Evaluating the Risks
Risk analysis involves determining what you'll need to protect, what you'll need to protect it from, and how to protect it. This process forces you to examine all of your risks, ranking each one by severity level.
Possible risks to your network include:
- Unauthorized access.
- Unavailable service, which can include some or all network services, corruption of data, or a slowdown due to a virus.
- Disclosure of sensitive information, especially that which gives someone else a particular advantage, or theft of information such as credit card information.
Once you've put the list together, then you'll need a scheme for weighing the risk against the importance of the resource. This exercise will enable the site policy makers to determine how much effort to spend protecting the resource.
Defining a Policy for Acceptable Use
To define a policy for how users will interact with the network, you'll need to consider the following in a policy for acceptable use:
- Who is allowed to use the resources?
- What is the proper use of the resources?
- Who is authorized to grant access and approve usage?
- Who may have system administration privileges?
- What are the users' rights and responsibilities?
- What are the rights and responsibilities of the system administrator vs. those of the user?
- What do you do with sensitive information?
For example, you'll want to cover the following topics when defining the users' rights and responsibilities:
- What guidelines you have regarding resource consumption (whether users are restricted, and if so, what the restrictions are).
- What might constitute abuse in terms of system performance.
- Whether users are permitted to share accounts or let others use their accounts.
- What level of secrecy users should apply to their login/password information.
- How often users should change their passwords and any other password restrictions or requirements.
- Whether you provide backups or expect the users to create their own.
- Disclosure of information that may be proprietary.
- Statement on Electronic Mail Privacy (Electronic Communications Privacy Act). Specifically, does the company consider electronic mail private to each employee, or do they consider it the property of the organization?
- Your policy concerning mail or postings to mailing lists or discussion groups (obscenity, harassment, etc.), and on representing the organization to these areas.
- Policy on electronic communications: mail forging, etc.
You'll also need to define who'll interpret the policy - an individual or a committee. No matter how well written, the policy will require interpretation from time to time, and this body will serve to review, to interpret, and to revise the policy as needed.