Time
1 hour 27 minutes
Difficulty
Advanced
CEU/CPE
5

Video Description

This unit covers administrative protection: the management controls used to provide written policy and procedure guidance for workers. The main focus of this unit is Information Security Management, which consists of the following:

- Chief Information Security Office
- Chief Privacy Officer
- Information Systems Security Manager

Participants also learn about the following types of IT security clearances:

1. Public
2. Sensitive
3. Private; internal use only
4. Confidential

This unit also covers data retention policies and the following physical access controls:

- Sensitive areas
- Service ports
- Computer consoles

Participants also learn about physical asset management and compensating controls.

Transcript

Okay, so let's move along now to administrative protection. So what we're talking about here is making sure that we've got the proper management controls in place to protect the users, protect the assets of the organization and ultimately protect the bottom line.

If we want to think about how we manage information security, we've got some different components here. We start off with our security office, the chief information security office, or the CISO. This means that we've got a high-level security officer who has the authority to make decisions regarding other components within the IT security program. You might have a chief privacy officer. This is something that's a more recent development, having a CPO, because we've got a lot of concerns about personally identified information, personal privacy, financial privacy, identity theft. These might all be addressed by proper procedures being in place, and policies, of course, that are enforced to make sure that privacy details are handled correctly. Then we've got our ISSM, the information systems security manager. They're making sure that all of the systems are compliant with policies and regulations as well as guidelines, and ultimately to support the bottom line. The ISSM will work with the chief security officer and chief privacy officer to make sure that everything they're responsible for is compliant.

Now let's think about governance a little bit. Knowing how the information is classified within your organization is vital. We have public information, which is intended for the public, so nothing should be designated as public that might have sensitive information contained in it. Public information would be things like product announcements or merger announcements, or initiatives that say that you're offering new products and services. These are things the public wants to know, especially the public that's investing in the organization, or its customers. Then we have information that might be designated as sensitive. So this is the beginning of the need-to-know basis. This information is not extremely valuable, but it's at least sensitive: maybe things like employee contact info, something you wouldn't want to be public, so you want to keep that somewhat protected for only those people that need it. Then we've got private information. So this is how the business does what it does, its internal workings. Policies and procedures, maybe some of the business strategy, the business logic might be considered private, for internal use only. And then we have confidential, which means that we're trying to protect this at the very highest level because it's vital to the organization, it's critical to the organization, and it could be very damaging if confidential information becomes leaked.

So, thinking about the different roles in the organization in regards to data protection, we can start with the data owner. Data owners have some discretionary control over access to the information that they are responsible for. They can define a classification level. They can specify the appropriate controls to use. They can also appoint custodians to take care of that information. Custodians might be backup operators or persons of that nature. Then we move on to the data user. The data user has to deal with the controls that were put in place by the data owner. So they're trying to use the data for their business software requirements, or for growing the business, or for dealing with the business challenges. They also have to deal with the acceptable use of that data, which is somewhat dictated by the data owner but more often dictated at a level higher than the data owner. Then we have our data custodian. This individual or group is responsible for making sure that the controls that are implemented match the classification level of the data itself. You wouldn't want to use the controls for sensitive data when the data is really classified as private or confidential; that would be insufficient controls in that case. They're also trying to make sure that the data integrity can be guaranteed, or assured. This is also related to backups: being able to provide a restoration of data as quickly as possible when it's requested is an important part of this role.

We move on to the data retention policy. Different organizations might have different policies that they've designed themselves, or they're subject to some regulations in this regard. Ultimately they're trying to decide: how long do we need to keep certain data around? In some cases, data might be kept until the organization is dissolved; it might be kept effectively forever. Other data might only be needed for one year, or maybe seven years, or maybe six months. It just depends on its classification level and its importance to the organization overall. Now we can think about document access paths. This means that we're looking at all of the different ways to get at the information in the organization. Those should be known, they should be documented, and they should be verified that they are appropriate and that the appropriate security controls are in place. This is part of your risk assessment: knowing that there are different ways to get at the information and making sure that each one of those is studied carefully to look for problems or violations. We have to think about managing personnel: doing background checks, making sure that new hires are properly oriented, that they go through security awareness training, that they sign all of the required paperwork, maybe a non-disclosure agreement. Making sure that we can provide continuity of operations because we've got the appropriate staff in place, with people who can do some job rotation. This person does that job, then this person does that job, and occasionally they switch places so that you've got more than one person to handle the critical functions within the organization.

We have to think about physical security as well. I mentioned gates, guns and guards, but we need to go beyond that as well. We know that the data center and the systems it contains, the databases that are there, backup tapes, all these are enticing targets for intruders or hackers. So we need to understand that there could be cases where some of the technical or logical controls might be bypassed. Maybe someone's able to get into the network through an analog modem and that wasn't considered during your risk analysis or your penetration testing exercises. We need to think about service ports. Analog modems used to be much more common as a service port, but maybe you've got a USB connection to something, or a serial port, a direct-attached console. These are all areas where a study of their use and access to that resource needs to be well understood. The computer console is directly attached to a system. You typically have a display and a keyboard, maybe a mouse as well. So that needs to be protected so that only people that have a need to use that resource can actually get to it physically.

Speaking of physical resources, we have to think about how we manage our physical assets. Some assets are digital; this is our data. We also have to deal with our software licenses. These are typically digital as well, but they might be in hard copy. Maybe you've got both. You might keep some hard-copy licenses in a safe, or off-site, to make sure that they're properly protected. We have to track our backup media, knowing that each backup tape or backup device has a unique label, maybe some indication as to what the contents might be, where it's stored, how long it's stored, and where that might be found in the event of an emergency. And then what about terminating access? When people leave the organization, voluntarily or involuntarily, whatever access they had needs to be examined. We need to understand how to remove that access in case the person tries to do something after their employment has been terminated. A typical example would be the disgruntled employee who gets fired and now wants revenge, and they try to get connected to something to cause problems.

So let's talk about some of our compensating controls that we'd like to consider. One thing, as I was just talking about a minute ago, is job rotation. This means that we have multiple people that can do those critical things that the organization requires. As far as the frequency of job rotation, that's up to management, of course. It also gives the organization an opportunity to investigate the activities of someone when they rotate into a different position. Maybe they go to a different job and now you audit their past activities to make sure that they haven't committed any fraud, to make sure that they did their job correctly, to make sure that there's no suspicious behavior there. Sometimes certain organizations even have mandatory vacation, where you're required to take your two weeks or three weeks a year, and while you're gone they do an audit of your activities to make sure that everything is on the up and up.

Auditing the information that we produce is also a really vital compensating control. We want to be able to know that we can find the information we need relating to any transactions or any activities within the organization, that it's being preserved and that it's accessible when it's required. If there are problems that are discovered during an audit, then we must have a reconciliation process. So we want to make sure that if we run some numbers or run some reports, and we run them again, we should get the same result. If there are issues, then how did that issue come about and how do we decide how to fix it? Some other compensating controls to think about are exception reports. So we do some processing, something doesn't go right, there's an error or there's information that gets skipped over somehow; the exception report should detail what those things are that did not conform and also show or point to the proper procedures to rectify the situation. We need to think about transaction logs, especially financial transactions. Ultimately that's the lifeblood of the organization: correct, auditable, verifiable financial transactions. Really, any particular transaction should be something that might need to be audited at some point, so we need to think about how that should be accomplished according to best practices and the policies and procedures that the organization already has in place. We need to think about supervisors. What kind of review are they required to perform? If the supervisor is not doing the proper reviews, then that might constitute negligence, which of course could be a problem all to itself. For instance, if there's fraudulent activity, or suspicious activity, and supervisors are aware of it and they don't do anything about it, they look the other way, now they might be complicit in some investigation of illegal activity. So, definitely something to be aware of.
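Two of the controls the transcript describes, the custodian's check that implemented controls match the data's classification level and the removal of access after termination, turned into one runnable exception report. This is an added example, not material from the course or the instructor; the minimum control sets, the asset records and the HR records are constructed sample data.

```python
"""Added example (not part of the original lesson): an exception report that
covers two controls from the transcript. The custodian check verifies that the
controls implemented on each data asset meet the minimum for its classification
level (public, sensitive, private, confidential). The termination check finds
accounts still active after HR recorded the person's departure. Each finding is
paired with the procedure that rectifies it, as the lesson says an exception
report should do. Policy and records below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple

# Assumed minimum controls per classification level (sample policy, not the
# course's). Levels are cumulative: each requires everything the level below does.
MIN_CONTROLS = {
    "public": set(),
    "sensitive": {"authn"},
    "private": {"authn", "need_to_know_acl"},
    "confidential": {"authn", "need_to_know_acl", "encrypt_at_rest", "access_log"},
}

@dataclass
class Asset:
    name: str
    classification: str
    controls: Set[str] = field(default_factory=set)

@dataclass
class Account:
    user: str
    active: bool
    terminated_on: Optional[date] = None  # HR termination date; None if employed

def missing_controls(asset: Asset) -> Set[str]:
    """Controls the asset's classification requires but the asset lacks."""
    if asset.classification not in MIN_CONTROLS:
        raise ValueError(f"unknown classification: {asset.classification!r}")
    return MIN_CONTROLS[asset.classification] - asset.controls

def lingering_access(accounts: List[Account], today: date) -> List[str]:
    """Users still active although HR recorded a termination on or before today."""
    return [a.user for a in accounts
            if a.active and a.terminated_on is not None and a.terminated_on <= today]

def exception_report(assets, accounts, today: date) -> List[Tuple[str, str]]:
    """One (finding, rectifying procedure) pair per nonconformity."""
    report = []
    for asset in assets:
        gap = missing_controls(asset)
        if gap:
            report.append((f"{asset.name} ({asset.classification}) lacks {sorted(gap)}",
                           "custodian applies the missing controls, or the owner reclassifies"))
    for user in lingering_access(accounts, today):
        report.append((f"{user} still has active access after termination",
                       "disable the account, revoke keys and tokens, review recent activity"))
    return report

# Constructed sample data: one confidential asset is under-protected and one
# terminated employee's account was never disabled.
SAMPLE_ASSETS = [
    Asset("press-releases", "public"),
    Asset("staff-directory", "sensitive", {"authn"}),
    Asset("merger-strategy", "confidential", {"authn", "need_to_know_acl"}),
]
SAMPLE_ACCOUNTS = [
    Account("alice", active=True),
    Account("bob", active=True, terminated_on=date(2024, 3, 1)),
    Account("carol", active=False, terminated_on=date(2024, 2, 1)),
]
AUDIT_DATE = date(2024, 3, 15)

if __name__ == "__main__":
    for finding, fix in exception_report(SAMPLE_ASSETS, SAMPLE_ACCOUNTS, AUDIT_DATE):
        print(f"NONCONFORMING: {finding}\n  rectify: {fix}")
```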


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor