Operational and Organizational Security: Policies and Disaster Recovery • Chapter 12 691
An idiom of World War II was “loose lips sink ships,” meaning that people sharing information could cause a disaster. This same philosophy applies to security issues today. Each piece of sensitive information a person has about a process, system, or company can be told to others. For example, someone who knows about corporate stock going up could tell others, resulting in insider trading. By minimizing the number of facts each employee knows, the risk of leaking information also decreases.
To prevent sensitive data from leaking outside of an organization, non-disclosure agreements may also be used. A non-disclosure agreement is a formal agreement between a company and an employee, in which the employee agrees not to reveal classified information to third parties. For example, a police officer would not be able to discuss sensitive information about an ongoing investigation, or a programmer would not be allowed to reveal information about a new process being developed by the company. On the other hand, if the information was non-classified, such as a media release that was sent to newspapers, the employee could discuss these non-classified elements of the project. Violating a non-disclosure agreement could leave a company legally liable, and may be grounds for termination or prosecution of the employee.
When setting up security on a network, it is important that each user does not receive more access than needed to perform their job. If users can access sensitive data, they can potentially view, alter, or delete it. This could have a devastating effect on a network and a company.
Policies and procedures should be implemented that require written requests for network access. Employees should submit a written request, reasons for additional access should be justified, and supervisors or managers should sign the document. As will be seen later in this chapter, access requests from new employees should be submitted to the network administrator by the Human Resources (HR) department. This provides accountability through a paper trail that shows access was requested for a valid reason and who approved the request.
Password Management
Passwords are used to prevent unauthorized access to computers, networks, and other technologies, by forcing anyone who wants access to provide specific information. Password management involves enacting policies that control how passwords are used and administered. Without good password management, security could be compromised by passwords that are easy to guess, repeatedly used, or have characteristics that make them insecure.
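As an added example that is not from the book, the three failure modes just named (easy to guess, repeatedly used, insecure characteristics) expressed as a password-policy check in Python; the blocklist, history depth, length threshold and the sample username are constructed values chosen for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed policy values for this example; a real deployment would load a
# far larger blocklist (e.g. from a breach corpus) and keep history per account.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12
HISTORY_DEPTH = 5  # how many previous passwords may not be reused


def hash_password(password, salt=b""):
    """Salted PBKDF2 hash so the history never stores the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def was_used_before(password, history):
    """Reuse check: re-derive with each stored salt, compare in constant time."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def weak_characteristics(password, username):
    """Return the list of insecure characteristics found (empty if none)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(p, password)) for p in patterns) < 3:
        reasons.append("fewer than three character classes")
    if username.lower() in password.lower():
        reasons.append("contains the username")
    if re.search(r"(.)\1{2,}", password):
        reasons.append("repeats a character three or more times in a row")
    return reasons


def evaluate_password(password, username, history):
    """Apply all three policy failure modes; an empty list means accepted."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("easy to guess (on the common-password list)")
    if was_used_before(password, history):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    problems.extend(weak_characteristics(password, username))
    return problems
```

The history is a list of `(salt, digest)` pairs as returned by `hash_password`, so reuse is detected without ever keeping old passwords in clear text.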
www.syngress.com