My workplace physical security includes an alarm which needs to be disarmed by the first person entering the building who has a pass-code and re-set by the last person leaving for the night who also has a pass-code. There is also a second door which is permanently locked and does not require a pass-code, but if you don't have your key, you will have to wait for someone to let you in. Both doors use a deadbolt lock. I learned that there are 9 steps to achieve best security, which include: inspect all locks on a regular basis, issue keys only to authorized persons, keep records of who uses and turns in keys, and keep track of keys issued with their number and identification for both master keys and duplicates. I am one of the people who has a pass-code to disarm the alarm and am almost always the one who disarms the alarm every morning. I know my office follows most of the steps to achieve best security.
In addition to deadbolt locks, there is something called a cipher lock which I have never heard of. These are locks using buttons that must be pushed in the proper sequence to open the door. A cipher lock can be programmed to allow a certain person's code to be valid on specific dates and times. I found that to be very interesting and a smart way to control access. The downside is somebody could be looking over your shoulder so a person would need to be careful to conceal which buttons are being pushed.
In past jobs I have used an ID badge with a bar-code to swipe my way through a secured entrance. I learned that the ID badge is a type of physical token. At another company I worked for, I used an ID badge that could be detected by a proximity reader which meant I only needed the badge to be in my purse and as soon as it was detected by the reader I was allowed entrance into the building. In my current job, I must use a personal identification number and a password to clock in when I arrive to work, and clock out when I leave for the night. This is called multifactor authentication. I also use multifactor authentication when logging onto the network and the mainframe.
I learned about the various aspects of security policies. My company's security policy seems to be basic but effective. It's somewhat restrictive as it blocks certain websites and content such as YouTube and Facebook. We do not have authorization to install or update software. We have access to areas of the network that enable us to do our jobs and nothing more. Emails are supposed to be business only, but everybody uses email to send personal messages outside of the company. There is at least one person I work with who spends too much time surfing the internet for non-business purposes, which is frowned upon by the security/internet policies. We are expected to use the company's computers strictly for business purposes and to treat all information as confidential and handle it as such. We are required (actually we are forced) to change our passwords to the network and to the mainframe every 60 days. Our textbook describes several other policies such as acceptable encryption policy, automatically forwarded email policy, server security policy, and wireless communication policy, to name a few. The wireless communication policy defines standards for wireless systems used to connect to the organization's networks.
I learned that there are best practices for access control which are procedures rather than part of a technology. These procedures can be used to limit access. They include separation of duties, job rotation, mandatory vacations, and the principle of least privilege. Following these procedures can prevent workplace fraud.
The most interesting part of the chapter was the section on computer forensics. Computer forensics uses digital technology to search for evidence of a crime, and can attempt to retrieve information from digital devices, even if it has been altered or erased, for use in the pursuit of the attacker or criminal. It is very interesting that according to the FBI, 85% of crimes committed today leave behind digital evidence that can be retrieved through computer forensics!