
IT support confidentiality of information

ounisz asked
Last Modified: 2012-05-12
Any IT support (network administration / backup administration / desktop technical, etc.) has certain access to users' resources, information, confidentiality, etc.

I am looking for a well-written acceptable use policy that they must respect, and would like to implement it among the IT support.
Unfortunately I found a lot of IT acceptable use policies on the net, but none concerning the IT support.
Thanks

Commented:
Yes, policy is important, but ensuring the access is appropriate is the first step.
All access should be by named users, not by generic name, i.e. don't use administrator, root or sysadmin; use delegation (or sudo in Linux / Unix) to allow admin_jsmith to do the admin work.
All access should be least privilege, so if you have one team looking after AD and another looking after Exchange, if they don't need admin access on each other's systems, don't give it.

Auditability - all admin access should be audited (SCOM, auditd, loginlog, sulog etc), so in the event of inappropriate access, disciplinary action can follow.

You must be open with the business, so they know that admins do have access, but that that access is appropriate and audited.
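The named-account and auditability points in the comment above, as an added example that is not part of the original thread: a small review of an auth log that flags direct logins as generic accounts (which cannot be tied to a person) and lists sudo commands per named admin. The log lines are constructed samples in the usual OpenSSH / sudo syslog layout, and the host names, addresses and `admin_bjones` are assumptions.

```python
import re
from collections import defaultdict

# Generic account names called out in the comment above.
GENERIC_ACCOUNTS = {"administrator", "root", "sysadmin"}

# Constructed sample lines in the usual OpenSSH / sudo syslog layout (assumption).
SAMPLE_LOG = """\
May 12 09:01:12 fs01 sshd[2210]: Accepted publickey for admin_jsmith from 10.0.4.17 port 50122 ssh2
May 12 09:02:40 fs01 sudo: admin_jsmith : TTY=pts/0 ; PWD=/home/admin_jsmith ; USER=root ; COMMAND=/usr/bin/systemctl restart smbd
May 12 09:15:03 fs01 sshd[2291]: Accepted password for root from 10.0.4.23 port 50301 ssh2
May 12 09:20:55 mail01 sshd[1877]: Accepted password for sysadmin from 10.0.4.23 port 50377 ssh2
May 12 09:31:09 mail01 sudo: admin_bjones : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/cat /var/mail/ceo
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r".*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")

def review(log_text):
    """Return (generic_logins, sudo_by_admin) for an auth log."""
    generic_logins = []                 # sessions nobody can be held to account for
    sudo_by_admin = defaultdict(list)   # privileged commands tied to a named person
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if m and m["user"].lower() in GENERIC_ACCOUNTS:
            generic_logins.append((m["ts"], m["host"], m["user"], m["src"]))
            continue
        m = SUDO_RE.match(line)
        if m:
            sudo_by_admin[m["user"]].append((m["ts"], m["host"], m["cmd"]))
    return generic_logins, dict(sudo_by_admin)

if __name__ == "__main__":
    logins, sudo = review(SAMPLE_LOG)
    for ts, host, user, src in logins:
        print(f"UNATTRIBUTABLE {ts} {host}: direct login as '{user}' from {src}")
    for admin, cmds in sudo.items():
        for ts, host, cmd in cmds:
            print(f"attributable   {ts} {host}: {admin} ran {cmd}")
```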

Author

Commented:
I have all of these set up properly; however, as part of ethics we want to ensure that an acceptable policy is signed by the team to make sure that they do not download, take or disclose confidential data.
Commented:
I feel with any policy you should be as broad as possible; the more prescriptive it is, the more loopholes there can be. So something like:

As part of your role you may become exposed to sensitive information*, you may not copy, use or disclose this information for any purpose without the explicit written consent of your manager or Information Compliance Officer.

Then define sensitive information as something like:
*sensitive information includes, but is not limited to: Personally Identifiable Information (PII), Credit Card data, Intellectual Property, Information that may affect the company's share price, any data covered by NDA or other contracts with third parties.

Author

Commented:
Well, as a start it's very good.
Thank you for sharing.
