1 User Policy (slides from Michael Ee and Julia Gideon)
Transcript of 1 User Policy (slides from Michael Ee and Julia Gideon)
1
User Policy
(slides from Michael Ee and Julia Gideon)
2
What are End-User Policies?
Gives users rules that they must follow as end-users of a particular system
Covers all information security topics that end-users need to know for:
  Compliance
  Implementation
3
What are End-User Policies?
Sets 'expected behavior' by users
Single resource for system users
Supports organization's governing policies
Closely aligned with existing and future HR policies for all employees
Important to the mission, value, and culture of a company
All associates 'on the same page'
4
Why are End-User Policies Important?
Sets expectations
Foundation for security environment
Human error is one of the major security challenges
  Security versus usability
  Workarounds by employees
  Unfamiliar with computer system
5
Why are End-User Policies Important?
Very Strict Policies
  Use of assets only for company business
  Can create climate of distrust
Very Lenient Policies
  Organization loses money in terms of equipment and resources
6
Why are End-User Policies Important?
"Acceptable behavior" is ambiguous
Information Security is a new field
End-user policies help decrease ambiguity
7
Writing End-User Policies
Address the 'what' aspect of security policy in more detail
Give rationale for policies
Separate background information
Consult during development phase
  Human Resources
  Compliance/Audit
  User groups
8
Writing End-User Policies
Human Resources
  Assists in making sure that overlapping policies agree
    Hiring
    Firing
    Corrective Measures
9
Writing End-User Policies
Compliance
  Group that monitors employee actions
  Follows through with corrective measures
  Assists in writing enforceable policies
    Ensures that written policies can be made compulsory
10
Writing End-User Policies
User Groups
  Facilitates prioritization
  Should provide focus for business goals
Understandable
  Compliance relies on the ability to understand
11
Impacts of User Policy
Establish logical controls to prevent unauthorized access
  Identify authorized users
  Define access to resources
  Create audit trails
Should aid in defending upon intrusion
Enhance resiliency
12
Impacts of User Policy
Assist in discouraging misuse of company resources
  Browsers
  Net access
  Games
Software Piracy
  Under-reporting installations
  Making unauthorized copies
  Legal and economic issues
13
Impacts of User Policy
Assist in discouraging misuse and theft of company resources
  Personal computers
  Library resources
  Telephones and wireless communication
  Copiers
  Office Supplies
14
Impacts of User Policy
User Keys/Passwords
  Typically associated with a password (e.g. PGP, hard disk encryption etc)
  Dictates rules for end-users when creating passwords
  Critical policy
15
Impacts of User Policy
Establishes best practices (varies case by case)
Procedures (forgotten password, suspected compromise etc)
Equivalent treatment to ALL.
16
Impacts of User Policy
Dealing with E-mail
  Recognized method of communication within organizations as well as a new vehicle for external communication
  More tangible than voice mail and faster than paper mail
  User groups will list it high on priorities
17
Impacts of User Policy
Similar guidelines to Internet
All emails remain property of organization (no expectation of privacy) - inform end-users
Duration of retention (check with local laws)
18
Impacts of User Policy
Professional conduct
Using company email for personal usage? All work-related issues?
Define explicitly what is unacceptable and prohibited
Web-based email?
21
Other User Policy Issues
Contractors/consultants and vendors?
Media and law-enforcement?
External end-users (e.g. event attendees etc)
Procedures for exceptions
22
Other User Policy Issues
Remote Access
  Within network?
  Requirement of job function?
  Logical extension of organization network – implications?
  Security
  Office-issued equipment
23
Final Thoughts
User policy must reflect the organizational culture
Must be comprehensive, understandable, and enforceable
Sets the foundation for the entire security environment