05信息系统安全管.pptVIP

* Employee security training begins during new-employee training, with the explanation of general security policies and procedures. That general training must be amplified in accordance with the position’s sensitivity and responsibilities. Promoted employees should receive security training that is appropriate to their new positions. The company should not provide user accounts and passwords until employees have completed required security training. * Enforcement consists of three interdependent factors: responsibility, accountability, and compliance. First, the company should clearly define the security responsibilities of each position. The design of the security program should be such that employees can be held accountable for security violations. Procedures should exist so that when critical data are lost, it is possible to determine how the loss occurred and who is accountable. Finally, the security program should encourage security compliance. Employee activities should regularly be monitored for compliance, and management should specify disciplinary action to be taken in light of noncompliance. * Systems Procedures Figure shows a grid of procedure types—normal operation, backup, and recovery. Procedures of each type should exist for each information system. For example, the order-entry system will have procedures of each of these types, as will the Web storefront, the inventory system, and so forth. The definition and use of standardized procedures reduces the likelihood of computer crime and other malicious activity by insiders. It also ensures that the system’s security policy is enforced. * Backup procedures concern the creation of backup data to be used in the event of failure. Whereas operations personnel have the responsibility for backing up system databases and other systems data, departmental personnel have the need to back up data on their own computers. Employees should ensure that they back up critical business data on their computers. The IS de