Page 79 - DCAP516_COMPUTER_SECURITY
P. 79

Unit 7: Designing Trusted Operating System




          Any policy must include a provision for waivers; that is, what to do when the provisions of the  Notes
          policy conflict with a pressing business need. When a project manager requests a waiver of the
          company security policy, it must be documented formally. Items to include are the system in
          question, the section of the security policy that will not be met, how the non-compliance will
          increase the risk to the company, the steps being taken to manage that risk, and the plans for
          bringing the system into compliance with the policy.

          Computer Use Policy

          The policy should state clearly that an employee enters into an implicit agreement with the
          company when using a computer issued by the company. Some important items are:
          1.   All computers and network resources are owned by the company,
          2.   The acceptable use (if any) of non-company-owned computers within the company business
               environment,
           3.  With the exception of customer data (which are owned by the customer), that all information
               stored on or used by the company computers is owned by the company.

          4.   That the employee is expected to use company-owned computers only for purposes that
               are related to work, and
          5.   That an employee has no expectation of privacy for information stored on company
               computers or network assets.

          System Administration Policies

          These should specify how software patches and upgrades are to be distributed in the company
          and who is responsible for making these upgrades. There should also be policies for identification
          and correcting vulnerabilities in computer systems.




             Notes  There should also be a policy for responding for security incidents, commonly
             called an IRP or Incident Response Policy. There are a number of topics to be covered:

             1.  how to identify the incident,
             2.  how to escalate the response as necessary until it is appropriate, and
             3.  who should contact the public press or law-enforcement authorities.

          Self Assessment

          State whether the following statements are:

          1.   The audit policy should specify what events are to be logged for later analysis.
          2.   A trusted system connotes one that meets the intended security requirements, is of high
               enough quality, and justifies the user’s confidence in that quality.

          3.   Programmers make mistakes, but inefficient code is never implemented into programs
               after testing.
          4.   There should also be a policy for responding for security incidents, commonly called an
               IRP or Incident Response Policy.





                                           LOVELY PROFESSIONAL UNIVERSITY                                   73
   74   75   76   77   78   79   80   81   82   83   84