A company's resources are vital assets; they must therefore be used with great care and be administered and monitored by a responsible entity. This article covers the use of resources such as computers, networks, the internet, telephones and software applications, together with the related management policy, to give insight into what the general security policy of a typical organization might include. Such policies make clear to employees exactly how the company expects them to use its computing resources.
Each company must implement least privilege and separation of duties by defining appropriate categories of employee, for example Administrator, Management, Operator and General User, each of which groups together a set of responsibilities and the corresponding level of access to resources. Management must also require approval for new employees and for any change in access privileges in line with the job description, and must ensure that every employee signs a usage agreement.
All employees must sign a nondisclosure agreement (NDA) that strictly prohibits disclosing company information outside the company. Employees must also be made fully aware of the consequences of violating the agreement. Clients and business partners must likewise sign an NDA covering the company's sensitive data.
The usage policy must clearly stipulate that employees may not browse personal or social media websites on company equipment during working hours, to reduce the risk of infection. Irrelevant web browsing must be blocked by the network administrator using firewall, IDS or IPS filters, and the administrator should regularly review inbound and outbound traffic to verify compliance, because a blocked website can still be reached through a proxy server.
Sensitive servers and end-user machines typically undergo vulnerability assessment and penetration testing (VA/PT) in order to maintain strong protection by detecting weaknesses and anomalies. However, because of the sensitive nature of such work, a vulnerability scan should be performed only by an individual who has obtained clearance from higher authority. Normal end-users must be strictly prohibited from performing VA/PT; instead it should be carried out under the supervision of privileged authorities.
It is highly recommended not to grant normal end-users system administrator accounts. Instead, their credentials should be created according to the nature of their job and responsibilities. In general, end-users should not be granted root or administrator privileges.
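The two rules above (only approved people in administrative groups, and no end-user with root rights) can be checked mechanically. The following is an added example, not code from the original article: a small audit over `/etc/passwd` and `/etc/group` style data that flags any account other than `root` with UID 0 and any member of an administrative group who is not on an approval list. The sample file contents and the approval list (`APPROVED_ADMINS`) are constructed for the illustration.

```python
"""Least-privilege audit over /etc/passwd and /etc/group style data.

The sample data below is constructed for this example; on a real host an
administrator would read the two files instead.
"""

# Constructed sample /etc/passwd: 'backup' has UID 0, which makes it a
# second root account even though it is not named root.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice (operator):/home/alice:/bin/bash
bob:x:1001:1001:Bob (general user):/home/bob:/bin/bash
backup:x:0:1002:Nightly backup:/var/backups:/bin/sh
"""

# Constructed sample /etc/group: bob is in sudo although he is a general user.
GROUP = """\
root:x:0:
sudo:x:27:alice,bob
adm:x:4:alice
users:x:100:alice,bob
"""

# Assumed approval list: the administrator accounts management has cleared.
APPROVED_ADMINS = {"alice"}
# Groups that confer administrative rights on common Linux distributions.
ADMIN_GROUPS = {"sudo", "wheel", "adm"}


def parse_passwd(text):
    """Return {username: uid} from passwd-format text, skipping malformed lines."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line: skip rather than guess
        accounts[fields[0]] = int(fields[2])
    return accounts


def parse_group(text):
    """Return {groupname: set(members)} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def extra_uid0_accounts(passwd_text):
    """Accounts other than 'root' with UID 0: each one is a hidden root account."""
    return sorted(user for user, uid in parse_passwd(passwd_text).items()
                  if uid == 0 and user != "root")


def unapproved_admins(group_text, approved=APPROVED_ADMINS, admin_groups=ADMIN_GROUPS):
    """Members of administrative groups who are not on the approval list."""
    findings = {}
    for name, members in parse_group(group_text).items():
        if name in admin_groups:
            extra = sorted(members - approved)
            if extra:
                findings[name] = extra
    return findings


def audit(passwd_text, group_text):
    """Run both checks and return one report."""
    return {
        "extra_uid0": extra_uid0_accounts(passwd_text),
        "unapproved_admins": unapproved_admins(group_text),
    }


if __name__ == "__main__":
    for key, value in audit(PASSWD, GROUP).items():
        print(f"{key}: {value}")
```

Run against the constructed data, the audit reports `backup` as an extra UID 0 account and `bob` as an unapproved member of `sudo`; the approval list is the policy artefact that management maintains, and the script only compares reality against it.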
Corporate telephones may be used for local and official communication, and otherwise only in a very limited manner, as long as this usage does not affect normal business. Corporate phones should also not be used for long-distance calls whose cost exceeds defined limits.
Rights to install or configure new software on servers or end-user machines should not be given to desktop users; they should be reserved for those who hold root or administrator privileges. Moreover, the administrator must carefully monitor for unauthorized access attempts, in case disgruntled or malicious users manage to subvert these controls or fail to abide by the policies.
Employees' internet usage must be monitored by the network administrator for attempts to access restricted websites, transfers of large files or of company-sensitive data, and excessive web browsing for personal purposes. Employees should be given only one-way (unidirectional) access to personal email; for official purposes it may be bidirectional, but in a restricted manner.
A firewall must be set up at the server end to protect against unsolicited connection requests, with filter rules that dictate which ports and connections are allowed and which are not. Filter rules must be defined only by a person who holds administrator privileges, and everyone else must be strictly forbidden to modify them. In addition, unprivileged users should not be able to view the log files that the firewall front end typically generates.
All end-user machine and sensitive server activity, such as root account usage, privilege escalation, unauthorized access attempts, visits to irrelevant or decommissioned sites, and bypassing of firewall filters, must be kept under constant surveillance by a traffic or security analyst to detect abnormal use of resources.
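Three of the activities listed above (root account usage, privilege escalation, and unauthorized access attempts) leave traces in the authentication log that a security analyst can check automatically. The following is an added example, not code from the original article: it runs detection logic over constructed `auth.log`-style lines and raises an alert for a direct root login, for a `sudo` to root by anyone not on the administrator approval list, and for a burst of failed logins from one source. The log lines, the approval list (`APPROVED_ADMINS`) and the failure threshold are constructed assumptions for the illustration.

```python
"""Detection of root usage, privilege escalation and brute-force attempts
over auth.log-style lines. Sample data is constructed for this example."""
import re
from collections import Counter

# Constructed sample lines in syslog/auth.log style (not from any real host).
AUTH_LOG = """\
Mar  3 09:01:12 srv1 sshd[2101]: Accepted publickey for alice from 10.0.5.21 port 51022 ssh2
Mar  3 09:02:40 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:03:05 srv1 sshd[2130]: Failed password for bob from 10.0.5.44 port 40211 ssh2
Mar  3 09:03:09 srv1 sshd[2130]: Failed password for bob from 10.0.5.44 port 40211 ssh2
Mar  3 09:03:14 srv1 sshd[2130]: Failed password for bob from 10.0.5.44 port 40211 ssh2
Mar  3 09:03:20 srv1 sshd[2130]: Failed password for bob from 10.0.5.44 port 40211 ssh2
Mar  3 09:03:26 srv1 sshd[2130]: Failed password for bob from 10.0.5.44 port 40211 ssh2
Mar  3 09:10:02 srv1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 09:12:44 srv1 sshd[2210]: Accepted password for root from 203.0.113.7 port 3344 ssh2
Mar  3 09:15:01 srv1 sshd[2250]: Failed password for invalid user admin from 198.51.100.9 port 2222 ssh2
"""

# Assumed policy inputs: who may escalate to root, and how many failures
# from one (user, source) pair count as an attack.
APPROVED_ADMINS = {"alice"}
FAILED_THRESHOLD = 5

# Patterns for the three event types, matching the standard sudo and sshd formats.
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.*)$")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def analyze(log_text, approved=APPROVED_ADMINS, threshold=FAILED_THRESHOLD):
    """Return a list of (alert_type, user, detail) tuples in log order."""
    alerts = []
    failures = Counter()  # (user, source) -> failed attempts so far
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            user, target, cmd = m.groups()
            # Escalation to root by someone outside the approved set.
            if target == "root" and user not in approved:
                alerts.append(("unapproved_privilege_escalation", user, cmd.strip()))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            user, src = m.groups()
            # Direct root logins bypass the per-person accountability sudo gives.
            if user == "root":
                alerts.append(("direct_root_login", user, src))
            continue
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[(user, src)] += 1
            # Alert exactly once, when the threshold is first reached.
            if failures[(user, src)] == threshold:
                alerts.append(("repeated_failed_logins", user, src))
    return alerts


if __name__ == "__main__":
    for alert in analyze(AUTH_LOG):
        print(alert)
```

On the constructed log this yields three alerts: five failed passwords for `bob` from one address, `bob` (not an approved administrator) running `sudo` to a root shell, and an accepted password login as `root` from an external address. The single failed login for the non-existent `admin` user stays below the threshold and is not reported, which is the trade-off any threshold-based rule makes.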
It is ultimately the responsibility of the HR team to make employees aware of company rules and policies, to enforce compliance, and to take suitable action against violations. When hiring, the HR team must ensure that sensitive employee information such as salary data is protected by isolating it from the rest of the network. In the case of termination, HR must inform the system administrator within the week so that the departing employee's access can be revoked.
Roles for security officials, such as Security Manager, Facility Security Officer and Technical Security Manager, should be defined, each grouping responsibilities by job function, in order to maintain discipline, uphold the principle of least privilege, and cover the physical security of the premises.
Crucial corporate data and documents must be stored in a protected manner; only an authorized individual may access or modify them after obtaining the mandatory clearance. End-users do not have access to them by default. Instead, an employee may be permitted access only to the documents that match his or her profile, with clearance from higher authority.
All corporate employees are responsible for the security of the computers they use and are bound to adhere to the resource usage policies stipulated by the organization. The organization has expectations for how employees use its resources, but these must be circulated in advance to be enforced effectively. This article has also explained the roles and responsibilities of management in drafting, implementing and ensuring compliance with policies in the context of resource usage.