
678    Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery


                  ■   Users could inadvertently modify protocol settings so they are unable to
                      access the network.

                  ■   If uneducated users have the ability to install programs, they could install a
                      malicious or virus-infected program.

                  ■   Users could install games on their workstation that use up valuable hard
                      drive space, or tie up an inordinate amount of an organization’s network
                      bandwidth.

                  ■   Users could make a variety of mistakes, well meaning or otherwise, that
                      cause additional work for IT staff.
                 To protect resources, a workstation security policy should also address how
             workstations will be configured when initially put into use. This may include
             specifying multiple local accounts on workstations: one used by administrators to
             change settings and install programs, and another used by general users who have
             restricted permissions. By implementing such measures, users will be less likely to
             perform malicious or accidental actions that jeopardize security. The policy will
             also include strategies for protecting data on workstations, such as specifying
             whether the file system is to be encrypted. Encryption will prevent unauthorized
             persons from being able to read files, and keep an intruder from accessing folders
             and their contents. By using a policy to specify how workstations are configured,
             security is enhanced throughout the organization.
                 Because clients have evolved well beyond personal computers wired to a
             network, workstation security policies may also be part of a larger equipment policy.
             Such policies may include Personal Digital Assistants (PDAs), cell phones, pagers,
             and other wireless handheld devices (such as a Blackberry), as well as printers,
             scanners, and other devices issued to individual users or available on the network.
             The policies should include information on the criteria or procedure for acquiring
             certain equipment (as everyone generally won’t get their own laptop), and the
             approved products that are supported by the organization. After all, if a department
             purchases Palm PDAs for its staff but the organization only supports Blackberry
             devices, then the department will have unusable equipment on their hands.
                 Another aspect to consider when creating such policies is whether personal
             equipment will be supported by the organization. Many employees may have their
             own laptop computers, but generally a company won’t provide technical support or
             allow them to be added to a network. After all, computers or devices owned by
             individuals won’t be configured the same as systems owned by the company, nor
             will they have the same security settings and software installed. This could leave the



          www.syngress.com