5.3 Explain the Importance Of Policies to Organizational Security

Question 1

Personnel

Answer 1

Personnel accounts could use a shared account, where all members of the customer service team use the same account to email customers. The downside of this is that you cannot audit or monitor individual users. The other type of personnel account is the user account, which should be subjected to the principle of least privilege.

Question 2

Acceptable User Policy (AUP)

Answer 2

The purpose of the AUP is to let employees or contractors know what they can or cannot do with company computers and BYOD devices. It lays out the practices relating to how you can access the company network and the internet. It also outlines practices that are forbidden, such as using blogs and social media sites such as Facebook or Twitter while at work or installing pirated software.

Question 3

Job Rotation

Answer 3

Job rotation is used for two main reasons – the first is so that all staff can be trained in all aspects of the jobs in the company. Employees may change departments every 6 months; this way, they get a better training experience. The second reason is that by rotating jobs, any theft or fraudulent activities can be discovered by the new person coming in.

Question 4

Mandatory Vacations

Answer 4

Mandatory vacations help detect whether an employee has been involved in fraudulent activities by forcing them to take holidays of a week or more. When people are involved in fraudulent activities, they tend not to take many holidays so that the fraud cannot be discovered. This is especially rife in jobs in which people have fiscal trusts, such as someone working in finance or someone who can authorize credit card payments.

Question 5

Separation of Duties

Answer 5

Separation of duties is having more than one person participate in completing a task; this is an internal control to prevent fraud or error. Say a single person worked in the finance department, collects all money coming in, and authorizes all the payments being paid out. This could lead to fraud or theft. This would be better if there were two distinct finance jobs, where one person received money and another authorized payments, preventing embezzlement. A charity in the United Kingdom was defrauded out of £1.3 million over a period of 6 years this way. Separation of duties aims to have no one person doing the entirety of a task.

Question 6

Least Privilege Policy

Answer 6

This policy states that access to data should be restricted and that employees should be given the minimum access required for them to perform their job. In the military, it is known as the need-to-know principle, where if you don’t need access, then you have no access.

Question 7

Clean-Desk Policy

Answer 7

A clean-desk policy (sometimes known as a clear-desk policy) is a company policy that specifies that employees should clear their desks of all papers at the end of each day. This prevents the cleaning staff or anyone else from reading those papers.

Question 8

Background Checks

Answer 8

Completing background checks on new employees may involve looking into criminal records and employment and education history, as well as driving license and credit checks. This is to ensure that what the person has stated on their CV (or resume) is correct. More stringent background checks are needed for those working with children or handling finances.

Question 9

Non-Disclosure Agreement (NDA)

Answer 9

An NDA is a legally binding contract made between an employee or a business partner, where they promise not to disclose trade secrets to others without proper authorization. The reason for this is to stop trade secrets or proprietary information from being sold on to competitors.

Question 10

Social Media Analysis

Answer 10

We need a good company policy on what we post on social media as we need to prevent useful information from being accessed by attackers.

Question 11

On-Boarding Policy

Answer 11

Companies can allow a Bring Your Own Device (BYOD) policy for employees, and part of that process is carrying out on-boarding and off-boarding. An on-boarding policy states that any device must be checked for viruses, and any application that could cause damage to the company’s network should be removed before the device is given access to the network. If someone fails to carry out onboarding properly, then the company could be infected by a virus.

Question 12

Off-Boarding Policy

Answer 12

When someone leaves your company, then the business data used on BYOD devices need to be removed before departure. If off-boarding is not carried out properly, an ex-employee could leave with company business data on their device.

Question 13

User Training

Answer 13

User training is vital to reducing the risk of being exploited by cybercriminals. (In the next section, we are going to look at different types of user training, starting by looking at the diversity of training techniques.) Exam TipIf you install pirated software onto a company computer, then you are in violation of the AUP.

Question 14

Computer-Based Training (CBT)/Gamification

Answer 14

This is where employees watch a video and are given questions after each section of the video to ensure that they understand the training. This is a form of gamification.

Question 15

Capture the Flag

Answer 15

These events are where red team members (posing as attackers) will have an exploitation-based exercise or blue team members (defenders) will have a threat that they need to deal with. Each member tackles their particular exercises, achieving one objective at a time until they meet their overall aim (which is known as capturing the flag). At this point, they can move on to another level of the exercise. Once they have completed a sufficient number of levels, they are fit to join their relevant teams.

Question 16

Phishing Campaigns/Simulations

Answer 16

Here the company sends phishing emails to their employees to see how they react. Personnel who fall victim to them are then given remedial training on phishing attacks.

Question 17

Role-Based Training

Answer 17

Here the company carries out security awareness training and ensures that all employees are sufficiently trained for their job roles. Exam TipCapture the Flag exercises help to train both red and blue team members. They complete tasks and every completion of a task moves them up one level at a time. When all of the training is complete, this is known as capturing the flag.

Question 18

Diversity of Training Techniques

Answer 18

Due to the increase in the number and sophistication of different types of attacks, companies must provide a diverse range of user security training and regular seminars. User training is vital to reducing the risk of being exploited by cybercriminals, and we are going to look at different types of user training here. Let’s start by looking at Capture the Flag

Question 19

Third-Party Risk Management

Answer 19

Companies use a vast amount of third parties either for software or to provide a service, and since we do not control those third parties, we need to carry out risk assessments that look at the way we interact with those companies.

Question 20

Vendors

Answer 20

When you purchase software, you must ensure that it is from a reputable vendor because if the vendor cannot be trusted, they could be installing malware such as remote access trojans or spyware with the software. They could also have a backdoor built-in. The more you integrate the products from a single vendor, the more you are reliant on them. If they go bankrupt, it could leave you vulnerable.

Question 21

Supply Chain

Answer 21

Your supply chain comprises the companies that you rely on to provide the materials you need to carry out business functions or make a product for sale. Let’s say that you are a laptop manufacturer, and Company A provides the batteries and Company B provides the power supplies. If either of these companies runs short of batteries or power supplies, it stops you from manufacturing and selling your laptops. They could also be sub-contractors or carry out different types of maintenance.

Question 22

Business Partners

Answer 22

A Business Partnership Agreement (BPA) is used between two companies who want to participate in a business venture to make a profit. It sets out how much each partner should contribute, their rights and responsibilities, the rules for the day-to-day running of the business, who makes the decisions, and how the profits are shared. It also has rules for the partnership ending either at a given point or if one of the partners dies or moves on.

Question 23

Service Level Agreement (SLA)

Answer 23

An SLA is a contract between a service provider and a company receiving the service. The agreement can be for either a fix or a response over a certain period of time and is measured by metrics.

Question 24

Memorandum of Understanding (MOU)

Answer 24

An MOU is a formal agreement between two or more parties. MOUs are stronger than a gentlemen’s agreement and both parties must be willing to make a serious commitment to each other, but they are not legally binding.

Question 25

Measurement Systems Analysis (MSA)

Answer 25

MSA is a process wherein systems are evaluated by the collection of statistics to ensure that the quality of the systems is effective.

Question 26

Business partnership agreements (BPA)

Answer 26

Business Partners: A Business Partnership Agreement (BPA) is used between two companies who want to participate in a business venture to make a profit. It sets out how much each partner should contribute, their rights and responsibilities, the rules for the day-to-day running of the business, who makes the decisions, and how the profits are shared. It also has rules for the partnership ending either at a given point or if one of the partners dies or moves on.

Question 27

End of Life (EOL)

Answer 27

This is where a vendor stops selling a product and the availability of replacement parts and technical support is limited. Warranties are still honored.

Question 28

End of Service Life (EOSL)

Answer 28

This is where the vendor believes that the product has reached the end of its usefulness, maybe due to a new version of the product being released. They will not commit any more time or resources to maintain the product. Users can still use the product but must take into consideration that there will be no more security updates or technical support available from the vendor. This will mean that over time, such products will become vulnerable and pose a huge security risk to any company still using them.Exam TipAn SLA lays down how quickly a supplier should respond to an incident such as a failed printer. It is measured using metrics.

Question 29

Non-Disclosure Agreement (NDA)

Answer 29

An NDA is a legally binding contract made between an employee or a business partner where they promise not to disclose trade secrets to others without proper authorization. The reason for this is to stop trade secrets or proprietary information from being sold on to competitors.

Question 30

Data

Answer 30

Data is one of the most important assets that a company has, and it is important to ensure that policies are in place to ensure that it is classified, handled, stored, and disposed of in accordance with regulations such as GDPR or HIPAA.

Question 31

Classification

Answer 31

This is the process of labeling data with relevant classifications, so that we know if it is top secret, secret, confidential, or sensitive data. The classification determines how the data is handled.

Question 32

Governance

Answer 32

Data governance is the oversight and management that describes the security controls that are applied at each stage of the data-handling process, from creation to destruction. These procedures detail the processes used to manage, store, and dispose of data to ensure that you are compliant.

Question 33

Retention

Answer 33

Companies do not want to hold data any longer than they need to, as it reduces their liability; however, they may have to keep data in an archive after its usefulness to remain compliant. An example of this is medical data in the UK, which needs to be retained for 25 years.

Question 34

Credential Policies

Answer 34

Credentials must be kept safe to prevent unauthorized access to systems; therefore, it is vital that policies are in place to prevent vulnerabilities and unauthorized access. Let’s look at the policies we need to put in place, starting with personnel-related policies

Question 35

Personnel

Answer 35

Personnel accounts could use a shared account, where all members of the customer service team use the same account to email customers. The downside of this is that you cannot audit or monitor individual users. The other type of personnel account is the user account, which should be subjected to the principle of least privilege.

Question 36

Third-Party

Answer 36

A third-party credential could be a SAML token given by a cloud provider or a Security as a Service (SECaaS) vendor, where the cloud provider manages your identity management. If we are doing remote administration, we could use SSH keys for Secure Shell, where the public key is installed on the target server.

Question 37

Devices

Answer 37

Devices have generic accounts with default password settings. As soon as you purchase a device, you need to change the default settings, as these are published on websites. Please go to https://cirt.net/passwords to see these passwords.

Question 38

Service Accounts

Answer 38

Service accounts are used to run applications such as anti-virus. They can run as local service accounts with the same rights as a user. A system account gives you a higher level of privilege, giving you full control.

Question 39

Administrator/Root Accounts

Answer 39

Administrative and root accounts in Linux need to be protected as they allow you to install software, make configuration changes, and access any file. These accounts should be restricted to a few IT personnel. When we install new systems, we need to ensure that we change the default account settings. The root account in Linux is called superuser and is not restricted; this account should not be used unless it is absolutely necessary. The administrator should have two accounts: a normal user account for day-to-day use and an admin account for administrative duties.

Question 40

Organizational Policies

Answer 40

Organizational policies need to be in place to deal with changes in technology, risk, or security to maintain a secure working environment. Let’s look at some of these policies, starting with change management

Question 41

Change Management

Answer 41

When an audit is carried out and reports show that the controls in place are not secure enough, we either implement change management or write a new policy. A new policy changes an entire process, and change management amends existing processes.

Question 42

Change Control

Answer 42

Change control is where someone requests those managing the implementation of a change to an existing control. Let’s say that management would like to know about the financial benefits of a change, and the savings that would be gained either in labor time or monetary value. Such changes need to be sent to the Change Advisory Board (CAB) to ensure that it is beneficial to the company.

Question 43

Asset Management

Answer 43

This is a process where each asset that belongs to the company has been tagged and is recorded in an asset register. Annual audits need to be carried out to ensure that all assets are accounted for. It will also help to identify unauthorized devices on your network.