Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines

Workstation Domain computers and devices are often the most visible components to users. The majority of users access an organization’s applications and information using Workstation Domain computers. That means Workstation Domain computers and devices tend to interact with users a lot. Many security issues result from user errors and can be addressed with proper training. However, training can address only some of the security issues related to users. Eventually, an untrained, unmotivated, or careless user will violate security policy and will perform an action that causes a security incident. The incident might be large, or it might be very small and unimportant. Regardless, it is important to employ multiple layers of controls to ensure security does not rely on any single control. Even organizations with very effective training programs encounter problems that users create.

A solid security policy should define multiple layers of controls working together to keep your information secure. Your security policy should direct security activities and state standards that maintain compliance with legislation, regulations, and any other requirements. Following procedures and guidelines should always result in fulfilling your security policy as well as any other organizational policies.

Periodically, an organization should assess its adherence. To accomplish this, an organization can perform a gap analysis to determine what holes might exist in how it enforces the security policy. Specifically, the organization can compare the present situation with the desired situation. Once identified, the gap between the two is used to create actionable tasks.

Procedures define the steps necessary to fulfill the intent of the security policy. The Workstation Domain procedures can cover many aspects of maintaining computers and devices but should include the following:

  • Change password procedure

  • Logon/logoff procedure

  • Backup procedure, including handling backup media

  • Recovery procedure

  • Update operating system and application software procedure

  • Maintain private data procedure

  • Malware alert procedure

  • Grant/deny object access procedure

Procedures provide the step-by-step instructions for fulfilling the security policy but cannot include every variable. Sometimes, you have to make decisions based on the information at hand. In these cases, guidelines can help you make decisions that still comply with your security policy and any other organizational policies. Workstation Domain guidelines can include the following:

  • Strong password guideline

  • Document-naming guideline

  • Printer use guideline

  • Software installation guideline

  • Handling backup media guideline

  • Internet use guideline

Use operating system controls whenever possible to enforce Workstation Domain policies. These controls will not fulfill all aspects of the security policy, but they will provide a solid foundation for ensuring your information’s security. Controls you will find in most current operating systems include the following:

  • General object access permissions

  • Shared object access permissions

  • Private object access permissions

  • Printer permissions

  • Audit logging settings

  • Authentication requirements

  • User rights

Taken together, policies, procedures, and guidelines provide the instructions and limits that enable your users to comply with your security policy when using components of the Workstation Domain. Even though you design and deploy controls to limit user actions, you still should deploy additional controls to detect noncompliant behavior. Use your operating system’s access audit logging features to keep log files of interesting object access requests. Carefully consider which objects you want to audit. Auditing access requests for all objects will slow your computers down and waste disk space. Identify the objects that contain sensitive or private information and enable audit logging for those objects.
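The advice above is to audit only the objects that hold sensitive or private data, then read the resulting log for the requests that matter. The following added example (not from the textbook) shows that idea on a Linux host using auditd watch rules: one rule per sensitive directory, each tagged with a key so that events can be summarized per key and per user. The directory names, the `hr_records` key, and the audit log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the textbook): targeted audit rules plus a small
# summary over audit log lines. Paths, the rule key and the sample log
# lines are constructed for illustration.

# Emit auditd watch rules for selected sensitive directories only, rather
# than auditing every object. -p wa = log writes and attribute changes;
# -k tags matching events so they can be searched and summarized by key.
write_audit_rules() {
    key="$1"; shift
    for path in "$@"; do
        printf '%s\n' "-w $path -p wa -k $key"
    done
}

# Constructed sample lines in Linux audit log format (fields abbreviated).
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.100:101): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 key="hr_records"
type=SYSCALL msg=audit(1700000000.200:102): arch=c000003e syscall=257 success=no exit=-13 auid=1002 uid=1002 key="hr_records"
type=SYSCALL msg=audit(1700000000.300:103): arch=c000003e syscall=257 success=yes exit=4 auid=1001 uid=1001 key="finance"
type=SYSCALL msg=audit(1700000000.400:104): arch=c000003e syscall=257 success=no exit=-13 auid=1002 uid=1002 key="hr_records"'

# Count events per (key, auid, success) from audit log text on stdin.
# Output lines: key auid success count, sorted so runs compare cleanly.
summarize_audit() {
    awk '{
        k=""; a=""; s="";
        for (i=1; i<=NF; i++) {
            if ($i ~ /^key=/)     { k=$i; sub(/^key="?/, "", k); sub(/"$/, "", k) }
            if ($i ~ /^auid=/)    { a=substr($i, 6) }
            if ($i ~ /^success=/) { s=substr($i, 9) }
        }
        if (k != "") c[k " " a " " s]++
    } END { for (e in c) print e, c[e] }' | sort
}

# Number of denied (success=no) accesses for one key, read from stdin.
# A rising count for a sensitive key is the kind of signal worth reviewing.
denied_count_for_key() {
    summarize_audit | awk -v key="$1" '$1 == key && $3 == "no" { n += $4 } END { print n + 0 }'
}

# Stand-alone use: print the rules, then the summary of the sample lines.
write_audit_rules hr_records /srv/hr /srv/hr/payroll
printf '%s\n' "$SAMPLE_LOG" | summarize_audit
```

The rules would normally be placed in a file under `/etc/audit/rules.d/` and loaded with the audit tooling; the summary functions read whatever audit log text is piped into them, so they work equally on the constructed sample above and on an exported log file.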

A second useful technique during an audit is to compare a snapshot, or baseline, of a computer or device as it currently appears with a baseline from a previous point in time. Any differences between baselines could indicate unintended changes and possible vulnerabilities. Your audit plan should include procedures to create periodic baselines that you can use to detect unwanted changes to your computers and devices. A baseline can contain many types of information, but should include the following:

  • Users and settings

  • Groups and members

  • File list with access permissions

  • Access control lists

  • Configuration settings for important applications and services

  • Installed application list

  • Startup/shutdown and logon scripts or batch files

  • Network adapters and configuration

You should include any other information that describes the configuration of a specific computer. One of the easiest ways to create baselines is to include the commands that list the desired information in a script or batch file. You can compare saved output from any baseline to see configuration changes between snapshots. Creating periodic baselines supports the overall audit process to ensure compliance with stated security goals.
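As an added example (not from the textbook), the script below follows the approach just described: each command that lists part of the configuration is wrapped in a labelled section of one baseline file, and a comparison function reports which sections differ between two snapshots. It targets a POSIX-like system; the section names, the choice of commands, and the directory passed in as the sensitive-data location are assumptions made for illustration, and volatile fields (timestamps, lease timers) are deliberately dropped so two snapshots of an unchanged system compare equal.

```shell
#!/bin/sh
# Added example (not from the textbook): a baseline snapshot script and a
# section-by-section comparison. Section names and commands are assumptions.

# Each inventory command prints sorted, time-independent output so that
# differences between snapshots reflect real configuration changes.
list_users()   { cut -d: -f1,3,4,7 /etc/passwd | sort; }
list_groups()  { cut -d: -f1,3,4 /etc/group | sort; }
# Permissions, owner, group and path for every object under $1
# (names containing spaces are not handled in this illustration).
list_files()   { find "$1" -exec ls -ld {} + | awk '{print $1, $3, $4, $NF}' | sort; }
list_installed() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version}\n' | sort
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa | sort
    fi
}
list_startup() { ls /etc/init.d /etc/cron.d 2>/dev/null | sort; }
list_network() {
    if command -v ip >/dev/null 2>&1; then
        ip -o addr | awk '{print $2, $3, $4}' | sort   # interface, family, address
    else
        ifconfig -a 2>/dev/null | grep -E 'inet |ether '
    fi
}

# Write one labelled section so that a diff points at the category changed.
section() {
    label="$1"; shift
    printf '=== %s ===\n' "$label"
    "$@" 2>/dev/null
    printf '\n'
}

# Build a baseline for this host plus the sensitive directory $1, into $2.
make_baseline() {
    dir="$1"; out="$2"
    {
        section users     list_users
        section groups    list_groups
        section files     list_files "$dir"
        section installed list_installed
        section startup   list_startup
        section network   list_network
    } > "$out"
}

# Print the body of section $2 from baseline file $1.
section_body() {
    awk -v s="$2" '$0 == "=== " s " ===" {p=1; next} /^=== / {p=0} p' "$1"
}

# Compare two baselines; print the sections whose content differs.
# Exit status is 0 when they match and 1 when any section differs.
compare_baselines() {
    old="$1"; new="$2"; changed=""
    for s in $(grep '^=== ' "$old" | sed 's/^=== \(.*\) ===$/\1/'); do
        [ "$(section_body "$old" "$s")" = "$(section_body "$new" "$s")" ] || changed="$changed $s"
    done
    if [ -n "$changed" ]; then
        printf 'changed sections:%s\n' "$changed"
        return 1
    fi
    return 0
}

# Usage when run directly (no arguments: only define the functions):
#   sh baseline.sh snapshot /srv/hr baseline-2024-01-01.txt
#   sh baseline.sh compare  baseline-2024-01-01.txt baseline-2024-02-01.txt
case "${1:-}" in
    snapshot) make_baseline "$2" "$3" ;;
    compare)  compare_baselines "$2" "$3" ;;
esac
```

Running the `snapshot` form on a schedule and keeping the output files gives the periodic baselines the audit plan calls for; the `compare` form then names the categories (users, files, installed software, and so on) where something changed, which is where the follow-up investigation starts.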
