Page 693 - StudyBook.pdf

Operational and Organizational Security: Policies and Disaster Recovery• Chapter 12  677

                 Because users need special hardware with this method of authentication, a
                 restricted access policy would be used to specify the criteria for determining who
                 is issued equipment as well as access.
                    Restricted access policies are used to control access and to make clear how
                 and why these limitations exist. They dictate who is able to acquire
                 restricted access, how they obtain it, what the different levels of access provide, time
                 limitations that may be involved, and other elements involved in the restrictions
                 placed on users. While some situations may involve subscriptions for increased
                 access, most organizations will base the requirements for restricted access on a
                 member’s need for classified information and controlled resources.
                    A restricted access policy addresses not only access to data, but also
                 admittance to various locations. Most companies do not allow everyone freedom of
                 movement to every area of a facility. Businesses will generally limit unaccompanied
                 public access to a common area (such as a reception area), and may restrict
                 employees from entering certain sections of a building or property. The reasons for
                 such restrictions vary, but are usually logical and valid. A server room will be
                 restricted to protect servers, networking equipment, and data; a computer forensics
                 lab will seek to prevent contamination of evidence; and a medical lab will strive
                 to protect patient privacy and the health and safety of other employees. To enforce
                 these restrictions, identification cards may be used to classify access levels, and
                 measures of physical security may be implemented. As we’ll see in a following section,
                 physical security policies are often a counterpart of restricted access policies.

                 Workstation Security Policies

                 In any networking environment, workstations are the most widely used pieces of
                 equipment, so they should also be addressed in a policy. A workstation is any
                 computer that is connected to a network (including desktop and laptop computers)
                 and utilizes network resources. If a user has unlimited access to the computer they
                 are working with, they can store files on the local hard drive, floppy disks, or other
                 drives. If workstations are not addressed in a security policy, a user may consider it
                 permissible to store non-work-related files on the local drive or copy sensitive data
                 to removable media.
                    Another issue involving workstation security is a user’s ability to install
                 programs or change settings on a workstation. Potential issues to consider are:
                      ■  Users could inadvertently alter their display settings so they are unable to
                         view anything.





                                                                              www.syngress.com