Published by Jeremy Baldwin. Modified over 9 years ago.
Slide 1: User Policy (slides from Michael Ee and Julia Gideon)

Slide 2: What are End-User Policies?
- Gives users rules that they must follow as end-users of a particular system
- Covers all information security topics that end-users need to know for:
  - Compliance
  - Implementation

Slide 3: What are End-User Policies?
- Sets 'expected behavior' by users
- Single resource for system users
- Supports the organization's governing policies
- Closely aligned with existing and future HR policies for all employees
- Important to the mission, values, and culture of a company
- All associates 'on the same page'

Slide 4: Why are End-User Policies Important?
- Sets expectations
- Foundation for the security environment
- Human error is one of the major security challenges:
  - Security versus usability
  - Workarounds by employees
  - Users unfamiliar with the computer system

Slide 5: Why are End-User Policies Important?
- Very strict policies
  - Use of assets only for company business
  - Can create a climate of distrust
- Very lenient policies
  - Organization loses money in terms of equipment and resources

Slide 6: Why are End-User Policies Important?
- "Acceptable behavior" is ambiguous
- Information security is a new field
- End-user policies help decrease ambiguity

Slide 7: Writing End-User Policies
- Address the 'what' aspect of the security policy in more detail
- Give the rationale for policies
- Separate background information
- Consult during the development phase:
  - Human Resources
  - Compliance/Audit
  - User groups

Slide 8: Writing End-User Policies
- Human Resources
  - Assists in making sure that overlapping policies agree:
    - Hiring
    - Firing
    - Corrective measures

Slide 9: Writing End-User Policies
- Compliance
  - Group that monitors employee actions
  - Follows through with corrective measures
  - Assists in writing enforceable policies
  - Ensures that written policies can be made compulsory

Slide 10: Writing End-User Policies
- User groups
  - Facilitate prioritization
  - Should provide focus for business goals
  - Understandable: compliance relies on the ability to understand

Slide 11: Impacts of User Policy
- Establish logical controls to prevent unauthorized access:
  - Identify authorized users
  - Define access to resources
  - Create audit trails
- Should aid in defending upon intrusion
- Enhance resiliency

Slide 12: Impacts of User Policy
- Assist in discouraging misuse of company resources:
  - Browsers
  - Net access
  - Games
- Software piracy:
  - Under-reporting installations
  - Making unauthorized copies
  - Legal and economic issues

Slide 13: Impacts of User Policy
- Assist in discouraging misuse and theft of company resources:
  - Personal computers
  - Library resources
  - Telephones and wireless communication
  - Copiers
  - Office supplies

Slide 14: Impacts of User Policy
- User keys/passwords
  - Typically associated with a password (e.g. PGP, hard disk encryption, etc.)
  - Dictates rules for end-users when creating passwords
  - Critical policy

Slide 15: Impacts of User Policy
- Establishes best practices (varies case by case)
- Procedures (forgotten password, suspected compromise, etc.)
- Equivalent treatment for ALL

Slide 16: Impacts of User Policy
- Dealing with e-mail
  - Recognized method of communication within organizations as well as a new vehicle for external communication
  - More tangible than voice mail and faster than paper mail
  - User groups will list it high on their priorities

Slide 17: Impacts of User Policy
- Similar guidelines to the Internet
- All e-mails remain the property of the organization (no expectation of privacy); inform end-users
- Duration of retention (check with local laws)

Slide 18: Impacts of User Policy
- Professional conduct
  - Using company e-mail for personal usage? All work-related issues?
  - Define explicitly what is unacceptable and prohibited
  - Web-based e-mail?

Slide 19

Slide 20

Slide 21: Other User Policy Issues
- Contractors/consultants and vendors?
- Media and law enforcement?
- External end-users (e.g. event attendees, etc.)
- Procedures for exceptions

Slide 22: Other User Policy Issues
- Remote access
  - Within the network?
  - Requirement of the job function?
  - Logical extension of the organization's network: implications?
  - Security
  - Office-issued equipment

Slide 23: Final Thoughts
- User policy must reflect the organizational culture
- Must be comprehensive, understandable, and enforceable
- Sets the foundation for the entire security environment