Week 13 Module

The document discusses access controls and authentication. It describes the four main processes of access control: identification, authentication, authorization, and accounting. It also discusses least privilege, implicit deny, discretionary access control, role-based access control, and mandatory access control.

Uploaded by

Wawi Dela Rosa

Access Controls

An access control system is the set of technical controls that govern how subjects may interact with objects.
Subjects in this sense are users or software processes or anything else that can request and be granted access
to a resource. Objects are the resources; these could be networks, servers, databases, files, and so on. In
computer security, the basis of access control is usually an Access Control List (ACL). This is a list of subjects
and the rights or permissions they have been granted on the object.

An access control system is usually described in terms of four main processes:

■ Identification—creating an account or ID that identifies the user or process on the computer system.

■ Authentication—proving that a subject is who or what it claims to be when it attempts to access the resource.

■ Authorization—determining what rights or permissions subjects should have on each resource and enforcing
those rights.

■ Accounting—tracking authorized and unauthorized usage of a resource or use of rights by a subject.

Least Privilege and Implicit Deny

The more privileges and permissions you allocate, and the more users you allocate them to, the greater the risk
that a privilege will be misused. Authorization policies reduce this risk by limiting the allocation of privileges as
far as possible. This principle is referred to as least privilege: a user (or process) should be granted only the
rights necessary to perform their job, and no more.

As part of least privilege, access controls are usually founded on the principle of implicit deny. This means that
unless there is a rule specifying that access should be granted (explicit authorization), any request for access is
denied.

This principle can be seen clearly in firewall policies. A firewall filters access requests using a set of rules. The
rules are processed in order from top to bottom. If a request does not fit any of the rules, it is handled by the last
(default) rule, which is to refuse the request.
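
The following is an added worked example (it is not part of the original module) of the firewall evaluation just described: a small rule set, constructed for illustration, is processed top to bottom, the first matching rule decides, and any request that matches nothing falls through to the implicit deny. The addresses and ports are made-up values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One firewall rule. A field left as None matches any value."""
    action: str                     # "allow" or "deny"
    src: Optional[str] = None       # source network in CIDR notation
    dst_port: Optional[int] = None  # destination port
    proto: Optional[str] = None     # "tcp" or "udp"

    def matches(self, src_ip: str, dst_port: int, proto: str) -> bool:
        if self.src is not None and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        return True


# Constructed example policy, processed top to bottom.
# Rule 2 (deny) is deliberately placed above rule 3 (allow): order matters.
POLICY = [
    Rule("allow", src="10.0.0.0/8", dst_port=22, proto="tcp"),        # 0: SSH from the corporate range
    Rule("allow", dst_port=443, proto="tcp"),                         # 1: HTTPS from anywhere
    Rule("deny", src="192.168.50.0/24"),                              # 2: quarantined guest VLAN, all traffic
    Rule("allow", src="192.168.0.0/16", dst_port=3389, proto="tcp"),  # 3: RDP from the rest of 192.168/16
]


def evaluate(policy, src_ip: str, dst_port: int, proto: str):
    """First matching rule wins. If nothing matches, the implicit default
    rule applies: deny. Returns (action, index of the rule that decided)."""
    for index, rule in enumerate(policy):
        if rule.matches(src_ip, dst_port, proto):
            return rule.action, index
    return "deny", None          # no explicit authorization exists, so refuse


if __name__ == "__main__":
    for pkt in [("10.1.2.3", 22, "tcp"), ("192.168.50.7", 3389, "tcp"),
                ("192.168.7.7", 3389, "tcp"), ("203.0.113.9", 22, "tcp")]:
        print(pkt, "->", evaluate(POLICY, *pkt))
```

The last packet (SSH from an address outside 10.0.0.0/8) matches no rule and is refused by the implicit default; the guest-VLAN host is refused by rule 2 even though rule 3 would have allowed it, which is why rule order must be reviewed whenever a policy is changed.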

Authorization Access Models

An important consideration in designing a security system is to determine how users receive rights; or, to put it
another way, how Access Control Lists (ACL) are written. Access control or authorization models are generally
classed as one of the following:

■ Discretionary Access Control (DAC) stresses the importance of the owner. The owner is originally the creator
of the resource, though ownership can be assigned to another user. The owner is granted full control over the
resource, meaning that he or she can modify its ACL to grant rights to others.

■ Role-based Access Control (RBAC) adds an extra degree of administrative control compared to DAC. Instead of
resource owners granting rights to individual users at their discretion, an administrator defines a set of
organizational roles, attaches permissions to each role, and allocates users to roles; a user's rights are those of
the roles they hold. You can see a simple version of RBAC working in the division of Windows user account types
into Administrators and Standard Users.

■ Mandatory Access Control (MAC) is based on the idea of security clearance levels. Rather than defining access
control lists on resources, each object and each subject is granted a clearance level, referred to as a label. If the
model used is a hierarchical one (that is, high clearance users are trusted to access low clearance objects),
subjects are only permitted to access objects at their own clearance level or below. Alternatively, each resource
and user can be labeled as belonging to a domain (compartmentalized). A user may only access a resource if
they belong to the same domain. This is an instance of a "Need to Know" or least privilege policy put into practice.
■ Rule-based access control is a term that can refer to any sort of access control model where access control
policies are determined by system enforced rules rather than system users. As such, RBAC and MAC are both
examples of rule-based (or non-discretionary) access control. Another instance of rule-based access control is
continuous authentication. For example, with the Windows User Account Control (UAC) feature, just because
the user has signed in does not mean that Windows fully trusts the account to exercise its privileges. When the
account tries to do something protected by UAC, such as installing an app, the user must confirm the action with
a prompt. This protects against account hijacking by a malicious script or similar.
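
As an added example, not from the original module, the two non-discretionary models above implemented as decision functions: a MAC check in which the subject's label must dominate the object's label (hierarchical level at least as high, and every compartment held, which is the need-to-know rule), and an RBAC check in which permissions attach to roles rather than to users. The clearance names, roles and users are constructed for illustration.

```python
from dataclasses import dataclass

# Hierarchical clearance levels, lowest to highest (constructed example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know domains, e.g. {"CRYPTO"}

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as high in the hierarchy AND
        carries every compartment the other label is marked with."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_can_read(subject: Label, obj: Label) -> bool:
    # "No read up": a subject reads objects at or below its clearance, but only
    # if it also holds every compartment on the object (compartmentalization).
    return subject.dominates(obj)


# RBAC: permissions are attached to roles; users acquire rights only via roles.
ROLE_PERMISSIONS = {
    "helpdesk": {"user:reset_password", "ticket:read"},
    "dba": {"db:backup", "db:restore", "ticket:read"},
    "auditor": {"log:read", "ticket:read"},
}
USER_ROLES = {
    "alice": {"helpdesk"},
    "bob": {"dba", "auditor"},
    "carol": set(),          # an account with no role has no rights at all
}


def rbac_permitted(user: str, permission: str) -> bool:
    """Implicit deny: unknown users, unknown roles and unlisted permissions all fail."""
    roles = USER_ROLES.get(user, set())
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    print(mac_can_read(analyst, Label("CONFIDENTIAL")))                     # True: read down
    print(mac_can_read(analyst, Label("TOP SECRET")))                       # False: read up
    print(mac_can_read(analyst, Label("SECRET", frozenset({"NUCLEAR"}))))  # False: wrong compartment
    print(rbac_permitted("bob", "db:restore"), rbac_permitted("alice", "db:restore"))
```

Note that a TOP SECRET subject is still refused a CONFIDENTIAL object marked with a compartment it does not hold: the hierarchy and the compartments are checked independently, which is what puts "need to know" into practice.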

Accounting and Non-repudiation

The accounting part of the access control system provides an audit log of how users have authenticated to the
network and used their access privileges. Accounting is usually provided for by logging events. Computer
systems support logging of pretty much any kind of event. Examples of events are a user signing in or attempting
to modify a file or install an app. Another example is the history of URLs visited kept by a web browser. This
allows the accounting system to track what users are doing within the system.
Accounting is an important part of ensuring non-repudiation. Non-repudiation is the principle that the user cannot
deny having performed some action. Apart from logging, several mechanisms can be used to provide non-
repudiation:

■ Video—surveillance cameras can record who goes in or out of a particular area.

■ Biometrics—strong authentication can prove that a person was genuinely operating their user account and
that an intruder had not hijacked the account.

■ Signature—similarly, a physical or digital signature can prove that the user was an author of a document (they
cannot deny writing it).

■ Receipt—issuing a token or receipt with respect to some product or service is proof that a user requested that
product and that it was delivered in a timely manner.
User Account Types
Part of the identification process is to allocate each user with their own account on the computer system and
network.

User Accounts

A user account ensures that the identity of someone using a computer is validated by the operating system at
log on. This validation is typically achieved by entering a user account name and a secret password but could
use a different type of credentials. Requiring the user to log on before accessing the computer or network is
called mandatory logon.
When Windows is installed, a number of default user accounts are created. The main ones are:

■ Administrator user account—as a member of the Administrators group this account has complete control over
the local computer. This account should be protected by a strong password. The account is disabled by default.

■ Guest user account—this account is also disabled by default. It can be enabled on "professional" versions of
Windows but should not generally be used. If the guest account is enabled, anyone can use the computer without
needing to enter a password.

■ A user account created during setup—this can either be a local account or a Microsoft account, used to access
Microsoft online services, such as Office 365. By default, it is a member of the local Administrators group and
should be protected by a strong password.
The administrative user created during setup may also create extra user accounts for the people who are going
to use the computer. Generally speaking, these should be configured as standard user accounts.
The administrative user should create a standard user account for themselves. Even with User Account Control,
it is best practice not to use an account with administrative privileges for day-to-day tasks, such as web browsing
or using Office applications.
Group Accounts

Permissions and rights can be assigned directly to individual user accounts, but if there are a large number of
users, this quickly becomes difficult to manage and audit. Administration is simplified by the use of group
accounts. A user can belong to one or more groups and inherits the permissions and privileges allocated to those
groups.

As noted above in the discussion of user accounts, Windows creates several default group accounts. The only
two we need to consider here are administrators and standard users:

■ Administrators—user accounts belonging to this group have complete control over the computer. This group
should be used sparingly.

■ Standard users—this group allows use of Microsoft Store apps and basic configuration of display and input
settings, but tasks such as installing software, configuring hardware, or changing system properties are
restricted.

Windows uses a simplified access control model when it is part of a workgroup. In practice only two group
accounts matter to ordinary users: Administrators and Standard Users (other built-in groups exist but are rarely
used in this setting). The use of additional, custom group accounts is associated more with domain networks. The
Local Users and Groups management console (lusrmgr.msc) is not available in the "home" editions of Windows.

Authentication Factors

Authentication is the process of ensuring that each account is only operated by its proper user. There are many
different authentication technologies. They can be categorized as something you know (such as a password),
something you have (such as a smart card), or something you are (such as a fingerprint). These different ways
of authenticating a subject are referred to as factors. Each factor has advantages and drawbacks.

Something You Know Authentication

The typical "something you know" technology is the logon or sign-in. A sign-in comprises a username and a
password. The username is typically not a secret, though it should not be published openly, but the password
must be known only to the account holder. A passphrase is a longer password comprising a number of words.
This has the advantages of being more secure and easier to remember. A Personal Identification Number (PIN)
is another example of something you know as is the response to a pattern lock.

Another important concept in "something you know" authentication is Personally Identifiable Information (PII). PII
is often used for security questions in password reset mechanisms and to confirm identity over the telephone, for
example responses to challenge questions such as "What is your favorite color/pet/movie?" Treat these as weak
secrets: the answers are frequently discoverable from social media or public records, or guessable from a short
list of common responses, so they should never be the only thing protecting an account.

Something You Have Authentication

Password-type credentials are generally seen as not providing adequate security for high-risk applications, such
as corporate network logons or online banking. One solution is to provide each user with a unique hardware
token to prove their identity.

There are various ways to authenticate a user based on "something they have." The most widely used is the
smart card or USB fob, which contains a chip with authentication data, such as a digital certificate. The card
must be presented to a card reader before the user can be authenticated. This is typically combined with a user
name/password logon or Personal Identification Number (PIN) code. This protects the token against
unauthorized use in the event that it is lost or stolen.
Another hardware authentication device is the SecurID token, developed by RSA. This generates a number code
synchronized to a code on a server for the user to enter to log on, again combined with a secret PIN, in case the
device is stolen. The code changes every 60 seconds or so. This is an example of a one-time password.
A software token is generated by an application and stored on the user's computer or smartphone, as a web
cookie for instance. It is important that such tokens use encryption so that they cannot be misused.
The main concerns with token-based technologies are loss and theft and the chance that the device can be
counterfeited or that a software token can be replayed. There are also extra setup and maintenance costs.

Something You Are Authentication

"Something you are" authentication means employing some sort of biometric recognition system. Many types of
biometric information can be recorded, including fingerprint patterns, iris or retina recognition, or facial
recognition. The chosen biometric information is scanned and recorded and stored as a template in a database.
When the user wants to access a resource, they are re-scanned and the scan compared to the template. If they
match, access is granted.

The main problems with biometric technology are that users find it intrusive and threatening to privacy, the setup
and maintenance costs, and the chance that the sensor can be spoofed with a counterfeit (a copied fingerprint or
a photograph, for instance). Biometrics are also prone to false negatives, where a valid user is refused access
(measured as the False Rejection Rate, FRR), and false positives, where an intruder is misidentified as a valid
user or one user is mistaken for another (the False Acceptance Rate, FAR). Tuning a system to reduce one type
of error generally increases the other.

Windows 10 provides support for biometric authentication through the use of an architecture known as Windows
Hello. If your computer is Windows Hello capable, you will see the option in Settings > Accounts > Sign-in options
under the Windows Hello heading.

Somewhere You Are Authentication

Location-based authentication measures some statistic about "where" you are (your presence in a specific
location). This could be a geographic location, measured using GPS (Global Positioning System) and/or IPS
(Indoor Positioning System), or it could be by IP address. The IP address could also be used to refer to a logical
network segment or it could be linked to a geographic location using geoip.
Location-based authentication is not used as a primary authentication factor, but it may be used as a continuous
authentication mechanism or as an access control feature. For example, if a user enters the correct credentials
at a remote network access gateway but their IP address shows them to be in a different country than expected,
access controls might be applied to restrict the privileges granted or refuse access completely.

Multifactor and Two-factor Authentication

An authentication product is considered "strong" if it combines the use of more than one authentication data
type. This is called multifactor authentication. Single-factor authentication systems can quite easily be
compromised: a password could be written down or shared, a smart card could be lost or stolen, and a biometric
system could be subject to high error rates.

Two-factor authentication combines something like a smart card or biometric mechanism with "something you
know," such as a password or PIN. Three factor authentication combines all three technologies. An example of
this would be a smart card with integrated thumb or fingerprint reader. This means that to authenticate, the user
must possess the card, the user's fingerprint must match the template stored on the card, and the user must
input a PIN.

Multifactor authentication requires a combination of different factor types, not several pieces of evidence of the
same type. For example, requiring a PIN along with a date of birth may be stronger than entering a PIN alone, but
both are "something you know," so it is not multifactor.
Single Sign-On

Single Sign-On (SSO) means that a user only has to authenticate to a system once to gain access to all its
resources—that is, all the resources to which the user has been granted rights. An example is the Kerberos
authentication and authorization model used on Windows enterprise networks. This means, for instance, that a
user who has authenticated with Windows is also authenticated with the Windows domain's database and email
services.

The advantage of single sign-on is that each user does not have to manage multiple user accounts and
passwords. The disadvantage is that compromising the account also compromises multiple services.
It is critical that users do not re-use work passwords or authentication information on third-party sites. Of course,
this is almost impossible to enforce, so security managers have to rely on effective user training.

Uses of Encryption

Encryption is an ancient technique for hiding information. Someone obtaining an encrypted document, or cipher
text, cannot understand that information unless they possess a key. The use of encryption allows sensitive data
to travel across a public network, such as the Internet, and remain private. Even if an eavesdropper could
intercept and examine the data packets, the content would be unreadable.

The following terminology is used to discuss cryptography:

■ Plain text (or clear text)—this is an unencrypted message.

■ Cipher text—an encrypted message.

■ Cipher—this is the process (or algorithm) used to encrypt and decrypt a message.

It is also important to understand that there are different types of encryption and cryptographic processes. These
include cryptographic hashing, symmetric encryption, and asymmetric encryption. Often two or more of these
three different types are used together in the same product or technology.

Symmetric Encryption

In symmetric encryption, a single secret key is used to both encrypt and decrypt data. The key is called secret
because it must be kept secret: if it is stolen, anyone holding it can read the data (and forge new messages), and
if it is lost, the data it protects cannot be recovered.
Symmetric encryption is also referred to as single-key or private-key encryption. Note that "private key" is also
used to refer to part of the PKI process (see below), so take care not to confuse the two uses.

The main problem with symmetric encryption is secure distribution and storage of the key. This problem grows
rapidly with the number of parties: if every pair of n users needs its own shared key, n(n-1)/2 keys must be
generated and distributed. The main advantage is speed, as symmetric key encryption is far less processor and
memory intensive than asymmetric encryption.

Symmetric encryption is used to encode data for storage or transmission over a network. Some examples of
symmetric encryption technologies or ciphers are 3DES, AES, RC (Rivest Cipher), IDEA, Blowfish/Twofish, and
CAST. Of these, AES is the current standard; older ciphers such as DES/3DES and RC4 are deprecated and should
not be selected for new systems.

One of the principal measures of the strength of a cipher is the size of its key, because that sets the cost of a
brute-force search. Early ciphers used keys of 40 to 64 bits (DES had a 56-bit key), which can now be exhausted
with commodity hardware. For symmetric ciphers, 128-bit keys are the minimum for general use today and 256-bit
keys are chosen for highly sensitive data. Asymmetric key sizes are not comparable: an RSA key must be 2048
bits or more to give equivalent security, and 1024-bit RSA keys are considered too weak. The larger the key,
however, the more processing is required to perform encryption and decryption.
Asymmetric Encryption
In asymmetric encryption, or Public Key Cryptography, a secret private key is used to decrypt data. A
mathematically related public key is used to encrypt data. This public key can be widely and safely distributed to
anyone with whom the host wants to communicate, because the private key cannot be derived from the public
key. Also, the public key cannot be used to decrypt a message that it has just encrypted.

A key pair can be used the other way around. If the private key is used to encrypt something, only the public key
can then decrypt it. The point is that one type of key cannot reverse the operation it has just performed.
Asymmetric encryption is mostly used for authentication technologies, such as digital certificates and digital
signatures, and key exchange. Key exchange is where two hosts need to know the same symmetric encryption
key without any other host finding out what it is. Symmetric encryption is much faster than asymmetric, so it is
often used to protect the actual data exchange in a session. Asymmetric encryption is more complex, taking
longer for a computer to process, and so typically only used on small amounts of data, such as the authentication
process to set up the session.

RSA is the most widely deployed asymmetric cipher; elliptic curve algorithms (ECDSA for signatures and ECDH for
key exchange) are increasingly common because they offer equivalent security with much shorter keys.

Public Key Infrastructure (PKI)

Asymmetric encryption is an important part of Public Key Infrastructure (PKI). PKI is a solution to the problem of
authenticating subjects on public networks. Under PKI, users or server computers are validated by a Certificate
Authority (CA), which issues the subject a digital certificate. The digital certificate contains a public key
associated with the subject embedded in it. The certificate has also been signed by the CA, guaranteeing its
validity. Therefore, if a client trusts the signing CA, they can also trust the user or server presenting the certificate.

The client can then send the server (comptia.org for example) data (their credit card details for example)
encrypted using the public key, safe in the knowledge that only that particular server will be able to decrypt it
(using its private key). A similar technique can be used to encrypt the contents of emails. The sender uses the
recipient's public key to encrypt the data with the assurance that only the linked private key can be used to
decrypt the data again. PKI can also be used by mobile applications to encrypt any data sent between the client
and the server.

Digital certificates are also used for secure authentication to computer networks. The certificate is stored with
the private key on a smart card hardware token. To authenticate, the card provides the certificate to the
authentication server, which checks that it is valid and trusted. It then uses the public key in the certificate to
issue an encrypted challenge to the user. The smart card should be able to decrypt this challenge using the
private key and send an appropriate response.

Digital Signatures

Public/private key pairs can use the reverse encryption/decryption relationship to sign messages. In this
scenario, the user uses his or her private key to encrypt a message signature then distributes the linked public
key wrapped in a digital certificate to the message recipient. The fact that the public key embedded in the
certificate can decrypt the signature proves that the sender signed it, because the encryption must have been
performed with the linked private key.
Cryptographic Hashes

A hash is a short representation of data: you take a variable amount of information and the hash function converts
it to a fixed-length string (the digest). A cryptographic hash is designed so that it is computationally infeasible to
recover the original data from the digest (preimage resistance) or to find two different inputs that produce the same
digest (collision resistance). Since inputs outnumber digests, collisions must exist, but a good function makes them
impractical to find.

Cryptographic hashing can be used to prove that a message has not been tampered with. For example, when
creating a digital signature, the sender computes a cryptographic hash of the message and then encrypts the
hash with his or her private key. When the recipient receives the message and decrypts the hash, the recipient
computes its own hash of the message and compares the two values to confirm they match.
Cryptographic hashes are also used for secure storage of data where the original value does not need to be
recovered, passwords for instance. For this use a plain, fast hash is not enough: passwords should be stored with
a per-user random salt and a deliberately slow password-hashing function (PBKDF2, bcrypt, scrypt, or Argon2),
because a single pass of a general-purpose hash lets an attacker test billions of guesses per second.

Commonly encountered cryptographic hash algorithms are MD5 (Message Digest), SHA-1, and SHA-2 (Secure
Hash Algorithm, including SHA-256 and SHA-512). MD5 and SHA-1 are broken against collision attacks and must
not be used where collision resistance matters, such as digital signatures and certificates; SHA-2 (or SHA-3)
should be used for new systems.

Data States

When deploying a cryptographic system to protect data assets, thought needs to be given to all the ways that
information could potentially be intercepted. This means thinking beyond the simple concept of a data file stored
on a disk. Data can be described as being at rest or in transit:

■ Data at rest—this state means that the data is in some sort of persistent storage media. In this state, it is
usually possible to encrypt the data using techniques such as whole disk encryption, mobile device encryption,
database encryption, and file- or folder-level encryption.

■ Data in transit (or data in motion)—this is the state when data is transmitted over a network, such as
communicating with a web page via HTTPS or sending an email. In this state, data can be protected by a
transport encryption protocol such as Transport Layer Security (TLS); its predecessor, Secure Sockets Layer
(SSL), is deprecated and should be disabled.

Virtual Private Networks (VPN)

A Virtual Private Network (VPN) connects the components and resources of two private networks over another
public network or connects a remote host with an Internet connection to a private local network. A VPN is a
"tunnel" through the Internet or any other network. It uses special connection protocols and encryption technology
to ensure that the tunnel is secure and the user is properly authenticated.

Password Cracking and Management

"Something You Know" authentication is vulnerable to attempts to learn the password or passwords used to gain
access to a host or network. Passwords can be discovered via social engineering or because a user has written
one down. It is also possible to capture password packets in transit. If the protocol uses clear text credentials,
then the attacker's job is done. Most credentials are only sent using some sort of cryptographic protection
however.
Password Crackers

Even if the credentials are only transmitted or stored with cryptographic protection, an attacker who captures the
password hash can use password cracking software to recover the password. Cracking software does not reverse
the hash; it hashes candidate passwords and compares each result with the captured hash, using different methods
to choose the candidates:

■ Dictionary—the software matches the hash to those produced by ordinary words found in a dictionary. This
could also include information such as user and company names, pet names, or any other words or simple
phrases that people might naively use as passwords.

■ Brute force—the software tries to match the hash against one of every possible combination it could be. If the
password is short (under seven characters) and non-complex (using only letters for instance), a password might
be cracked in minutes. Longer and more complex passwords increase the amount of time the attack takes to
run—to years if the password is long and complex enough.
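
An added example (not from the module) showing both sides of the passage above and of the password-storage note in the Cryptographic Hashes section: a dictionary attack with the mutations users commonly apply, and a brute-force search, both run against unsalted SHA-256 hashes, followed by the defender's alternative, a salted PBKDF2 hash that makes every guess expensive. The wordlist and passwords are constructed for illustration.

```python
import hashlib
import hmac
import itertools
import os
import string

# Constructed wordlist standing in for a real dictionary or leaked-password list.
WORDLIST = ["password", "letmein", "fluffy", "acme2019", "qwerty"]


def unsalted_sha256(password: str) -> str:
    """The weak storage format under attack: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def mutations(word: str):
    """The cheap rule set crackers apply to every dictionary word:
    capitalization variants, a digit suffix, a trailing '!'."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for n in range(100):
            yield base + str(n)
        yield base + "!"


def dictionary_attack(target_hash: str, wordlist):
    for word in wordlist:
        for cand in mutations(word):
            if unsalted_sha256(cand) == target_hash:
                return cand
    return None


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Exhaustive search; the work grows as len(alphabet) ** length, which is
    why a few extra characters turn minutes into years."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            cand = "".join(combo)
            if unsalted_sha256(cand) == target_hash:
                return cand
    return None


# Defender side: a salted, deliberately slow password hash. Each guess now costs
# ITERATIONS HMAC computations, and the per-user salt defeats precomputed tables
# and forces every account to be attacked separately.
ITERATIONS = 600_000   # OWASP (2023) recommendation for PBKDF2-HMAC-SHA256


def store_password(password: str) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def check_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


if __name__ == "__main__":
    print(dictionary_attack(unsalted_sha256("Fluffy7"), WORDLIST))          # recovered instantly
    print(brute_force(unsalted_sha256("zap"), string.ascii_lowercase, 3))   # 18,278 guesses
    record = store_password("correct horse battery")
    print(record, check_password("correct horse battery", record))
```

Against the PBKDF2 records the same attacks still work in principle, but each candidate costs 600,000 HMAC operations instead of one, and two users with the same password produce different records, so a cracked hash tells the attacker nothing about the others.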

Password Best Practices

For a system to be secure against password crackers, strong passwords are required. The following rules make
passwords difficult to guess or crack:

■ Length—a longer password is more secure, and current guidance (NIST SP 800-63B) treats length as the main
source of password strength. Around 9–12 characters is the minimum suitable for an ordinary user account.
Administrative accounts should have longer passwords (14 or more characters).

■ Complexity can improve the security of a password:

● No single words—better to use word and number/punctuation combinations.

● No obvious phrases in a simple form—birthday, user name, job title, and so on.

● Mix upper and lowercase (assuming the software uses case-sensitive passwords).

■ Memorability—artificial complexity makes a password hard to remember, meaning users write them down or
have to reset them often. Using a long phrase, perhaps with one or two symbols and numerals mixed into it, can
offer a good balance between complexity and memorability.

■ Maintain confidentiality—do not write down a password or share it with other users.

■ History/expiration—many systems can enforce password expiration, meaning users must periodically choose a
new password, and can keep a history of previously used passwords to prevent the user from choosing the same
one again. Note that current guidance (NIST SP 800-63B) advises against forcing routine expiration, because it
pushes users toward predictable variations of the old password; instead, require a change when there is evidence
that the password has been compromised.

■ Reuse across sites—a typical user might be faced with having to remember tens of logons for different services
at work and on the Internet and resort to reusing the same password for each. This is insecure, as your security
becomes dependent on the security of these other (unknown) organizations: a password stolen from one site is
tried against every other account the attacker can link to the same person (credential stuffing). Users must be
trained to practice good password management, or at the very least not to re-use work passwords for web accounts.
Password Managers/Fillers

A password policy should balance ensuring that users select strong passwords, which cannot be cracked by
password-guessing software, and ensuring that they select memorable passwords and do not resort to reusing
them across sites or writing them down.

If users are permitted to write passwords down, they must at the very least be stored securely. If a note containing
a password is lost, the IT department should be informed and the password reset as soon as possible.

There are also various hardware and software password "fillers" that can store passwords for multiple accounts.

Password Reset

A password reset mechanism allows a user who has forgotten a password to self-select a new one. This
mechanism must obviously be well protected to prevent a malicious user from obtaining a new password for the
account. As noted above, reset mechanisms may depend on security question challenges such as, "Who was
your best friend at school?" Another popular mechanism is to register an alternative contact method, such as a
cell phone number or secondary email address. The reset mechanism sends a link or code to this contact to
authorize use.

The reset mechanism should also log the action and inform the user via their registered email address or cell
number that a reset has taken place.
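
As an added example, not from the module, a password-reset token store implementing the protections the paragraphs above call for: an unguessable token that is stored only as a hash, expires, and can be redeemed only once, with every issue and redemption attempt recorded for accounting. The 15-minute lifetime is an assumed policy value; delivering the token to the registered contact and notifying the user afterwards are left to the caller.

```python
import hashlib
import secrets

TOKEN_TTL = 15 * 60   # seconds; assumed policy value, not from the module


class ResetTokenStore:
    """Issues and redeems single-use password-reset tokens. Only a hash of each
    token is stored, so a leaked database does not hand an attacker live reset links."""

    def __init__(self):
        self._pending = {}     # sha256(token) -> (username, expires_at)
        self.audit_log = []    # accounting: (event, username, timestamp)

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str, now: float) -> str:
        token = secrets.token_urlsafe(32)                  # 256 bits of randomness
        self._pending[self._fingerprint(token)] = (username, now + TOKEN_TTL)
        self.audit_log.append(("issued", username, now))
        return token         # caller sends this to the registered phone/email only

    def redeem(self, token: str, now: float):
        """Returns the username whose password may now be changed, or None."""
        entry = self._pending.pop(self._fingerprint(token), None)   # pop: single use
        if entry is None:
            self.audit_log.append(("rejected_unknown", None, now))
            return None
        username, expires_at = entry
        if now > expires_at:
            self.audit_log.append(("rejected_expired", username, now))
            return None
        self.audit_log.append(("redeemed", username, now))
        return username      # caller sets the new password and notifies the user


if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.issue("alice", now=1000)
    print(store.redeem(token, now=1100))   # alice
    print(store.redeem(token, now=1200))   # None: already used
    print(store.audit_log)
```

Looking tokens up by their hash also means the comparison is a dictionary lookup on a random value, so no information about a valid token leaks through the unknown-token path, and rejected attempts remain visible in the audit log for the accounting function to alert on.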

Policies and Procedures

Employees are a vital component of a company's IT infrastructure, so they must understand how to use computers
and networked services securely and safely and be aware of their responsibilities. To support this, the organization
needs to create written policies and procedures to help staff understand and fulfill their responsibilities and follow
best practices.

The value of a comprehensive policy is that it removes any uncertainty that employees may have about what to
do in a given situation. For example, if you work for a large company and meet someone you do not recognize
in your work area, should you smile and say hello or smile, say hello, ask them where they want to be, and then
escort them to that place? If there is a company policy saying that visitors to the workplace must be escorted at
all times, it will be much easier for employees to take it upon themselves to "act the policeman" in this sort of
circumstance.

Standards, Procedures, and Guidance

Policy is an overall statement of intent. In order to establish the correct working practices, three different
mechanisms can be put in place:

■ Standard—a standard is a measure by which to evaluate compliance with the policy.

■ Procedure—a procedure, often referred to as a SOP (Standard Operating Procedure), is an inflexible, step-
by-step listing of the actions that must be completed for any given task. Most critical tasks should be governed
by SOPs.

■ Guidance—guidelines exist for areas of policy where there are no procedures, either because the situation
has not been fully assessed or because the decision-making process is too complex and subject to variables to
be able to capture it in a procedure. Guidance may also describe circumstances where it is appropriate to deviate
from a specified procedure.
Personnel Management Policies

Human Resources (HR) is the department tasked with recruiting and managing the organization's most valuable
and critical resource: people. Personnel management policies can be conceived as applying in three phases:

■ Recruitment (hiring)—locating and selecting people to work in particular job roles. Security issues here include
screening candidates and performing background checks.

■ Operation (working)—it is often the HR department that manages the communication of policy and training to
employees, though there may be a separate training and personal development department within larger
organizations. As such, it is critical that HR managers devise training programs that communicate the importance
of security to employees.
■ Termination or separation (firing or retiring)—whether an employee leaves voluntarily or involuntarily,
termination is a difficult process with numerous security implications.
Operational policies include privilege management, data/information handling, incident response, and the use of
company devices and services, such as Internet access. One function of HR is to draft and communicate these
written policies to employees, including any updates to the policies. Another function is to enforce disciplinary
measures, perhaps in conjunction with departmental managers.

Handling Confidential Information

Any document or information processed by a company must be classified depending on how sensitive it is.
Employees should be trained to understand what information is confidential and how to handle it correctly.

Passwords

Users must keep their work passwords known only to themselves. This means not writing down the password,
not telling it to anyone else, and not using it to authenticate to any other services or websites.

Personally Identifiable Information (PII)

The rise in consciousness of identity theft as a serious crime and growing threat means that there is an increasing
impetus on government, educational, and commercial organizations to take steps to obtain, store, and process
Personally Identifiable Information (PII) more sensitively and securely.

Staff should be trained to identify PII and to handle personal or sensitive data appropriately. This means not
making unauthorized copies or allowing the data to be seen or captured by any unauthorized people. Examples
of treating sensitive data carelessly include leaving order forms with customers' credit card details in view on a
desk or putting a credit card number in an unencrypted notes field in a customer database.

Company Confidential Information

Any of the business information used to run a company could be misused in the wrong hands. This sort of
information includes product designs or plans, marketing plans, contracts, procedures and workflows, diagrams
and schematics, and financial information. This information must not be disclosed to unauthorized people and
should always be stored on media that are subject to network access controls and/or encrypted. Paper or
electronic copies of this sort of information that are no longer needed should be destroyed rather than discarded.

Customer Confidential Information

The same rules apply to information provided by customers (and suppliers or partners for that matter). When a
business requests information from a customer, they should obtain explicit consent to process and store that
information. This consent process should inform the customer how the information will be used and for how long
it will be retained.

Acceptable Use Policies

An Acceptable Use Policy, or Fair Use Policy, sets out what someone is allowed to use a particular service or
resource for. Such a policy might be used in different contexts. For example, an acceptable use policy could be
enforced by a business to govern how employees use equipment and services, such as telephone or Internet
access, provided to them at work. Another example might be an ISP enforcing a fair use policy governing usage
of its Internet access services. Enforcing an acceptable use policy is important to protect the organization from
the security and legal implications of employees (or customers) misusing its equipment. Typically, the policy will
forbid the use of equipment to defraud, defame, or to obtain illegal material. It is also likely to prohibit the
installation of unauthorized hardware or software and to explicitly forbid actual or attempted intrusion (snooping).
An organization's acceptable use policy may forbid use of Internet tools outside of work-related duties or restrict
such use to break times.

Rules of Behavior

The equipment used to access the Internet in the workplace is owned by the employer. Many employees expect
relatively unrestricted access to Internet facilities for personal use. In fact, employees' use of social networking
and file sharing poses substantial risks to the organization, including threat of virus infection or systems intrusion,
lost work time, copyright infringement, and defamation. If an employee breaks copyright laws or libels someone
using an organization's equipment, the organization itself could be held liable.

To avoid confusion, an employee's handbook should set out the terms under which use of web
browser/email/social networking/P2P software is permitted for personal use and what penalties infringements
could incur. Employers are within their rights to prohibit all private use of Internet services.

Users should be aware that any data communications, such as email, made through an organization's computer
system are liable to be stored within the system, on servers, backup devices, and so on. Consequently,
employees should not use computers at work to send personal information, for their own security and privacy if
nothing else.

Use of Personally Owned Devices in the Workplace

Portable devices, such as smartphones, USB sticks, media players, and so on, pose a considerable threat to
data security as they facilitate file copying. Camera and voice recording functions are other obvious security
issues. Network access control/endpoint security and data loss prevention solutions can be of some use in
preventing the attachment of such devices to corporate networks. Some companies may try to prevent staff from
bringing such devices on site, though this is quite difficult to enforce.

Privacy Policy

The right to privacy is one expected by citizens of most countries. However, the right to privacy has to be
balanced against the need for the companies we work for and shop with to receive and process, and in some
cases keep, information about us.

For example, an e-commerce company needs to know your address in order to deliver goods to you. When you
tell them your address, you might expect them to use it only for delivering goods that you have ordered and not
to use it to contact you about other products or to pass it to another company without your permission.

In order to protect their business, employers claim a responsibility to monitor the way employees put business
software and the corporate network to use. Employees claim rights deriving from human rights legislation that
they should not be treated cruelly or unusually. The balance between these rights and responsibilities is not
always clearly defined in law, though as workplace privacy becomes more of an issue, laws and company
guidelines are being instituted to account for it. A contract of employment may set out what an employee must
agree to as a condition of employment.

Workplace surveillance can be divided into several categories:

■ Security assurance—monitoring data communications and employees’ behavior to ensure they do not divulge
confidential information or compromise the security of the organization. Employers may also use security
systems such as CCTV to prevent theft.

■ Monitoring data—analyzing data communications to measure an employee's productivity. For example, a
contact management system may record the frequency and duration of telephone contacts.

■ Physical monitoring—recording employees’ movement, location, and behavior within the workplace, often
using CCTV and drugs/alcohol testing.

A good employer will make the procedures for workplace surveillance clear and unambiguous. To this end, a
contract of employment or staff handbook should make clear the rules for employee conduct, as regards security,
refreshment breaks, and use of equipment. It should likewise define prohibited actions and appropriate
disciplinary procedures and punishments. Each employee should be given the opportunity to read these
guidelines, and the employer should check that the employee understands them. Additionally, some thought
needs to be given to guests and callers, where the issue of consent is even more ambiguous.

Expectations of Privacy

As well as use of the Internet and business/corporate applications in a work setting, you should also understand
privacy issues around use of social networking, communications services (email and Instant Messaging), and
file sharing services.

One privacy issue with such sites is understanding what is published publicly and what is uploaded for private
use only. Any personal information or content you post to such sites can usually either be marked as public and
accessible to anyone or private and accessible only to your contacts or friends, or possibly to a subset of the
closest contacts. Sites should provide tools to allow you to review what information and content you have made
public. If you make something public accidentally, it can be very difficult to stop people from continuing to publish
it elsewhere. Such information can also be archived and continue to appear in web searches. Consequently, you
need to take care when updating your profile and posting messages or new content.

The other major privacy issue is understanding to what uses the service provider may put the data you supply
to it. Most providers of "free" services will take the opportunity to scan any content they process on your behalf
(social media posts, emails, file uploads, and so on) and extract metadata from it. Metadata is "information about
information." Examples of metadata might include the date and time a message was sent, the language it used,
and the regions associated with the sender's and recipient's domains. It might also include keywords or frequency
of keywords. The service provider will aggregate and summarize this data for advertising and
marketing/demographic analysis and may sell it to other companies, typically in an anonymized form.

The processes used to mask or anonymize personal identities from a dataset are not always completely reliable.
There is often the risk that individuals could continue to be identified from information within the dataset.
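The re-identification risk described above is easy to see on a small dataset: removing names is not enough when the remaining columns (postcode, birth year, sex) are themselves rare in combination and can be matched against public records. The following is an added example, not part of the original module, using a constructed medical extract in which names have already been replaced by opaque tokens. It measures the dataset's k-anonymity (the size of the smallest group of records sharing the same quasi-identifier values), lists the records that are unique and therefore linkable, and then shows the same check after coarsening the quasi-identifiers. The column names and sample rows are assumptions made for the example.

```python
from collections import Counter
from typing import Iterable, List, Sequence

# Constructed "anonymized" extract (assumed layout): direct identifiers replaced
# by tokens, quasi-identifiers left at full precision, one sensitive attribute.
PSEUDONYMIZED = [
    {"token": "u1", "postcode": "SW1A 1AA", "birth_year": 1984, "sex": "F", "condition": "asthma"},
    {"token": "u2", "postcode": "SW1A 1AB", "birth_year": 1984, "sex": "F", "condition": "asthma"},
    {"token": "u3", "postcode": "SW1A 2AA", "birth_year": 1985, "sex": "F", "condition": "diabetes"},
    {"token": "u4", "postcode": "SW1A 2BB", "birth_year": 1987, "sex": "M", "condition": "none"},
    {"token": "u5", "postcode": "SW1A 2BC", "birth_year": 1988, "sex": "M", "condition": "none"},
    {"token": "u6", "postcode": "SW1A 2BD", "birth_year": 1989, "sex": "M", "condition": "asthma"},
]

# Columns that are not names but can still be matched against public sources.
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def equivalence_classes(rows: Iterable[dict], quasi: Sequence[str]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in rows)


def k_anonymity(rows: List[dict], quasi: Sequence[str]) -> int:
    """Smallest class size: every record is indistinguishable from at least k-1 others."""
    classes = equivalence_classes(rows, quasi)
    return min(classes.values()) if classes else 0


def re_identifiable(rows: List[dict], quasi: Sequence[str]) -> List[str]:
    """Tokens of records that are unique on their quasi-identifiers (k = 1 for that record)."""
    classes = equivalence_classes(rows, quasi)
    return [r["token"] for r in rows if classes[tuple(r[q] for q in quasi)] == 1]


def generalize(row: dict) -> dict:
    """Coarsen quasi-identifiers: outward postcode only, birth decade instead of year."""
    g = dict(row)
    g["postcode"] = row["postcode"].split()[0]
    g["birth_year"] = row["birth_year"] // 10 * 10
    return g


def generalize_all(rows: Iterable[dict]) -> List[dict]:
    return [generalize(r) for r in rows]


if __name__ == "__main__":
    print("k before:", k_anonymity(PSEUDONYMIZED, QUASI_IDENTIFIERS))
    print("linkable:", re_identifiable(PSEUDONYMIZED, QUASI_IDENTIFIERS))
    coarse = generalize_all(PSEUDONYMIZED)
    print("k after generalization:", k_anonymity(coarse, QUASI_IDENTIFIERS))
    print("linkable after:", re_identifiable(coarse, QUASI_IDENTIFIERS))
```

On the constructed rows every record is unique on (postcode, birth year, sex), so anyone holding an electoral roll or similar list could put the names back; after generalization each record hides among three others. k-anonymity is only a minimum bar (records in the same class can still share the same sensitive value), but a dataset that fails it has not been anonymized at all, whatever the tokens suggest.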

The acquisition, processing, storage, and transmission of personal data is sometimes governed by laws. If
subject to such laws, you will be able to obtain redress against a company that does not obtain consent for the
ways in which it uses and stores your data. Whether or not there is legislation to comply with, companies should
have a privacy policy setting out what uses they can put your data to. It is in your interest to only use service
providers that properly respect your right to privacy.

Privacy issues do not just affect websites, social media sites, ISPs, and search providers. This type of data can
also be collected by mobile apps and desktop software. For example, it is typical for software such as Windows
or Office to prompt you to allow usage and troubleshooting data to be sent back to the vendor (Microsoft) for
analysis. Any software allowed to transmit data back to its vendor should be governed by a privacy policy.
