688 Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery
resources are being wasted on old data. For example, if an organization is considering purchasing an additional file server, performing an audit on its current file server may reveal that employees are using up hard disk space by saving outdated files, games, personal photos, duplicated data, and other items that can be deleted. Although employees may assume that the data stored in their personal directories on equipment that is issued to them is private, a privacy policy could state that the equipment and any data stored on it are the property of the organization.

Privacy policies may also authorize such audits on the basis of searching for installations of pirated or unauthorized software. Pirated software is software that is not licensed for use by the person or company, and can cause liability issues resulting in fines or prosecution. Unauthorized software may include such things as games or applications for personal use (photo software, online bill-paying software, and so on) installed on workstations and laptops. Unauthorized software can cause a plethora of problems, including conflicts with company software and the introduction of viruses or Trojan horses.

Trojan horses are applications that appear to be legitimate programs, such as a game or software that performs useful functions, but contain code that performs hidden and/or unwanted actions. For example, an employee may install a calculator program that they downloaded from the Internet, not knowing that it secretly sends data regarding the person’s computer or network to a hacker’s e-mail address. Not only can such programs reveal information about the system, but the Trojan horse may also acquire information from the network (such as sensitive information about clients).

Just as data stored on a computer or network is considered the property of an organization, e-mail (another form of data) may also be considered corporate property. Privacy policies often state that e-mail sent or received through business e-mail addresses belongs to the organization and should not be considered private. The organization can then examine the e-mail messages, ensuring that the business e-mail account is being used properly. While this seems like a blatant violation of personal privacy, consider how e-mail can be abused. A person can make threats, reveal sensitive information, harass, or perform any number of immoral and criminal actions while posing as a representative of an organization. The organization uses the privacy policy to ensure that each employee is representing the organization properly while using corporate e-mail.

As Internet access has become common in organizations, monitoring the Web sites that employees have visited has also become common. Firewalls are used to prevent unauthorized access to the internal network from the Internet, but they also enable organizations to monitor what their employees are accessing on the Internet.
www.syngress.com