Information Security
In This Chapter
Understanding the risk of data breaches
Planning to protect information assets
Devising a security policy
Employing security technology
Acceptable use
The policy should include an acceptable-use policy so that
appropriate use of technology is clearly defined
Authorized software
The policy should cover procedures for software installation, including
whether end users are allowed to install software on their own.
Data disposal
The policy dictates the procedures to follow when disposing of
storage media that may contain data.
Firewall
Rules for how the organization's firewalls will manage network
traffic should be incorporated into the policy, including procedures
for updating and changing rules.
Incident management
The security policy should include clearly defined procedures for
security incident handling and reporting.
Passwords
The policy should state the organization's requirements for creating
and managing passwords. Remember to include requirements for
administrative and service account passwords.
Social media
The policy should specify how the organization uses social media and how
employees are expected to represent the organization on social networking sites.
Telephone procedures
The policy should include what type of information can be provided over the
telephone and under what circumstances.
Waste disposal
Because attackers can gain valuable information from corporate trash, proper
waste disposal must be addressed.
Training employees
After the policies are in place, employees must be educated about the policies
and the reasons behind them. They must also have clear instructions for
reporting suspicious behavior or events. This training should be conducted
regularly, to help keep employees alert and up-to-date on new procedures.
Employee training can be performed electronically using existing information
portals, or in person in small units or larger classes. Having properly trained
staff leading these events is critical in order to increase the likelihood of
employees both understanding the presented material and accepting the
training's validity. Larger organizations usually have training staff available
through their human resources office. An organization lacking experienced
training staff should consider hiring an outside firm to provide this support.
Issues may come up in training sessions that aren't addressed in the security
policy. Trainers should note these issues in an after-action review so that the
related policies can be reviewed and updated, if necessary.
Remain flexible
Making changes to production architecture is difficult, at best,
particularly with regard to mission-critical architecture. In a
production environment, you should expect that there have been
changes to the resources involved since the initial review was
conducted, and plans must be updated accordingly in order to
avoid disruption of services.
Flexibility is just as necessary for long-term planning, but remaining
adaptable becomes more complex as the environment fluctuates
from year to year due to changes in technology, operations,
business focus, and regulatory or legislative mandates.
Inclusion of entirely new vistas of computational capability can
require significant changes to existing strategies and policies.