1.9. The organisation's security regulations

ryanrori February 1, 2021


A computer security policy defines the goals and elements of an organisation's computer systems. The definition can be highly formal or informal. Security policies are enforced by organisational policies or by security mechanisms. Whether a computer system is actually secure or insecure is determined by the technical implementation of that policy. These formal policy models can be categorised under the core security principles of confidentiality, integrity and availability.

The administrative controls are defined by the top management in an organisation:

Policy and Procedures

  • A security policy is a high-level plan that states management’s intent pertaining to how security should be practiced within an organisation, what actions are acceptable, and what level of risk the company is willing to accept. This policy is derived from the laws, regulations, and business objectives that shape and restrict the company.
  • The security policy provides direction for each employee and department regarding how security should be implemented and followed, and the repercussions for noncompliance. Procedures, guidelines, and standards provide the details that support and enforce the company’s security policy.

Personnel Controls

Personnel controls indicate how employees are expected to interact with security mechanisms, and address noncompliance issues pertaining to these expectations.

  • Change of Status: These controls indicate what security actions should be taken when an employee is hired, terminated, suspended, moved into another department, or promoted.
  • Separation of duties: The separation of duties should be enforced so that no one individual can carry out a critical task alone that could prove to be detrimental to the company.

Example: A bank teller who has to get supervisory approval to cash cheques over R20 000 is subject to separation of duties. For a security breach to occur, it would require collusion, which means that more than one person would need to commit fraud, and their efforts would need to be concerted. The use of separation of duties drastically reduces the probability of security breaches and fraud.

  • Rotation of duties means that people rotate jobs so that they know how to fulfil the obligations of more than one position. Another benefit of rotation of duties is that if an individual attempts to commit fraud within their position, detection is more likely because another employee knows what tasks should be performed in that position and how they should be performed.
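The dual-approval rule from the bank teller example, written as an added illustration that is not part of the original lesson: transactions above the threshold need a second, distinct person holding the supervisor role, so a single individual cannot cash a large cheque alone. The threshold, user names and role names are assumed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy values for this constructed example (not from the lesson's system).
SUPERVISORY_THRESHOLD = 20_000  # Rand; amounts above this need a second person
AUDIT_LOG: List[str] = []       # where supervisors would later review activity


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass
class Transaction:
    amount: int
    requested_by: User
    approved_by: Optional[User] = None


class SeparationOfDutiesError(Exception):
    """Raised when one person would be allowed to complete a critical task alone."""


def approve(tx: Transaction, approver: User) -> Transaction:
    """Record a supervisory approval, refusing self-approval and unqualified approvers."""
    if approver.name == tx.requested_by.name:
        # The requester approving their own transaction would defeat the control.
        AUDIT_LOG.append(f"DENIED self-approval by {approver.name} for R{tx.amount}")
        raise SeparationOfDutiesError("requester cannot approve their own transaction")
    if "supervisor" not in approver.roles:
        AUDIT_LOG.append(f"DENIED approval by non-supervisor {approver.name}")
        raise SeparationOfDutiesError(f"{approver.name} lacks the supervisor role")
    tx.approved_by = approver
    AUDIT_LOG.append(f"APPROVED R{tx.amount} for {tx.requested_by.name} by {approver.name}")
    return tx


def can_execute(tx: Transaction) -> bool:
    """True when the transaction may be cashed under the separation-of-duties policy."""
    if tx.amount <= SUPERVISORY_THRESHOLD:
        return True  # below the threshold a single teller may act alone
    return tx.approved_by is not None and tx.approved_by.name != tx.requested_by.name
```

Collusion is still possible (the teller and a supervisor acting together), which is exactly why the lesson pairs this control with supervision and audit.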

Supervisory Structure

  • Management must construct a supervisory structure that makes managers responsible for their employees and requires them to take a vested interest in their activities. If an employee is caught hacking into a server that holds customer credit card information, both that employee and her supervisor will face the consequences.

Security-Awareness Training

  • This control helps users and employees understand how to properly access resources, why access controls are in place, and the ramifications of not using the access controls properly.

Testing

  • This control states that all security controls, mechanisms, and procedures are tested on a periodic basis to ensure that they properly support the security policy, goals, and objectives set for them.
  • The testing can be a drill to test reactions to a physical attack or disruption of the network, a penetration test of the firewalls and perimeter network to uncover vulnerabilities, a query to employees to gauge their knowledge, or a review of the procedures and standards to make sure they still align with business or technology changes that have been implemented.

Examples of Administrative Controls would include:

  • Security policy
  • Monitoring and supervising
  • Separation of duties
  • Job rotation
  • Information classification
  • Personnel procedures
  • Investigations
  • Testing
  • Security-awareness and training