CIA Policies

Video Description

In this lesson, instructor Kelly Handerhan explains the policies we use to protect the organization's C-I-A (confidentiality, integrity and availability). Separation of duties: works very closely with the ideas of least privilege and "need to know." An employee is given only the rights needed to perform the activities that are necessary for their job. It mitigates the success of exploits such as social engineering. Acceptable Use Policy (AUP): the organization dictates what acceptable use of company resources is. Mandatory vacations: an effective detective tool. If there has been a spate of unexplained security breaches or other untoward activity, separating an employee from the company for a specified period can reveal who the culprit is. Job rotation: an effective way to cross-train staff to ensure redundancy in the event a particular staff member is absent for some reason. Least privilege: much like separation of duties, it ensures data security by preventing any one employee from being able to access more information or resources than they require in order to perform their assigned duties. Need to know: ensures that no staff member possesses more information than they require in order to perform their job. Dual control: used when a task or function is so sensitive that it is more secure to split it between two team members. Computer ownership: who owns a company laptop? Onboarding/offboarding: how do we bring people into, and let them go from, the organization?

Video Transcription
Okay, so we've talked about some of the basics of policy. We'll get more specific into that in just a little bit. But let's look at some security policies, those that are specifically designed to help protect the C-I-A: confidentiality, integrity and availability.

All right. So the very first policy we'll talk about, and it is a very important policy, is separation of duties, and it really works very closely with the principle of least privilege and the idea of need to know. So least privilege: I'm only going to give you the rights to perform activities that are necessary for your job, no more or less. Need to know: I'm only going to give you access to information you have to have to do your job. And separation of duties means that, based on your role within the organization, you have just the bare minimum abilities and access to information. So you can see that goes very closely with least privilege and need to know, and really all three of them come together to work.

Now, what that prevents, or at least what that mitigates, is the success, perhaps, of social engineering attempts to compromise confidentiality. For instance, even if I may be able to trick your receptionist into letting me into the office building, she can't let me into the server room, because she doesn't have a key. And the reason she doesn't have a key is that that isn't her role. So what we're looking to do is prevent any one individual from having more rights, privileges or knowledge than they should. It's a way that we enforce confidentiality.

Separation of duties is also important because it allows for singleness of purpose. You know, if you've ever heard the phrase "jack of all trades," that sounds pretty good until you hear the rest of it, and that's "master of none." Right? Jack of all trades, master of none: I do a whole bunch of things, not very well. So the reason for that is we want that singleness of purpose, so I can focus in and I can do that one thing that I'm responsible for very well.

If we look, maybe, at network administration roles versus security administration, those are two roles that absolutely must be isolated from each other. The network administrator has so much power and privilege on the network that they need to be audited too. That's the job of the security personnel. And if you have the security team the same as the network team, then obviously you don't really have that system of checks and balances. Not to mention the fact that the network team really focuses on availability of resources. The way I know I'm doing a good job as a network admin: my phone is not ringing, right? But a security admin, that's not their main goal. Their main goal is protecting those assets, and sometimes they're at cross purposes.

All right, acceptable use policy, AUP. The acceptable use policy dictates acceptable use. It dictates how my employees are to use company resources. You know, can you make long distance phone calls on our phones? Can you browse the Internet? Can you use the fax machine for personal usage? What can be sent to the printer? All the things that, as an employer, I provide my employees to work with: how do I expect those resources to be treated and to be utilized? That's your AUP.

All right, mandatory vacations. Now, we don't necessarily think of vacations as being a security mechanism, but you see this a lot in financial institutions. Let's say I work for a bank, and for the last six weeks that bank has been coming up short a couple hundred bucks every week. All right, so the manager may come in and say, "Kelly, how about a vacation starting right now for 14 days? You're not to come into the building. You're not to contact anyone that works here. You're not to access your mail. You're not to log in remotely. You are totally disconnected from the organization. You go have a great vacation. We'll let you know at the end of 14 days how to pick up and come on back." So basically, it's a detective mechanism.

Job rotation. Job rotation has a lot of benefits. For one thing, job rotation will help me have a well-trained staff through cross-training, and that's very important for redundancy of personnel. If you've ever been that person at an office that can't miss a day because everybody just wants to call and email and text you, that's not very good redundancy of staff. So job rotation does give me that. Job rotation is also a detective mechanism. No one gets too comfortable in any role, because they know someone will be coming in behind them.

I've already mentioned the principle of least privilege and need to know. So with dual control, there are some functions on a network that are so sensitive we wouldn't want a single administrator to be responsible for them. So maybe two administrators must be there. You know, maybe there's a 20-character password. Admin one has the first 10 characters, admin two has the second 10, and that's a way of forcing multiple administrators to work together. And the idea there is that we want to be able to make sure no one individual is abusing their power. Again, it kind of goes back to separation of duties and that idea.

Data ownership policies, as well as computer ownership. You know, who owns the data that I work with? If you work at Facebook and people put their Facebook data up on Facebook servers, well, now Facebook owns it. But what about if I, as a patient, go to a medical facility? I maintain ownership of my health care information. So it's very important that employees understand who owns the data that they're working with.

Computer ownership. You know, when we have company-issued laptops that people can take home and travel with, sometimes that line of who owns this laptop gets blurred. This is a company laptop. What can I do with it in the building? What can I do with it outside of the building?

And then, last but not least, onboarding and offboarding. How do we bring people into our organization to work? And then, at the end of their employment, how do we terminate that relationship, making sure that we have good policies in place? And that can also certainly apply to third-party vendors as well.

So these are just some of the policies that we want to consider, those specifically focusing on confidentiality, integrity and availability of our informational assets.
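The dual-control password split described in the lecture (admin one holds the first 10 characters, admin two the second 10), as an added example in Python that is not part of the lesson: it implements that halves scheme next to XOR-based 2-of-2 secret splitting and compares how much an attacker who obtains one administrator's share still has to guess. The sample credential, the function names and the 94-character printable alphabet used for the brute-force estimate are assumptions of this example.

```python
import secrets
from math import log2

# Constructed sample credential for the demonstration only (not a real secret).
SAMPLE_SECRET = b"correct-horse-batt20"   # 20 bytes, matching the lecture's example
PRINTABLE_ALPHABET = 94                    # assumption: printable ASCII password characters


def split_halves(secret: bytes) -> tuple[bytes, bytes]:
    """The scheme described in the lecture: admin one holds the first half of
    the password, admin two holds the second half. Each share reveals its half
    of the credential outright."""
    mid = len(secret) // 2
    return secret[:mid], secret[mid:]


def join_halves(share_one: bytes, share_two: bytes) -> bytes:
    """Dual-control ceremony for the halves scheme: both admins type their part."""
    return share_one + share_two


def split_xor(secret: bytes, rng=secrets.token_bytes) -> tuple[bytes, bytes]:
    """2-of-2 secret splitting (one-time-pad style): share one is uniformly
    random, share two is secret XOR share one. Each share on its own is
    independent of the secret. `rng` is injectable so tests can be deterministic."""
    share_one = rng(len(secret))
    share_two = bytes(s ^ r for s, r in zip(secret, share_one))
    return share_one, share_two


def join_xor(share_one: bytes, share_two: bytes) -> bytes:
    """Reconstruct: secret = share one XOR share two. Fails closed on a length
    mismatch rather than silently truncating to the shorter share."""
    if len(share_one) != len(share_two):
        raise ValueError("shares must have the same length")
    return bytes(a ^ b for a, b in zip(share_one, share_two))


def work_with_one_share_bits(scheme: str, secret_len: int,
                             alphabet: int = PRINTABLE_ALPHABET) -> float:
    """log2 of the candidate space a single compromised or colluding admin
    still has to search to recover the full credential.
    halves: only the other half is unknown -> alphabet ** ceil(n / 2)
    xor:    every character is still unknown -> alphabet ** n
    """
    if scheme == "halves":
        unknown = secret_len - secret_len // 2
    elif scheme == "xor":
        unknown = secret_len
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    return unknown * log2(alphabet)


def candidates_consistent_with(scheme: str, share_one: bytes,
                               candidates: list[bytes]) -> list[bytes]:
    """Given only admin one's share, which candidate secrets could the real
    credential still be? Under the halves scheme a candidate must begin with
    the share, so the share rules most candidates out. Under XOR splitting any
    candidate of the right length fits, because share two = candidate XOR
    share one always reconstructs it: one share carries no information."""
    if scheme == "halves":
        return [c for c in candidates if c.startswith(share_one)]
    if scheme == "xor":
        return [c for c in candidates if len(c) == len(share_one)]
    raise ValueError(f"unknown scheme: {scheme}")


if __name__ == "__main__":
    h1, h2 = split_halves(SAMPLE_SECRET)
    x1, x2 = split_xor(SAMPLE_SECRET)
    n = len(SAMPLE_SECRET)
    print("halves: admin one sees", h1,
          "-> remaining search ~", round(work_with_one_share_bits("halves", n), 1), "bits")
    print("xor:    admin one sees", x1.hex(),
          "-> remaining search ~", round(work_with_one_share_bits("xor", n), 1), "bits")
    # Both schemes enforce dual control: reconstruction needs both admins present.
    assert join_halves(h1, h2) == join_xor(x1, x2) == SAMPLE_SECRET
```

Both schemes give the lecture's dual-control property (neither administrator can act alone), which is the point being made. What differs is what a single share leaks: with halves, admin one's share exposes half the credential and leaves a 10-character brute force; with XOR splitting, either share is uniformly random on its own, so the full 20-character search remains. The same idea generalises to k-of-n splitting with Shamir secret sharing, which is what hardware security modules and key-ceremony procedures typically use.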