They want to be able to get their work done without restrictive security controls.
They are concerned about the ease of managing systems under tight security controls.
They are concerned about the cost of security protection for attacks that may not materialize.
They want to manage how users react to security policies.
Policies may be helpful in the event that it is necessary to prosecute violators.
Policies identify what tools and procedures are needed.
Policies define what appropriate behavior for users is.
Policies communicate a unanimous agreement of judgment.
State reasons why the policy is necessary
Be able to implement and enforce it
Be concise and easy to understand
Balance protection with productivity
Member of management who can enforce the policy
Member of the legal staff
Representative from an antivirus vendor
Senior level administrator
Notify users in advance that a new security policy is being developed and explain why the policy is needed
Provide a sample of people affected by the policy with an opportunity to review and comment
Prior to deployment, give all users at least two weeks to review and comment
Require all users to approve the policy before it is implemented
Internet use policy
User permission policy
End user policy
Acceptable use policy
Do not use a password that is a word found in a dictionary
Do not use the name of a pet
Do not use alphabetic characters
Do not use birthdays
Outlines how the organization uses information it collects
Is required on all Internet Web sites
Must be certified before it can be used
Is identical to an AUP
The information itself remains on the hard drive until it is overwritten by new files
The last character of the file name is changed
The file contents are physically overwritten with zeros
It is physically removed from the disk once the Recycle Bin is emptied
Scope of the work to be performed
Exclusions and exceptions
Requirements for PII
Penalties for failure to fulfill obligations
Types of policies
User password violations
Free hard drive
Relies on tricking and deceiving someone to provide secure information
Is illegal in the U.S.
Requires a computer and Internet connection
Is rarely used today
Keyboard observation (KO)
Trust authorized individuals only.
Trust everyone all of the time.
Trust some people some of the time.
Trust all people all the time.