Hands-On Project 13-2: Conducting Security Policy Analysis
Objective: Evaluate security policy clauses, identify deficiencies, and update policies in response to events or changes.
Description: Security policies should be revised to address security breaches or new threats. In this project, you evaluate the theft of proprietary information and identify some obvious deficiencies in a security policy. Then you recommend changes to the security policy to prevent similar incidents from recurring.
A local branch office of a major national stock brokerage had no policy that required the termination of user ID and password privileges after employees leave. A senior trader left the brokerage and was hired by a competing brokerage. Shortly thereafter, the first brokerage lost two clients who said they were moving to a competing firm; their personal data files disappeared mysteriously from the company's databases. In addition, a year-end recommendations report that the senior trader had been preparing was released two weeks early by the competing brokerage. An investigation of the company's access logs revealed that the employee records file had been accessed by someone outside the company. The job records, however, did not reveal whether the report had been stolen because they had not been set up to record object accesses in a log.
The existing security policy states the following:
"On termination, employees shall surrender any laptops, disks, or computer manuals they have in their possession. They are no longer authorized to access the network, and they shall not take any hardware or software when they leave the office."
1. What changes would you make to the existing security policy so that security is improved after employees are terminated?
2. Brainstorm for ideas to develop a security policy clause that covers access of company records and helps track when files are accessed.