
User Policy


jminter
Presentation Transcript


  1. User Policy (slides from Michael Ee and Julia Gideon)

  2. What are End-User Policies? • Gives users rules that they must follow as end-users of a particular system • Covers all information security topics that end-users need to know for: • Compliance • Implementation

  3. What are End-User Policies? • Sets ‘expected behavior’ by users • Single resource for system users • Supports organization’s governing policies • Closely aligned with existing and future HR policies for all employees • Important to the mission, value, and culture of a company • All associates ‘on the same page’

  4. Why are End-User Policies Important? • Sets expectations • Foundation for security environment • Human error is one of the major security challenges • Security versus usability • Workarounds by employees • Unfamiliar with computer system

  5. Why are End-User Policies Important? • Very Strict Policies • Use of assets only for company business • Can create climate of distrust • Very Lenient Policies • Organization loses money in terms of equipment and resources

  6. Why are End-User Policies Important? • “Acceptable behavior” ambiguous • Information Security is a new field • End user policies help decrease ambiguity

  7. Writing End-User Policies • Address the ‘what’ aspect of security policy in more detail • Give rationale for policies • Separate background information • Consult during development phase • Human Resources • Compliance/Audit • User groups

  8. Writing End-User Policies • Human Resources • Assists in making sure that overlapping policies agree • Hiring • Firing • Corrective Measures

  9. Writing End-User Policies • Compliance • Group that monitors employee actions • Follows through with corrective measures • Assists in writing enforceable policies • Ensures that written policies can be made compulsory

  10. Writing End-User Policies • User Groups • Facilitates prioritization • Should provide focus for business goals • Understandable • Compliance relies on the ability to understand

  11. Impacts of User Policy • Establish logical controls to prevent unauthorized access • Identify authorized users • Define access to resources • Create audit trails • Should aid in defense upon intrusion • Enhance resiliency

  12. Impacts of User Policy • Assist in discouraging misuse of company resources • Browsers • Net access • Games • Software Piracy • Under-reporting installations • Making unauthorized copies • Legal and economic issues

  13. Impacts of User Policy • Assist in discouraging misuse and theft of company resources • Personal computers • Library resources • Telephones and wireless communication • Copiers • Office Supplies

  14. Impacts of User Policy • User Keys/Passwords • Typically associated with password (e.g. PGP, hard disk encryption, etc.) • Dictates rules for end-users when creating passwords • Critical policy

  15. Impacts of User Policy • Establishes best practices (varies case by case) • Procedures (forgotten password, suspected compromise, etc.) • Equivalent treatment to ALL

  16. Impacts of User Policy • Dealing with E-mail • Recognized method of communication within organizations as well as a new vehicle for external communication • More tangible than voice mail and faster than paper mail • User groups will list it high on priorities

  17. Impacts of User Policy • Similar guidelines to Internet • All emails remain property of organization (no expectation of privacy) - inform end-users • Duration of retention (check with local laws)

  18. Impacts of User Policy • Professional conduct • Using company email for personal usage? All work-related issues? • Define explicitly what is unacceptable and prohibited • Web-based email?

  19. Other User Policy Issues • Contractors/consultants and vendors? • Media and law enforcement? • External end-users (e.g. event attendees, etc.) • Procedures for exceptions

  20. Other User Policy Issues • Remote Access • Within network? • Requirement of job function? • Logical extension of organization network – implications? • Security • Office-issued equipment

  21. Final Thoughts • User policy must reflect the organizational culture • Must be comprehensive, understandable, and enforceable • Set the foundation for the entire security environment
