1 User Policy (slides from Michael Ee and Julia Gideon)


Page 2: What are End-User Policies?

- Gives users rules that they must follow as end-users of a particular system
- Covers all information security topics that end-users need to know for:
  - Compliance
  - Implementation

Page 3: What are End-User Policies?

- Sets 'expected behavior' by users
- Single resource for system users
- Supports the organization's governing policies
- Closely aligned with existing and future HR policies for all employees
- Important to the mission, values, and culture of a company
- All associates 'on the same page'

Page 4: Why are End-User Policies Important?

- Sets expectations
- Foundation for the security environment
- Human error is one of the major security challenges
  - Security versus usability
  - Workarounds by employees
  - Unfamiliarity with the computer system

Page 5: Why are End-User Policies Important?

- Very strict policies
  - Use of assets only for company business
  - Can create a climate of distrust
- Very lenient policies
  - Organization loses money in terms of equipment and resources

Page 6: Why are End-User Policies Important?

- "Acceptable behavior" is ambiguous
- Information security is a new field
- End-user policies help decrease ambiguity

Page 7: Writing End-User Policies

- Address the 'what' aspect of security policy in more detail
- Give rationale for policies
- Separate background information
- Consult during the development phase:
  - Human Resources
  - Compliance/Audit
  - User groups

Page 8: Writing End-User Policies

- Human Resources
  - Assists in making sure that overlapping policies agree:
    - Hiring
    - Firing
    - Corrective measures

Page 9: Writing End-User Policies

- Compliance
  - Group that monitors employee actions
  - Follows through with corrective measures
  - Assists in writing enforceable policies
  - Ensures that written policies can be made compulsory

Page 10: Writing End-User Policies

- User groups
  - Facilitate prioritization
  - Should provide focus for business goals
- Understandable
  - Compliance relies on the ability to understand

Page 11: Impacts of User Policy

- Establish logical controls to prevent unauthorized access
  - Identify authorized users
  - Define access to resources
  - Create audit trails
- Should aid in defending against intrusion
- Enhance resiliency

Page 12: Impacts of User Policy

- Assist in discouraging misuse of company resources
  - Browsers
  - Net access
  - Games
- Software piracy
  - Under-reporting installations
  - Making unauthorized copies
  - Legal and economic issues

Page 13: Impacts of User Policy

- Assist in discouraging misuse and theft of company resources
  - Personal computers
  - Library resources
  - Telephones and wireless communication
  - Copiers
  - Office supplies

Page 14: Impacts of User Policy

- User keys/passwords
  - Typically associated with a password (e.g. PGP, hard-disk encryption, etc.)
  - Dictates rules for end-users when creating passwords
  - Critical policy

Page 15: Impacts of User Policy

- Establishes best practices (varies case by case)
- Procedures (forgotten password, suspected compromise, etc.)
- Equivalent treatment for ALL.

Page 16: Impacts of User Policy

- Dealing with e-mail
  - Recognized method of communication within organizations, as well as a new vehicle for external communication
  - More tangible than voice mail and faster than paper mail
  - User groups will list it high on their priorities

Page 17: Impacts of User Policy

- Similar guidelines to Internet use
- All e-mails remain the property of the organization (no expectation of privacy) - inform end-users
- Duration of retention (check with local laws)

Page 18: Impacts of User Policy

- Professional conduct
- Using company e-mail for personal usage? All work-related issues?
- Define explicitly what is unacceptable and prohibited
- Web-based e-mail?


Page 21: Other User Policy Issues

- Contractors/consultants and vendors?
- Media and law enforcement?
- External end-users (e.g. event attendees, etc.)
- Procedures for exceptions

Page 22: Other User Policy Issues

- Remote access
  - Within the network?
  - Requirement of job function?
  - Logical extension of the organization's network – implications?
  - Security
  - Office-issued equipment

Page 23: Final Thoughts

- User policy must reflect the organizational culture
- Must be comprehensive, understandable, and enforceable
- Sets the foundation for the entire security environment