Page 698 - StudyBook.pdf

682    Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery

             Security Procedures


             Procedures are sets of detailed instructions that describe how to accomplish an
             objective, and provide guidance on how to perform certain actions to achieve a
             particular result. Security procedures are necessary, because they describe the
             methods necessary to implement a policy. For example, a policy may require data
             on servers to be backed up, but procedures will inform members of the IT staff
             how to perform the backups, providing step-by-step instructions on how to
             perform the task. Without procedures, a policy would simply be a goal without a
             strategy.
                 Procedures are different from policies in a number of other ways. While policies
             are available to view throughout an organization, procedures are available only to
             those who need them. This is because, although they address specific technologies,
             they are written in a way that a novice could follow. A procedure may provide
             instructions on programs to use, IP addresses of resources on a network, usernames
             and passwords, and other information needed to perform a series of tasks that will
             reconfigure equipment. In the wrong hands, this could make procedures a dangerous
             tool.
                 Because procedures document each step in a process, they only need to be
             updated when a particular step or the process itself changes. For example, a new
             version of a program may change its menus, requiring a procedure to be updated to
             indicate the new menus and menu items used. Similarly, if a company no longer
             supports the program, then the entire process may change to accommodate a new
             program with similar functionality. While a procedure may be changed, it will
             continue to exist as long as a policy demands certain tasks to be performed.

             Acceptable Use Policies

             An acceptable use policy establishes guidelines on the appropriate use of technology. It
             is used to outline what types of activities are permissible when using a computer or
             network, and what an organization considers proper behavior. Acceptable use
             policies not only protect an organization from liability, but also provide employees with
             an understanding of what they can and cannot do using company resources.
                 In an organization, employees act as representatives of the company to the
             public. How they conduct themselves and the actions they perform reflect upon
             the organization, and can either enhance or damage the reputation of the company.
             Because employees have greater access to clients and other members of the public
             through e-mail, Web pages, and other technologies, acceptable use policies are used




          www.syngress.com