Table 8.3 Operations Security Guidelines (Continued)

Rule: Laws protect livelihoods.
Description: Pirate is a romanticized term for thief. Do not copy licensed and copyrighted software, documents, music, books, pictures, videos, etc. Someone making a living from these documents likely worked hard for the revenue they will produce.

Rule: Enforce access controls.
Description: Protect access to buildings, floors, rooms, offices, and technology. Activate password-protected screen savers when leaving systems unattended. Enforce a policy of automatic logoff for inactivity.

Rule: Business use only.
Description: Use information technology for business use only. This includes not using PCs for personal activities (e.g., games, balancing checkbooks, running a side business). Check the news like you check your hair in the mirror—usually a quick fix will do—but then back to work.
identifies lessons learned, and provides feedback for CSIRT as well as organizational operations improvement.
8.10.1 Compliance Requirements
Legislative requirements for a CSIRT include the Federal Information Security Act 2002 (FISMA), which addresses the need for a federal information security incident center (§ 3546) and the need for procedures for detecting, reporting, and responding to security incidents. Although FISMA applies to the U.S. civilian government, it highlights an IA service that is of interest to commercial organizations as well.

Commercial compliance requirements (primarily legislative) are unlikely to state explicit requirements for a CSIRT; however, implicit CSIRT requirements can very probably be derived in support of the explicit requirements of HIPAA, Sarbanes-Oxley, and other legislation.
8.10.2 CSIR Policy
A computer security incident response policy (CSIRP) should be part of a comprehensive set of enterprise security policies. The CSIRP addresses CSIRT responsibilities insofar as preparing and planning for incident management, preestablishing priorities (e.g., preserving existing revenue streams), incident notification, incident identification, incident response, and recording incident details and lessons learned.