
Operational and Organizational Security: Policies and Disaster Recovery • Chapter 12   747

                 Summary of Exam Objectives


Policies provide information on the standards and rules of an organization, and are used to address concerns and identify risks. They are used to provide a reference for members of an organization, and are enforced to ensure they are followed properly. Procedures provide instructions on how policies are to be carried out, and may also be used to inform users on how to perform certain tasks and deal with problems. When used in an organization, policies provide a clear understanding of what they expect from employees and how issues are to be handled.
There are many different types of policies that may be used within an organization. An acceptable use policy establishes guidelines on the appropriate use of technology, a code of ethics outlines proper behavior, and privacy policies provide an understanding of the level of privacy employees and/or customers can expect from a company. Many other policies may also be created, based on the needs and expectations of the organization. Before implementing these policies, they should be authorized by senior management to ensure approval by the company, and reviewed by legal representation to ensure that they correspond to existing laws. Once this is done, they should be made available to those the policy applies to, so they understand their rights according to the policy and what is expected of them.
Privilege management involves administration and control of the resources and data available to users and groups in an organization. This can be done on a user level to specify privileges for each account, or by associating the accounts with groups and roles to control access on a larger scale. To apply the security settings across a network, a single sign-in can be used. When the user logs onto any server, the privileges to any other servers they have access to are also applied. To increase the security of servers that are logged into, the administrator should consider centralizing them in one area. Auditing each of these servers and other systems can be performed to monitor for lapses in security.
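The paragraph above describes two ways of assigning privileges (per account, or through groups and roles) and auditing access to spot lapses. The following is an added example, not code from the study book, that resolves a user's effective permissions from both sources, lets an explicit per-account deny override a role grant, and records every decision in an audit list that can be reviewed for denied attempts. All names (users, groups, roles, resources) are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Type alias: resource name -> set of permitted actions, e.g. {"payroll": {"read"}}
Grants = Dict[str, Set[str]]


@dataclass
class PrivilegeStore:
    """Holds role, group and per-account privilege data plus an audit trail.

    Hypothetical structure for illustration; not tied to any real directory product.
    """
    role_perms: Dict[str, Grants] = field(default_factory=dict)   # role -> grants
    group_roles: Dict[str, Set[str]] = field(default_factory=dict)  # group -> roles
    user_groups: Dict[str, Set[str]] = field(default_factory=dict)  # user -> groups
    user_perms: Dict[str, Grants] = field(default_factory=dict)    # per-account grants
    user_denies: Dict[str, Grants] = field(default_factory=dict)   # per-account denies
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def effective_permissions(self, user: str, resource: str) -> Set[str]:
        """Union of role-derived and account-level grants, minus explicit denies."""
        perms: Set[str] = set()
        # Large-scale control: privileges inherited through group -> role membership.
        for group in self.user_groups.get(user, set()):
            for role in self.group_roles.get(group, set()):
                perms |= self.role_perms.get(role, {}).get(resource, set())
        # Account-level control: grants specified directly for this user.
        perms |= self.user_perms.get(user, {}).get(resource, set())
        # An explicit per-account deny always wins over an inherited grant.
        perms -= self.user_denies.get(user, {}).get(resource, set())
        return perms

    def check(self, user: str, resource: str, action: str) -> bool:
        """Authorize one action and log the outcome so the decision can be audited."""
        allowed = action in self.effective_permissions(user, resource)
        self.audit.append(("ALLOW" if allowed else "DENY", user, resource, action))
        return allowed

    def denied_events(self) -> List[Tuple[str, str, str, str]]:
        """Audit review helper: every denied request, for spotting misuse or misconfiguration."""
        return [entry for entry in self.audit if entry[0] == "DENY"]


def build_sample_store() -> PrivilegeStore:
    """Constructed sample data: two roles, two groups, three users."""
    store = PrivilegeStore()
    store.role_perms["reader"] = {"payroll": {"read"}}
    store.role_perms["editor"] = {"payroll": {"read", "write"}}
    store.group_roles["finance"] = {"editor"}
    store.group_roles["staff"] = {"reader"}
    store.user_groups["alice"] = {"finance"}
    store.user_groups["bob"] = {"staff"}
    # carol is in no group; she gets one account-level grant on a different resource.
    store.user_perms["carol"] = {"reports": {"read"}}
    # bob keeps his role-based read but is explicitly denied write at the account level.
    store.user_denies["bob"] = {"payroll": {"write"}}
    return store


def run_sample() -> Dict[str, bool]:
    """Exercise the store and return the decisions; the audit trail stays on the store."""
    store = build_sample_store()
    results = {
        "alice_write_payroll": store.check("alice", "payroll", "write"),
        "bob_read_payroll": store.check("bob", "payroll", "read"),
        "bob_write_payroll": store.check("bob", "payroll", "write"),
        "carol_read_payroll": store.check("carol", "payroll", "read"),
        "carol_read_reports": store.check("carol", "reports", "read"),
    }
    results["denied_count_is_two"] = len(store.denied_events()) == 2
    return results


if __name__ == "__main__":
    for name, outcome in run_sample().items():
        print(f"{name}: {outcome}")
```

The deny list is applied last so that a tightening made on one account cannot be silently undone by a later role or group change; reviewing `denied_events()` periodically is the small-scale equivalent of the auditing the paragraph recommends.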
Education and documentation provide people with the ability to perform actions securely, identify problems, and report issues to the necessary persons. Proper documentation should contain step-by-step procedures, diagrams, and other information necessary to perform tasks and solve problems. Different methods of communication should be provided to allow users to contact the administrator when needed, or for the administrator to educate them on different issues. By implementing different methods of reaching users, the administrator can make them aware of problems and proper procedures.
Disaster recovery plans provide procedures for recovering after a disaster occurs, and provide insight into methods for preparing for the recovery should the need



                                                                              www.syngress.com