Now we will try to describe mistakes that can make a security policy ineffective.

A general rule is that a security policy should define both allowed and forbidden use of the system.

Let's try to visualize an effective security policy. The barrier you can see in the picture is a good metaphor for such a policy. It was probably placed there to slow down cars driving on a small street. However, as you can see, it's easier for the drivers to drive around the barrier than to wait for it to go up. That doesn't really make children playing on the grass nearby any safer.

A poorly thought out security policy gives similar results. The bottom line is that you mustn't create a security policy that would make users look for ways to bypass it.

Now a few words on privacy policy in general: if your firm doesn't have a privacy policy, how should you go about creating one?

First, you have to describe the threat. Next, you should define the scope of responsibility. Then you ought to determine who, and under what conditions, would gain access to the system. It means you should also specify how to apply for an account or a login.

A real-life example: in order to get a login to the IT system in a certain company, a new employee had to go through a very complicated procedure. They had to fill in a form, then get the signatures of their immediate superior, the IT department manager and the branch manager. The application would then go to the IT department, and they would create an account.

The procedure seems well thought through; it certainly prevents unauthorized people from getting an account. However, in a large corporation one day may not be enough to find both your immediate superior and the IT department manager and get them to sign your application. And obviously, if you don't get the signatures, you can't hand in the application and you won't get the account. If you don't get an account, you can't work. It may not help you make a good impression in a new job if you wait three days to start working because you don't have access to the IT system. Nobody would like to be in such an awkward situation.

So, in order to make it all happen faster, you would probably call the IT department asking when you can get the account, and people in the IT department don't like such phone calls.

Well, some may think that preparing a number of blank applications signed beforehand would be a good idea. That's what they did in the company I mentioned. After some time they discovered increased traffic on their WWW server; it turned out that somebody had been using it to store and share films. Every film was put there by a user by the name of John Doe. Obviously, there had never been a John Doe working in that company.

Sometimes a user account must be deleted. Therefore, a security policy should also state who, when and how an account would be deleted.

In one of the next modules we will discuss the issue of password security, which is also a part of security policy.

Security policy also includes the issues of using network resources, local and remote access, and data security. Users must know how to categorize data as public, private, confidential and sensitive. Otherwise you won't be able to get the users to comply with a security policy.

The rules of a security policy should also include Internet identity authentication principles.