Posted by: Yasir Irfan
Cisco, DataCenter, Microsoft Windows, Network Documentation Policy, Network Policies, Networking, Physical Security, Policies, Security
In my previous post on IT Securty Policy I did discussed about the Physical Security, now we will continue our journey and lets see what things should be considered while drafting the Human Security Policy.
“IS” CONSIDERED THE FOLLOWING:
1. Several studies and experiences indicate that employee and other persons who are authorized to be on the company premises or who are in a trusted relationship commit most computer crimes.
2. Do complete background checks before hiring someone or allowing someone access to Organisaton resources.
3. In new employee indoctrination, stress the importance of proprietary data and that any compromise of proprietary data will result in discipline, termination, or prosecution.
4. Advise departing employees that it is against the law to take proprietary material, and that you will prosecute anyone caught taking any type of proprietary information.
5. Set up an easy-to-use system that allows employees to covertly or anonymously report suspicious behavior.
6. Develop a method to combat the belief by many employees that anyone who has worked on something has a right to take a copy. This feeling of ownership occurs regardless of the signing of non-disclosure agreements and ownership/invention agreements. One of the most common criminal defenses used is that the ex employee just wanted a sample of their work.
7. Control and approve any articles written about the Organization by employees.
8. Access to information shall rise with pay and with proven loyalty.
9. Employees are responsible for immediately reporting lost, misplaced, or unaccounted for networked systems.
10. When audit policy monitoring reveals that an employee is a security risk, that employee’s access to sensitive information shall immediately be downgraded.
11. Off-Site computer usage whether at home or at other locations may only authorized by the Manager.
12. Assignment of portable systems shall be limited to those who require portability to perform their work. Portable equipment is not perquisite due to the inherent security risk and the cost of replacement.
I.S concern is
a. It must be used for business only.
b. The use for unlicensed SW way be put the Organization in critical Condition.
c. Viruses, Worms, Trojans and other malicious code can corrupt both data and the system files.
d. Theft of the portable computer exposed Organization to the threat of disclosure of sensitive data.
e. A laptop connected to any network is open to hacking and is unlikely to have any effective security features enabled. Files and data could be stolen, damaged or corrupted.
f. Where a laptop is used by several persons old/State data may still present, risking unintentional actions / reactions to inaccurate data
13. Sudden changes in Appearance that might indicate an external factor at work in the employee’s life shall be noted and monitored by security personnel. Sudden changes in lifestyle, apparent income, or attitude may necessitate a security evaluation.
14. Personnel issued with Mobile Phones by the Organization are responsible for using them in manner consistent with the confidentially level.
15. Security checks in/check out and name tags are required for all personnel on the premises. Employees shall be issued permanent badges. Visitors shall be issued temporary badges for the duration of their visit only.
16. Employees shall not have access to secret or higher systems or information for a period of ninety days from their initial employment. The purpose of this policy is to prevent the employment of spies from competing organizations.
17. Animosity, aggression, or violence towards the Organization, its assets, or its employees is an indicator of serious security risk. Audit policy shall be used to monitoring the behavior of suspect individuals without alerting them to the fact that they are under observation. Instances of sabotage or other security violations are grounds for immediate dismissal.
18. Sensitive or confidential information must not record in answer machine or voice mail.