684 Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery
ment, the propensity of employees to use these devices for their own personal use
is a problem. For example, an employee may use a company’s wireless phone to call
home, or use a laptop to pay their personal bills online. Acceptable use policies
routinely include sections that restrict users from using equipment for their own
personal use, home businesses, or other methods of financial gain.
Acceptable use policies should also specify how information can be distributed to
the public, to keep sensitive information from being “leaked.”
Imposing rules on the dissemination of information may include:
■ Specifications that prohibit classified information from being transmitted
via the Internet (e.g., e-mail, Short Message Service (SMS), or File
Transfer Protocol (FTP))
■ Provisions on how content for the Web site is approved
■ Rules on printing confidential materials
■ Restricting who can create media releases, and so on
Through these rules, important information is protected and employees have an
understanding of what files they can or cannot e-mail, print, or distribute to other
parties.
Enforcing Acceptable Use Policies
Head of the Class…
It has become commonplace for organizations to require new employees
to sign an acceptable use policy upon acquiring employment with a company.
The acceptable use policy outlines computer business usage limitations
and other expectations of a company. Having new employees sign
this document serves as acknowledgement and understanding of the
rules within the policy.
By signing, employees enter into the agreement that violating the
policy (such as by accessing data or systems without proper authorization,
providing data that could be used for illegitimate endeavors, or other
infractions) may lead to dismissal or even prosecution. However, signing
the acceptable use policy does not absolve a company from responsibility
or liability for an employee’s actions. The acceptable use policy could be
used in court in the company’s defense, but it does not mean that they
will not be found responsible for the employee’s actions.
If the policy is not generally enforced, the courts could find that the
company gave tacit approval of the employee’s behavior, making them
vicariously liable for the employee’s actions. For example, an employee
downloaded pornographic images from the Internet and then e-mailed
www.syngress.com