5.1 Policy and Process and Employee Background Investigations

00:01

okay. With Model four, we reviewed various ways to stop insider tax or at least reduce the risk. In Module five, we will review the concept of creating a policy and process to deal with the insider threat problem.

00:18

Okay, let's talk about policy and process. So the foundation of a security program is a policy. It is the structure. It is a repeatable structure that you define for your information security program. So the policy defines a process for implementing

00:38

and

00:39

operating a security infrastructure.

00:41

Further details for implementing a policy are outlined in a standard operating some Orin S O P s o the S. O. P. Is kind of more of a detailed checklist of how you do, for instance, how you set up a rule set for a firewall.

00:56

But the policy will tell you you must have a firewall. So there's overarching Policy says you haven't have a firewall. The S. O P tells you how to specifically configure a final, so that's kind of the difference between the two. But you put them all together, and you have this over Archie program

01:12

that governs and defines your information security

01:17

process. So best practice processes such as the NIST risk management framework, provide exhaustive details from implementing these kinds of policies. So NIST is we had a little diagram here. It's going the next page. So this is

01:37

the risk

01:38

management framework. It is an example of one of these pre coin predefined

01:45

processes that were created for general use. This one is kind of created and used mostly by the government and the military and so on. But some commercial companies were in are picking up in a lot of we're actually a lot of commercial companies supposedly are picking up that are M f the responsive framework as a general guy.

02:05

So

02:05

let me explain what the risk management framework is. So you have six steps here, okay? And this is how you structure your security process. So the first step is you want to bring a system onto the network,

02:20

okay? And you must make sure that that system is secure before you can bring it on the network. Okay. So you don't introduce more risk into your city, your network.

02:30

So the first step is to categorize the system.

02:34

So this is where you determine how important is the system and the data that is on this system. If it's super super important and the company will fold or die if this system goes down, then it needs tohave. Ah, lot more security controls.

02:52

If the system is not very important and you could wait six months before you fix it, if it goes down,

02:55

then it needs to have the minimal security controls. Okay, but it still needs controls. So when I'm talking about these controls, I'm talking about

03:07

configurations. Rule says things that implement security measures within the environment so it control could be how you do your firewall configuration. It could be that you need to do scanning. It could be that you need to do passion. It could be

03:25

that you need to have a a backup and recovery plan.

03:30

It's not just specific technical controls, but there's also administrative controls and so on.

03:36

So anyway, so

03:38

the categorization of the system defines how much work in resource is need to be devoted to the system to make sure that it is secure.

03:49

Okay,

03:50

so step two, now that you've defined,

03:53

categorized the system, then you go to step to. This is where you select the security controls. So based on how important the system is,

04:01

that tells you, um, the type of controls or the group of controls that need to be applied to the system to make sure it's secure commensurate with its importance.

04:16

Okay, then we go to step three. Step three is where we implement This is where the fun starts to happen.

04:23

This is where we implement the controls. So someone some third party or some other person has said we need to implement these 400 different controls

04:33

on this, uh,

04:35

Lennox server.

04:36

And so we go, and we do all that work we do, all the patching will do. The configuration would do the file file level, security, older level security. We do all the, you know, deleting unnecessary software. We do. We put on,

04:54

um, you know, application white listing software on there was

04:59

we put on

05:00

all these different things in place to make sure that the system is secure on and on and on and on. And

05:08

then once we've done that, we say, Okay, we're done. You guys check it out and see if we're good. That's where we go to step for. And this is where you assess the security controls. Okay, this is typically a different group, so that was a check and balance there. So you don't just pencil whip say you're done,

05:26

But this would be a different

05:28

Okay, if, obviously, if your company has the resource is in the number of people to do this. Um,

05:33

so this other group number at step for they will go look at everything you did, and they'll ask you to show them what you did, and they'll ask for evidence and all these different things. And when they're done, they will say they may say yes. We agree you have met all of these requirements or they may say,

05:54

Oh,

05:55

you will have met all the requirements. Once you do A, B, C and D, there's a few last just finishes up, and you're good. So whatever they do, that's where that's where they make that judge.

06:04

Okay,

06:05

I know this goes together into a package called Security Access Assessment report, a security assessment report or a star. Then it gets passed over to the evaluators are typically a group that is all part of the system does office,

06:21

and under the guidance of This is so and this is where they take a look at the package. Look at all the work that was done. Listen to all the testimony about what was done, and then they say Yet, boom, You are allowed to be on the network or no, you're not allowed to be on network until you fix these three things.

06:41

So whatever it is, that's that next step.

06:43

And then finally, once the system is finally made it to the network, it's It's been approved to be on the network. This is where it's plugged in. It's spun up. It's now it's computing, communicating and doing its job. And

06:59

this is where we start the continuous monitoring process.

07:03

And that is a process of exactly that continuously monitoring security status of the system so it doesn't fall back into a state of disrepair because of ah, easy system administrators like we talked about before. So, um,

07:21

this is where a checking bounces applied

07:25

and a you know, an independent group does the security scanning on a monthly or weekly or whatever basis. This is where they look at the logs and they look for vulnerabilities, and they ensure that the patch is done and that things are done that need to be done. And this is a continual cycle through the life cycle of the system.

07:45

And that is the six steps of the risk management framer.

07:54

Okay, so now we here we are at employee background investigations. This is an important one.

08:03

Okay,

08:03

The goal of unemployed background investigation is to attempt.

08:09

Attempt is a key work to establish. Trust

08:13

it, uh, assists and narrowing down the field of candidates to those

08:20

who are the lowest risk. That is the goal. You want to try to get the most trustworthy people

08:26

based on all the evidence you confined

08:30

to work for you. Okay. If you do that, you're probably decrease the risk that someone's gonna try to do execute an insider threat attack.

08:39

Okay,

08:41

So background investigations include things that criminal check this kind of like an electronic check to see if you're in any database. Is out their credit history also in electronic check

08:52

drug screening. That's actually a medical appointment type thing. Or will you go give a sample et cetera on, then work and education verification. You know, if you say you went to Harvard and got a computer science degree. You should be able to prove that. And that's where you verify. Did you actually go too hard and get a computer science degree?

09:11

Um, that is a valid ah,

09:15

line in question.

09:18

Polygraph. Now, a polygraph is probably only gonna be reserved for Mork critical sensitive positions that have,

09:26

you know, exposure to really sensitive company secrets, classified information in the government or the military, et cetera. And that's where you sit down and you put on these leads all over your body and you sit in a chair and you can't move. You can't flex any muscles and you have to answer a battery of questions,

09:46

and it helps them establish how trustworthy you are, OK? And next we have field investigations. This is where again, one of the more extreme scenarios where you want you trust everything that they've told you about their background in their life and everything where they've been, what they've done.

10:05

But you verify it.

10:05

You actually send people out into the field to ask questions to verify fax, to verify that they lived in that apartment in New Yorker that they grew up in Indiana, whatever. So that is the purpose of the field investigation. Okay,

10:26

The goal of the employee background investigation is to establish trust so that you can hire the most trustworthy people that you could possibly find

10:37

and lower the risk that one of your employees is going to execute an insider threat hat.

10:45

Okay, so now let's talk about employee awareness training. So an insider threat training program insures that the employee population is aware,

10:56

uh, of the threat, the indicators of such a threat and the potential legal ramifications

11:03

if you take part in something like an inside threat. Uh,

11:09

activity. Okay, So, um, the training that you deliver in this type, of course, in includes of some of these some of the following things define the threat. You want to define the threat and explain what it is.

11:26

But pencil indicator you wanted You wanted to find

11:28

what might lead you to believe that someone is doing some of these inside of threat activities. Recruitment. You want to make people aware that someone may try to recruit them

11:43

to do these things. They may try to entice them into doing these things with money and et cetera, et cetera. Targeted data assets. You want to explain what kind of things bad guys might be trying to go after within the company's environment?

11:58

Collect a collection of targeted data. You want to understand what it means or what the indicators are when someone is starting to collect the pieces slowly so they can steal the data. What is reportable now? You don't want to train your employees to harass everybody. So everybody wants to quit.

12:18

You want them

12:20

to Onley report something when it really is valid.

12:22

Okay. And so So you want to find what exactly is reportable? Okay, so a user monitoring awareness, that is the concept of, um

12:37

letting everybody know that they're being watched on their work computer and on their phone they could be listen to on the phone. There were computer. What they're typing on there could be monitored just for security purposes and someone for the company or for the organization of the military organization. You want to make sure that they're aware of that,

12:56

so that so you get them to,

13:00

uh, to understand that they're being monitored.

13:03

Along with that

13:05

goes a consent to monitoring, which is a document they sign a legal document that signs that they understand that they are being monitored

13:13

so that they can't, sue said. So then you also want to do a nondisclosure agreement that makes that also tries, tries to legally bind them from disclosing

13:26

company secrets or organizations secrets except okay.

13:33

And you want to make it clear what the penalties are

13:37

if you do break these rules if you break the consent. If you break the nondisclosure agreement, if you release information if you leak information. If you steal information, what are the company and the legal penalties that you could be faced with if you do these things

13:58

so again, Employees Awareness Training is there to make sure that your employee base understands the concept,

14:05

understands the motivations, understands the problems,

14:11

and it understands the penalties that could be father.

14:18

Okay, so now let's check

14:20

the foundation of a security infrastructure

14:24

and program is

14:26

Blink

14:33

answer policy.

14:37

The details for implementing a policy are outlined in

14:41

blank, blank blank

14:52

answer. Standard operating procedures.

14:58

The goal of en blank blank blank is to attempt to establish

15:03

trust,

15:15

answer

15:16

employee background investigation.

15:22

Okay, so here we are, Module five. Okay, so this module reviewed the foundation of an insider threat program

15:31

known as a policy and the process for employing such a program.

15:37

IT policy is simply an organized approach to dealing with the problem of the insider threats.

15:45

A process reveals the details about that. How to implement your policy into the real world. Things like standard operating procedures

15:56

explained how to do the detail, step by step things to actually implement

16:03

what you've outlined in your overarching policy,