
Operational and Organizational Security: Policies and Disaster Recovery• Chapter 12  675

                 are no longer applicable to the company, organizations will have up-to-date policies
                 that are meaningful and relevant.


                   Head of the Class…
                   Do Not Reinvent the Wheel
                   Many people attempt to create policies from scratch. They spend hours
                   or even days trying to hammer out a new policy, trying to think of
                   everything necessary to include in the document to avoid any legal
                   issues or loopholes. When done, they can only hope that the policy and
                   procedures within will hold up when a problem occurs.
                        It is better to use a policy belonging to another organization as a
                   template. The Internet is filled with examples of policies, which you can
                   examine and use. For example, you can find policy templates at the SANS
                   Institute’s Web site (www.sans.org/resources/policies/) that can assist you
                   in making policies for your own organization. In some cases, you can also
                   ask similar organizations for copies of their policies. By reviewing a sim-
                   ilar policy, you can determine which elements are useful to your own
                   policy, and you may also find other issues that should be included, but
                   that you did not think of. Also, if you use a policy that has existed for a
                   period of time, you can minimize the risk of your policy not living up to
                   the challenge of real world issues.
                 Security Policies


                 Security policies address the need to protect data and systems within an organiza-
                 tion. In other words, this not only includes files on a server, but also the server
                 itself. A good security policy should:

                      ■  Dictate how employees acquire access to an organization’s data
                      ■  Determine the level of access employees are given to specific data
                      ■  Offer instructions on how to best provide physical security for an organi-
                         zation’s equipment

                    In some organizations, these issues may be separated into multiple policies that
                 address each topic separately. Some of the policies that may be needed when cre-
                 ating security standards for an organization include:
                      ■  Restricted access policies
                      ■  Workstation security policies
                      ■  Physical security policies





                                                                              www.syngress.com