Objectives
Define organizational security policy
List the types of security policies
Describe how education and training can limit the impact of social engineering
Deciding how much control a specific policy should impose is not always straightforward.
The security needs and the culture of the organization play a major role in deciding what level of control is appropriate.
Security+ Guide to Network Security Fundamentals, Third Edition 5
Guideline
A collection of suggestions that should be implemented
Policy
Document that outlines specific requirements or rules that must be met
The second phase of the security policy cycle is to use the information from the risk management study to create the policy.
The final phase is to review the policy for compliance.
The AUP usually provides explicit prohibitions regarding security and proprietary information.
Unacceptable use may also be outlined by the AUP.
Acceptable use policies are generally considered to be the most important information security policies.
Due process
The principle of treating all accused persons in an equal fashion, using established rules and principles
Due diligence
The requirement that any investigation into suspicious employee conduct examine all material facts
Generally, this involves creating classification categories such as high, medium, or low, and then assigning information into these categories.
Ethics Policy
Values
A person's fundamental beliefs and principles used to define what is good, right, and just
Morals
Values that are attributed to a system of beliefs that help the individual distinguish right from wrong
Ethics
The study of what a group of people understand to be good and right behavior and how people make those judgments
Organizational Training
All computer users in an organization share a responsibility to protect the assets of that organization
Users need training in the importance of securing information, the roles that they play in security, and the steps they need to take to ward off attacks
Phishing
One of the most common forms of social engineering.
Involves sending an e-mail or displaying a Web announcement that falsely claims to be from a legitimate enterprise in an attempt to trick the user into surrendering private information.
Both the e-mails and the fake Web sites appear to be legitimate.
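Because phishing messages are built to look legitimate, one practical check is to compare the sender's address domain against the domains the organization actually trusts and flag lookalikes (typosquats, brand names embedded in unrelated domains, display names that claim a trusted domain). The following is an added example, not code from the textbook: the `From:` header values and the `LEGITIMATE_DOMAINS` allowlist are constructed for illustration.

```python
"""Flag lookalike and impersonating sender addresses in e-mail From: headers."""
from email.utils import parseaddr

# Constructed sample From: header values (not real messages).
SAMPLE_FROM_HEADERS = [
    "Accounts Team <billing@example.com>",             # genuine domain
    "Example Support <support@examp1e.com>",           # digit-for-letter typosquat
    "example.com Security <alerts@example-com-login.net>",  # brand embedded in other domain
    "Alice <alice@partner.example.org>",               # genuine partner domain
]

# Assumed allowlist of domains the organization treats as legitimate senders.
LEGITIMATE_DOMAINS = {"example.com", "partner.example.org"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_sender(header_value: str) -> tuple[str, str]:
    """Return (display name, address domain) from a From: header value."""
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def classify_sender(header_value: str, legitimate=LEGITIMATE_DOMAINS,
                    max_distance: int = 2) -> dict:
    """Classify a sender as legitimate, suspicious (with reasons), invalid or unverified."""
    name, domain = extract_sender(header_value)
    if not domain:
        return {"domain": domain, "verdict": "invalid", "reasons": ["no address domain"]}
    if domain in legitimate:
        return {"domain": domain, "verdict": "legitimate", "reasons": []}

    reasons = []
    squashed = domain.replace("-", "").replace(".", "")
    lowered_name = name.lower()
    for legit in legitimate:
        brand = legit.split(".")[0]
        # Small edit distance to a trusted domain: classic typosquat.
        if levenshtein(domain, legit) <= max_distance:
            reasons.append(f"lookalike of {legit}")
        # Trusted brand name embedded in an unrelated registrable domain.
        if brand in squashed:
            reasons.append(f"contains brand '{brand}' but is not {legit}")
        # Display name claims the trusted domain or brand while the address does not.
        if legit in lowered_name or brand in lowered_name.split():
            reasons.append(f"display name impersonates {legit}")
    verdict = "suspicious" if reasons else "unverified"
    return {"domain": domain, "verdict": verdict, "reasons": reasons}


def scan_headers(headers=SAMPLE_FROM_HEADERS) -> list[dict]:
    """Run the classifier over a batch of From: header values."""
    return [dict(header=h, **classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for row in scan_headers():
        print(f"{row['verdict']:10s} {row['domain']:24s} {'; '.join(row['reasons'])}")
```

The edit-distance threshold and the brand-substring rule both trade precision for recall; on a real mail stream they are a triage signal to feed into the user reminders described below, not a blocking control on their own.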
Some organizations have turned to creating regular reminders to users regarding phishing attacks
Shoulder surfing
Watching an individual enter a security code or password on a keypad
Computer hoax
An e-mail message containing a false warning that some malicious entity is circulating on the Internet
Summary
A security policy is a written document that states how an organization plans to protect the company's information technology assets.
A standard is a collection of requirements specific to a system or procedure that must be met by everyone, while a guideline is a collection of suggestions that should be implemented.
A policy is a document that outlines specific requirements or rules that must be met, and is the correct means for establishing security.
Summary (continued)
Because a security policy is so comprehensive and often detailed, most organizations choose to break it down into smaller subpolicies.
A personally identifiable information (PII) policy outlines how the organization uses the information it collects.
To provide users with the knowledge and skills necessary to support information security, users need to receive ongoing training.
Social engineering relies on tricking and deceiving someone into providing sensitive information.