Page 706 - StudyBook.pdf

690    Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery

different job, thus allowing each to specialize in a specific area. This provides a number of benefits to the security of an organization.

In an organization that uses a separation of duties model, there is less chance of people leaking information, because of the isolated duties that each employee performs in contribution to the whole. If a user does not know something, they cannot discuss it with others. Because the needs of persons performing separate duties would not require the same access to the network and other systems, each person (or department) would have different security needs. In other words, the data of one person or department would not need to be viewed, deleted, or modified by another. A good example of this would be the Internal Affairs office of a police department, which investigates infractions of officers. Because other officers are being investigated, you would not want them having access to the reports and data dealing with their case. Doing so could jeopardize the integrity of that data.

Another benefit of separating duties is that each person (or group of people) can become an expert in their job. Rather than trying to learn and be responsible for multiple tasks, they can focus their expertise on a particular area. This means, theoretically, you always have the best person available for a job.

Separation of duties does not mean that there is only one person in an organization that can perform a specific duty, or that people are not accountable for their actions. It would be inadvisable to have only one person know a particular duty. If this were the case and that person were injured or left the company, no one else would be able to do that particular job. Thus, each task should be documented, providing detailed procedures on how to perform duties.

Supervisors and managers should be aware of the duties of each subordinate so they can coordinate jobs effectively. This is particularly important in crisis situations such as those involving disaster recovery (discussed later in this chapter). By separating duties, each person is able to focus on their individual tasks, with each fixing a piece of the problem. Not only does this provide a more effective method of dealing with a crisis, but it also allows the situation to be successfully resolved faster.

Need to Know

A “need to know” basis refers to people only being given the information or access to data that they need to perform their jobs. The less information someone has, the less they have to share with others. It also decreases the risk of accidents or malicious actions, which can occur when people have access to more information than they need to perform their jobs.






www.syngress.com