Is the use of passwords an effective strategy for securing a system?Ī. Doing so may require policy-makers to think more creatively, but each security guideline needs to be customized to meet the organization's needs anyway (see Chapter 2). While particular countermeasures might need to be adjusted to accommodate non-traditional schedules (e.g., the practice of limiting users to acceptable log-in times and locations), a system with telecommuters, frequent travelers, and other remote access users can still be secure. Is it possible to have a secure system if you have employees who telecommute or work otherwise non-traditional schedules?Ī. By continuing into this system, you are acknowledging that you are aware of and agree to these terms. If you do not have this permission in writing, you are violating the regulations of this network and can and will be prosecuted to the full extent of the law. Use of this network, its equipment, and resources is monitored at all times and requires explicit permission from the network administrator. W A R N I N G ! This is a restricted network. Never include the word "Welcome" as a part of the log-in process-it can be argued that it implies that whoever is reading the word is, by definition, invited to access the system. Thus, the first screen any user sees when logging into a secure computer system should be something to the following effect: By reading a warning like the one that follows, users explicitly accept both the conditions of monitoring and punishment when they proceed to the next screen. If such an effort is not made, the organization may actually be invading the privacy rights of its intruders!Īn excellent way of properly informing users of monitoring activities is through the opening screen that is presented to them. Reasonable efforts must be made to inform all users, even uninvited hackers, that the system is being monitored and that unauthorized activity will be punished and/or prosecuted as deemed appropriate. While there is no question that an organization has the right to protect its computing and information resources through user access security activities, users (whether authorized or not) have rights as well. Very clear to me that I had no business in a file if my password wouldn't get me in."Īn organization cannot monitor user activity unless that user grants implicit or explicit permission to do so! "And you might want to reconsider how our password system works," Fred added. In the meantime, I'm going to send a memo out to staff reminding them what need-to-know really means." I'm not going to make a big deal of it this time, but from now on, limit your browsing to the free- and reduced-price lunch information. "Hmm, I see your point, Fred, but in truth you shouldn't be accessing student record information that isn't related to your legitimate educational duties. Kim paused, realizing that it might be reasonable for Fred to have assumed that he was allowed to read a file if his password gave him access. "I figured that if my password got me into a file, it was fair game." "I didn't know that my access was limited," Fred asserted honestly. "You're authorized to access specific elements that relate to a student's free- and reduced-price lunch eligibility," Kim clarified. "Are you forgetting that I'm authorized to access student records?" I couldn't understand why someone in Food Services would need to be browsing through individual student test scores, so I thought I'd come by and ask you."įred looked up at Kim as he if was surprised to be entertaining such a question. "Fred, my review of our computer logs shows that you have been logging in and looking at confidential student information. As the security manager, she knew how important it was to gather information completely before jumping to conclusions. After all, there is no reason for someone in Staff Payroll to be given clearance to confidential student records. To make this distinction a little more realistic, however, understand that user access security limits even authorized users to those parts of the system that they are explicitly permitted to use (which, in turn, is based on their "need-to-know"). User access security refers to the collective procedures by which authorized users access a computer system and unauthorized users are kept from doing so. A person with a "need-to-know" has been designated by school officials as having a legitimate educational or professional interest
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |