Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery
Administrator Accounts
Administrator passwords are another important issue that should be covered in a
password policy, as anyone using an administrative account is able to make changes
and access all data on a system. Because of the importance of this account, there
should be limits on who knows the password to this account. If there are numerous
people in IT who perform administrator duties, they should have their own
accounts with the minimum access needed to perform their tasks, and follow the
same rules as other user accounts (e.g., changing passwords regularly, using strong
passwords, and so forth). The password for the administrator account should be
written down, sealed in an envelope, and stored in a safe. Should the administrator
leave, or this account be needed, others in the IT staff can still use the account and
make necessary system changes.
SLA
Service Level Agreements (SLAs) are agreements between clients and service
providers that outline what services will be supplied, what is expected from the
service, and who will fix the service if it does not meet an expected level of
performance. In short, it is a contract between the parties who will use a particular
service and the people who create or maintain it. Through an SLA, the
expectations and needs of all parties are clearly defined so that no misunderstandings about
the system will occur at a later time.
An SLA is often used when an organization uses an outside party to implement
a new system. For example, if a company wanted Internet access for all its
employees, it might order a wide area network (WAN) link from an Internet
Service Provider (ISP). An SLA would be created to specify expected amounts of
uptime, bandwidth, and performance. The SLA could also specify who will fix
certain problems (such as the T1 line going down), who will maintain the routers
connecting the company to the Internet, and other issues related to the project. To
enforce the SLA, penalties or financial incentives may be specified to deal with
failing or exceeding the expectations of a service.
SLAs can also be used internally, specifying what users of the network can
expect from IT staff and procedures relating to the network.
■ The SLA may specify that all equipment (such as printers, new computers,
and so forth) must be purchased through the IT department. If this is not
done, the IT staff is under no obligation to fix the equipment that is
purchased improperly.
www.syngress.com