5.1 Explain the importance of policies, plans and procedures related to organizational security.
job rotation
Job rotation serves two functions: it provides a type of knowledge redundancy, and moving personnel around reduces the risk of fraud, data modification, theft, sabotage, and misuse of information.
mandatory vacations
Mandatory vacations of one to two weeks are used to audit and verify the work tasks and privileges of employees. This often results in detection of abuse, fraud, or negligence.
NDA
An NDA (nondisclosure agreement) is a contract that prohibits specific confidential, secret, proprietary, and/or personal information from being shared or distributed outside of a specific prescribed set of individuals or organizations.
Acceptable Use Policy
An acceptable use policy defines what is and what is not an acceptable activity, practice, or use for company equipment and resources.
exit interviews
An exit interview is a controlled and respectful process of termination or employee firing. The goal of an exit interview is to control the often emotionally charged event of a termination in order to minimize property damage, information leakage, or other unfortunate or embarrassing occurrences.
ISAs
An interconnection security agreement (ISA) is a formal declaration of the security stance, risks, and technical requirements of a link between two organizations' IT infrastructures.
security
Education means security training, usually focused on teaching a user to perform their work tasks securely. Security education is broader and has the ultimate goal of certification.
BPAs
A business partners agreement (BPA) is a contract between two entities, dictating their business relationship.
clean-desk policy
A clean-desk policy is used to instruct workers how and why to clean off their desks at the end of each work period.
MOUs
A memorandum of understanding (MOU) is an expression of agreement or aligned intent, will, or purpose between two entities.
security policy
A security policy is the overall purpose and direction of security in an environment, as well as the detailed procedural documents that indicate how various activities are to be performed in compliance with security.
SLAs
A service-level agreement (SLA) is a contract between a supplier and a customer.
SOP
A standard operating procedure (SOP) is an organizational policy that provides detailed or granular step-by-step instructions to accomplish a specific task. The goal of an SOP is to improve consistency in worker activities, especially as related to performance and security compliance.
role-based training
Role-based training involves teaching employees to per form their work tasks and to comply with the security policy.
importance of separation of duties
Separation of duties is the division of administrator or privileged tasks into distinct groupings, with each group in turn assigned to unique administrators. The application of separation of duties results in no single user having complete access to or power over an entire network, server, or system.
security implications of integrating systems and data with third parties
Whenever a third party is involved in your IT infrastructure, there is an increased risk of data loss, leakage, or compromise. The security implications of integrating systems and data with third parties need to be considered carefully before implementation.
background checks
Background checks are used to verify that a worker is qualified for a position but not disqualified.
user habits
Implementing proper security involves using technology but also mandates the modification of user behaviors. If personnel do not believe in and support security, they are often opposed to the best security efforts of the organization. This includes addressing the issues of password behaviors, data handling, clean-desk policies, preventing tailgating, and personally owned devices
interoperability agreements
Interoperability agreements are formal contracts (or at least written documents) that define some form of arrangement where two entities agree to work with each other in some capacity.
user awareness
User awareness is an effort to make security a common and regular thought for all employees. Unfortunately, user security awareness is generally the most overlooked element of security management. The lack of security awareness is the primary reason social engineering attacks succeed.