Operational and Organizational Security: Policies and Disaster Recovery • Chapter 12 687
The methods of practicing due care can be found in the recommended or "best"
practices offered by manufacturers of equipment, operating systems (OSes), and
other software. For example, holding down the power button on a computer will
shut it down, but it also cuts power before the OS has flushed its buffers to disk, and
may corrupt data on the machine. OS manufacturers therefore recommend that users
shut down the OS in a specific way (such as by clicking Shut Down on the Windows
Start menu). For users to follow best practices when using hardware and software,
they must be educated in how to practice due care.
Privacy
Privacy has become a major issue over the last few years, as the people who use
technology are increasingly fearful of unauthorized persons or employers viewing
personal information transmitted across networks, saved on machines, or stored in
databases. People often have an expectation of privacy when using various
technologies, and are unaware that actual privacy may not exist. Privacy policies spell
out the level of privacy that employees and clients can expect, and an organization's
perspective on what is considered private information. Areas typically covered in a
privacy policy are:
■ Unauthorized software
■ E-mail
■ Web site data
While companies may voluntarily adopt a privacy policy, some industries are
required by law to maintain specific levels of privacy for client information. The
Health Insurance Portability and Accountability Act (HIPAA) requires hospitals,
insurance companies, and other organizations in the health field to comply with
security standards that protect patient information. The Gramm-Leach-Bliley
(GLB) Act is another piece of legislation that requires banks, credit unions, brokers,
and other financial institutions to protect information relating to their clients.
The GLB Act requires these institutions to inform clients of their policies regarding
the information collected about them, and what will be shared with other
organizations. Organizations that are required to have privacy policies and fail to
comply with this legislation are in violation of federal or state law.
Privacy policies commonly state that an organization has the right to inspect the
data stored on company equipment. This allows an organization to perform audits
on the data stored on the hard disks of workstations, laptops, network servers, and so
forth. By performing these audits on a regular basis, an organization can determine
if employee resources are wasted on non-work-related activities, or if network
www.syngress.com