When implementing a network security policy, it is important to consider how the organization's values of confidentiality, availability, and integrity will shape that policy. Each value brings benefits and disadvantages. These values can be built into the security plan by instilling them in employees and by intensively monitoring network and employee activities. The network and employees can be monitored for suspicious activity through observation and record keeping.
Confidentiality ensures that sensitive information, such as proprietary company information and personally identifiable information, will not leak out. Availability of information means that all company knowledge is at the user’s fingertips. Integrity of people and of a system keeps secrets and settings intact and credible.
However, too much confidentiality can mean that too few people can see necessary information, so they cannot perform the actions needed to conduct business. Too much availability of information and system access will allow sensitive information to get out and into the wrong hands. Overly strict integrity can leave too little flexibility when system parameters and policies need to change. For example, certain information may not need to be shielded from public view and can be released.
An organization must train its employees to hold and live the values of confidentiality, availability, and integrity. The organization has to define these values in its network training to give them meaning. In the training, employees should work through example scenarios and be advised on the right choice in each one. Once the training is over, the employees should take and pass a written test. This process should be repeated each year.
The organization’s network and employee actions should be monitored in order to uphold these values. Employees should be authorized to access the network only during certain work hours; for anything outside of those hours, special permission must be granted by their supervisor and the network administration. Also, a log of sites visited and actions taken at each computer on the network should be kept. In this way, if anything that is not work-related or any illegal action occurs, action can be taken against the responsible party. Employees should keep their user names and passwords to themselves and not share them with anyone. Security cameras can provide facial identification of persons working during hours at the office.
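One way to check the work-hours rule described above against a login log, as an added example that is not part of the original essay; the work window, the log format, the user and workstation names, and the exception records are all assumptions constructed for illustration:

```python
from datetime import datetime, time

# Assumed policy values (not from the essay): weekday work window.
WORK_START, WORK_END = time(8, 0), time(18, 0)
WORK_DAYS = {0, 1, 2, 3, 4}  # Monday..Friday

# Constructed sample data: off-hours exceptions. Each needs BOTH approvals
# (supervisor and network administration) to count.
EXCEPTIONS = [
    {"user": "bkim", "start": "2024-03-09T09:00", "end": "2024-03-09T13:00",
     "supervisor_ok": True, "netadmin_ok": True},
    {"user": "cdiaz", "start": "2024-03-07T18:00", "end": "2024-03-07T23:00",
     "supervisor_ok": True, "netadmin_ok": False},
]

# Constructed sample log: "<ISO timestamp> <user> <workstation> <action>"
LOG = """\
2024-03-07T09:15 asmith ws-014 login
2024-03-07T21:40 cdiaz ws-022 login
2024-03-09T10:05 bkim ws-031 login
2024-03-09T14:30 bkim ws-031 login
not a log line
"""

def in_work_hours(ts):
    return ts.weekday() in WORK_DAYS and WORK_START <= ts.time() < WORK_END

def has_exception(user, ts):
    """True only if a fully approved exception covers this user and time."""
    for e in EXCEPTIONS:
        start = datetime.fromisoformat(e["start"])
        end = datetime.fromisoformat(e["end"])
        if (e["user"] == user and e["supervisor_ok"] and e["netadmin_ok"]
                and start <= ts < end):
            return True
    return False

def review(log_text):
    """Return (violations, unparsed) for the given log text."""
    violations, unparsed = [], []
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            user, host, action = parts[1:4]
        except (ValueError, IndexError):
            unparsed.append(line)  # keep malformed lines for manual review
            continue
        if action == "login" and not in_work_hours(ts) and not has_exception(user, ts):
            violations.append((parts[0], user, host))
    return violations, unparsed
```

An exception approved by the supervisor alone does not clear a login, and lines that cannot be parsed are returned separately rather than silently dropped.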
If an organization is concerned about information being leaked, it can use the “canary trap”: issue different sets of information to the suspected individuals. The information that leaks will show the organization the responsible party.