Employee Privacy Policy
Personal privacy is a cherished value closely linked to concepts of personal freedom and well being. At the same time, personal privacy parallels fundamental principles of the First Amendment to the Constitution, the most important hallmark of personal freedom, the protection of free flow of information in society.
Most organizations require personal information about their employees to carry out business goals and objectives. It is imperative that collected information is safeguarded from intentional or accidental disclosure. Increasingly, automation of personal records permits this information to be used and analyzed in ways that would reduce employee privacy without adequate safeguards.
Organizations must have policies requiring compliance with legal, regulatory, and moral safeguards relative to employee information. These policies should assure that information technologies sustain and do not erode personal information protections in the organization's use, collection, and disclosure of personal information.
It is important that organizations constantly evaluate legislative and regulatory requirements involving the collection, use, and disclosure of personal information
Policies and Procedures Involving Outsourcing
Policies and Procedures Involving Outsourcing: What Is Yours and What Is Mine?
An organization's policies and procedures must govern the interaction between the organization and outside contractors.
Instead of structuring a relationship based on the value of service they are contracted to provide, they base it on the necessity of doing business, as they are the only people who have the source code. In other cases, they have not delivered sufficient documentation for the organization's employees to maintain the system, thereby requiring their continued services. It is essentially a monopoly of one. Because the organization does not have the source code to their custom system, it has lost control of one of its critical assets. Regrettably, this condition is usually brought to the company's attention after it has already happened. The situation grows more desperate as the company is reluctant to notify its lawyers, fearing that the contracted developers might sabotage the source code by modifying it to render it useless at some time. When structuring systems development projects performed by outside contractors, these are a few policy suggestions to reduce risks:
Get the source code. Be certain to investigate the work history of the contractor, and by all means contact all professional references to ascertain if there were any past problems. The organization must ensure it receives the source code, and there are contractual arrangements with strict requirements to this effect. No excuses are acceptable. The source code must be installed according to the organization's certification and accreditation policies.
Licensing and documentation. Purchase the appropriate licenses for the source code. Businesses want to replicate the development environment exactly, having the ability to keep the code up to date during the maintenance development phase. Make certain the contractor is drafting the required documentation of effort. This documentation should be subject to inspection and audit by the organization's representatives before the product is delivered. If the organization has the resources, any agreements must permit a representative of the organization to conduct an ongoing review of the code. This inspection must also include documentation.
Confirmation. Confirm that you are going to receive what you contracted. Force a rebuild of the programs if you are not satisfied. If you have to pay for it, consider it the cost of doing business.
Secondary plan. Have in the wings a backup developer or other reliable resource familiar with the code base and system design. What if the contractor becomes disabled and is unable to complete the project?
Ownership and delivery. The organization's policy should require that the contract stipulates who is going to own what. Who owns the software? Does the organization own the software or merely a license to use it? Does the organization own the software to such an extent it may do what it wants with it? Write the contract carefully, and by all means have an attorney familiar with these issues review it before signing.
The best outcome is one of complete control where the organization has its asset with the system working as intended in the event of a problem with the developer. What does the organization have to do in the event the developer fails? Much will depend on the contract's language, your lawyer, and the developer. If you have to go to litigation in order to enforce the contract, you may not have possession of your application, and litigation takes time. By the end of legal wrangling, it is possible everyone loses.
An organization's policies and procedures must govern the interaction between the organization and outside contractors.
Instead of structuring a relationship based on the value of service they are contracted to provide, they base it on the necessity of doing business, as they are the only people who have the source code. In other cases, they have not delivered sufficient documentation for the organization's employees to maintain the system, thereby requiring their continued services. It is essentially a monopoly of one. Because the organization does not have the source code to their custom system, it has lost control of one of its critical assets. Regrettably, this condition is usually brought to the company's attention after it has already happened. The situation grows more desperate as the company is reluctant to notify its lawyers, fearing that the contracted developers might sabotage the source code by modifying it to render it useless at some time. When structuring systems development projects performed by outside contractors, these are a few policy suggestions to reduce risks:
Get the source code. Be certain to investigate the work history of the contractor, and by all means contact all professional references to ascertain if there were any past problems. The organization must ensure it receives the source code, and there are contractual arrangements with strict requirements to this effect. No excuses are acceptable. The source code must be installed according to the organization's certification and accreditation policies.
Licensing and documentation. Purchase the appropriate licenses for the source code. Businesses want to replicate the development environment exactly, having the ability to keep the code up to date during the maintenance development phase. Make certain the contractor is drafting the required documentation of effort. This documentation should be subject to inspection and audit by the organization's representatives before the product is delivered. If the organization has the resources, any agreements must permit a representative of the organization to conduct an ongoing review of the code. This inspection must also include documentation.
Confirmation. Confirm that you are going to receive what you contracted. Force a rebuild of the programs if you are not satisfied. If you have to pay for it, consider it the cost of doing business.
Secondary plan. Have in the wings a backup developer or other reliable resource familiar with the code base and system design. What if the contractor becomes disabled and is unable to complete the project?
Ownership and delivery. The organization's policy should require that the contract stipulates who is going to own what. Who owns the software? Does the organization own the software or merely a license to use it? Does the organization own the software to such an extent it may do what it wants with it? Write the contract carefully, and by all means have an attorney familiar with these issues review it before signing.
The best outcome is one of complete control where the organization has its asset with the system working as intended in the event of a problem with the developer. What does the organization have to do in the event the developer fails? Much will depend on the contract's language, your lawyer, and the developer. If you have to go to litigation in order to enforce the contract, you may not have possession of your application, and litigation takes time. By the end of legal wrangling, it is possible everyone loses.
Vendor Policies and Procedures
Vendor Policies and Procedures
The size of business operations and the uneven demand for services influence the type and amount of outsource services required. Within the business, available funds are balanced with needs, and often they are not in agreement. Service vendors outside the organization come in a variety of flavors including consultants, technical service and hardware vendors, and contract human resources. Good business sense, based on ethics and morals, is the best policy in dealing with outside vendors.
Several units within the organization come into play when selecting outside services. The organization's purchasing unit should provide information about vendors, their reliability, financial status, reputation in the business community, and whether they will be in business a year from now. This is information that should be at hand before negotiating a contract.
The legal unit must review any vendor contracts before they are signed and large amounts of capital committed. One of the more-important tasks the legal unit performs is the review of the contract's performance language where there are penalties assessed in the event the vendor fails to complete its responsibilities.
The legal units must ensure there is contract language detailing that promised services or products meet the organization's expectations. This language needs to dovetail with SDLC provisions if services or products must be certified and accredited before the contract is fulfilled. If the project involves classified materials, the legal unit is responsible for requiring and verifying that contractors have security clearances.
The organization's audit unit should be included in the contract review to see that important provisions are detailed that will require its involvement. Such details involve auditing of ongoing contract compliance by the vendor. Auditors should be involved if the vendor provides services within the provisions of the SDLC. The contract should allow the review of development procedures and the quality of the services or product.
Outsource Potentials
Following are possible areas for outsourcing efforts:
Consultant Procedures
Outsourcing consultant services can be a valuable asset if the proper relationship is developed. Consultants can just as easily be acquired or employed for all the wrong reasons. Following are several wrong reasons for contracting a consultant:
Not having clear goals and performance expectations. Having very clearly defined goals and performance expectations will permit maximum benefit to be derived from consultants.
If there is bad news for projects in trouble, let the consultant deliver it. Wrong idea. If a project is in trouble, the future of the organization's credibility may be at stake. Handle any internal project problems within the organization. Do not outsource them.
Contracting a "hired gun" from out of town to impress the locals. For some unknown reason, the distance the expert traveled, the cost of the expert, and the perception of the expert's skill set frequently impresses employees. Senior managers have an ability to be impressed with experts who have many titles behind their names. It is not unusual that a consultant came up with a solution that was the same as one developed by your own employees.
Weak senior management. Project managers lacking decisive skills will often attempt to employ consultants to make decisions for them. Consultants are contracted at the staff level of an organization. They should not be substituted for poor managers.
Outsource Vendor Selection Procedures
Choosing vendors for services, software and support, and hardware requires evaluation procedures. When a business decides it requires a vendor to submit proposals, a request for proposal letter is sent to all possible vendor candidates.
In the case of hardware, this request approach details the proposed time period, professional and financial references, hardware and hardware configuration, architecture, and requests a price quote. With software and support, a request defines the target system and asks the vendor to provide a support performance objective for a specific configuration. System operation performance requirements include systems design, configuration and architecture, types and number of users, production volume, maintenance and operation objectives, and price. Outsource service proposals should include at least the following items:
In all request for proposals, there should be a deadline by which proposals must be received by the organization to be considered viable.
Evaluating Proposals
All received vendor proposals should be analyzed in detail. There should be common elements addressing the specific proposal requirements. Organize an ad hoc committee to evaluate the submitted proposals and discuss them. Be mindful that there may be laws and regulations governing the request for proposals and their submission. Most notable are organizations requiring legal adherence of those doing business with federal, state, and local governments. Some governments have requirements where selection preference is granted to vendors doing business within municipal boundaries. In some cases, these restrictions are codified as regulations or laws, and in other cases they merely follow custom or tradition. Failing to observe such restrictions can result in protracted grievance proceedings and litigation.
The size of business operations and the uneven demand for services influence the type and amount of outsource services required. Within the business, available funds are balanced with needs, and often they are not in agreement. Service vendors outside the organization come in a variety of flavors including consultants, technical service and hardware vendors, and contract human resources. Good business sense, based on ethics and morals, is the best policy in dealing with outside vendors.
Several units within the organization come into play when selecting outside services. The organization's purchasing unit should provide information about vendors, their reliability, financial status, reputation in the business community, and whether they will be in business a year from now. This is information that should be at hand before negotiating a contract.
The legal unit must review any vendor contracts before they are signed and large amounts of capital committed. One of the more-important tasks the legal unit performs is the review of the contract's performance language where there are penalties assessed in the event the vendor fails to complete its responsibilities.
The legal units must ensure there is contract language detailing that promised services or products meet the organization's expectations. This language needs to dovetail with SDLC provisions if services or products must be certified and accredited before the contract is fulfilled. If the project involves classified materials, the legal unit is responsible for requiring and verifying that contractors have security clearances.
The organization's audit unit should be included in the contract review to see that important provisions are detailed that will require its involvement. Such details involve auditing of ongoing contract compliance by the vendor. Auditors should be involved if the vendor provides services within the provisions of the SDLC. The contract should allow the review of development procedures and the quality of the services or product.
Outsource Potentials
Following are possible areas for outsourcing efforts:
- Operations that are difficult to staff and manage
- Providing special skills not available within the organization
- Reducing internal operation costs by not having to develop skills that will be used infrequently
- Delivering system improvements or benefits more quickly than can be performed internally
Consultant Procedures
Outsourcing consultant services can be a valuable asset if the proper relationship is developed. Consultants can just as easily be acquired or employed for all the wrong reasons. Following are several wrong reasons for contracting a consultant:
Not having clear goals and performance expectations. Having very clearly defined goals and performance expectations will permit maximum benefit to be derived from consultants.
If there is bad news for projects in trouble, let the consultant deliver it. Wrong idea. If a project is in trouble, the future of the organization's credibility may be at stake. Handle any internal project problems within the organization. Do not outsource them.
Contracting a "hired gun" from out of town to impress the locals. For some unknown reason, the distance the expert traveled, the cost of the expert, and the perception of the expert's skill set frequently impresses employees. Senior managers have an ability to be impressed with experts who have many titles behind their names. It is not unusual that a consultant came up with a solution that was the same as one developed by your own employees.
Weak senior management. Project managers lacking decisive skills will often attempt to employ consultants to make decisions for them. Consultants are contracted at the staff level of an organization. They should not be substituted for poor managers.
Outsource Vendor Selection Procedures
Choosing vendors for services, software and support, and hardware requires evaluation procedures. When a business decides it requires a vendor to submit proposals, a request for proposal letter is sent to all possible vendor candidates.
In the case of hardware, this request approach details the proposed time period, professional and financial references, hardware and hardware configuration, architecture, and requests a price quote. With software and support, a request defines the target system and asks the vendor to provide a support performance objective for a specific configuration. System operation performance requirements include systems design, configuration and architecture, types and number of users, production volume, maintenance and operation objectives, and price. Outsource service proposals should include at least the following items:
- Professional and financial references
- Objective of delivered services
- Security requirements
- Services delivery schedule
- Documentation
- Pricing
In all request for proposals, there should be a deadline by which proposals must be received by the organization to be considered viable.
Evaluating Proposals
All received vendor proposals should be analyzed in detail. There should be common elements addressing the specific proposal requirements. Organize an ad hoc committee to evaluate the submitted proposals and discuss them. Be mindful that there may be laws and regulations governing the request for proposals and their submission. Most notable are organizations requiring legal adherence of those doing business with federal, state, and local governments. Some governments have requirements where selection preference is granted to vendors doing business within municipal boundaries. In some cases, these restrictions are codified as regulations or laws, and in other cases they merely follow custom or tradition. Failing to observe such restrictions can result in protracted grievance proceedings and litigation.
Network Vulnerability Assessment Policies
Network Vulnerability Assessment Policies: Why Am I Hearing about My Network Leaking Sensitive Information on the News?
Every organization contains risks, ranging from finance to procurement. Given the risks in doing business through the Internet, it is surprising how many businesses are not finding more ways to enable safeguards and protect their critical assets
Frequently, there is one technique that is overlooked by organizations when developing systems: the vulnerability assessment policy. This is the process of attempting to exploit system vulnerabilities to gain unauthorized access to sensitive information. Vulnerability assessments are attacks originating from a friendly system assessment team targeting a computer system to discover ways of breaching the system's security controls, penetrating the protection afforded to sensitive information, obtaining unauthorized services, or damaging the system by denying services to legitimate users. These policies form a base of testing discovering features, functions, and system capabilities that may be unspecified and unknown to its developers and users. Vulnerability assessments attempt to discover system capabilities that are flaws in the design, implementation, operation, documentation, change controls, and maintenance.
A vulnerability assessment is as thorough as the talent, training, skills, and diligence of the employees performing it. It can place reasonable limits on the knowledge and experience required for the intruder to gain unauthorized access. That knowledge applied to safeguards and protective measures can restrict intruder access below this limit, and give some degree of assurance that the system is operating securely.
Performing the vulnerability assessment utilizing the organization's own resources has certain advantages in the area of in-house knowledge building, employee control, reliability, and trustworthiness. It may lead to discovering risks before attackers do and assist in highlighting the enterprise's security position. There is a lot of preparation that must be performed in the construction of an effective vulnerability assessment. Policies and procedures must be drafted, approved, and installed; relevant employees must be trained; and there must be stringent compliance auditing, a well-developed change management process, and postmortem critique conducted of the assessment where flaws and improvements are addressed.
As with any job, policies and practices must address the means by which vulnerability assessments are conducted. Before the actual vulnerability assessment, there must be a strong foundation of policies and procedures. It is important to ensure that the underlying policies relevant to the organization's network security are in place, facilitating the process. These documents will be the principles underwriting the actions taken when planning and executing the assessment. The organization's vulnerability assessment policy should address the following active components.
Plan to Conduct Vulnerability Assessments
The planning step will include gathering relevant information, defining the assessment activities, defining roles and responsibilities, and making relevant employees aware of the need to make changes based on the findings of the assessment.
A comprehensive vulnerability test plan will improve the odds of achieving system penetration. Penetration planning establishes the ground rules, limits, and scope of the process. The plan identifies the object being assessed and determines when the test is complete. Some planning steps may include interviewing system administrators, reviewing appropriate hardware and software documentation, and reviewing appropriate policies and procedures relative to targeted systems.
Create and develop a good penetration team. Desirable characteristics for the team members include experienced vulnerability testers, employees knowledgeable of the target system, creative people with unusual ideas, SDLC development methods, access control structures, and programming abilities in several languages. Successful team members are characterized by being patient, detail-oriented, having good people and communications skills. One key requirement is of highly ethical, mature professionals who can protect proprietary, sensitive data and flaws in the target system.
Encourage the assessment team to use a variety of mechanisms to achieve unauthorized access, involving exploiting hardware, software, and human resources vulnerabilities. With senior management's consent, more than one vulnerability assessment team has asked for and received root passwords from an employee.
Identify Exposures
This phase may include a variety of tasks. It may include but not be limited to reviewing the resulting data from the assessment phase, actually deploying mechanisms to discover system vulnerabilities and linking findings to the management process so that individual accountability for assessment findings is established and risk issues can be resolved. Of course, this step must be conducted with a great deal of cooperation from senior managers and employees responsible for the system's development, monitoring, and maintenance.
Vulnerability assessments should be framed in the organization's policy as a method to reduce risks and raise profitability. If there are risks associated with negligence on the part of individual employees, senior managers should weigh the assessment's findings in light of employee accountability.
Resolving Exposures
This phase resolves the risks identified in the previous phase. Before any substantive steps can be taken to address assessment findings, an investigation must be done to determine if the risk is in fact relevant to continued business operation. If risks are identified that do not have bearing or insignificant bearing on business operations, then it is possible they may be excused as irrelevant.
Performing a vulnerability assessment can provide a point-in-time representation of the organization's risk position. In fact, this mechanism is insufficient. There must be a method incorporated into the organization's policies and procedures ensuring that the vulnerability assessment process is conducted on a frequent or continuous basis. Only in this manner can policy minimize network risk. Vulnerability assessments are best employed to discover broad capabilities of the target system and flaws contrary to security policies, rather than resulting in a gaming situation between the target system's administrators and the assessment team trying to penetrate a protected asset.
An organization's vulnerability assessment policy must require that all known flaws are repaired. As part of their postmortem critique, the system assessors may suggest the implementation of corrections or safeguards. After the system has been repaired, policy should require that the system is reevaluated to confirm the fixes and to ensure no other flaws were introduced by the repairs or implemented safeguards. An organization's reevaluation process is a complete repetition of the vulnerability assessment process.
By completing policies requiring continuous vulnerability assessments, you facilitate the identification of potential risks before attackers do. Early detection allows the opportunity to address assessment findings before attackers can exploit the vulnerabilities resulting in damage to the company's critical assets.
Policies requiring continuous vulnerability assessments can deliver a picture of how secure sensitive information is, and go a long way in preventing having to read about critical assets being stolen or compromised in the news.
Every organization contains risks, ranging from finance to procurement. Given the risks in doing business through the Internet, it is surprising how many businesses are not finding more ways to enable safeguards and protect their critical assets
Frequently, there is one technique that is overlooked by organizations when developing systems: the vulnerability assessment policy. This is the process of attempting to exploit system vulnerabilities to gain unauthorized access to sensitive information. Vulnerability assessments are attacks originating from a friendly system assessment team targeting a computer system to discover ways of breaching the system's security controls, penetrating the protection afforded to sensitive information, obtaining unauthorized services, or damaging the system by denying services to legitimate users. These policies form a base of testing discovering features, functions, and system capabilities that may be unspecified and unknown to its developers and users. Vulnerability assessments attempt to discover system capabilities that are flaws in the design, implementation, operation, documentation, change controls, and maintenance.
A vulnerability assessment is as thorough as the talent, training, skills, and diligence of the employees performing it. It can place reasonable limits on the knowledge and experience required for the intruder to gain unauthorized access. That knowledge applied to safeguards and protective measures can restrict intruder access below this limit, and give some degree of assurance that the system is operating securely.
Performing the vulnerability assessment utilizing the organization's own resources has certain advantages in the area of in-house knowledge building, employee control, reliability, and trustworthiness. It may lead to discovering risks before attackers do and assist in highlighting the enterprise's security position. There is a lot of preparation that must be performed in the construction of an effective vulnerability assessment. Policies and procedures must be drafted, approved, and installed; relevant employees must be trained; and there must be stringent compliance auditing, a well-developed change management process, and postmortem critique conducted of the assessment where flaws and improvements are addressed.
As with any job, policies and practices must address the means by which vulnerability assessments are conducted. Before the actual vulnerability assessment, there must be a strong foundation of policies and procedures. It is important to ensure that the underlying policies relevant to the organization's network security are in place, facilitating the process. These documents will be the principles underwriting the actions taken when planning and executing the assessment. The organization's vulnerability assessment policy should address the following active components.
Plan to Conduct Vulnerability Assessments
The planning step will include gathering relevant information, defining the assessment activities, defining roles and responsibilities, and making relevant employees aware of the need to make changes based on the findings of the assessment.
A comprehensive vulnerability test plan will improve the odds of achieving system penetration. Penetration planning establishes the ground rules, limits, and scope of the process. The plan identifies the object being assessed and determines when the test is complete. Some planning steps may include interviewing system administrators, reviewing appropriate hardware and software documentation, and reviewing appropriate policies and procedures relative to targeted systems.
Create and develop a good penetration team. Desirable characteristics for the team members include experienced vulnerability testers, employees knowledgeable of the target system, creative people with unusual ideas, SDLC development methods, access control structures, and programming abilities in several languages. Successful team members are characterized by being patient, detail-oriented, having good people and communications skills. One key requirement is of highly ethical, mature professionals who can protect proprietary, sensitive data and flaws in the target system.
Encourage the assessment team to use a variety of mechanisms to achieve unauthorized access, involving exploiting hardware, software, and human resources vulnerabilities. With senior management's consent, more than one vulnerability assessment team has asked for and received root passwords from an employee.
Identify Exposures
This phase may include a variety of tasks. It may include but not be limited to reviewing the resulting data from the assessment phase, actually deploying mechanisms to discover system vulnerabilities and linking findings to the management process so that individual accountability for assessment findings is established and risk issues can be resolved. Of course, this step must be conducted with a great deal of cooperation from senior managers and employees responsible for the system's development, monitoring, and maintenance.
Vulnerability assessments should be framed in the organization's policy as a method to reduce risks and raise profitability. If there are risks associated with negligence on the part of individual employees, senior managers should weigh the assessment's findings in light of employee accountability.
Resolving Exposures
This phase resolves the risks identified in the previous phase. Before any substantive steps can be taken to address assessment findings, an investigation must be done to determine if the risk is in fact relevant to continued business operation. If risks are identified that do not have bearing or insignificant bearing on business operations, then it is possible they may be excused as irrelevant.
Performing a vulnerability assessment can provide a point-in-time representation of the organization's risk position. In fact, this mechanism is insufficient. There must be a method incorporated into the organization's policies and procedures ensuring that the vulnerability assessment process is conducted on a frequent or continuous basis. Only in this manner can policy minimize network risk. Vulnerability assessments are best employed to discover broad capabilities of the target system and flaws contrary to security policies, rather than resulting in a gaming situation between the target system's administrators and the assessment team trying to penetrate a protected asset.
An organization's vulnerability assessment policy must require that all known flaws are repaired. As part of their postmortem critique, the system assessors may suggest the implementation of corrections or safeguards. After the system has been repaired, policy should require that the system is reevaluated to confirm the fixes and to ensure no other flaws were introduced by the repairs or implemented safeguards. An organization's reevaluation process is a complete repetition of the vulnerability assessment process.
By completing policies requiring continuous vulnerability assessments, you facilitate the identification of potential risks before attackers do. Early detection allows the opportunity to address assessment findings before attackers can exploit the vulnerabilities resulting in damage to the company's critical assets.
Policies requiring continuous vulnerability assessments can deliver a picture of how secure sensitive information is, and go a long way in preventing having to read about critical assets being stolen or compromised in the news.
Subscribe to:
Posts (Atom)
Popular Posts
-
Nessus is a popular open-source scanner for organizations that choose not to spend the money on other proprietary products. There are s...
-
The IMP should be designed to follow some simple principles in order to be most effective. The plan should reflect the nature of the bus...
-
Often crisis responders will initiate a crisis notification through a verbal briefing. As such, it is imperative that a clear and accurate ...
-
The composition of the crisis and incident response teams should reflect the personnel required to analyze and deal with any events, fro... -
The company should either establish a permanent facility in which to manage crisis events (if the frequency and scope of crises facing its ...
-
The inability to effectively gather and share information is a frequent management failure during many crisis events both within the incide... -
Typically, the vulnerability information used by a particular vendor of a VM scanner or analyzer is stored in a database that is des... -
Definition of hazard • A characteristic or group Of characteristics that provides the potential for a loss. • Examples: Internal and e...
-
The first step in implementing a strategy for deploying physical scanners is to select a central location to which all scanners will re...
-
In many descriptions you will see the words "Critical Incident Response Team" associated with critical incidents. Many incident ...