Operational and Organizational Security: Policies and Disaster Recovery • Chapter 12 679
network open to viruses and malicious software installed on the person's computer. Beyond this, allowing personal equipment may exempt the person from other policies, such as those involving acceptable use that we discuss later in this chapter. In addition, if the person undergoes disciplinary proceedings or termination of employment, chances are he or she will be unlikely to supply the company with the computer so that any files, software, or other data on the machine can be properly removed. Because of the issues related to personal equipment being used on a network, it is often best not to allow personal equipment to be used for business purposes.
Policies Followed by Everyone
Damage & Defense…
In any organization there are rules for everyone, and those who are exceptions to the rules. The unfortunate truth is that if someone in a position of power wants to ignore aspects of a policy, they can generally get away with it. However, unless everyone from the owner of a company to the lowest level employee follows policies, security holes will exist.
Anyone who has consulted or worked in computers for any length of time has had experiences with individuals who felt they were above the policies of their organization. In one experience, the problems of such actions became clear when the assistant manager of an IT department caused a major incident. Even though she would quote chapter and verse on policies, procedures and contracts used by the organization, she ignored a policy regarding personal equipment and used her own laptop for work. Regrettably, her house was broken into one day, and the laptop was stolen.
For some reason, everyone else in the IT department wasn't informed until the next day, creating a flurry of activity. The laptop had software to remotely connect to the internal network, a list of administrator passwords, copies of procedures, and a wealth of other sensitive information and tools. Because it wasn't the company's computer, there were no backups made of the laptop, so there was no way of determining everything that was on the machine. Worse still, it wasn't configured and locked down like other computers in the organization, so it was possible whoever stole the machine could access its data. Administrator passwords needed to be changed, certain accounts were replaced by new ones, access codes used in physical security were modified, and a review of all systems was conducted. While a security breach was averted, the potential threat was astronomical. Not only did the person have data used by management, but also administrative access to systems. It was a worst-case scenario.
Continued
www.syngress.com