686 Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery
Computer software and equipment are expensive, so employers expect staff
members to take care when using them. Damage caused by irresponsible use can void
warranties, meaning the company must pay for any repairs. Using assets in a way
that was not intended, or breaching the recommendations or agreements established
in the licensing or documentation (such as the owner’s manual), is considered
irresponsible use. For example, using security software for hacking purposes
or using equipment to hold open a door would be considered irresponsible. Users
are expected to take reasonable levels of care when using the equipment and software
that is issued to them. What is considered reasonable often depends on the
equipment or software in question, but generally involves following the recommendations
and best practices included in the equipment or software’s documentation.
Primarily, it involves using common sense and taking care of the assets as a reasonable
person would.

Maintaining equipment and software is not solely the responsibility of the user;
employers must also acknowledge their part in due care. Technologies need to be
maintained and updated regularly. For this reason, due care policies exist for the
purpose of outlining who is responsible for taking care of specified equipment. This
may be an IT staff member who ensures that users have the hardware, software, and
access to resources to do their jobs properly. Because technology changes, the IT
staff responsible for due care needs to determine the life spans of various technologies
and upgrade them after specified periods of time.

Due care also applies to data. Irresponsibly handling data can destroy it, unintentionally
modify it, or allow sensitive information to fall into the possession of
unauthorized users. It can also result in privacy issues. Irresponsibility on the part of
a company can infringe on an employee’s right to privacy, such as when information
in a personnel database or permanent record is allowed to be accessed without
authorization. Irresponsibility on the part of users can also result in sensitive information
becoming available to unauthorized parties, such as when a salesperson e-mails
a client’s credit card information over the Internet to another department or
person. As will be seen in the next section, privacy policies may also be a legislated
requirement of conducting business in certain industries, such as those involving
health care or finance.

Reasonable efforts must be made to ensure the integrity of data, including regular
checks for viruses, Trojan horse attacks, and malicious programs. Efforts must
also be made to deal with the possibility of problems occurring, such as maintaining
regular backups of data. By setting up proper procedures for protecting data
and ensuring damaged data can be recovered, a system’s integrity and security are
drastically enhanced.
www.syngress.com

