ch3 Flashcards

(25 cards)

1
Q

The important parts of any organization’s approach to implementing security, established to detail what users and administrators should be doing to maintain the security of the system and network, include:

A

1- policies
2- procedures
3- standards
4- guidelines

2
Q

Policies

A

are high-level, broad statements of what the organization wants to
accomplish. They are made by management when laying out the
organization’s position on some issue.

3
Q

Procedures

A

are the step-by-step instructions on how to implement policies in
the organization. They describe exactly how employees are expected to act in
a given situation or to accomplish a specific task.

4
Q

Standards

A

are mandatory elements regarding the implementation of a policy.
They are accepted specifications that provide specific details on how a policy
is to be enforced.

5
Q

Guidelines

A

are recommendations relating to a policy. The key term in this case
is recommendations—guidelines are not mandatory steps.

6
Q

The operational process and policy lifecycle steps:

A
  1. Plan (adjust) for security in your organization: you develop the policies, procedures, and
    guidelines that will be implemented and design the security components that will protect your
    network.
  2. Implement the plans: Part of the implementation of any policy, procedure, or guideline is an
    instruction period during which those who will be affected by the change or introduction of this
    new document can learn about its contents.
  3. Monitor the implementation: you monitor to ensure that both the hardware and the software,
    as well as the policies, procedures, and guidelines, are effective in securing your systems.
  4. Evaluate the effectiveness: Finally, you evaluate the effectiveness of the security measures you
    have in place. This step may include a vulnerability assessment and a penetration test of your
    system to ensure the security is adequate.
7
Q

Organizational policies determine how security will be implemented in the organization:

A

1- Change Management Policy
* The purpose of change management is to ensure proper procedures are followed when
modifications to the IT infrastructure are made.
* A change management process should include various stages, including a method to
request a change to the infrastructure, a review and approval process for the request, an
examination of the consequences of the change, resolution (or mitigation) of any
detrimental effects the change might incur, implementation of the change, and
documentation of the process as it relates to the change.
2- Change Control
* Change control is the process of how changes to anything are sourced, analyzed, and
managed.
* Change control is a subset of change management, focused on the details of a change and
how it is documented.
3- Asset Management
* Asset management involves the policies and processes used to manage the elements of
the system, including hardware, software, and the data contained within them.

8
Q

Security policies:

A
  • is a high-level statement produced by senior management
    that outlines both what security means to the organization and the
    organization’s goals for security.
  • also describe how security is to be handled from an
    organizational point of view (such as describing which office and corporate
    officer or manager oversees the organization’s security program)
9
Q

Example of a security policy

A

Statements such as: “this organization will exercise the principle of
least access in its handling of client information”

10
Q

Security Policies

A

1- Data Policies:
* System integration with third parties frequently involves the sharing of data. Data can be
shared for the purpose of processing or storage. Control over data is a significant issue in
third-party relationships.
* Data Policies include: data ownership, unauthorized data sharing, data backups,
classification of information, data governance, data retention, disposal and destruction
policy, as well as data labeling, handling and disposal.
2- Credential policies:
* Credential policies refer to the processes, services, and software used to store, manage,
and log the use of user credentials.
* Credential policies include personnel, third party, and devices.
3- Password and account policies:
* Passwords are as ubiquitous as users; in fact, more so.
* Password and account policies include password complexity, account expiration, account
recovery, account disablement, account lockout, password history, password reuse,
password length, and protection of passwords.

11
Q

Human Resources Policies (1)

A

1- Code of Ethics:
* A code of ethics established by a professional organization describes the expected behavior of its
members from a high-level standpoint.
2- Job Rotation:
* By rotating through various jobs in an organization’s IT department, individuals gain a better perspective
on how the various parts of IT can enhance (or hinder) the business.
3- Separation of Duties:
* Separation of duties is a principle employed in many organizations to ensure that no single individual
has the ability to conduct transactions alone.
4- Employee Hiring (Onboarding) and Promotions
* It is becoming common for organizations to run background checks on prospective employees and to
check the references prospective employees supply. Frequently, organizations require drug testing,
check for any past criminal activity, verify claimed educational credentials, and confirm reported work
history and even social media behavior.

12
Q

Human Resources Policies (2)

A

1- Retirement, Separation, or Termination (Offboarding)
* Offboarding refers to the processes and procedures used when an employee leaves an
organization, such as termination or disablement of all accounts.
2- Adverse Actions
* Adverse actions with respect to punishing employees when their behaviors violate
policies are always a difficult subject.
3- Acceptable Use Policy
* outlines what the organization considers to be the appropriate use of company
resources, such as computer systems, e-mail, Internet access, and networks.
4- Internet Usage Policy
* The goal of the Internet usage policy is to ensure maximum employee productivity and
to limit potential liability to the organization from inappropriate use of the Internet in a
workplace.
5- E-mail Usage Policy
* deals with what the company will allow employees to send in, or as attachments to, e-mail messages

13
Q

Human Resources Policies (3)

A

1- Social Media Analysis
* It is common for firms to use AUPs to restrict employee personal use of things like social media.
2- Clean Desk Policy
* specifies that sensitive information must not be left unsecured in the work area when the worker is not
present to act as custodian.
3- Bring-Your-Own-Device (BYOD) Policy
* defines what policies are appropriate before a firm allows employees’ personal devices to connect to the
corporate network and access company data.
4- Privacy Policy
* Customers place an enormous amount of trust in organizations to which they provide personal
information.
* These customers expect their information to be kept secure so that unauthorized individuals will not
gain access to it and so that authorized users will not use the information in unintended ways.
* Organizations should have a privacy policy that explains what their guiding principles will be in
guarding personal data to which they are given access.

14
Q

Security Awareness and Training

A

1- Security awareness and training programs can enhance an
organization’s security posture in two direct ways:
* They teach personnel how to follow the correct set of actions to perform their
duties in a secure manner.
* They make personnel aware of the indicators and effects of social engineering
attacks.
2- Properly trained employees are able to perform their duties in a more
effective manner, including their duties associated with information
security.
3- Initial employee security training at the time of being hired is
important, as is periodic refresher training.

15
Q

Diversity of Training Techniques

A

1- Not all people learn in the same fashion:
* some learn by seeing,
* some learn better by hearing.
* Almost everyone learns better by doing, but in some areas, doing a task is not practical
or feasible.
2- Several different training methods, including gamification, capture-the-flag
exercises, and simulations, can be effectively used to improve training.
3- There are even more methods to round out a wide diversity of training
solutions, including in-person lectures, online content, and practice-based skill
development.
4- The key is to match the material to the method and to the learners, and then
test outcomes to ensure successful training has been achieved.

16
Q

Security Policy Training and Procedures

A
  • If employees are going to be expected to comply with the organization’s security
    policy, they must be properly trained in its purpose, meaning, and objectives.
  • Training with respect to the information security policy, individual responsibilities,
    and expectations is something that requires periodic reinforcement through
    refresher training.
  • Because the security policy is a high-level directive that sets the overall support and
    executive direction with respect to security, it is important that the meaning of this
    message be translated and supported.
  • Second-level policies such as password, access, information handling, and
    acceptable use policies also need to be covered.
  • The collection of policies should paint a picture describing the desired security
    culture of the organization.
  • The training should be designed to ensure that people see and understand the
    whole picture, not just the elements.
17
Q

User Training

A

is important to ensure that users are aware of and are following appropriate
policies and procedures as part of their workplace activities.

18
Q

As in all personnel-related training, two elements need attention:

A
  1. Retraining over time is necessary to ensure that personnel keep proper levels of
    knowledge.
  2. As people change jobs, a reassessment of the required training basis is needed, and
    additional training may be required.
19
Q

User Training Methods:

A
  • Gamification is the use of games to facilitate user training.
  • A capture-the-flag event is hands-on computer skill training where users are tested to
    see if they can perform specific actions.
  • Phishing campaigns are a series of connected phishing attacks against an organization.
  • To help users learn and identify phishing attacks, there are methods of running
    phishing simulations against users.
  • Computer-based training (CBT) is the use of a computer program to manage training
    of users.
20
Q

Role-Based Training

A
  • For training to be effective, it needs to be targeted to the user with regard to their role
    in the subject of the training.
  • Role-based training with regard to information security responsibilities is an important
    part of information security training.
  • If a person has job responsibilities that may impact information security, then role-specific
    training is needed to ensure that the individual understands the responsibilities
    as they relate to information security.
  • Some roles, such as developer and system administrator, have clearly defined
    information security responsibilities.
  • The roles of others, such as project manager and purchasing manager, have information
    security impacts that are less obvious, but these roles require training as well.
  • In fact, the less-obvious but wider-impact roles of middle management can have a large
    effect on the information security culture, and thus training is required.
21
Q

Role-Based Training roles:

A
  • Data Owner: People who have data responsibilities such as data owners need
    specific training in how to respond to these responsibilities.
  • System administrators: are administrative users with the responsibility of
    maintaining a system within its defined requirements.
  • System Owner: System ownership is a business function, where the requirements
    for security, privacy, retention, and other business functions are established.
  • User: Normal users need limited access based on their job role and tasks
    assigned.
  • Privileged user: has more authority than a standard user.
  • Executive users: are a special type of user. Their business responsibility may be
    broad and deep, covering many levels and types of business functions.
22
Q

Continuing Education

A
  • Technology and security practices are far from static environments;
    they advance every year, and relevant skills can become outdated in
    as little as a couple of years.
  • Maintaining a skilled workforce in security necessitates ongoing
    training and education.
  • A continuing education program can assist greatly in helping
    employees keep their skills up to date.
23
Q

Compliance with Laws, Best Practices, and Standards

A
  • A wide array of laws, regulations, contractual requirements,
    standards, and best practices is associated with information security.
  • Each places its own set of requirements on an organization and its
    personnel.
  • The only effective way for an organization to address these
    requirements is to build them into their own policies and procedures.
  • Training to one’s own policies and procedures would then translate
    into coverage of these external requirements.
24
Q

Individual user responsibilities vary between organizations and the type of
business each organization is involved in, but there are certain very basic
responsibilities (user habits) that all users should be instructed to adopt:

A
  • Lock the door to your office or workspace, including drawers and
    cabinets.
  • Do not leave sensitive information inside your car unprotected.
  • Keep storage media containing sensitive information in a secure storage
    device (such as a locked cabinet or drawer).
  • Shred paper containing organizational information before discarding it.
  • Do not divulge sensitive information to unauthorized individuals
    (including other employees).
  • Do not discuss sensitive information with family members.
  • Training and awareness programs can yield much in the way of an
    educated and knowledgeable workforce.
  • Simply conducting training is not sufficient.
  • Following up and gathering training metrics to validate compliance
    and the security posture is an important aspect of security training
    management.
25
Q

Some of the most common security agreements are:

A

* Service level agreement (SLA): is a negotiated agreement between parties detailing the expectations of the customer and the service provider.
* Business partnership agreement (BPA): is a legal agreement between partners that establishes the terms, conditions, and expectations of the relationship between the partners.
* Memorandum of understanding (MOU) and memorandum of agreement (MOA): are legal documents used to describe a bilateral agreement between parties.
* Interconnection security agreement (ISA): is a specialized agreement between organizations that have interconnected IT systems, the purpose of which is to document the security requirements associated with the interconnection.