Information Technology Reference
In-Depth Information
9.4.6 Disposal of Devices
Besides the usual legal disposal regulations special attention has to be drawn to
additional aspects concerning company and IT security:
￿ Prior to the disposal all data stored on a device—especially administration
data—have to be deleted or neutralized in such a way that even accomplished
technicians will not be able to re-constitute them.
￿
Indications to the company like type labels and inventory labels have to be
removed. In this way inferences about the original company, where they were in
use, should not be possible.
9.5 Documentation
These are the most important elements to be considered for individual directives:
￿ Subject of the directive (hardware: laptop; software: intranet for example)
￿ Application procedure to obtain usage rights
￿ Responsibilities for usage and costs
￿ Limitations of usage and costs
￿ Interdictions
￿ Liability and
￿ Damages.
Directives are of a general nature or relevant to specific fields of technologies.
They can consist of the directive proper and associated implementation rules.
9.5.1 Processes
Quite similar to other aspects of IT quality management, the Deming Process, so
called after the famous American quality guru W. Edward Deming, plays an
important role for IT security philosophy with respect to verification, compliance
and evolution. Figure 9.2 shows this process schematically:
As always, the same cycle refers to:
system design > implementation > analysis > improvement
A security policy has to be drafted concerning organisation and technology. On
this basis implementation takes place in consultation with all parties concerned.
After a certain time of operation experience is gained resulting finally into new
proposals and improvements. And the whole process starts all over again. It is
important to note that the operational time phase is not the same as a common trial
phase. In fact this is a continuing process with fixed review intervals. The aim is
Search WWH ::




Custom Search