Security Policies and Procedures for users
Security policies & procedures are a set of written documents that describe exactly how a safe and secure working PC environment is to be created and also maintained inside an organization. You normally have various parts of this policy included in your contract, when you are employed in a new job.
Acceptable use policy.
The acceptable use policy describes the guidelines that users have to follow, so that they use the PCs and the networks, and data appropriately. Acceptable use policy explains which activities are permitted and which are prohibited. There are some guidelines included in an acceptable use policy:
• Users should not take part in activities that will cause damage to the image of the company.
• Users should not take part in computer activities that may consume network resources beyond their limits.
• Users must follow the rules that restricts any visits to web sites and certain email attachments, and programs.
• Users should make sure any confidential documents that are used or printed, are not taken out of the company, and destroyed appropriately.
• Users should never transfer any classified or confidential company information over the Internet.
Due care policy.
A due care policy will describe how the employees should use the computer hardware and the software safely. Since any computer equipment and software bought are expensive, employees need to be given guidelines on how to use them properly. An effort should also be made to protect the integrity of all data by using a regular virus scan. An example of due care in protecting the users operating systems is to use the Shut Down feature correctly instead of just hitting the main power switch. Users must also follow manufacturers guidelines when using any type of equipment.
Separation of duties policy.
The separation of duties policy ensures that any critical tasks are not assigned to just a single person. These tasks are meant to be divided among two or more persons so that no single person can stop the overall completion of the critical tasks are not left to one person. This is also a great way to enforce security, since all the employees who will be involved in the critical task, should not have all the information to purposely enforce this security. The senior supervisors and managers, should break up the duties among their subordinates and they should be responsible for the coordination among them.
need to know policy.
The need to know policy dictates that an employee should be given only as much information as they require to perform their job functions to the fullest of their capabilities. Giving too much information to employees can result in the inappropriate handling of information and data, and even its leakage to competitors. If any employee needs more information than what they are authorized to use, then a written request to their supervisor must be submitted. This ensures that permission to use the classified data is in the control of supervisors and the managers. A company will try to protect the confidential information by having the employees sign a non-disclosure agreement at the time of hiring.
Password management policy.
A password management policy will describe how an employee should manage their passwords safely. A password is the employee’s key to gaining access to the companies resources that are stored on computers. If you don't have a good password policy, employees might make their passwords weak or even disclose them to unauthorized people. Professional hackers can easily exploit a companies confidential resources by guessing passwords that are insecure. Some recommended elements are:
• Employees should not use blank passwords.
• Passwords must be at least eight characters long., and made up of a combination of upper and lowercase letters, and numbers.
• Employees should be forced to change their passwords on a regular basis, which can be done automatically by the network administrator.
• Employees should be discouraged from reusing their old passwords.
• Even an administrator should use a normal user account when they are not performing any administrative tasks.
Service Level Agreements (SLA).
An SLA is an agreement between a company and a third party or supplier that is providing critical services to the company. SLAs will usually describe the expected level of performance and confidentiality within the company. This is important for self employed temporary staff, who might be hired complete certain key network, or data duties. The SLA can also be used inside a company to describe exactly what they expect from their IT employees and what procedures they should follow to perform their duties. SLAs will often include information on the maximum allowed downtime of the network and computer systems.