Security Policies and Procedures

To ensure that disaster recovery planning is managed and maintained, it is important to establish clear and detailed security policies that are ratified by an organization's management and brought to the attention of its users. Policies of which the users have no knowledge are rarely effective, whereas those that lack management support may prove to be unenforceable. Security policy planning details many areas, including the following:

  • Risk assessment The security policy team must perform a detailed risk assessment to determine the scope of assets to be protected by the policies, along with the identification of users and vendors who must abide by these policies.

  • Security Considerations must include the specification of physical security requirements, network security planning details such as equipment and protocol specifications, and a detailed agreement of approved software that may be installed within the network, including provisions for testing and approving new software packages.

  • Acceptable use Details must be provided that specify what users may do with their network access, from email and instant messaging usage for personal purposes through limitations on access times and the storage space available to each user. It is important to provide users the least possible access rights while still allowing them to fulfill legitimate actions.

  • Compliance Policy planning must include detailed sanctions that may be imposed in the event of a violation of each security policy. Sanctions must have management approval and support and may include measures ranging from loss of network privileges to legal action, depending on the severity of the breach.

Additional considerations that may be required by security policy planning might include the following:

  • Due care Due care is based on best practices and what a prudent organization would do in a similar case. In other words, it involves doing the right thing and acting responsibly.

  • Privacy Users and administrators must be made aware of privacy issues that may arise, including adequate notice of access rights claimed by the organization over file, email, and instant messaging traffic within the organization's network.

  • Separation of duties It is important to include a separation of duties when planning for security policy compliance. Without a clear separation between review tasks, all areas of access control and compliance review may be left in the hands of a single individual to whom the check-and-balance process has not been applied. The loss of a key individual may also pose difficulties if planning for assumption of duties is not performed. This policy might include such details as the identification of which group is responsible for applying security hotfixes and which is responsible for updating data records in an organization's database. Another method used to separate duties is data aggregation, which is the process of combining separate pieces of data that by themselves may be of no use, but when they're combined with other bits of data, they provide greater understanding.

  • Need to know The nature of network data access includes the possibility for broad distribution of all possible data, which may place an organization's data and trade secrets at risk. Users should only have access to the resources and information necessary to perform their roles. Any request to access information must be justified. Just because the information is there doesn't necessarily mean a user should have access to it; he should only have access to the information he needs to know.

  • Password management Weak passwords pose many security risks that may be exploited by an attacker. It is important that password duration and complexity requirements are established and that users are made aware of these requirements along with the reasons why they exist. Regular review of existing passwords using auditing tools is also important in order to ensure that users are in compliance with these policies.

  • Disposal and destruction Outdated or failed hardware and discarded reporting may often be exploited by attackers to obtain access to a network. Dumpster-diving and other forms of access to discarded materials are common during tiger team assessments to identify user account details, potential security flaws, and details of backup and recovery planning. Many businesses require shredding of all documents and security-erasure of storage media before they may be discarded.

  • Human Resource policies Security planning must include procedures for the creation and authorization of accounts for newly hired personnel as well as the planned removal of privileges following employment termination. When termination involves power users who enjoy high levels of access rights or knowledge of service administration account passwords, it is critical to institute password and security updates to exclude known avenues of access while also increasing security monitoring for possible reprisals against the organization. The hiring process should also include provisions for making new employees aware of acceptable use and disposal policies, along with the sanctions that may be enacted if violations occur. An organization should also institute a formal code of ethics to which all employees should subscribe, particularly power users with broad administrative rights.

  • Incident response Incident response planning policies should be documented, including the identification of required forensic and data-gathering procedures along with proper reporting and recovery procedures for each type of security-related incident.

Note: Users must be made aware of security policies, potential methods of social engineering attacks, and expectations for disposal and proper use to minimize potential weaknesses in network security. Without this education and regular testing and reminders, users may fail to perform simple tasks that can be exploited to grant an attacker access to your network.


Security+ Exam Cram 2 (Exam SYO-101)
ISBN: 0789729105
Year: 2005
Pages: 162