Workplace Security Policies and Examples Flashcards
Note-worthy Premises
When creating an Access Control Policy, you are not only attempting to restrict the access of individuals, but services as well.
Services must access other services in order to properly function.
Access Control Policy
Access Control Policies are instituted in regard to what personnel and which services should retain access to what information or services w/in a network.
Remote Access Policy
Defines acceptable methods of remotely connecting to the internal network.
This sort of thing is absolutely essential in large organization where networks are geographically dispersed and extend into insecure network locations (like a coffee shop’s wifi or an unmanaged home network).
Firewall Management Policy
Defines which personnel should monitor the firewall and the ways of which they should go about doing it.
Network Connection Policy
ex. “when using a company laptop, you must always connect via VPN when going online”
Password Policy
Akin to when an organization requires that you have a password w/ 8 characters that includes letters, numbers, and symbols.
Having these sorts of requirements in place drastically decreases the likelihood of a password being cracked, being that the possible combinations become so stupidly vast.
User Account Policy
- Defines how users may be grouped up (based upon their permissions, levels of access, department, ect)
- Defines steps and requirements regarding account creation processes (also defines what permissions a user should be allowed by default once they’ve created their account)
(note this: default permissions can become a means of compromising security if not managed properly)
Information Protection Policy
- Sets the level of sensitivity for sets of information (i.e. where it lies in a list of security priorities).
- Dictates which personnel should have access to which sets of information
(similar to access control policy)
(who or what has access to what)
Special Access Policy
Grants waivers and creates custom rulings for specific scenarios for specific individuals or services.
You can create a general outline of policies to use throughout a system but it’s less rare than not to have a few oddities that’ll require specialized access policies in order to properly manage them and make certain that they remain efficient in their tasks.
Email Security Policy
Defines how personnel should interact w/ Emails and how they should behave regarding them.
ex. always verify that there is an eligible signature provided when receiving an email from a colleague, never click on a link that could redirect you to an external site or source.
Acceptable Use Policy
Defines the maximum amount of a company resource that an individual is allowed to consume (be that server space, cafeteria food, ect).
ex. an ISP provider could say “you are allowed an infinite amount of bandwidth for the next 30 days” when in reality, there is a clause that states that you are prohibited from consuming 50% of maximum potential bandwidth.
Workspace privacy polices:
These policies dictate:
- the information that is gathered in regard to employees
- what employees may share between themselves and outside the company (and more importantly, what they cannot share)
- how employees should behave in general
Primary Principles:
- inform employees regarding what information is being collected on/from them and why
- collect only necessary information
- obtain consent before using collected employee information
- allow employees to access their information at any time
- keep the collected information secure
(note that you should always remain certain that the information being collected on you is not being misused.
Honestly, you can practically expect to be taken advantage of at some point, just always remain wary)
(in the US, our laws are impressively loose in regards to this subject)
(In Europe, the laws are much, much stricter. You won’t normally go to prison for breaking laws regarding information collection, but there are some pretty extreme financial fines)
