Operational and Organizational Security: Policies and Disaster Recovery • Chapter 12
NOTE
The "Rainbow Series" is a collection of books published by the National
Computer Security Center (NCSC), each dealing with a different aspect of
security. Each book in the series has a different colored cover, which is
why the collection is called the Rainbow Series. The Orange Book is the
"Trusted Computer System Evaluation Criteria" (TCSEC), which establishes
the criteria used to grade the security offered by a system or product
(its divisions run from D, minimal protection, up through C, B, and A,
with A1 the most rigorous). The Red Book is the "Trusted Network
Interpretation" (TNI) of the TCSEC; it applies the Orange Book criteria
in the context of networks. These books are often referred to when
classifying systems and networks. Note that TCSEC has since been
superseded by the Common Criteria (ISO/IEC 15408) for formal product
evaluation, but the Rainbow Series terminology still appears in policy
documents and exam material.
Notification
Earlier in this chapter, when communication was discussed, we stressed the need for
notifying the appropriate parties in case of a problem. Notification is vital to dealing
with a crisis swiftly, so that problems are neither left unresolved nor allowed to sit
long enough to increase in severity. When critical incidents such as system failures
or intrusions occur, it is important that the right person(s) to deal with the situation
be called in. Often, this is the person with expertise in the affected system (such as a
network administrator who deals with servers and other network technologies), or
an on-call person who is designated to handle issues during off hours. A notification
procedure should therefore name who is contacted for each type of incident, how
they are reached (including an alternate if the primary contact is unavailable), and
how that contact is escalated if no response is received.
Notification procedures should also include contact information for outside
parties who are contracted to support specific systems. For example, if there is a
problem with a firewall, the support staff of the firewall vendor may be called in
to fix the system. When such people are called in during a crisis, other security
practices should still be followed: verify their identity, sign them into secure areas,
escort them while they are on site, log any accounts or remote access granted to
them, and revoke that access once the work is complete. Remember that
emergencies are not an excuse to forgo other policies for the sake of expediency.
Retention/Storage
As discussed earlier in this chapter, the data retention policy decides how long a
company will retain data before destroying it. If everyone kept every scrap of paper
and every record stored in a database, organizations would quickly run out of disk
space and have rooms filled with paperwork. For this reason, administrators need to
determine whether certain records should be destroyed after a defined number of
months or years. A retention policy clearly states when stored data is to be
removed. The retention period is not chosen for convenience alone: legal and
regulatory requirements often set a minimum period for certain records, and a
legal hold can suspend scheduled destruction entirely. When the period expires,
removal should mean actual destruction (secure wiping of media, shredding of
paper), not merely deleting a reference to data that remains recoverable.