I have to admit it, but I have a real aversion to paper. I can work on computers and networks all day long. But the moment you start making me fill in forms and checklists and meetings and all that stuff, I start to collapse pretty fast. Anyway, with that in mind, guess what? Security+ is full of different types of security policies. Now, there are hundreds and hundreds, I mean, literally hundreds of different types of security policies out there.
But luckily for us, Security+ only covers in detail a very few of them, and in this episode, my friends, we're gonna pound every one of them out. So let's go ahead and get started, taking a look at a number of important security policies you're going to see on Security+. First is the famous acceptable use policy. The acceptable use policy is the most well known simply because just about everybody who gets on as a new hire with a company is usually asked to sign this. An acceptable use policy defines what a person can and cannot do on company assets. Now, when we talk about IT security, what we're really talking about is what can you do on the computers and on the internet that you're accessing through the company.
So an acceptable use policy is going to be covering things like personal use of the computer. It's going to talk about, you know, you can't look at pornography, you can't be buying and selling things on eBay during company hours, and it's going to define where you get to store stuff and where you can't store stuff. The problem with acceptable use policies is that nobody can predict all the things that we don't want you to do. So they tend to use very broad strokes, as a policy should, to make sure you're being a good little employee. Next are data sensitivity and classification policies. Data sensitivity and classification just means you have to define how important different types of data are. So within an organization, we can classify this data by applying labels to it. In the big federal government, you'll see things like top secret and stuff like that.
But even in the private sector, we'll see stuff like "this is highly confidential," and a lot of organizations will generate their own gradation of classification of data sensitivity. It at least gives people an idea of how important different types of data are, and what we are to do with them. Next are access control policies. An access control policy defines how people get access to our data and other resources. So when we're talking about an access control policy, that can actually cover a lot of different stuff. For example, it could define how you use passwords or fobs or smart cards or whatever you might want to use for authentication. It can define, based on the type of job you have, what type of access to what type of classified data you have.
It can define, based on your job title, what you can and cannot do. So an access control policy tends to be a fairly big document. In fact, even though it's a big document, a lot of times access control policies will be incorporated into things like acceptable use policies and data classification policies. There's no fixed rule that says you have to have each and every one of these policies, but I assure you this: you will have a policy on access control. Next is a password policy. A password policy defines how you deal with passwords.
Now, a password policy is another one of those policies that can often get snuck into different policies. So it's not real common to see a password policy as its own standing document. Now, the thing about password policies is that it's easy to remember stuff like, yeah, we need to use long and complex passwords, but a good password policy will cover more than that. It'll cover things like, for example, if someone loses their password, how do we go about getting it back? If someone logs in wrong too many times, how do we deal with that? If a password change requirement is part of this, can they use a password that they used two times before?
So a password policy covers more than just the length and the complexity of passwords, because there's a lot to passwords. The next type of policy is care and use of equipment. So without even telling you anything, if you're reading this, you might be going, gee, care and use of equipment, wouldn't that be kind of under acceptable use policy? Well, yeah. And also, no. First of all, you can put this policy as part of acceptable use, but when we talk about care of equipment, what we're really talking about is not so much the data and what you're doing with the equipment, but how you maintain the equipment, how you borrow the equipment.
Now, you can still have privacy policies in house, but they tend to be kind of boring. In-house privacy policies basically tell the employees: everything you do on the computers here in the office, we can look at, we can snoop on, we can do whatever we want to do. Where it gets interesting is when we have privacy policies that are applied to our customer base. And probably the best example of this are the many, many different types of web apps we have out there. Facebook, of course, eBay, Google. And whenever you use these, or at least the first time you do, there really is a policy that you have to agree to in order to use Google or Facebook or eBay or whatever it is.
And they're using this stuff to put up different ads, which, in essence, it's Google. What are you going to do? I don't know about you guys. But when it comes to privacy policies in house, well, there's not much I can do about it. But when it comes to dealing with these different types of web apps, I read every single line. The last type of policy I want to talk about are personnel policies. A personnel policy has to deal with the people that are dealing with our data.
So what do you do with people? Well, for example, one of the things you might want to do is, if this is really important information, you might want to do some background checks. Or if this is military, you might want to do some kind of security clearances. And this is where we start dealing with that stuff. That's the job of the personnel policy. Personnel policies don't stop there, though. For example, they might handle things like we will use job rotation, we will have mandatory vacations. If it has to do with a person,
and it has to do with a person who's dealing with data, it goes under personnel policy. Yep, that's a lot of different policies. And folks, I hate to tell you this, but you've got to memorize every single one of these, because Security+ goes nuts about what type of policy would be discussing least privilege and what type of policy would be handling different levels of classification of data, and they will hit you on this. So you've got to take some time. If there's going to be one episode you'll probably watch a few times, it's going to be this one. Make sure you know all of these different policies in all the detail that's described.