5.3 Explain the importance of policies to organizational security. Flashcards
(30 cards)
What is an acceptable use policy?
Detailed documentation on the rules and behavior for company assets.
Covers internet use, telephones, computers, mobile devices, etc.
Used to limit legal liability
What is least privilege?
Rights and permissions should be set to the bare minimum
– You only get exactly what’s needed to complete your objective
* All user accounts must be limited
– Applications should run with minimal privileges
* Don’t allow users to run with administrative privileges
– Limits the scope of malicious behavior
What are some ways to train users?
Gamification
– Score points, compete with others, collect badges
* Capture the flag (CTF)
– Security competition
– Hack into a server to steal data (the flag)
– Can involve highly technical simulations
– A practical learning environment
* Phishing simulation
– Send simulated phishing emails
– Make vishing calls
– See which users are susceptible to phishing attacks without being a victim of phishing
* Computer-based training (CBT)
– Automated pre-built training
– May include video, audio, and Q&A
– Users all receive the same training experience
What is an SLA?
Service Level Agreement (SLA)
– Minimum terms for services provided
– Uptime, response time agreement, etc.
– Commonly used between customers and service providers
MOU
Memorandum of Understanding (MOU)
– Both sides agree on the contents of the memorandum
– Usually includes statements of confidentiality
– Informal letter of intent; not a signed contract
MSA
Measurement system analysis (MSA)
– Don’t make decisions based on incorrect data!
– Used with quality management systems, i.e., Six Sigma
– Assess the measurement process
– Calculate measurement uncertainty
BPA
Business Partnership Agreement (BPA)
– Going into business together
– Owner stake
– Financial contract
– Decision-making agreements
– Prepare for contingencies
NDA
Non-disclosure agreement (NDA)
* Confidentiality agreement between parties
– Information in the agreement should not be disclosed
* Protects confidential information
– Trade secrets
– Business activities
– Anything else listed in the NDA
* Unilateral or bilateral (or multilateral)
– One-way NDA or mutual NDA
* Formal contract
– Signatures are usually required
What are some secure business policies?
* Job rotation
– Keep people moving between responsibilities
– No one person maintains control for long periods of time
* Mandatory vacations
– Rotate others through the job
– The longer the vacation, the better chance to identify fraud
– Especially important in high-security environments
* Separation of duties
– Split knowledge: no one person has all of the details (e.g., each person holds half of a safe combination)
– Dual control: two people must be present to perform the business function (e.g., two keys open a safe or launch a missile)
* Clean desk policy
– When you leave, nothing is on your desk
– Limit the exposure of sensitive data to third parties
Supply chain assessment
Supply chain assessment
– Get a product or service from supplier to customer
– Evaluate coordination between groups
– Identify areas of improvement
– Assess the IT systems supporting the operation
– Document the business process changes
Data steward
– Manages the governance processes
– Responsible for data accuracy, privacy, and security
– Associates sensitivity labels to the data
– Ensures compliance with any applicable laws and standards
What are the primary data classifications?
Public
Private
Internal
Confidential
Restricted
Public data
Public data can be important but is accessible to the public. Since this data is openly shared, it is the lowest level of data classification, and its public nature makes it unnecessary to protect it from use by unauthorized actors.
Examples of public data include:
The names of companies and members of their executive team
Physical and email addresses
Press releases and promotional material
Company organizational charts and job descriptions
Private data
Private data requires a greater level of security than public data. This data should not be available for public access and is often protected through traditional security measures such as passwords. Compromised private data can pose a risk to an individual or an organization.
Private data can include:
Email addresses and other personal contact information
Employee identification numbers
Smartphone content
Personal email content
Restricted data
Restricted data is the classification used for an organization’s most sensitive information. Access to this data is strictly controlled to prevent its unauthorized use. It needs to be encrypted for additional protection. The loss of restricted data can severely impact an organization or the individuals whose information is compromised. Examples of restricted data are:
Protected health information (PHI) as defined by regulatory agencies
Financial and tax data
Information that is secured by confidentiality agreements
Intellectual property
Confidential
The next level of data classification is confidential data. This information should only be accessed by a limited audience that has obtained proper authorization. Methods like identity and access management (IAM) tools are used to control access to confidential data. The loss of confidential data is harmful to individuals and organizations. Confidential data includes:
Social Security, driver’s license, and other personally identifying numbers
Credit card and banking information
Medical and health information
Employee records
Biometric identifiers
Internal Data
Internal Data
The use of an organization’s internal data is usually limited to its employees. Internal data can have different security requirements that affect who can access it and how it can be used. Examples include:
Business plans and marketing strategies
System IP addresses
Internal company websites
Financial data and revenue forecasts
Change management
How to make a change
– Upgrade software, change firewall configuration, modify switch ports
* One of the most common risks in the enterprise
– Occurs very frequently
* Often overlooked or ignored
– Did you feel that bite?
* Have clear policies
– Frequency, duration, installation process, fallback procedures
* Sometimes extremely difficult to implement
– It’s hard to change corporate culture
Change control
* A formal process for managing change
– Avoid downtime, confusion, and mistakes
* Nothing changes without the process
– Determine the scope of the change
– Analyze the risk associated with the change
– Create a plan
– Get end-user approval
– Present the proposal to the change control board
– Have a backout plan if the change doesn’t work
– Document the changes
Asset management
Identify and track computing assets
– Usually an automated process
* Respond faster to security problems
– You know who, what, and where
* Keep an eye on the most valuable assets
– Both hardware and data
* Track licenses
– You know exactly how many you’ll need
* Verify that all devices are up to date
– Security patches, anti-malware signature updates, etc.
What is the difference between change control and change management?
Change control is the decision to make a change, whereas change management refers to the aftermath of that decision.
Workflow
A workflow is an onboarding process that involves identifying the roles and permissions users need. A workflow is often a visual representation of an organization, organized by permissions and account types.
Privilege bracketing
Privilege bracketing is an account management practice that involves giving users permission to a resource for the duration of a specific project or a need-to-know situation.
Training Diversity
Training diversity is a mix of training techniques in the form of workshops, seminars, gamification, etc. to foster user engagement and retention.