Items Commonly Found in the User Domain

The User Domain contains several common items or components. You should consider each component when evaluating activities for compliance. People and documentation are the most common items in the User Domain. Each of these two broad categories includes several smaller types of items with unique characteristics. The following are different types of people in the User Domain:

  • Employees—This group has the greatest stake in the organization. Most long-term employees feel a greater sense of responsibility toward their employer than shorter-term personnel do. Employees generally have more privileges and access to organization resources. Although you can trust most employees, an unethical employee can cause substantial damage because of access to information and knowledge of the organization.

  • Contractors—Contractors may bring specialized skills to an organization, but they also pose potential risks. Because contractors may have access to sensitive information, you must monitor them and give them only enough access to do their jobs. Contractors may be less loyal to the organization than employees are because their employment is limited in duration. For all these reasons, contractors present a greater risk of security violations.

  • Guests/third parties—Other parties might have no duties related to sensitive information but might still have access to an organization’s network. Many organizations commonly provide Internet access to visitors. You should use strict controls to ensure guests do not have access to any sensitive information.

Figure 8-3 illustrates items commonly found in the User Domain.

FIGURE 8-3 Common Documentation Items in the User Domain

The User Domain contains more than just people. People who are resources for an organization must have formal direction for how they carry out activities, and those activities should support business goals. To determine whether an action is acceptable or unacceptable, you need a collection of documents that outlines which activities support business goals. The User Domain therefore also needs documented policies to direct the actions of people. The following are distinct types of documentation in the User Domain that affect compliance:

  • Human resources (HR) manuals—HR acquires and manages an organization’s personnel. Personnel management includes security awareness and education. Because many security incidents involve users, it is important to provide written documentation of an organization’s policies and procedures. HR manuals provide information on how people within an organization should conduct themselves in any situation.

  • IT asset acceptable use policies (AUPs)—AUPs provide guidance for personnel on the proper use of resources. They also define what constitutes improper use. An IT asset AUP covers the use of all IT assets, such as computers, wireless access points, networks, and printers.

  • Internet AUPs—Internet AUPs define proper and improper use of an organization’s Internet access.

  • Email AUPs—Email AUPs define proper and improper use of an organization’s email capability.

A solid basis for compliant activity requires a well-organized User Domain with clear roles and expectations. In the following sections, you will learn about important concepts to build a secure environment of compliant behavior.
