Topic - If you were writing a code of ethics, what would be the most important practices to include in your company's acceptable use policy, internet use policy, or acceptable conduct policy?
As a cybersecurity focused professional, my primary objective for the code of ethics is to prevent intrusions into my network and guard the intellectual property which resides on it. Drive-by downloads, phishing, and random, dirty pieces of software downloaded by employees are all dangerous, but the real danger to the network lies in targeted attacks. Insiders and spear phishing are the threats that require the most focused coverage in the drafted policies.
From the class module, I extracted the basics of each policy in order to address each one correctly. The Acceptable Use Policy consists of enumerating unacceptable uses of the information systems and network. The Internet Use Policy sets out constraints on the allowable motivation behind web use, limiting it to official business use only, and prohibits, in broad descriptions, uses which can expose private information, endanger the network, or violate copyright laws. (University of Maryland University College, 2012)
Targeted network attacks can be mitigated through carefully drafting, implementing, and enforcing these policies. The most important practice in the Acceptable Use Policy is that email is to be used primarily for text-based communication and scheduling. Because documents will inevitably need to be emailed, enforcement will not take the form of restricting email strictly to text and scheduling. Targeted attacks often involve email attachments which are malware or infected documents containing malware. (Schwartz, 2011) To counter this, the Acceptable Use Policy will be enforced by quarantining and reviewing all email attachments. A dropbox system will be used for internal file transfers, so the attachment policy will apply even to internal emails.
Also aimed at email, the most important feature of my Internet Use Policy would be to forbid personal internet use, especially and primarily webmail. Since employees will have their company email address, there is no need to allow access to personal webmail. Such sites will be blocked by policy and enforced through a DNS blacklist. This helps protect against both insiders and malware sending out intellectual property through encrypted webmail.
I felt as though this week's posts were really weak, but they scored very well. Here is the first one.
Schwartz, M. J. (2011, June 8). Spear Phishing Attacks On The Rise. InformationWeek. Retrieved 12 October 2012 from http://www.informationweek.com/security/attacks/spear-phishing-attacks-on-the-rise/230500025
University of Maryland University College. (2012). Cyber Ethics: CSEC 620, module 2. Informally published manuscript. Retrieved 12 October 2012 from http://tychousa11.umuc.edu/cgi-bin/id/FlashSubmit/fs_link.pl?class=1209:CSEC620:9083&fs_project_id=344&xload&tmpl=CSECfixed&moduleSelected=csec620_02