Companies frequently develop policies to specifically define and clarify issues related to personnel management. If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of common security policies.
For example, can you answer this question?
Q. After a major data breach, Lisa has been tasked with reviewing security policies related to data loss. Which of the following is MOST closely related to data loss?
A. Clean desk policy
B. Legal hold policy
C. Job rotation policy
D. Background check policy
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Clean Desk Policy
A clean desk policy directs users to keep their areas organized and free of papers. The primary security goal is to reduce threats of security incidents by ensuring the protection of sensitive data. More specifically, it helps prevent the possibility of data theft or inadvertent disclosure of information.
Imagine an attacker goes into a bank and meets a loan officer. The loan officer has stacks of paper on his desk, including loan applications from various customers. If the loan officer steps out, the attacker can easily grab some of the documents, or simply take pictures of the documents with a mobile phone.
Beyond security, organizations want to present a positive image to customers and clients. Employees with cluttered desks piled with paper can easily put off customers.
However, a clean desk policy doesn’t just apply to employees who meet and greet customers. It also applies to employees who don’t interact with customers. Just as dumpster divers can sort through trash to gain valuable information, anyone can sort through papers on a desk to learn information. It’s best to secure all papers to keep them away from prying eyes. Some items left on a desk that can present risks include:
- Keys
- Cell phones
- Access cards
- Sensitive papers
- Logged-on computer
- Printouts left in printer
- Passwords on Post-it notes
- File cabinets left open or unlocked
- Personal items such as mail with Personally Identifiable Information (PII)
Some people want to take a clean desk policy a step further by scrubbing and sanitizing desks with antibacterial cleaners and disinfectants on a daily basis. They are free to do so, but that isn’t part of a security-related clean desk policy.
Remember this
A clean desk policy requires users to organize their areas to reduce the risk of possible data theft. It reminds users to secure sensitive data and may include a statement about not writing down passwords.
Background Check
It’s common for organizations to perform background checks on potential employees and even on employees after they are hired. A background check looks into a potential employee’s history with the intention of discovering anything about the person that might make him a less-than-ideal fit for a job.
A background check will vary depending on job responsibilities and the sensitivity of the data that person can access. For example, a background check for an associate at Walmart will be significantly less thorough than a background check for a government employee who will handle Top Secret Sensitive Compartmented Information.
However, background checks will typically include a query to law enforcement agencies to identify a person’s criminal history. In some cases, this is only to determine if the person is a felon. In other cases, it checks for all potential criminal activity, including a review of a person’s driving records.
Many organizations check a person’s financial history by obtaining a credit report. For example, someone applying for a job in an Accounting department might not be a good fit if his credit score is 350 and he has a string of unpaid loans.
It is also common for employers to check a person’s online activity. This includes social media sites, such as Facebook, LinkedIn, and Twitter. Some people say and do things online that they would rarely do in public. One reason is a phenomenon known as the online disinhibition effect. Just as a beer or glass of wine releases inhibitions in many people, individuals are often less inhibited when posting comments online. And what they post often reflects their true feelings and beliefs. Consider a person who frequently posts hateful comments about others. A potential employer might think that this person is unlikely to work cohesively in a team environment and hire someone else.
Note that some background checks require written permission from the potential employee. For example, the Fair Credit Reporting Act (FCRA) requires organizations to obtain written permission before obtaining a credit report on a job applicant or employee. However, other background checks don’t require permission. For example, anyone can look at an individual’s public social media profile.
Q. After a major data breach, Lisa has been tasked with reviewing security policies related to data loss. Which of the following is MOST closely related to data loss?
A. Clean desk policy
B. Legal hold policy
C. Job rotation policy
D. Background check policy
Answer is A. A clean desk policy requires users to organize their areas to reduce the risk of possible data theft and password compromise.
A legal hold refers to a court order to protect data that might be needed as evidence. A legal hold policy may state that the organization will comply with the court order, but it isn’t related to data theft.
Job rotation policies require employees to change roles on a regular basis and can expose fraudulent activity.
A background check policy typically identifies what to check for when hiring an employee.
See Chapter 11 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on security policies.
Check out the Personnel Policies blog posts for more information about Job rotation, Acceptable use, Mandatory vacations, and Separation of duties.