Operational and Organizational Security: Policies and Disaster Recovery • Chapter 12 689
Companies can check firewall logs to determine what sites an employee visited, how long they spent there, what files they downloaded, and other information that the employee may consider private. Again, since the Internet access is provided through the company and is therefore company property, the company should inform users through the privacy policy of its privilege to investigate how employees are using this resource.
Companies may also stipulate the privacy of client information, or those with a presence on the Web may include or create a separate policy that deals with the privacy of a visitor to their Web site. In terms of actual clients (those people with whom a company does business), the policy should state what level of privacy a client can expect. This may include the protection of client information, including information on sales, credit card numbers, and so forth. In the case of law enforcement, this might include information on a person's arrest record that cannot be concealed under the Public Information Act and Open Records laws, personal information, and other data. For both clients and visitors to Web sites, a company may stipulate whether information is sold to third parties, which may send them advertisements, spam, or phone solicitations.
Damage & Defense…

Ensuring a Policy is Legal and Can Be Enforced

Once a policy is written, you need to ensure that leaders in the company will support it. Authorization needs to be acquired from management before the policy becomes active, so it is established that the company backs the policy and will enforce it if necessary. Having senior management sign off on a policy ensures that users will not be confused as to whether the policy is part of the company's vision and will result in disciplinary actions if violated.
The policy also needs to be reviewed by legal counsel to ensure it does not violate any laws, and that its content and wording are not misleading or unenforceable in any way. For example, many countries have legislation dealing with privacy, so it is important that whatever privacy policy you create adheres to those laws if your business operates in those countries. As with other policies mentioned here, you should have legal counsel review your policy before publishing it to the Internet or internally.
Separation of Duties

Separation of duties ensures that tasks are assigned to personnel in a manner that no single employee can control a process from beginning to end. Separation of duties is a common occurrence in secure environments, and involves each person having a
www.syngress.com