718 Chapter 12 • Operational and Organizational Security: Policies and Disaster Recovery
cies and procedures can be made available on a mapped network drive that everyone has read access to, allowing users to double-click on files to open and review read-only copies of the policies and procedures. A corporate intranet is another common method used to provide access to documentation and to information on changes. Either way, the users can see what is expected of them and how they are supposed to carry out specific tasks.
If users are kept informed, they will be more open to the rules imposed on them. If users are aware of the rules and practices but are unaware of their importance, they may view these measures as bothersome and not follow them adequately. For example, the administrator may implement a mandatory policy forcing users to change their passwords every 30 days to a new password that they have not used before. Users may balk at having to make such changes every month, especially when they forget their new passwords. If the administrator explains that the policy exists to protect their data and private information, they understand that doing so is in their own interest and will be more willing to cooperate.
Users should be made aware of how they can assist with security issues, so that mistakes made at the user level do not impact the network as a whole. They should know how to change their passwords to strong passwords, as discussed earlier in this chapter. They should also be aware that procedures must be followed when security changes are needed. A common problem in organizations is that users share passwords with one another to give another person access to certain systems or data. By logging on as another person, an unauthorized user appears in the logs as the actual user and can send e-mail, make mistakes, or perform malicious actions, all of which will be attributed to the account owner. Members of an organization must know that they are accountable for anything done with their accounts, and that requests for security changes must be made to the network administrator rather than worked around by sharing credentials.
It is also important that administrators inform users of events that do not require their active participation but will affect them directly. When creating a secure environment, the administrator needs to perform upgrades on server software, update equipment, and carry out other tasks that affect the network. When the network is affected, the users are affected. Servers may be shut down for maintenance, generator tests might cause momentary losses of power, or other events can occur that affect a user's ability to work. When performing such tasks, administrators should inform users in advance, so they will know what is happening and can make arrangements to continue working. Bulk e-mail or broadcast messages should be sent to all users, stating what will occur, when, and how long it will affect them. When users are involved and aware of what is going on, they are better able to deal with these events.
www.syngress.com