Did you know Cybrary's video training is FREE? Join more than 2,500,000 IT and cyber security professionals, students, career changers, and more, growing their careers on Cybrary.
This unit covers administrative protection which are the management controls used to provide written policy and procedure guidance for workers. The main focus of this unit is Information Security Management which consists of the following: - Chief Information Security Office - Chief Privacy Officer - Information Systems Security manager Participants also learn about the following types of IT Security Clearances: 1. Public 2. Sensitive 3. Private; internal use only 4. Confidential This unit also covers data retention policies and the following physical access controls: - Sensitive areas - Service Ports - Computer consoles Participants also learn about physical asset management and compensating controls. [toggle_content title="Transcript"] Okay, so let's move along now to administrative protection. So what we're talking about here is making sure that we've got the proper management controls in-place to protect the users, protect the assets of the organization and ultimately protect the bottom line. If we want to think about how we manage information security we've got some different components here. We start off with our security office, chief information security office, or the CISO. This means that we've got a high-level security officer who has the authority to make decisions regarding other components within the IT security program. You might have a chief privacy officer. This is something that's a more recent development, having a CPO, because we've got a lot of concerns about personally identified information, personal privacy, financial privacy, identity theft, these might all be addressed by proper procedures being in-place and policies, of course that are enforced to make sure that privacy details are handled correctly. Then we've got our ISSM, the information systems security manager. They're making sure that all of the systems are compliant with policies and regulations as well as guidelines, and ultimately to support the bottom line. The ISSM will work with the chief security officer and chief privacy officer to make sure that everything they're responsible for is compliant. Now let's think about governance a little bit. Knowing how the information is classified within your organization is vital. We have public information, which is intended for the public. So nothing should be designated as public that might have sensitive information contained in it. Public information would be things like product announcements or merger announcements, or initiatives that say that you're offering new products and services. These are things the public wants to know, especially the public that's investing in the organization, or its customers. Then we have information that might be designated as sensitive. So this is the beginning of the need-to-know basis. This information is not extremely valuable, but it's at least sensitive. Maybe things like employee contact info. Something you wouldn't want to be public so you want to keep that somewhat protected for only those people that need it. Then we've got private information. So this is how the business does what it does its internal workings. Policies and procedures, maybe some of the business strategy, the business logic might be considered private. For internal use only. And then we have confidential, which means that we're trying to protect this at the very highest level because it's vital to the organization, it's critical to the organization and could be very damaging if confidential information becomes leaked. So thinking about the different roles in the organization in regards to data protection. We can start with the data owner. So data owners have some discretionary control over access to the information that they are responsible for. They can define a classification level. They can specify the appropriate controls to use. They can also appoint custodians to take care of that information. Custodians might be back-up operators or persons of that nature. Then we move on to the data user. The data user has to deal with the controls that were put in-place by the data owner. So they're trying to use the data for their business software requirements, or for growing the business, or for dealing with the business challenges. They also have to deal with the acceptable use of that data, which is somewhat dictated by the data owner but more often dictated at a level higher than the data owner. We are a data custodian. This individual or group is responsible for making sure that the controls that are implemented match the classification level of the data itself. You wouldn't want to use the controls for sensitive data when the data is really classified as private or confidential. That would be insufficient controls in that case. They're also trying to make sure that the data integrity can be guaranteed, or assured. Also related to back-ups. Being able to provide a restoration of data as quickly as possible when it's requested is an important part of this role. We move on to the data retention policy. Different organizations might have different policies that they've designed themselves, or they're subject to some regulations in this regard. Ultimately they're trying to decide how long do we need to keep certain data around? In some cases, data might be kept until the organization is dissolved. It might be kept effectively forever. Other data might only be needed for one year, or maybe seven years, or maybe six months. It just depends on its classification level and its importance to the organization overall. Now we can think about document access paths. So this means that we're looking at all of the different ways to get at the information in the organization. Those should be known, they should be documented, they should be verified that they are appropriate and that the appropriate security controls are in-place. This is part of your risk assessment, knowing that there's different ways to get at the information and making sure that each one of those is studied carefully to look for problems or violations. We have to think about managing personnel. Doing background checks, making sure that new hires are properly oriented, that they go through security awareness training, that they sign all of the required paperwork, maybe a non-disclosure agreement. Making sure that we can provide continuity of operations because we've got the appropriate staff in-place with people who can do some job rotation. This person does that job, then this person does that job, and occasionally they switch places so that you've got more than one person to handle the critical functions within the organization. We have to think about physical security as well. I mentioned gates, guns and guards, but we need to go beyond that as well. We know that the data center and the systems it contains, the databases that are there, back-up tapes, all these are enticing targets for intruders or hackers. So we need to understand that there could be cases where some of the technical or logical controls might be bypassed. Maybe someone's able to get into the network through an analog modem and that wasn't considered during your risk analysis or your penetration testing exercises. We need to think about service ports. Analog modems used to be much more common as a service port, but maybe you've got a USB connection to something, or a serial port, a direct attached console. These are all areas where a study of their use and access to that resource needs to be well understood. The computer console is directly attached to a system. You typically have a display and a keyboard, maybe a mouse as well. So that needs to be protected so that only people that have a need to use that resource can actually get to it physically. Speaking of physical resources, we have to think about how we manage our physical assets. Some assets are digital. This is our data. We also have to deal with our software licenses. These are typically digital as well but they might be in hard copy. Maybe you've got both. You might keep some hard copy licenses in a safe, or off-site, to make sure that they're properly protected. We have to track our back-up media. Knowing that each back-up tape or back-up device has a unique label, maybe some indication as to what the contents might be, where it's stored, how long it's stored, where that might be found in the event of an emergency. And then what about terminating access? When people leave the organization, voluntarily or involuntarily, whatever access they had needs to be examined. We need to understand how to remove that access in case the person tries to do something after their employment has been terminated. A typical example would be the disgruntled employee who gets fired and now wants revenge and they try to get connected to something to cause problems. So let's talk about some of our compensating controls that we'd like to consider. One thing, as I was just talking about a minute ago, is job rotation. This means that we have multiple people that can do those critical things that the organization requires. As far as the frequency of job rotation, that's up to management, of course. It also gives the organization an opportunity to investigate the activities of someone when they rotate into a different position. Maybe they go to a different job and now you audit their past activities to make sure that they haven't committed any fraud, to make sure that they did their job correctly. Make sure that there's no suspicious behavior there. Sometimes certain organizations even have mandatory vacation where you're required to take your two weeks or three weeks a year, and while you're gone they do an audit of your activities to make sure that everything is on the up and up. So auditing the information that we produce is also a really vital compensating control. We want to be able to know that we can find the information we need relating to any transactions or any activities within the organization, that it's being preserved and that it's accessible when it's required. If there are problems that are discovered during an audit, then we must have a reconciliation process. So we want to make sure that if we run some numbers or run some reports. If we run them again we should get the same result. If there's issues, then how did that issue come about and how do we decide how to fix it? Some other compensating controls to think about are exception reports. So we do some processing, something doesn't go right, there's an error or there's information that gets skipped over somehow, the exception report should detail what those things are that did not conform and also show or point to the proper procedures to rectify the situation. We need to think about transaction logs, especially financial transactions. Ultimately that's the lifeblood of the organization, correct and auditable, verifiable financial transactions. Really any particular transaction should be something that might need to be audited at some point, so we need to think about how that should be accomplished according to best practices and the policies and procedures that the organization already has in-place. We need to think about supervisors. What kind of review are they required to perform? If the supervisor is not doing the proper reviews, then that might constitute negligence, which of course could be a problem to itself. For instance, if there's fraudulent activity, or suspicious activity, and supervisors are aware of it and they don't do anything about it, they look the other way, now they might be complicit in some investigation of illegal activity. So, definitely something to be aware of. [/toggle_content]