340
A Practical Guide to Security Assessments
or away from the office. That being said, the impact to the business if a laptop is stolen can be significant. For example, a salesperson might have sensitive client information, internal pricing data, or proprietary company information, which would have a significant impact if lost or stolen. Impact should be thought of in terms of both confidentiality and availability.
Confidentiality — What is the impact if an unauthorized person gains access to sensitive information? Are there any legal ramifications or potential damage to the reputation of the company?
Availability — If the information on the laptop was not backed up to the company network or on some other media, what is the impact related to recreating the information?
Risk: Not applicable. The purpose of this question is to determine the impact if a laptop computer is lost or stolen.
Client Response:
CLEAN DESK AND SCREEN
26. Does the company have a clean desk policy and is it followed and enforced?
Does any security awareness training address a clean desk policy?
Guidance: A clean desk policy is something that should be ingrained in companies. Many employees regularly work with sensitive documents, which, if left out in the open on desks, can present a significant risk. For example, human resources personnel often deal with sensitive employee-related matters such as salaries and disciplinary issues. If documents containing this information are left unattended, unauthorized persons such as other employees or facilities maintenance people can access this information. Similar scenarios are possible in other key areas such as finance, operations, and executive management. Companies have an obligation to maintain the confidentiality of this information using a reasonable effort. If they do not, they are exposed to potential embarrassment, legal trouble, etc. A clean desk policy that is enforced can go a long way in reducing this risk.
Risk: Without a clean desk policy, a risk exists of confidential information being exposed to unauthorized individuals, embarrassment for the company, and potential legal troubles.
Client Response:
AU1706_book.fm Page 340 Tuesday, August 17, 2004 11:02 AM
Appendix H
341
27. When unattended, are computers protected with screen saver passwords
or other measures? Does any security awareness training address locking
down computers and using screen saver passwords?
Guidance: Using screen saver passwords when computers are left unattended is an easy way to reduce the risk of unauthorized individuals viewing confidential information. Ideally, this should be a part of an overall security awareness program and be something that everyone does. Periodic enforcement of the use of screen saver passwords is also very helpful.
Risk: Without screen saver passwords, there is an increased risk of confidential information being exposed to unauthorized individuals.
Client Response:
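Verifying the answer to question 27 on a sample of Windows workstations is straightforward, because the screen saver lock is expressed as a handful of registry values. The script below is an added example for this guide, not part of the original questionnaire: it reads the per-user screen saver settings, checks whether Group Policy overrides them (a policy value, when present, wins over the user's own setting), and flags the cases an assessor cares about. The registry paths and value names (ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut) are the standard Windows ones; the 15-minute idle threshold is an assumption and should be replaced with the client's own policy figure. It must be run in the context of the user being assessed, since the values are per user.

```powershell
# Added example: audit the Windows screen saver lock behind question 27.
# Reads the user's own settings and any Group Policy override, then reports
# findings. Threshold is an assumption for this example, not a book value.
param([int]$MaxTimeoutSeconds = 900)   # 15 minutes; set to the client's policy

$userKey   = 'HKCU:\Control Panel\Desktop'
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Get-RegValue($Path, $Name) {
    # Return the value, or $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-EffectiveSetting($Name) {
    # A policy value, when present, overrides the user's own setting.
    $v = Get-RegValue $policyKey $Name
    if ($null -ne $v) { return @{ Value = $v; Source = 'Policy' } }
    $v = Get-RegValue $userKey $Name
    return @{ Value = $v; Source = 'User' }
}

$active  = Get-EffectiveSetting 'ScreenSaveActive'     # '1' = screen saver on
$secure  = Get-EffectiveSetting 'ScreenSaverIsSecure'  # '1' = password on resume
$timeout = Get-EffectiveSetting 'ScreenSaveTimeOut'    # idle time in seconds

$findings = @()
if ($active.Value -ne '1') { $findings += 'Screen saver is not enabled' }
if ($secure.Value -ne '1') { $findings += 'Screen saver does not require a password on resume' }
if (-not $timeout.Value -or [int]$timeout.Value -gt $MaxTimeoutSeconds) {
    $findings += "Idle timeout ($($timeout.Value)s) is unset or exceeds $MaxTimeoutSeconds s"
}
if ($secure.Source -ne 'Policy') {
    # The user can switch the lock off; this is the 'is it enforced' part of the question.
    $findings += 'Password requirement is user-configurable, not enforced by Group Policy'
}

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    User                = $env:USERNAME
    ScreenSaveActive    = $active.Value
    ScreenSaverIsSecure = $secure.Value
    TimeoutSeconds      = $timeout.Value
    EnforcedByPolicy    = ($secure.Source -eq 'Policy')
    Findings            = if ($findings) { $findings -join '; ' } else { 'Compliant' }
}
```

Run it on a handful of machines from different departments and compare the output with what the client's policy states. A result of "Compliant" with EnforcedByPolicy set to False is worth noting in the assessment: the lock is on, but only because the user has not turned it off. macOS and Linux desktops keep the equivalent settings elsewhere and need their own check.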
28. If sensitive information is printed, is there a process to ensure that these
documents are cleared from the printer immediately?
Guidance: It is very common for personnel to send documents to print and forget to pick them up because something came up. The documents can be taken or simply read by anyone, including other employees within a company or after-hours facilities maintenance personnel. If the documents contain sensitive information, this can be a problem. In some cases, there may be certain printers where this is a more significant issue; some examples include printers where:
• Financial data is printed.
• Executives print documents.
• Human resources prints employee-related information.
The burden of ensuring that documents are picked up from printers falls on the users, and this should be incorporated in an awareness agenda. This is also something that can be in a policy, thereby making individual employees accountable for what they print.
Risk: If documents are not picked up from printers in a prompt fashion, a risk of exposure of sensitive or confidential information exists.
Client Response: