As an end-user of the ERP system developed in-house, you accidentally came across a system error when typing some combination of data; the system then recovered and redirected you to a new page with an unexpected privilege escalation, a system vulnerability nobody knows before. Which of the following is the best instrument for you to handle this situation? (Wentz QOTD)
A. Acceptable use policy
B. Incident report procedure
C. Responsible disclosure policy
D. Vulnerability classification standard
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. Incident report procedure.
An acceptable use policy (AUP) is signed before an employee is given access to its information systems. “It is often common practice to ask new members of an organization to sign an AUP before they are given access to its information systems.” (Wikipedia)
It’s common for a user to come across system bugs or incidents when operating the system. The user just needs to follow the incident report procedure, step-by-step instructions to report the situation.
The end-user is not a developer or security researcher, so he or she doesn’t have the expertise and doesn’t need to classify the vulnerability or follow the responsible disclosure policy.
Vulnerability disclosure is the practice of reporting security flaws in computer software or hardware. Vulnerabilities may be disclosed directly to the parties responsible for the flawed systems by security researchers or by other involved parties, including in-house developers as well as third party developers who work with the vulnerable systems. Typically, vendors or developers wait until a patch or other mitigation is available before making the vulnerability public.
Source: Linda Rosencrance
In computer security, responsible disclosure (also known as coordinated vulnerability disclosure), is a vulnerability disclosure model in which a vulnerability or an issue is disclosed only after a period of time that allows for the vulnerability or issue to be patched or mended.
Acceptable Use Policy
Acceptable use policies are an integral part of the framework of information security policies; it is often common practice to ask new members of an organization to sign an AUP before they are given access to its information systems. For this reason, an AUP must be concise and clear, while at the same time covering the most important points about what users are, and are not, allowed to do with the IT systems of an organization. It should refer users to the more comprehensive security policy where relevant. It should also, and very notably, define what sanctions will be applied if a user breaks the AUP. Compliance with this policy should, as usual, be measured by regular audits.
- Acceptable use policy
- Full disclosure (computer security)
- Ethical principles of vulnerability disclosure
- Ask an Ethicist
- Responsible disclosure
- Ethics of Disclosure
- Talos Responsible Disclosure Policy Update
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get your copy from the author’s web site.
作為內部開發的ERP系統的最終用戶，您在鍵入某些數據組合時偶然遇到了系統錯誤。 系統隨後恢復，並以意外的特權升級將您重定向到新頁面，這是以前沒人知道的系統漏洞。 以下哪項是您應對這種情況的最佳工具？(Wentz QOTD)
A. 可接受的使用政策 (Acceptable use policy)
B. 事故回報程序 (Incident report procedure)
C. 負責任的披露政策 (Responsible disclosure policy)
D. 漏洞分類標準 (Vulnerability classification standard)