hard disks that are thrown away, reading printed materials they find in the garbage, or acquiring other information that has been removed from service. Because of the sensitive nature of some data, a policy dealing with the safe disposal and destruction of data and equipment is necessary.

The first step regarding disposal and destruction is deciding what needs to be disposed of and destroyed. Because data can become obsolete or may be legally required to be removed after a period of time, certain data needs to be removed from a system. Organizations often incorporate a data retention policy, which outlines the period of time after which data and printed records become obsolete.

When files, records, or paperwork are destroyed, a policy dealing with disposal and destruction of data should be used. Such a policy can also be referred to when determining what to do with data that is destroyed daily, such as forms that are incorrectly filled out or corporate memos that are read but no longer needed. This policy provides clear guidelines of how an organization expects this material to be discarded.

There are different options available for destroying paper documents. As we discussed in Chapter 14, you don’t want to simply throw out sensitive documents, as they can be pulled from the garbage and read. Smaller organizations may use shredders to cut up the documents into strips, while larger organizations may hire businesses that specialize in destroying paper documents. Banks, government institutions, law firms, and so forth often use these shredding companies, which are bonded and will pick up documents from a site and guarantee their destruction.

Data can be destroyed in a number of ways, with some being more effective than others. If data is simply deleted, any number of data recovery or computer forensic tools can be used to restore the data. Even formatting the hard disk is not a suitable solution when you consider that certain tools and data recovery methods can still access the data. The only way to be certain that data cannot be recovered using software solutions is to overwrite it with other data.

Disk erasing software wipes the disk clean by erasing all of the files and overwriting the disk space with a series of ones and zeros. In doing so, every sector of the disk is overwritten, making the data unrecoverable. If anyone attempted to recover data on the disk, they wouldn’t be able to retrieve anything because the data is completely destroyed. Shredder utilities such as Active@ Kill Disk (www.killdisk.com) are widely used to wipe disks before they are disposed of.
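The difference between deleting, formatting, and overwriting described above, shown on a toy block device. This is an added example, not code from the chapter or from any wiping product; the sector size, allocation table, and raw-scan "recovery" are constructed here to make the point visible.

```python
"""Toy block device: delete and quick-format only touch the allocation
table, so a raw scan of the sectors still finds the data; an overwrite
wipe destroys every sector.  Constructed example, not a real filesystem."""

SECTOR = 16   # bytes per sector (constructed, tiny for readability)
SECTORS = 8   # sectors on the toy disk; sector 0 is reserved for the table


class ToyDisk:
    def __init__(self):
        self.media = bytearray(SECTOR * SECTORS)  # raw platter contents
        self.table = {}                            # name -> list of sectors

    def write_file(self, name, data):
        """Allocate free sectors, write the data there, record it in the table."""
        used = {s for secs in self.table.values() for s in secs}
        free = [s for s in range(1, SECTORS) if s not in used]
        need = -(-len(data) // SECTOR)             # ceiling division
        if len(free) < need:
            raise OSError("disk full")
        secs = free[:need]
        for i, s in enumerate(secs):
            chunk = data[i * SECTOR:(i + 1) * SECTOR].ljust(SECTOR, b"\0")
            self.media[s * SECTOR:(s + 1) * SECTOR] = chunk
        self.table[name] = secs

    def delete(self, name):
        """Ordinary delete: only the table entry goes; sectors are untouched."""
        del self.table[name]

    def quick_format(self):
        """Formatting rebuilds the table; the data sectors are still untouched."""
        self.table = {}

    def wipe(self, passes=(b"\x00", b"\xff")):
        """Overwrite every sector with each pattern in turn (ones and zeros)."""
        for pattern in passes:
            for s in range(SECTORS):
                self.media[s * SECTOR:(s + 1) * SECTOR] = pattern * SECTOR
        self.table = {}

    def recover(self, marker):
        """Forensic-style raw scan: ignore the table and read every sector."""
        return marker in bytes(self.media)


def demo():
    """Write a confidential record, then show what each disposal step leaves."""
    secret = b"CONFIDENTIAL: merger memo, Q3 figures"  # constructed content
    disk = ToyDisk()
    disk.write_file("memo.txt", secret)
    disk.delete("memo.txt")
    after_delete = disk.recover(b"CONFIDENTIAL")   # True: data still on disk
    disk.quick_format()
    after_format = disk.recover(b"CONFIDENTIAL")   # True: table gone, data not
    disk.wipe()
    after_wipe = disk.recover(b"CONFIDENTIAL")     # False: sectors overwritten
    return after_delete, after_format, after_wipe


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

On real hardware the same logic has to run against the raw device rather than a file, since a filesystem or flash controller may place an overwrite somewhere other than the original blocks.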

EXAM WARNING Using a degausser, also called a bulk demagnetizer, can effectively destroy data stored on magnetic media such as backup tapes. Software can be used to overwrite data on hard disks so that it can’t be recovered, but some media may need to be completely destroyed (as in the case of CDs, DVDs, and so forth).

A degausser, or bulk demagnetizer, is a hardware device that can be used to destroy data stored on magnetic media such as floppy disks and backup tapes. A degausser is a powerful magnet that erases all data from magnetic media so that no one can retrieve information from it. Hard disks can also have their data erased with a degausser, performing a low-level format that erases all data from the disk.

If there are concerns over particularly sensitive information being seen by outside sources, an additional measure of security is physically scarring or destroying the media. For floppy disks and backup tapes, this involves shredding the media into pieces. There are many paper shredders on the market that also accept CDs and DVDs and totally destroy them, and other tools that will scrape the data layer off of the CD/DVD. For hard disks, you would open the hard drive, remove the platter inside, and physically scar or destroy it. Tools are also available that will crush a hard disk, or punch the spindle and warp the platters of the disk. Acid can also be used to destroy magnetic media. From this, you can see that there are many options available for totally destroying media.

Retention/Storage

As we mentioned earlier, policy regarding the retention of data decides how long a company will retain data before destroying it. If everyone kept every scrap of paper or record stored in a database, organizations would quickly run out of hard disk space and have rooms filled with paperwork. For this reason, administrators need to determine whether certain records should be destroyed after a series of months or years. A retention policy clearly states when stored data is to be removed.

The length of time data is stored can be dictated by legal requirements or corporate decision-making. Using this policy, certain data will be kept for a specified length of time, so that it can be referred to if needed. For example, a police department will retain data related to a case for indeterminate lengths of time, so that it can be used if a person convicted of a crime appeals or if questions related to the case need to be addressed. Contrary to this are medical records, which a doctor’s office will keep throughout the life of the patient. In other situations, data is kept for an agreed upon time and then destroyed, as when backed-up data is retained for a year to allow users the ability to restore old data for a specific use.

Retention and storage documentation is necessary to keep track of data, so that it can be determined what data should be removed and/or destroyed once a specific date is reached. Such documentation can be as simple as backup logs, which list what was backed up and when. By referring to the date the data was backed up, administrators can determine if the necessary period of time has elapsed to require destruction of this data.

EXAM WARNING An organization should have clear policies on how long data and documentation are to be retained, and how this is to be stored. These policies ensure that data isn’t destroyed too soon, and that it is stored in a safe and secure manner.

Destruction

When a retention period is reached, data needs to be destroyed. Legal requirements or policy may dictate how data is to be destroyed. When destroying data, it is important to follow procedures that dictate how information is to be destroyed. Even if data is destroyed on magnetic media, additional actions may be needed to destroy the media itself. Destroying the hard disks, floppy drives, backup tapes, and other media on which data is stored ensures that unauthorized persons are unable to recover data. Standard methods of physically destroying magnetic media include acid, pulverization, and incineration.

When destroying data or equipment that is outdated, it is important that a log is kept of what items have been destroyed, and when and how the destruction was accomplished. This provides a reference that also serves as proof that data and equipment were actually destroyed, should anyone request information on the status of the data or equipment. A log may also be required for legal or corporate issues, such as when audits of equipment are performed for tax or insurance reasons.

When destroying equipment and data, it is important that logs, inventory, and documentation are subsequently updated. Failing to remove equipment from a systems architecture document and equipment inventory could be misleading and cause problems, as they would indicate that the old equipment is still part of the system. The same applies to data, as failing to indicate that backup tapes have been destroyed would provide false information in a backup inventory.

TEST DAY TIP Remember that how data is destroyed is as essential to maintaining privacy as storing it securely. Procedures need to be established on how to properly dispose of equipment, destroy data, and consistently purge systems of information. It’s vital that outside individuals can’t access data after equipment is sold for auction or media is thrown away.

ACCEPTABLE USE POLICIES

An acceptable use policy establishes guidelines on the appropriate use of technology. It is used to outline what types of activities are permissible when using a computer or network, and what an organization considers proper behavior. Acceptable use policies not only protect an organization from liability, but also provide employees with an understanding of what they can and cannot do using company resources.

In an organization, employees act as representatives of the company to the public. How they conduct themselves and the actions they perform reflect upon the organization and can either enhance or damage the reputation of the company. Because employees have greater access to clients and other members of the public through e-mail, Web pages, and other technologies, acceptable use policies are used to ensure that users conduct themselves appropriately.

Acceptable use policies also restrict the types of Web sites or e-mail an employee is allowed to access on the Internet. When employees access pornography over the Internet, not only does it use up bandwidth and fill hard disk space on non–work-related activities, but it also creates an uncomfortable work environment for the other employees. Under the Civil Rights Act of 1964 and other legislation, a company can be liable for creating or allowing a hostile work environment. For this reason, businesses commonly include sections in their acceptable use policies that deal with these issues.

Damage and Defense

Hostile Work Environments

Work environments are considered hostile when the conduct of employees, management, or nonemployees becomes a hindrance to an employee’s job performance. A hostile work environment may exist when situations involving sexual harassment, discrimination, or other events that offend someone occur in the workplace. In terms of computers and the Internet, such situations may involve downloading and viewing pornographic or other offensive materials on company computers. If these materials are accessed through company computers and printed or distributed in the workplace, the company can be sued for creating a hostile work environment.

Additional problems may occur if the materials that are accessed, printed, or distributed within the company are illegal. For example, it is illegal to produce, possess, send, or receive child pornography. If someone downloads such material, a crime has been committed. This means the computer equipment could be subject to seizure and forfeiture because it was used in the commission of the crime.

Beyond dealing with potentially offensive materials, acceptable use policies also deal with other online activities that can negatively impact network resources or sidetrack users from their jobs. For example, a user who installs game software or other technologies is often distracted from the duties they were hired to perform. These distractions are activities the company did not intend to pay the user to perform. For this reason, restrictions on installing software and other technologies on company computers can be found in acceptable use policies.

With many companies providing users with laptop computers, wireless handheld devices (such as Blackberry or Palm devices), cell phones, and other equipment, the propensity of employees to use these devices for their own personal use is a problem. For example, an employee may use a company’s wireless phone to call home, or use a laptop to pay their personal bills online. Acceptable use policies routinely include sections that restrict users from using equipment for their own personal use, home businesses, or other methods of financial gain.

Acceptable use policies should also specify how information may be distributed to the public, to prevent sensitive information from being “leaked.” Rules on the dissemination of information may include:

• Specifications that prohibit classified information from being transmitted via the Internet (for example, e-mail, short message service [SMS], or File Transfer Protocol [FTP]).

• Provisions on how content for the Web site is approved.

• Rules on printing confidential materials.

• Restrictions on who can create media releases, and so on.

Through these rules, important information is protected and employees have an understanding of what files they can or cannot e-mail, print, or distribute to other parties.

Head of the Class

Enforcing Acceptable Use Policies

It has become commonplace for organizations to require new employees to sign an acceptable use policy upon acquiring employment with a company. The acceptable use policy outlines computer business usage limitations and other expectations of a company. Having new employees sign this document serves as acknowledgment and understanding of the rules within the policy.

By signing, employees enter into the agreement that violating the policy (such as by accessing data or systems without proper authorization, providing data that could be used for illegitimate endeavors, or other infractions) may lead to dismissal or even prosecution. However, signing the acceptable use policy does not absolve a company from responsibility or liability for an employee’s actions. The acceptable use policy could be used in court in the company’s defense, but it does not mean that they will not be found responsible for the employee’s actions.

If the policy is not generally enforced, the courts could find that the company gave tacit approval of the employee’s behavior, making them vicariously liable for the employee’s actions. For example, an employee downloaded pornographic images from the Internet and then e-mailed them to a coworker who decided to sue the company for creating a hostile work environment. The signed acceptable use policy could be used in defense of the company, but the court may decide that because the company had never enforced the policy, they, in essence, created an environment that allowed this kind of behavior to occur.

Many organizations implement acceptable use policies as contracts between the company and the employee, and require workers to sign a copy of the policy to show that they agree to abide by it. Because schools teach computer skills in early grades, parents and guardians are routinely asked to sign such policies on behalf of minors. Through these contracts, organizations have justifiable reason to fire employees or (in the case of schools) expel students who violate the agreement. In extreme cases, it can be used as evidence for prosecution. Because the responsibility of adhering to the policy is placed on the person signing it, organizations can also use the signed acceptable use policy as part of their defense from litigation. For example, if an employee hacks a competitor’s Web site, a company could use the signed policy to show the onus of responsibility rests with the employee and not the company itself.

What is the best way to enforce an acceptable use policy? Audits should be conducted on a regular basis, including audits of data stored in personal directories and on local hard disks, and audits of firewall and system logs, to determine what has been accessed. In cases where suspected breaches of policy have occurred, e-mail messages may also be audited. Because courts have generally held that employees have no reasonable expectation of privacy regarding data stored on computers belonging to a company, such audits can occur regularly and without warning. To ensure users are aware that these audits occur, and to inform them that the organization takes its acceptable use policy seriously, mention of such measures should be included in the policy.

PASSWORD COMPLEXITY

Passwords are used to prevent unauthorized access to computers, networks, and other technologies by forcing anyone who wants access to provide specific information. Password management involves enacting policies that control how passwords are used and administered. Without good password management, security could be compromised by passwords that are easy to guess, repeatedly used, or have characteristics that make them insecure.

Passwords act as a secret between the system and the person, allowing entry only to those with the correct password and denying entry to those who fail to provide one. Unfortunately, although the system can keep a secret, people often cannot. For example, a secretary may give a temporary employee his or her password so they do not have to go through the trouble of applying for additional access. Another may write a password down on a piece of paper and tape it to the monitor. In both of these cases, people obtain unauthorized access by sharing a password. Because of the importance of password protection, a policy should state that the users are responsible for their accounts and anything that is done with them.

Strong Passwords

Even if a user is protective of their password, it can still be cracked through the use of tools or by simply guessing the password. Passwords that are words can be cracked using a dictionary hacking program, which goes through words found in a dictionary. In addition to this, hackers can easily guess names of family members, pets, or other interests. Strong passwords are more difficult to guess and cannot be cracked using dictionary hacks. Using a combination of two or more of the following keyboard character types can create strong passwords:

• Lowercase letters (a through z)

• Uppercase letters (A through Z)

• Numbers (0 through 9)

• Special characters ({}[],.<>;:'"?/|\`~!@#$%^&*()_-+=)

Strong passwords can still be cracked using a program that performs a brute force attack, which tries to determine the password using all possible combinations of characters in a password, but hacking a password in this manner can take a considerable amount of time.

Longer passwords make it more difficult for brute force hackers to crack a password, so the policy should specify a minimum password length. For example, a policy may state that passwords must be at least 8 characters long.

TEST DAY TIP Remember that password complexity makes it more difficult for a password to be cracked. It should consist of a combination of uppercase letters, lowercase letters, numbers, and/or special characters. Just in case someone has your password, the password should be changed at intervals (such as every 90 days) and not be reused for a period of time.

Password Changes and Restrictions

Passwords should be changed after a set period of time, so that anyone who has a particular password will be unable to use it indefinitely and others will have more difficulty guessing it. A common recommendation is forcing users to change passwords every 45 or 90 days, at the most. Although changing it often is more secure, it will make it more difficult for users to remember their passwords. As with any security measure, you want authorized users to easily access the system and unauthorized users to find it difficult. For this reason, the time limit set should allow users to memorize their new passwords before forcing them to change.

In addition to changing passwords, it is important that a policy states that passwords cannot be reused until a certain number of password changes have occurred. It does no good to force users to change their password and then allow them to change it back to the previous password again. If an old password has been compromised, a hacker could keep trying it until the user changes back to the old password.

Password changes and not reusing old passwords are particularly important when strong passwords cannot be used. A good example would be a bankcard with a personal identification number (PIN) for accessing accounts through an automated teller machine (ATM). A PIN is a series of numbers, so combinations of alphanumeric and special characters are not possible. Another example might be a door lock to a server room, in which people type in a several-digit code on a keypad to unlock the door. When an authorized user enters the code, it is possible that unauthorized users could see it. Changing the numeric code on a regular basis prevents unauthorized users from utilizing a code they have seen others successfully use.
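The rules from the Strong Passwords and Password Changes and Restrictions sections (two or more character classes, a minimum of 8 characters, resistance to dictionary guessing, no reuse of recent passwords, and a 90-day change interval) written as a policy checker. This is an added example, not code from the chapter or from any product; the thresholds, the small word list, and the plain SHA-256 history hash are constructed assumptions, and the key-space estimate generalizes the section's point that length matters more than character mix.

```python
"""Password policy checker for the rules described in this chapter.
Constructed example: thresholds, word list and hash scheme are assumptions."""
import hashlib
import math
import string
from datetime import date

MIN_LENGTH = 8        # "passwords must be at least 8 characters long"
MIN_CLASSES = 2       # "two or more of the following keyboard character types"
MAX_AGE_DAYS = 90     # "changed at intervals (such as every 90 days)"
HISTORY_DEPTH = 5     # cannot reuse until this many changes have occurred

SPECIALS = "{}[],.<>;:'\"?/|\\`~!@#$%^&*()_-+="   # the chapter's special-character list
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(SPECIALS),
}
# Constructed stand-in for the word list a dictionary-guessing tool would use.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}


def classes_used(pw):
    """Names of the character classes that actually appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def brute_force_bits(pw):
    """log2 of the key space a brute-force attack must search, given the
    password's length and the classes present: 26^8 is about 2^37.6, while
    94^8 is about 2^52.4, and 26^12 is about 2^56.4 (length beats mix)."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def pw_hash(pw):
    """Toy history hash; real systems store salted, slow hashes (e.g. bcrypt)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def check_new_password(candidate, history):
    """Return the list of policy violations (empty list means accepted).
    history: hashes of the user's previous passwords, most recent first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_used(candidate)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if any(word in candidate.lower() for word in DICTIONARY):
        problems.append("built around a dictionary word")
    if pw_hash(candidate) in history[:HISTORY_DEPTH]:
        problems.append(f"reused within last {HISTORY_DEPTH} changes")
    return problems


def change_required(last_changed, today):
    """True when the password is older than the policy's maximum age."""
    return (today - last_changed).days > MAX_AGE_DAYS


if __name__ == "__main__":
    for pw in ("summer", "Summer2009!", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits, {check_new_password(pw, [])}")
    print(change_required(date(2009, 1, 1), date(2009, 4, 2)))  # True (91 days)
```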

Using Passwords as Part of a Multifaceted Security System

Because passwords are not always the most secure method of protecting a system, there are other methods that can be used to enhance security. For example, SecurID tokens are small components that can fit on a key ring and be carried by the user in their pocket. The token has a digital display that shows a number that changes at regular intervals. When a person logs into a SecurID server, they must enter the number on the token in addition to the appropriate username and PIN.

Another method that may be suitable for a network’s security is biometric authentication. Biometric authentication uses a measurable characteristic of a person to control access. This can be a retinal scan, voiceprint, fingerprint, or any number of other personal features that are unique to a person. Once the feature is scanned, it is compared to a previous reading on file to determine whether access should be given. As with tokens, this method can be combined with passwords or other security methods to control access. Because of the expense of purchasing additional equipment and software, biometrics is generally used on high-security systems or locations.

EXAM WARNING Passwords and passphrases are the most common method of authenticating users, but are not the most effective way of securing systems. In secure environments, they are often used with other security devices and methods.

Administrator Accounts

Administrator passwords are another important issue that should be covered in a password policy, as anyone using an administrative account is able to make changes and access all data on a system. Because of the importance of this account, there should be limits on who knows the password to this account. If there are numerous people in Information Technology (IT) who perform administrator duties, they should have their own accounts with the minimum access needed to perform their tasks, and follow the same rules as other user accounts (for example, changing passwords regularly, using strong passwords, and so forth). The password for the administrator account should be written down, sealed in an envelope, and stored in a safe. Should the administrator leave, or this account be needed, others in the IT staff can still use the account and make necessary system changes.

TEST DAY TIP Remember that gaining access to an administrator account or elevating privileges to that of the administrator group is a primary goal in hacking systems. Administrator accounts have the widest scope of access, meaning that administrator passwords must be stringently protected.

CHANGE MANAGEMENT

Nothing stays the same and change is inevitable. These are the reasons why change documentation is so important. Change management is the process of planning and implementing changes in systems. As an IT department plans upgrades, replaces servers, deploys new software, and makes other proactive changes, documentation is created to control how these changes take place.

Change control documentation provides information on changes that have been made to a system, and often provides back out steps that show how to restore the system to its previous state. Without this, changes made to a system could go unrecorded causing issues in the future. Imagine starting a job as the new network administrator, and finding that the only documents about the network were the systems architecture documentation that your predecessor created 7 years ago when the system was first installed. After years of adding new equipment, updating software, and making other changes, the current system would barely resemble its original configuration. If change documentation had been created, you would have had a history of those changes, which could have been used to update the systems architecture documentation.

Change documentation can provide valuable information, which can be used when troubleshooting problems and upgrading systems. First, it should state why a change occurred. Changes should not appear to be for the sake of change but be for good reason, such as fixing security vulnerabilities, hardware no longer being supported by vendors, new functionality, or any number of other reasons. The documentation should also outline how these changes were made and detail the steps that were performed. At times, an administrator may need to justify what was done, or need to undo changes and restore the system to a previous state because of issues resulting from a change. In such cases, the change documentation can be used as a reference for backtracking the steps taken.

INFORMATION CLASSIFICATION

In order for users to be aware of what information they can share with certain members of their organization, distribute to the public, or keep to themselves, a system of classification must be used. If you have ever seen any military or spy movies, you are probably familiar with the concept of “classified documents.” You can use such a method to specify that certain documents are “top secret,” “classified,” or “for your eyes only” to control which documents are to be kept private and uncopied. In many cases, however, you will come up with your own system.

A system of classification should be explained through a corporate policy, which defines the terms used and what they mean. When creating these classifications, the following levels should be included:

• Public or unclassified: Can be viewed by people outside of the organization.

• Classified: Only for internal use, not for distribution to outside parties.

• Management only: Only managers and supervisors can view the information. This can be further broken down so that only certain levels of management can view it. For example, certain information may be suitable for top management but not for supervisors of individual departments.

• Department specific: People outside of a particular department do not view the information.

• Private or confidential: Denotes that the information is only for the person to whom it was specifically sent.

• High security levels: Levels, such as top secret or other classifications, that stress the importance of the information. For example, the secret recipe of a product would fall into this category, as leaking this information could ruin a company.

• Not to be copied: Denotes that hard copies are not photocopied, and data files are not printed or copied to other media (such as floppy disk or USB flash drive).

By providing a scheme of classification, members of an organization are able to understand the importance of information and are less likely to leak sensitive information. Incorporating such a scheme will also make other policies more understandable, as they can state exactly what information is being discussed. For example, a code of ethics could state that the private information of employees is classified and not to be shared with outside parties. This lessens the risk of sensitive data being shared with others, transmitted over insecure technologies, or exposed to other security risks.

EXAM WARNING Document management systems are increasingly used in organizations that need to maintain and track large stores of documents. Classification of these documents is important to ensuring that documents are not disseminated to unauthorized individuals, that their importance is quickly understood by readers, and that information isn’t leaked by people who don’t understand whether the document contains classified information.

Some organizations may also require documents to be classified for certain systems to function as expected. For example, a growing number of organizations use Microsoft SharePoint to create document libraries to manage and share documents on a network. In such an environment, a user might create a document in Office 2007, and add it to the document library. In doing so, he or she would select a classification, which would be saved as a metadata property of the document. Other users who had access to documents with this classification could then view the document through a Web browser and (depending on their level of access) check it in and out, edit it, and so on. Without proper classification, an organization would be unable to effectively control access to certain types of documents, making it difficult for users to retrieve them.

NOTE The Rainbow Series is a collection of books created by the National Computer Security Center, with each book dealing with a different aspect of security. Each of the books in the series has a different colored cover, which is why it is called the Rainbow series. The Orange book is the Trusted Computer System Evaluation Criteria (TCSEC), which establishes criteria used in grading the security offered by a system or product. The Red book is the Trusted Network Interpretation and is similar to the Orange book in that it establishes criteria used in grading security in the context of networks. These books are often referred to in the classification of systems and networks.

VACATIONS

A common policy that organizations have deals with vacation time. Such policies dictate how and when an employee may take a vacation. Components of a mandatory vacation policy include:

• How much time a person may have based on the number of years they’ve worked.

• Whether an employee can only take vacations at certain times of the year.

• If the employee must take all of their vacation time at once, or can split it up throughout the year.

Mandatory vacation policies exist for a number of reasons. Contracts may require specific amounts of time off from work. Employees who take time off work tend to do their jobs better when they return. Another reason is to prevent employees from carrying their vacation time over to subsequent years. If an employee kept moving vacation days owed to them ahead to the next year, eventually they’d be able to take off months of paid leave before retiring. Such golden handshakes were common in previous decades, and caused issues with positions being unfilled, as the company was unable to hire a new person until the current person in the job retired.

Before having individuals take time off work, it is important to ensure that the job can still be performed without their presence. This means having multiple people trained in different tasks.

EXAM WARNING Mandatory vacation policies are covered in the exam, so don’t skim over the information provided here believing it won’t appear on the test. Vacations are important as they have implications for the business, can be legislated or contractually agreed on, and have security requirements for ensuring that individuals are available to cover the duties of employees who are unavailable.

Separation of Duties

Separation of duties ensures that tasks are assigned to personnel in a manner that no single employee can control a process from beginning to end. Separation of duties is a common occurrence in secure environments and involves each person having a different job, thus allowing each to specialize in a specific area. This provides a number of benefits to the security of an organization.

In an organization that uses a separation of duties model, there is less chance of people leaking information because of the isolated duties that each employee performs in contribution to the whole. If a user does not know something, they cannot discuss it with others. Because the needs of persons performing separate duties would not require the same access to the network and other systems, each person (or department) would have different security needs. In other words, the data of one person or department would not need to be viewed, deleted, or modified by another. A good example of this would be the Internal Affairs office of a police department, which investigates infractions of officers. Because other officers are being investigated, you would not want them having access to the reports and data dealing with their case. Doing so could jeopardize the integrity of that data.

Another benefit of separating duties is that each person (or group of people) can become an expert in their job. Rather than trying to learn and be responsible for multiple tasks, they can focus their expertise on a particular area. This means, theoretically, you always have the best person available for a job.

Separation of duties does not mean that there is only one person in an organization who can perform a specific duty, or that people are not accountable for their actions. It would be inadvisable to have only one person know a particular duty. If this were the case and that person were injured or left the company, no one else would be able to do that particular job. Thus, each task should be documented, providing detailed procedures on how to perform duties.

Supervisors and managers should be aware of the duties of each subordinate so that they can coordinate jobs effectively. This is particularly important in crisis situations such as those involving disaster recoveries (discussed later in this chapter). By separating duties, each person is able to focus on their individual tasks, with each fixing a piece of the problem. Not only does this provide a more effective method of dealing with a crisis, but it also allows the situation to be successfully resolved faster.

PERSONALLY IDENTIFIABLE INFORMATION

Privacy has become a major issue over the last few years, as the people who use technology are increasingly fearful of unauthorized persons or employers viewing personal information transmitted across networks, saved on machines, or stored in databases. People often have an expectation of privacy when using various technologies and are unaware that actual privacy may not exist.

Personally identifiable information (PII) is private information that identifies you, members of your organization, and your clients. PII can be found in numerous places. It can exist in databases used by your company, directory services used in your network, and various other sources that contain names, phone numbers, addresses, credit card numbers, and so on. If such information became available to unauthorized users, it could result in embarrassment, liability, and possibly even criminal charges.

EXAM WARNING PII goes hand in hand with privacy policies. Policies within the company should adhere to legislation that ensures personal data is secure.

Privacy

Privacy policies spell out the level of privacy that employees and clients can expect, and an organization’s perspective of what is considered private information. Areas typically covered in a privacy policy are as follows:

• Unauthorized software

• E-mail

• Web site data

Although companies may voluntarily incorporate a privacy policy, some industries are required by law to maintain specific levels of privacy for client information. HIPAA requires hospitals, insurance companies, and other organizations in the health field to comply with security standards that protect patient information. The Gramm–Leach–Bliley (GLB) Act is another piece of legislation that requires banks, credit unions, brokers, and other financial institutions to protect information relating to their clients. The GLB Act requires these institutions to inform clients of their policies regarding the information collected about them, and what will be shared with other organizations. If organizations that require privacy policies fail to comply with the legislation, they are in violation of federal or state laws.

Privacy policies commonly state that an organization has the right to inspect the data stored on company equipment. This allows an organization to perform audits on the data stored on hard disks of workstations, laptops, network servers, and so forth. By performing these audits on a regular basis, an organization can determine if employee resources are wasted on non–work-related activities, or if network resources are being wasted on old data. For example, if an organization is considering purchasing an additional file server, performing an audit on their current file server may reveal that employees are using up hard disk space by saving outdated files, games, personal photos, duplicated data, and other items that can be deleted. Although employees may assume that the data stored in their personal directories on equipment that is issued to them is private, a privacy policy could state that the equipment and any data stored on it are the property of the organization.

Privacy policies may also authorize such audits on the basis of searching for installations of pirated or unauthorized software. Pirated software is software that is not licensed for use by the person or company and can cause liability issues resulting in fines or prosecution. Unauthorized software may include such things as games or applications for personal use (photo software, online bill paying software, and so on) installed on workstations and laptops. Unauthorized software can cause a plethora of problems, including conflicts with company software or the introduction of viruses or Trojan horses.

Trojan horses are applications that appear to be legitimate programs, such as a game or software that performs useful functions, but contain code that performs hidden and/or unwanted actions. For example, an employee may install a calculator program that he/she has downloaded from the Internet, not knowing that it secretly sends data regarding the person’s computer or network to a hacker’s e-mail address. Not only can such programs reveal information about the system, but the Trojan horse may also acquire information from the network (such as sensitive information about clients).

Just as data stored on a computer or network is considered the property of an organization, e-mail (another form of data) may also be considered corporate property. Privacy policies often state that e-mail sent or received through business e-mail addresses belongs to the organization and should not be considered private. The organization can then examine the e-mail messages, ensuring that the business e-mail account is being used properly. Although this seems like a blatant violation of personal privacy, consider how e-mail can be abused. A person can make threats, reveal sensitive information, harass, or perform any number of immoral and criminal actions while posing as a representative of an organization. The organization uses the privacy policy to ensure that each employee is representing the organization properly while using corporate e-mail.

As Internet access has become common in organizations, monitoring Web sites that have been visited has also become common. Firewalls are used to prevent unauthorized access to the internal network from the Internet, but also enable organizations to monitor what their employees are accessing on the Internet. Companies can check firewall logs to determine what sites an employee visited, how long they spent there, what files they downloaded, and other information that the employee may consider private. Again, because the Internet access is provided through the company and is therefore its property, the company should inform users through the privacy policy of its right to investigate how employees are using this resource.

Companies may also stipulate the privacy of client information, or those with a presence on the Web may include or create a separate policy that deals with the privacy of a visitor to their Web site. In terms of actual clients (those people with whom a company does business), the policy should state what level of privacy a client can expect. This may include the protection of client information, including information on sales, credit card numbers, and so forth. In the case of law enforcement, this might include information on a person’s arrest record that cannot be concealed under the Public Information Act and Open Records laws, personal information, and other data. For both clients and visitors to Web sites, a company may stipulate whether information is sold to third parties, which may send them advertisements, spam, or phone solicitations.

Damage and Defense

Ensuring a Policy Is Legal and Can Be Enforced

Once a policy is written, you need to ensure that leaders in the company will support it. Authorization needs to be acquired from management before the policy becomes active, so it is established that the company backs the policy and will enforce it if necessary. Having senior management sign off on a policy ensures that users will not be confused as to whether the policy is part of the company’s vision and will result in disciplinary actions if violated.

The policy also needs to be reviewed by legal counsel to ensure that it does not violate any laws, and that its content and wording are not misleading or unenforceable in any way. For example, many countries have legislation dealing with privacy, so it is important that whatever privacy policy you create adheres to those laws if your business operates in those countries. As with other policies mentioned here, you should have legal counsel review your policy before publishing it to the Internet or internally.

DUE CARE

Due care is the level of care that a reasonable person would exercise in a given situation and is used to address problems of negligence. Due care may appear as a policy or concept mentioned in other policies of an organization. Put simply, an organization and its employees must be careful with equipment, data, and other elements making up the electronic infrastructure. Irresponsible use can cause liability risks for an organization, or result in termination of a careless employee.

Computer software and equipment are expensive, so employers expect staff members to take care when using them. Damage caused by irresponsible use can void warranties, meaning the company must pay for any repairs. Using assets in a way they were not intended, or breaching the recommendations or agreements established in the licensing or documentation (such as the owner’s manual), are considered irresponsible uses. For example, using security software for hacking purposes or using equipment to hold open a door would be considered irresponsible. Users are expected to take reasonable levels of care when using the equipment and software that is issued to them. What is considered reasonable often depends on the equipment or software in question, but generally involves following the recommendations and best practices included in the equipment or software’s documentation. Primarily, it involves using common sense and taking care of the assets as a reasonable person would.

Maintaining equipment and software is not solely the responsibility of the user; employers must also acknowledge their part in due care. Technologies need to be maintained and updated regularly. For this reason, due care policies exist for the purpose of outlining who is responsible for taking care of specified equipment. This may be an IT staff member who ensures that users have the hardware, software, and access to resources to do their jobs properly. Because technology changes, the IT staff responsible for due care needs to determine the life spans of various technologies and upgrade them after specified periods of time.

Due care also applies to data. Irresponsibly handling data can destroy it, unintentionally modify it, or allow sensitive information to fall into the possession of unauthorized users. It can also result in privacy issues. Irresponsibility on the part of a company can infringe on an employee’s right to privacy, such as when information in a personnel database or permanent record can be accessed without authorization. Irresponsibility on the part of users can also result in sensitive information becoming available to unauthorized parties, such as when a salesperson e-mails a client’s credit card information over the Internet to another department or person. As will be seen in the next section, privacy policies may also be a legislated requirement of conducting business in certain industries, such as those involving health care or finance.

Reasonable efforts must be made to ensure the integrity of data, including regular checks for viruses, Trojan horse attacks, and malicious programs. Efforts must also be made to deal with the possibility of problems occurring, such as maintaining regular backups of data. By setting up proper procedures for protecting data and ensuring damaged data can be recovered, a system’s integrity and security are drastically enhanced.

The methods of practicing due care can be found through the recommended or “best” practices offered by manufacturers of equipment, operating systems (OSes), and other software. For example, pushing the power button on a computer will shut it down, but may also corrupt data on the machine. OS manufacturers recommend that users shut down their OS in a specific way (such as by clicking Shut Down on the Windows Start menu). For users to follow best practices for using hardware and software, they must be educated in how to practice due care.

DUE PROCESS

Due process is the act of notifying an employee that he or she has violated existing policies or legislation, and also refers to the employee’s right to a fair and impartial inquiry into the incident. For example, if a person were accused of a violation of an acceptable use policy, he or she might be notified verbally and/or in writing. In some organizations, or in the military, a tribunal or court martial might be held to address the person’s misconduct. The inquiry into the policy violation must be impartial and fair, allowing the person to defend himself or herself against the alleged offense. Due process ensures that the employee’s rights have not been violated. If his or her rights were violated, it is possible that the company itself would then face litigation.

DUE DILIGENCE

Due diligence refers to the practices of an organization in identifying risks and implementing strategies to protect the assets of a company. Assets can include data, equipment, employees, and other elements that are of value to the company. By practicing due diligence, the company proves that it has taken reasonable steps to prevent an incident.

A policy is just a piece of paper, until it is shown to be a set of standards and rules that are valued by the company. Organizations need to show that they are diligent in upholding their policies by sharing them with employees (so they are aware of the rules), keeping them up-to-date, and enforcing them when necessary. A company can be seen as negligent if they don’t take steps to ensure that policies addressing incidents are legally binding, topical, and are enforced when necessary.

In some cases, employees may be found to have violated legislation, and third parties may become involved. For example, if an employee hacked a competitor’s Web site, the person could be criminally charged. In such a situation, the company might conduct a tribunal to dismiss the person, but should also call the police to notify them of the incident. By being forthcoming when criminal violations occur, the company can show further due diligence. In doing so, they can protect themselves from litigation.

TEST DAY TIP Don’t get confused between due care, due process, and due diligence. Due care is used to show whether a reasonable level of care was given to protect data and equipment by an individual or company. Due process is the idea that laws and legal proceedings must be fair. Due diligence shows that the company has consistently maintained and enforced their policies. In cases where policy violations occur, a fair and impartial inquiry into the incident and a person’s misconduct is held. This protects the rights of the accused, and protects the company from litigation.

SERVICE LEVEL AGREEMENTS

Service level agreements (SLAs) are agreements between clients and service providers that outline what services will be supplied, what is expected from the service, and who will fix the service if it does not meet an expected level of performance. In short, it is a contract between the parties who will use a particular service and the people who create or maintain it. Through an SLA, the expectations and needs of all parties are clearly defined so that no misunderstandings about the system will occur at a later time.

An SLA is often used when an organization uses an outside party to implement a new system. For example, if a company wanted Internet access for all its employees, they might order a wide area network (WAN) link from an Internet service provider (ISP). An SLA would be created to specify expected amounts of uptime, bandwidth, and performance. The SLA could also specify who will fix certain problems (such as the T1 line going down), who will maintain the routers connecting the company to the Internet, and other issues related to the project. To enforce the SLA, penalties or financial incentives may be specified to deal with failing or exceeding the expectations of a service.

EXAM WARNING The Security+ exam expects that you understand that an SLA is used to establish an agreement between customers and the service provider as to the services available, and the requirements and conditions in providing them. Remember that SLAs are not only used between companies and third parties, but also as a commitment between internal IT staff and the organization’s user base.

SLAs can also be used internally, specifying what users of the network can expect from IT staff and procedures relating to the network.

• The SLA may specify that all equipment (such as printers, new computers, and so forth) must be purchased through the IT department. If this is not done, the IT staff is under no obligation to fix the equipment that is purchased improperly.

• An SLA may also be used to specify the services the organization expects the IT staff to provide, to support applications that are developed internally, or to address other issues related to the computers and network making up the organization’s electronic infrastructure.

An SLA often includes information on the amount of downtime that can be expected from systems, during which customers will be unable to use a Web site, server, or other software and equipment. This information usually provides the expected availability of the system in a percentage format, which is commonly called the Number of Nines. As Table 15.1 shows, the Number of Nines can be translated into the amount of time a system may be down in a year’s time. If actual downtime exceeds what the SLA specifies, additional losses may be experienced because employees are unable to perform their jobs or customers are unable to purchase items from an e-commerce site.

Table 15.1 Availability Expectations (Number of Nines)

Percentage Availability (%)    Allowed Downtime per Year
99.9999                        32 s
99.999                         5.3 min
99.99                          53 min
99.9                           8.7 h
99.0                           87 h
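The Number of Nines in Table 15.1 comes from a simple formula: allowed downtime equals (100 − availability %) / 100 multiplied by the length of the period. The following added example (not from the book) computes that budget for any availability figure and then measures a constructed outage log against an SLA target, which is how an IT department would check whether it met the commitment; the log format, period length and outage timestamps are all assumptions made for the example.

```python
"""Number-of-Nines downtime budget and SLA compliance check (added example).

The outage log, its "timestamp DOWN|UP" format and the 30-day reporting
period are constructed for this example, not taken from any real system.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

SECONDS_PER_YEAR = 365 * 24 * 60 * 60      # non-leap year, as Table 15.1 assumes
REPORT_PERIOD_SECONDS = 30 * 24 * 60 * 60  # assumed 30-day reporting window


def nines_to_percent(nines: int) -> float:
    """'Five nines' -> 99.999, 'two nines' -> 99.0."""
    if nines < 1:
        raise ValueError("need at least one nine")
    return 100.0 - 10.0 ** (2 - nines)


def allowed_downtime_seconds(availability_pct: float,
                             period_seconds: int = SECONDS_PER_YEAR) -> float:
    """Downtime budget: the fraction of the period that may be unavailable."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    return (100.0 - availability_pct) / 100.0 * period_seconds


def format_duration(seconds: float) -> str:
    """Human-readable form in the units Table 15.1 uses (s, min, h)."""
    if seconds < 60:
        return f"{seconds:.1f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    return f"{seconds / 3600:.1f} h"


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime

    @property
    def seconds(self) -> float:
        return (self.end - self.start).total_seconds()


def parse_outage_log(lines: list[str]) -> list[Outage]:
    """Turn 'ISO-8601 timestamp DOWN|UP' events into closed outages.

    Malformed sequences (nested DOWN, UP without DOWN, or a log that ends
    mid-outage) are rejected so an unfinished incident is never silently
    counted as zero downtime.
    """
    outages: list[Outage] = []
    open_since: datetime | None = None
    for line in lines:
        stamp, state = line.split()
        ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        if state == "DOWN":
            if open_since is not None:
                raise ValueError(f"nested DOWN at {stamp}")
            open_since = ts
        elif state == "UP":
            if open_since is None:
                raise ValueError(f"UP without DOWN at {stamp}")
            outages.append(Outage(open_since, ts))
            open_since = None
        else:
            raise ValueError(f"unknown state {state!r}")
    if open_since is not None:
        raise ValueError("log ends during an outage")
    return outages


def sla_report(outages: list[Outage], period_seconds: int, target_pct: float) -> dict:
    """Compare measured downtime against the budget the SLA target allows."""
    downtime = sum(o.seconds for o in outages)
    achieved = 100.0 * (period_seconds - downtime) / period_seconds
    budget = allowed_downtime_seconds(target_pct, period_seconds)
    return {"downtime_s": downtime, "achieved_pct": achieved,
            "budget_s": budget, "meets_sla": downtime <= budget}


# Constructed sample log: three outages of 2 h, 45 min and 10 min in one month.
CONSTRUCTED_LOG = [
    "2023-03-04T02:10:00Z DOWN",
    "2023-03-04T04:10:00Z UP",
    "2023-03-17T22:00:00Z DOWN",
    "2023-03-17T22:45:00Z UP",
    "2023-03-29T09:00:00Z DOWN",
    "2023-03-29T09:10:00Z UP",
]


def main() -> None:
    for pct in (99.9999, 99.999, 99.99, 99.9, 99.0):
        print(f"{pct:>8}%  {format_duration(allowed_downtime_seconds(pct))} per year")
    outages = parse_outage_log(CONSTRUCTED_LOG)
    for target in (99.9, 99.0):
        print(f"target {target}%:", sla_report(outages, REPORT_PERIOD_SECONDS, target))


if __name__ == "__main__":
    main()
```

With the constructed log the service achieved about 99.59% for the month, which meets a two-nines target but misses three nines by a wide margin, showing why the SLA should state the measurement period as well as the percentage.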

An SLA will also provide information on coverage of services and may include estimated costs and response times for various types of issues. For example, it may state that the IT department’s Help Desk is available for calls 24 h a day, 7 days a week. In other cases, it may state that someone from the IT department will respond within a specific number of hours. The response time will often depend on the amount of staffing in the IT department, and the type of request being made. For example, a small IT staff for a large company might respond within 24 to 48 h, while a better staffed IT department might respond within hours. If the IT department charges its services back to individual departments within the company, then it may give an hourly dollar amount for specific services.

An SLA serves as a commitment to customers, and provides an understanding of what is expected. The document gives focus to the service providers, giving them a firm understanding as to what their roles and responsibilities are. It can also provide customers with a catalogue of various services provided by an IT department or other service provider. Because customers and service providers have an agreement of what’s provided, when, and (in some cases) how much it will cost, it can create a more positive relationship between the parties.

Head of the Class

Don’t Reinvent the Wheel

Many people attempt to create policies from scratch. They spend hours or even days trying to hammer out a new policy, trying to think of everything necessary to include in the document to avoid any legal issues or loopholes. When done, they can only hope that the policy and procedures within will hold up when a problem occurs.

It is better to use a policy belonging to another organization as a template. The Internet is filled with examples of policies, which you can examine and use. For example, you can find policy templates at the SANS Institute’s Web site (www.sans.org/resources/policies/) that can assist you in making policies for your own organization. In some cases, you can also ask similar organizations for copies of their policies. By reviewing a similar policy, you can determine which elements are useful to your own policy, and you may also find other issues that should be included, but that you did not think of. Also, if you use a policy that has existed for a period of time, you can minimize the risk of your policy not living up to the challenge of real-world issues.

USER EDUCATION AND AWARENESS TRAINING

Education and documentation are vital parts of any secure system. Knowledgeable users can be an important line of defense, as they will be better able to avoid making mistakes that jeopardize security, identify problems, and report them to the necessary persons. Proper documentation is imperative to security, as good diagrams, well thought out procedures, quality knowledge bases, and other papers dealing with security can make the difference in solving problems quickly. The following sections look at a number of ways to create an environment that enhances security through these methods.

Communication

Communication is important to educating users on different elements of a system, and allowing them to be able to contact you in case of problems. If no one can reach you, how will you know when problems occur? Similarly, if you do not have mechanisms in place to communicate with users, how will they have the information you want them to have? Communication is the key to understanding the issues users are facing when incidents occur, and getting information to the parties that need it. To deal with issues and convey what an organization expects from users, administrators need to create a system that promotes and supports good communication.

The first step to creating good methods of communication is determining what methods are available. This differs from business to business, but multiple avenues of contacting people are always available. These may include:

• Internal or Internet e-mail

• Internal phone extensions, home phone numbers, and cell phone numbers

• Pagers

• Corporate intranets and public Web sites

• Internal mail (memoranda) and snail mail (public postal services)

• Public folders and directories containing documents that can be viewed by users across the network

• Instant messaging, text messaging, SMS, and live chat

Once all of the methods available to communicate with users are identified, the administrator can decide which ones will be used and how.

Obviously, administrators will want to control the ways in which users can contact them. Although you wouldn’t want to provide your personal contact information to everyone, home phone numbers, cell phone numbers, and pager numbers can be provided to certain people in an organization. For example, administrators could provide dispatchers, management, or certain departments with these numbers, so they can be contacted when major incidents occur (such as hacking attempts, server crashes, and so forth). Providing contact information for IT staff ensures that incidents will not remain unattended and possibly grow worse before the next scheduled workday.

In addition to having people provide notification, administrators can configure systems to automatically contact them. Some systems provide the ability to send out alerts when certain events occur (such as a system shutdown). The system can send an e-mail message to specific e-mail addresses, or send out messages to alphanumeric pagers. In some cases, administrators may become aware of a problem and deal with it before any of the users on the network notice.

Providing contact information for general users of a network is another positive component of a communicative environment. Users should have multiple methods of contacting IT staff, so they can acquire help and notify them of problems they are experiencing. This allows users to inform administrators of a seemingly minor problem that could grow into a major one. For example, a user may complain of specific symptoms his or her computer is experiencing that are indicative of a virus infection. Early warning through users can catch such problems at an initial stage, before any real damage is done.

There are many possible methods for users to contact IT staff. Help desks are commonplace in companies, providing a single phone extension that users can call when they are experiencing problems. A designated e-mail address and voicemail are other methods of enabling users to report problems. Methods of contacting a help desk should be advertised internally, through memos, internal e-mail, or on the corporate intranet.

Signatures on e-mails can be used to provide alternative methods of contacting individual users. The signature is text or a graphic that is automatically added by the user’s e-mail client software to each message sent by a person. The signature can state the name of the sender, the company phone number, an extension, fax number, business address, e-mail address, and the URL of the public Web site, along with any other information a person specifies. Not only is this useful for internal users who need to respond immediately, but also for vendors and other people external to the company.

User Awareness

Users cannot be expected to follow rules if they are not aware of them. Organizations sometimes make the mistake of imposing policies and procedures while failing to provide effective methods of sharing that information. This has the same effect as if the policies and procedures were never created.

User awareness involves taking steps to make users conscious of and responsive to security issues, rules, and practices. To make users aware, administrators can use a number of the communications methods previously mentioned. For example, policies and procedures can be made available on a mapped drive that everyone has access to, allowing users to double-click on files to open and review read-only copies of the policies and procedures. A corporate intranet is another common method used to provide access to documentation and information on changes. This allows users to understand what is expected of them, and how they are supposed to carry out specific tasks.

If users are kept informed, they will be more open to the rules imposed on them. If users are aware of the rules and practices but are unaware of their importance, they may view these methods as bothersome and not follow them adequately. For example, the administrator may implement a mandatory policy forcing users to change their passwords every 30 days to a new password that has not been used by them before. Users may balk at having to make such changes every month, especially at times when they forget their new passwords. If the administrator informs the users that this will protect their data and private information, they understand that doing so is in their best interest, and will be more willing to cooperate.

Users should be made aware of how they can assist in security issues, so that mistakes made on a user level do not impact the network as a whole. They should know how to change their passwords to strong passwords, as discussed earlier in this chapter. They should also be aware that procedures must be followed when security changes are needed. A common problem in organizations is that users share passwords with one another to provide another person access to certain systems or data. By logging on as another person, an unauthorized user will appear as the actual user and be able to send e-mail, make mistakes, or perform malicious actions. Members of an organization must know that they are responsible for anything done with their accounts, and that security change requests must be made to the network administrator.

It is also important that administrators inform users of events that do not require their active participation, but will impact them directly. When creating a secure environment, the administrator needs to perform upgrades on server software, update equipment, and other tasks that will affect the network. When the network is affected, the users are affected. Servers may be shut down for maintenance, generator tests might cause momentary losses of power, or other events can occur that affect a user’s ability to work. When performing such tasks, administrators should inform users, so they will know what is happening and can make arrangements to continue working. Bulk e-mail or broadcast messages should be sent to all users, informing them of what will occur and how long it will affect them. When users are involved and aware of what is going on, they are better able to deal with these events.

An added benefit of informing users about when upgrades to software and hardware will occur is that they can provide information on problems that occur afterwards. At times, service packs and patches to software on a server can result in unexpected problems. If users are unaware that these changes have occurred, or if they are unaware of the need to report possible problems, the administrator may think that the update was successful and without incident when in effect it was not.

Education

Educating users is the primary method of promoting user awareness and improving the skills and abilities of employees. When users are taught how and why certain activities need to be performed, they are generally more willing and better able to perform those tasks. In addition to enhancing work performance, education also provides the added benefit of lowering support costs, as users who are able to fix simple problems will not be as likely to call the help desk for assistance.

In terms of security, users who know how to perform certain tasks properly are less likely to unknowingly put security at risk. Users who have an understanding of confidentiality and nondisclosure policies will not be as likely to reveal sensitive information, transmit classified data over the Internet, or provide access to unauthorized users. In addition, users who know how to change their passwords monthly know that they should not use previously used passwords, and they understand that creating strong passwords will also make the system more secure. Because users are often the largest, least controlled variable in network security, education makes this variable more stable so that they are less likely to perform actions that compromise security.
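The password rules described here (strong passwords built from lower case, upper case, digits and special characters, a change every 30 days, and no reuse of a previously used password) in working form, as an added example that is not code from the book. The minimum length of 8 and a history depth of 12 are assumptions the chapter does not state; the history stores salted PBKDF2 hashes so that the "no reuse" check never keeps an old password in readable form. The test inputs are the passwords from self-test question 4.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Character classes the chapter requires in a strong password.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SPECIAL = set("{}[],.<>;:'\"?/|\\`~!@#%$^&*()_-+=")

MIN_LENGTH = 8                 # assumption: the chapter gives no minimum length
MAX_AGE = timedelta(days=30)   # "change their passwords every 30 days"
HISTORY_DEPTH = 12             # assumption: how many previous hashes are remembered


def is_strong(password):
    """True when the password is long enough and has one character from each class."""
    chars = set(password)
    return (
        len(password) >= MIN_LENGTH
        and bool(chars & LOWER)
        and bool(chars & UPPER)
        and bool(chars & DIGITS)
        and bool(chars & SPECIAL)
    )


def _derive(password, salt):
    # Salted, slow hash: the history must not be usable as a list of old passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordRecord:
    """Per-user state needed to enforce expiry and the no-reuse rule."""

    def __init__(self, password, now):
        self.history = []      # list of (salt, hash), oldest first
        self.changed_at = now
        self.set_password(password, now)

    def is_expired(self, now):
        return now - self.changed_at >= MAX_AGE

    def was_used_before(self, password):
        return any(hmac.compare_digest(_derive(password, salt), digest)
                   for salt, digest in self.history)

    def set_password(self, password, now):
        if not is_strong(password):
            raise ValueError("password does not meet complexity requirements")
        if self.was_used_before(password):
            raise ValueError("password was used before")
        salt = os.urandom(16)
        self.history.append((salt, _derive(password, salt)))
        del self.history[:-HISTORY_DEPTH]   # keep only the most recent entries
        self.changed_at = now


def change_password(record, new_password, now):
    """Apply the policy; return 'ok' or the reason the change was refused."""
    try:
        record.set_password(new_password, now)
    except ValueError as exc:
        return str(exc)
    return "ok"


def password_policy_demo():
    """Walk one account through a weak change, a reuse, a valid change and expiry."""
    t0 = datetime(2024, 1, 1)
    rec = PasswordRecord("ih8Xams!", t0)
    return (
        change_password(rec, "Strong", t0),                          # too weak
        change_password(rec, "ih8Xams!", t0),                        # same password again
        change_password(rec, "N3w!Pass", t0 + timedelta(days=31)),   # accepted
        rec.is_expired(t0 + timedelta(days=31)),                     # just changed: not expired
        change_password(rec, "ih8Xams!", t0 + timedelta(days=40)),   # still in history
        PasswordRecord("ih8Xams!", t0).is_expired(t0 + timedelta(days=30)),  # 30 days old: expired
    )
```

The expiry check is a separate question from strength: an account whose password is older than MAX_AGE should be forced to change at next logon, which is where change_password is called with the user's proposed replacement.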

Educating users is commonly done through training sessions. This can be done in a classroom setting or one-on-one. In many other situations, training handouts are given to new hires that detail how certain actions are performed, and procedures that should be followed. These handouts can be referred to when needed, but may prove disastrous if this material falls into the wrong hands. In either case, a designated trainer or member of the IT staff teaches users the proper methods and techniques that should be used to perform their jobs. As will be seen in the next section, online resources can also be a practical approach to educating users.

Notes from the Field

Educating People on What Not to Do

With so many people having computers and Internet access at home, users of a company network not only need to be educated on what to do, but also on what not to do. Many users may have installed software, printers, or modified settings on their home PCs. In many cases, they will even use the same OS at home as is used at work. Because they have done certain tasks successfully at home, they may assume that they are able to, and have permission to perform the same actions on network computers at work.

Because the systems may be locked down or have unique configurations, a user’s actions could cause the system to function in an unexpected manner (or not at all). Users must be taught that they are not allowed to perform certain actions on the Internet, use equipment for personal use, install software or hardware without permission, or perform any other actions restricted by policy. For example, a user owned a computer business outside of work. Because he felt he was an expert in computers, he decided to install software on a company machine, not realizing that it was locked down to prevent reconfiguration. Only part of the software installed before the installation failed. “Expert” that he was, he thought the problem was with that particular computer, so he proceeded to try installing it on other machines. The partial installations caused conflicts on these machines. When told of the problem, this person still did not comprehend why users were not allowed to install software. He argued that he should be given the administrator password so that he could install software and fix problems. Although the problem was partially ignorance, a larger issue was the arrogance and unwillingness to understand what he was not allowed to do.

It is important to remember that in the wrong hands, a little knowledge can be a dangerous thing. Users can be dangerous if they have too much knowledge of a system, just as they can be if they have too little. If they have proper access, users may attempt to perform unauthorized actions using information that was passed along to them. Security is always a tradeoff, so administrators need to be careful about what information they pass on to users of their network. As mentioned earlier in this chapter, security policies may be used to control a user’s actions by specifying what they can and cannot do on a system.

Online Resources

With the resources available on a local network, it would be remiss not to include them in the scheme of providing education and access to documentation. Policies, procedures, and other documentation should be available through the network, as it will provide an easy, accessible, and controllable method of disseminating information. For example, administrators can make a directory on a server accessible to everyone through a mapped drive, allowing members of an organization to view documents at their leisure. A directory that is only accessible to IT staff can also be used to provide easy access to procedures, which may be referred to when problems arise. By using network resources this way, members of an organization are not left searching for information or left unaware of its existence.

Many companies utilize Web technologies internally to provide a corporate intranet for members of the organization. Sections of the internal Web site may be dedicated to a variety of purposes, for example, providing read-only copies of policies, procedures, and other documentation. A section of the site may even provide access to interactive media, so that users can train themselves by viewing PowerPoint presentations, AVI and MPEG movies, and other resources for self-training.

IT staff and support specialists can also benefit from online resources. No one in the field of computer technology knows about every piece of software or hardware created. There are too many current and legacy systems to understand, so relying on the expertise of others is important. When in doubt, consulting resources on the Internet can be essential to solving problems correctly.

Knowledge bases are databases that provide information on the features of various systems and solutions to problems that others have reported. For example, if a user were experiencing a problem with Microsoft software, they could visit Microsoft’s knowledge base at http://support.microsoft.com. If they were experiencing problems with Novell software, they could visit Novell’s knowledge base at http://support.novell.com. Many software and hardware manufacturers provide support sites that contain valuable information. Not using these sites when needed is a mistake.

Manufacturers’ Web sites are also valuable to the security and effectiveness of a network and its systems, as they provide service packs and patches. Service packs and patches are software that fixes known problems and security vulnerabilities. Failing to install these may cause certain features to behave improperly, or leave a system open to attacks from hackers or viruses.

SECURITY-RELATED HR POLICIES

Human Resources (HR) departments deal with a large variety of issues and need to work closely with IT departments to ensure that the security needs are met. HR performs such tasks as hiring, firing, retirement, and transferring employees to different locations. HR also maintains personnel files of employees and may be responsible for assisting in the distribution of identification cards, key cards, and other items relating to security. Because of the tasks they each perform, it is important that good communication exists between HR and IT staff.

Upon hiring a person, HR may be responsible for issuing ID cards designed by IT staff, which are used to identify employees. This is important to physical security in the building, as the cards provide visual recognition of who is supposed to be in certain areas. HR may also be responsible for issuing key cards.

When a person is hired or experiences a change in employment with an organization, HR needs to notify the network administrator so that network access can be administered accordingly. Without a proper HR policy, network administrators will be uninformed of changes and will be unable to perform these tasks.

Adding or revoking passwords, privileges, and changes in a person’s employment status can affect the person’s security needs dramatically. A person may need to have a network account added, disabled, or removed, and other privileges (such as access to secure areas) may need to be modified. As will be seen in the following paragraphs, adding or revoking passwords, privileges, and other elements of security may need to occur under such circumstances as:

■ Resignation

■ Termination

■ New hires

■ Changes in duties or position within the company

■ Investigation

■ Leave of absence

HR plays an important role in security, as it needs to notify the IT staff immediately of any change in a person’s employment status. When a person is hired, HR needs to contact the IT staff to set up a new network account and password for the person, as well as the privileges necessary to access systems and data. In addition, the employee may need a corporate ID card, keycard, or other items necessary for the job. When a person’s employment ends, whether they are terminated or quit the company, or when they are suspended or under investigation, it is equally important to immediately remove any access they have to the system. Keeping a person’s account and password active allows them to continue to access systems and data. If a terminated person has an active keycard and ID, they are also able to enter secure locations. In both cases, the person will have the ability to cause massive damage to a company, so network accounts should be immediately disabled or deleted, and ID and keycards should be removed from the person’s possession or at least rendered inactive.

Disabling accounts and passwords should also occur when a person is away from a job for extended periods of time. When people are away from the job on parental leave, sabbaticals, and other instances of prolonged absence, they do not need their accounts to remain active. To prevent others from using the person’s account while they are away, the account and password should be disabled immediately after the person leaves.

When employees are hired, change jobs, or have modified duties, their needs for network access also change. When setting up network privileges, it is important that employees only receive the minimum access necessary to do their jobs. Any additional access is a security risk, as they could purposefully or accidentally view, modify, or delete important data or improperly make changes to a system. A good method of determining what level of security a person needs is to match the new person’s security level to that of someone else in the same job, or to use the same settings as the employee that is being replaced by the new employee. It is also important to determine whether a person was issued any equipment that belongs to the company that should be returned. If a person was issued a laptop, wireless handheld device, mobile phone, pager, or other equipment, the items belong to the company and must be returned. Failure to do so could be considered theft, and may leave the former employee open to prosecution.
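The HR-to-IT workflow described in the preceding paragraphs, as an added example that is not code from the book: each HR notification (hire, transfer, leave, investigation, suspension, resignation, termination, return) is applied to an account directory, new hires and transfers receive exactly the privileges of a role template (the "same settings as someone in the same job" method), and any absence or departure disables the account and keycard at once. The role names, group names and the event sequence are constructed for the example; a periodic audit function lists access that has outlived its justification.

```python
from dataclasses import dataclass, field

# Assumed role templates (constructed): a person gets the groups of the role,
# never an ad hoc set, so privileges always match someone in the same job.
ROLE_TEMPLATES = {
    "accounting-clerk": {"email", "vpn", "fileshare-finance"},
    "accounting-manager": {"email", "vpn", "fileshare-finance", "finance-approve"},
    "helpdesk": {"email", "vpn", "ticketing"},
}

# Employment-status changes from the chapter's list that must disable access.
DISABLING_EVENTS = {"resign", "terminate", "suspend", "investigation", "leave"}


@dataclass
class Account:
    username: str
    role: str
    enabled: bool = True
    keycard_active: bool = True
    status: str = "active"
    groups: set = field(default_factory=set)


def apply_event(directory, event):
    """Apply one HR notification to the account directory and return the account."""
    kind, user = event["type"], event["user"]
    if kind == "hire":
        role = event["role"]
        directory[user] = Account(user, role, groups=set(ROLE_TEMPLATES[role]))
    elif kind == "transfer":
        acct = directory[user]
        acct.role = event["role"]
        # Replace, never accumulate: the old job's privileges would otherwise linger.
        acct.groups = set(ROLE_TEMPLATES[acct.role])
    elif kind in DISABLING_EVENTS:
        acct = directory[user]
        acct.enabled = False          # network account disabled immediately
        acct.keycard_active = False   # keycard rendered inactive
        acct.status = kind
        if kind in ("resign", "terminate"):
            acct.groups.clear()       # permanent departure: strip privileges too
    elif kind == "return":            # back from leave, or cleared after an inquiry
        acct = directory[user]
        if acct.status not in ("suspend", "investigation", "leave"):
            raise ValueError(f"{user} cannot return from status {acct.status}")
        acct.enabled = acct.keycard_active = True
        acct.status = "active"
    else:
        raise ValueError(f"unknown HR event type: {kind}")
    return directory[user]


def audit(directory):
    """Findings a periodic review should raise: access that outlived its justification."""
    findings = []
    for user, acct in sorted(directory.items()):
        if acct.enabled and acct.status != "active":
            findings.append(f"{user}: enabled but status is {acct.status}")
        extra = acct.groups - ROLE_TEMPLATES[acct.role]
        if extra:
            findings.append(f"{user}: groups beyond role template: {sorted(extra)}")
    return findings


# Constructed sequence of HR notifications for the example.
SAMPLE_EVENTS = [
    {"type": "hire", "user": "alice", "role": "accounting-clerk"},
    {"type": "hire", "user": "bob", "role": "helpdesk"},
    {"type": "transfer", "user": "alice", "role": "accounting-manager"},
    {"type": "leave", "user": "bob"},
    {"type": "return", "user": "bob"},
    {"type": "terminate", "user": "alice"},
]


def run_sample():
    """Replay the sample notifications and return the resulting directory."""
    directory = {}
    for event in SAMPLE_EVENTS:
        apply_event(directory, event)
    return directory
```

The audit is the check that catches the two failures the chapter warns about: an HR change that never reached IT (an account still enabled while its status says otherwise) and privilege creep after a transfer (groups that no longer belong to the person's role).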

Code of Ethics

Many companies have a code of ethics, or a statement of mission and values, which outlines the organization’s perspective on principles and beliefs that employees are expected to follow. Such codes generally inform employees that they are expected to adhere to the law, the policies of the company, and other professional ethics related to their jobs. As is the case with acceptable use policies, many companies require employees to sign a code of ethics as an agreement. Anyone failing to adhere to this code could face dismissal, disciplinary actions, or prosecution.

SUMMARY OF EXAM OBJECTIVES

Policies provide information on the standards and rules of an organization, and are used to address concerns and identify risks. They are used to provide a reference for members of an organization, and are enforced to ensure that they are followed properly. Procedures provide instructions on how policies are to be carried out and may also be used to inform users on how to perform certain tasks and deal with problems. When used in an organization, policies provide a clear understanding of what the organization expects from employees and how issues are to be handled.

There are many different types of policies that may be used within an organization. An acceptable use policy establishes guidelines on the appropriate use of technology, a code of ethics outlines proper behavior, and privacy policies provide an understanding of the level of privacy employees and/or customers can expect from a company. Many other policies may also be created, based on the needs and expectations of the organization. It is important that employees are aware of these policies, so they understand their rights according to the policy and what is expected of them.

User education and awareness provide people with the ability to perform actions securely, identify problems, and report issues to the necessary persons. Proper documentation should contain step-by-step procedures, diagrams, and other information necessary to perform tasks and solve problems. Different methods of communication should be provided to allow users to contact the administrator when needed, or for the administrator to educate them on different issues. By implementing different methods of reaching users, the administrator can make them aware of problems and proper procedures.

EXAM OBJECTIVES FAST TRACK

■ Policies address concerns and identify risks, while procedures provide guidance on how these issues are to be addressed.

■ Disposal and destruction policies address how data and equipment are to be properly disposed of or destroyed after they are no longer of use, outdated, or past a specified retention date.

■ An acceptable use policy can be signed by employees and serve as a contract acknowledging how equipment and technology is to be properly used.

■ Password management involves enacting policies that control how passwords are used and administered.

■ Passwords are combinations of letters, numbers, and special characters that are used to authenticate a person logging onto a system. The more complex the password, the harder it is to crack.

■ Strong passwords consist of a combination of lower case letters (a through z), upper case letters (A through Z), numbers (0 through 9), and special characters ({}[],.<>;:’”?/|\`~!@#%$^&*()_-+=).

■ Biometric authentication uses a measurable characteristic of a person to control access. This can be a retinal scan, voiceprint, fingerprint, or any number of other personal features that are unique to a person.

■ Change documentation can provide valuable information, which can be used when troubleshooting problems and upgrading systems.

■ Mandatory vacation policies are used to control how and when people are able to take time off from work.

■ Separation of duties involves each person having a different job, thus allowing each to specialize in a specific area. It is a common occurrence in secure environments, as it ensures that tasks are assigned to personnel in such a manner that no single employee can control a process from beginning to end.

■ PII is private information that identifies you, members of your organization, and your clients.

■ Privacy policies address the level of privacy that employees and clients can expect, and an organization’s perspective of what is considered private information.

■ Due care is the level of care that a reasonable person would exercise in a given situation and is used to address problems of negligence.

■ Due process is the act of notifying an employee that he or she has violated existing policies or legislation, and also refers to the employee’s right to a fair and impartial inquiry into the incident.

■ Due diligence refers to the practices of an organization in identifying risks and implementing strategies to protect the data, equipment, and other assets of a company.

■ SLAs are agreements between clients and service providers that outline what services will be supplied, what is expected from the service, and who will fix the service if it does not meet an expected level of performance.

■ Classification is a scheme that allows members of an organization to understand the importance of information, so that they are less likely to leak sensitive information.

■ Educating users is the primary method of promoting user awareness and improving the skills and abilities of employees. By teaching users how and why certain activities need to be performed, they are generally more willing and better able to perform those tasks.

■ HR policies deal with issues related to employees. HR departments perform such tasks as hiring, firing, retirement, and transferring employees to different locations, so it is important that policy stipulates that network administrators are informed of changes so that proper changes can be made to user accounts.

■ A code of ethics is a statement of mission and values, which outlines the organization’s perspective on principles and beliefs that employees are expected to follow.

EXAM OBJECTIVES FREQUENTLY ASKED QUESTIONS

Q: I’m concerned that a user may be using e-mail for non–work-related use, and may be sending confidential information over the Internet. What policy would allow me to audit the content of his e-mail?

A: A privacy policy can stipulate that corporate e-mail accounts are the property of the company, and any e-mail sent or received with these accounts can be audited at any time.

Q: We are replacing the servers on our network and have formatted the hard disks. Isn’t this enough to remove the data, so that we can now dispose of the equipment?

A: No. There are data recovery and forensic tools that can recover the data from a hard disk, even after you’ve formatted it. To ensure that data is completely removed, you should use software that will overwrite every sector of the disk.
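What "overwrite every sector" means in practice, as an added example that is not code from the book: the function below writes random bytes over every sector-sized chunk of the target, forces them to the medium with fsync, and the demo confirms that a recognizable record present before the overwrite cannot be found afterwards. A temporary file stands in for the disk so the example runs anywhere; the 512-byte sector size and the constructed "client record" are assumptions. Overwriting addresses the remanence problem on magnetic disks; flash media that remap worn sectors need the drive's own sanitize function instead, which this example does not cover.

```python
import os
import tempfile

SECTOR = 512  # assumption: unit of overwriting, mirroring a disk sector


def overwrite_sectors(path, passes=1, sector=SECTOR):
    """Overwrite every sector of `path` in place with random bytes.

    Returns the number of bytes written per pass, which must equal the size of
    the target: a formatted disk still holds its old data, an overwritten one
    does not.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = min(sector, remaining)
                fh.write(os.urandom(chunk))
                remaining -= chunk
            fh.flush()
            os.fsync(fh.fileno())   # reach the medium, not just the OS cache
    return size


def contains(path, needle):
    """Crude recovery check: can the record still be found by reading raw bytes?"""
    with open(path, "rb") as fh:
        return needle in fh.read()


def wipe_demo():
    """Write a constructed sensitive record, overwrite, and report what survives."""
    marker = b"CLIENT SSN 000-00-0000"          # constructed, not a real record
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"header " + marker + b" trailer" + b"\x00" * 1500)
        found_before = contains(path, marker)
        size_before = os.path.getsize(path)
        written = overwrite_sectors(path, passes=2)
        found_after = contains(path, marker)
        return found_before, found_after, written == size_before
    finally:
        os.remove(path)
```

On a real disposal the path would be the device node rather than a file, run with the privileges needed to open it for writing, and the verification step (reading the device back and searching for known records) is the part that turns a wipe into evidence for the disposal log.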

Q: When secretaries take a vacation, they tend to give their temporary replacement their password. They believe it is easier to simply share the password than contact the network administrator. How can we maintain security with people sharing passwords like this?

A: Contact HR and have them notify you when these users take their vacations. When the user goes on vacation, temporarily disable the person’s account. This will force the temporary employee to go through the procedure of getting proper access.

SELF TEST

1. You are developing a policy that will require hard disks to be properly erased using special software, and any CDs or DVDs to be damaged by scarring or breaking them before they are thrown away. The intent of the policy is that any information on the media will not fall into the wrong hands after the media are discarded. What type of policy are you creating?

A. Due care

B. Privacy policy

C. Acceptable use policy

D. Disposal and destruction policy

2. An organization has just installed a new T1 Internet connection, which employees may use to research issues related to their jobs and send e-mail. Upon reviewing firewall logs, you see that several users have visited inappropriate sites and downloaded illegal software. Finding this information, you contact senior management to have the policy relating to this problem enforced. Which of the following policies would you recommend as applicable to this situation?

A. Privacy policy

B. Acceptable use policy

C. HR policy

D. SLAs

3. You are configuring OSes used in your organization. Part of this configuration involves updating several programs, modifying areas of the registry, and modifying the background wallpaper to show the company’s new logo. In performing these tasks, you want to create documentation on the steps taken, so that if there is a problem, you can reverse the steps and restore systems to their original state. What kind of documentation will you create?

A. Change control documentation

B. Inventory

C. Classification

D. Retention and storage documentation

4. You are concerned about the possibility of hackers using programs to determine the passwords of users. You decide to create a policy that provides information on creating strong passwords and want to provide an example of a strong password. Which of the following is the strongest password?

A. Strong

B. PKBLT

C. ih8Xams!

D. 12345

5. In your organization, users in similar positions often give each other their passwords. This is a common practice when a user goes on vacation and another user temporarily takes over that person’s job. There is a corporate policy that prohibits this practice, but it still goes on. Currently, users are required to use alphanumeric combinations for their passwords, but don’t have other restrictions on their passwords due to the previous network administrator’s belief that frequent changes will cause users to forget their passwords. Which of the following will you implement to prevent unauthorized users from indefinitely using known passwords?

A. Set a policy that forces users to use strong passwords

B. Set a policy that forces users to change their password once every 60 days

C. Require users to use PINs

D. Use SecureID tokens for remote logons, so that it requires users to enter a PIN that is synchronized with the server and changes frequently

6. Your organization uses its intranet to disseminate information to employees. Part of the intranet includes an employee database, so that users can look up the name, department, and phone extension of members of the organization. For morale purposes, birthdates of employees are available to view with this information, so that other employees can wish them a happy birthday. Employees also have the capability to post their own information on blogs allowing social networking between users. Users have used this information to post information on corporate softball tournaments, previous employment experience within the organization, and other information. Which of this information is PII that should be removed?

A. Blogs

B. Employee database information that provides the full name of employees

C. Employee database information that provides the date of birth

D. Employee database information that provides departments and work extensions

7. You are developing a new password policy for your company, and identifying elements that should be included to control unauthorized users guessing a user’s password. Which of the following will you include in your policy?

A. Allow users to change their passwords to something similar, so they are less likely to forget the new passwords

B. Passwords should not expire after a specified number of days and can be reused

C. Passwords should be used on their own, and not part of a multifaceted security system

D. Passwords should automatically expire every 45 to 90 days

8. An organization has decided to implement a policy dealing with the disposal and destruction of data and other materials that may contain sensitive information. They have consulted you to determine what elements should be included in the policy. Which of the following will you tell them?

A. Data on hard disks should be deleted before hard disks are disposed of

B. Hard disks should be shredded before being disposed of

C. Nonclassified materials, such as media releases, should be shredded before being disposed of

D. Classified documents should be shredded before being disposed of

9. An employee complains that his or her coworker has pornography on his or her computer. Upon investigating, IT staff finds illegal pornography on the hard drive of his or her workstation. There is a concern that the employee who made the complaint may file a law suit against the company for it being a hostile workplace on these grounds. The company further tries to protect itself by calling the police and suspending the employee from work until an internal inquiry is conducted. Which of the following is being practiced here?

A. Change control

B. Due care

C. Due diligence

D. Due process

10. An employee has accessed a social networking site and made some complaints about his or her job on a blog. In doing so, he or she has violated an internal policy that prohibits the company’s equipment from being used for personal use. Because the policy has been violated, the person is told that he or she will need to go before an internal tribunal and is informed of his or her rights in the matter. Which of the following has been practiced?

A. Change control

B. Due care

C. Due process

D. Due diligence

11. You are preparing to destroy a selection of CD-Rs that have been previously used to store sensitive data. Which of the following will you do to ensure that the data is destroyed?

A. Delete the files and erase the data from the CDs

B. Use a degausser

C. Scrape the CD so the data layer is removed

D. Throw away the CD

12. You are the administrator of a network running Novell NetWare and are having problems with a server’s ability to connect to other servers. The server was able to connect to the network before you installed a recent bug fix. After attempting to solve the problem, you decide to check and see if anyone else has had this problem. Where is the best place to find this information?

A. The manual that came with the server

B. The vendor’s Web site

C. Service pack

D. Microsoft knowledge base

13. Your organization wants to control the distribution of documents. In doing so, they plan to classify the documents so that only those who are specifically meant to view the documents are allowed to do so. In creating this system, which of the following would you use to specify that anyone internal to the organization can view the document, but limit public dissemination?

A. Classified

B. Unclassified

C. Confidential

D. Department specific

14. You are concerned about the possibility of sensitive information developed by your company being distributed to the public and decide to implement a system of classification. In creating this system, which of the following levels of classification would you apply to sensitive information that is not to be disseminated outside of the organization?

A. Unclassified

B. Classified

C. Public

D. External

15. Changes in the law now require your organization to store data on clients for 3 years, at which point the data are to be destroyed. When the expiration date on the stored data is reached, any printed documents are to be shredded and media that contains data on the client is to be destroyed. What type of documentation would you use to specify when data is to be destroyed?

A. Disaster recovery documentation

B. Retention policies and logs

C. Change documentation

D. Destruction logs

SELF TEST QUICK ANSWER KEY

1. D

2. B

3. A

4. C

5. B

6. C

7. D

8. D

9. D

10. C

11. D

12. B

13. B

14. B

15. B