This lesson provides an overview of the importance of security as it relates to establishing policies and procedures, and of why communication with users is essential to a secure environment. We'll provide examples of how easily security policies and procedures are compromised, and how those breaches occur when users simply don't know or understand why certain security policies are in place.

Transcript

Security Module 2.6 part 1 - Importance of security. Now I will be looking at Section 2.6 of the syllabus. This has to do with explaining the importance of security-related awareness and training - section 2.6 of the Security+ syllabus. The first topic we see here is security policy training and procedures. Management sets policies. What is a policy? A policy is a high-level statement dictated by management. It is simply a set of rules; management will put these rules together and we call it a policy. Whatever the policy addresses is how we name the policy. So if we say security policy, this policy is addressing the rules that govern security for the organization. It could be a rule or set of rules for how users interact with the system in terms of security, or rules that govern account creation, rules that govern password creation, rules all relating to security within the organization: how security relates to everything within the organization. The security policies are broken down into procedures for users to carry out their activities within their environment. When we create the security policy, the users need to be trained to understand these policies, because you do not just create the policies, document them and leave them on the shelf. The users have to be trained to understand the requirements of the policies, to understand how to put these policies into their everyday work, so that they are following management's directive of how activities should be carried out.
Users should understand these policies, and sometimes we have to do role play, we have to do scenario training. You don't just say, okay, this is the policy, do you understand? Yes. At the end of the day they don't understand. So you have to do the training to meet the target audience. For some people you explain it to them and they understand; some people you involve in role play so that they better understand the requirements of the policies. When you do role-based training you're able to bring the training down to the required understanding of the individual users, because if we do certain training, what if I don't do that job? That training is of no good to me because I don't understand how it applies to my job. But you should do role-based training such that you are able to break down policies and procedures to individual users as it relates to their job description. Then they understand, because this is something they do, and they know that these rules only affect them as they relate to their job. That is role-based training.

Personally identifiable information: we need to train our users so that they know how to handle personally identifiable information, things such as social security numbers, credit card numbers, addresses that are private to users. So if users are dealing with this sort of information they have to be very careful so they do not disclose unauthorized information to unauthorized persons. This way we're able to guarantee confidentiality.

Information classification is another topic very important for this exam. We should classify information whether it's in hard copy or soft copy. Information is given different levels of classification: private, confidential, top secret, secret. This way, when users are dealing with information, they know what is private, they know what is confidential, secret or top secret. That way they can better handle such information; they can better safeguard this information if it is properly classified.
With proper classification, even systems can also be given classification, so that we can tell what systems or what users can access what data, because everything has been classified. If we don't have proper data classification, data would be handled carelessly. With proper data classification, people know when to stop other people having access to their desk; people know when to carry around or not carry around information in hard copy, because it's been properly classified. With proper data classification we can also monitor access to data while it is on our desk in hard copy or while it is on our systems in soft copy.

Data labeling, handling and disposal. Proper data classification will ensure that we do data labeling. If we do data labeling, we label everything clearly so we know how to manage it on our servers, we know how to manage it on our systems, and we also know how to handle data carefully. If data has been properly labeled confidential, secret or top secret, we know not to post it under the door, because anybody can have access to it. We know not to leave it lying around on our desk, because anybody can have access to it. And if data has been carefully labeled, when we have to destroy it we can destroy it at the appropriate sensitivity level. Data that has been classified secret should be disposed of or destroyed at that level as well. When you want to destroy data, if you don't destroy it at the level of its sensitivity, it means that other means could still be available to compromise that data. So if you destroy it at its level of sensitivity, that way you limit compromise of either confidentiality or integrity.

Let's look at compliance with laws, best practices and standards. Organizations should ensure that their users, their infrastructures, their configurations, and their practices are in compliance with laws, best practices and standards. What are some of these laws, best practices or standards?
We have the HIPAA standards to protect against unauthorized disclosure of medical information. We have the Sarbanes-Oxley Act, SOX, to protect against disclosure of financial information. We have the Payment Card Industry PCI DSS to protect against the disclosure of credit card numbers. PCI DSS: these are standards to protect information about our customers' personally identifiable information. Organizations should put procedures in place to protect against these standards so that we don't allow unauthorized disclosure of information or unauthorized change of data within our networks.

What are some user habits that are of concern here? Password behaviors. It is common practice for users to want to share their passwords. Maybe under duress a user will share his password or her password with another user: please log onto the system for me while I'm away so they think I'm online. But your users should be better educated as to how they use their passwords or share their passwords; users should be discouraged from sharing passwords. What about what sort of passwords they create? Your users should be educated as to best practice for creating their passwords. It is common practice that our users would want to make very easy passwords. Yes, the password should be easy to remember but difficult to guess. So they must conform to password best practice, maybe the minimum length of the password. Best practice dictates that the password should be of a minimum number of characters and above, not too short. If it is too short it can easily be compromised by malicious persons. Our passwords should also have password complexity, so the user should be trained on password complexity. Password complexity dictates that we have uppercase, lowercase, special characters and numbers, so your users should be educated how to generate such passwords so that it is also easier to remember and yet meets the password requirements of uppercase, lowercase, special characters and numbers.
Such passwords are much more difficult to compromise, because malicious persons would have big issues trying to guess these passwords.

Our users should also be educated to keep a clean desk policy. These days many people carry around smartphones. A smartphone has a camera. This could be used to take copies of your desk in two minutes, or in fact in one minute somebody could quickly take a picture of documents on your desk. Some people think, oh, the more papers I have on my desk the more important I appear. Please, we have to keep a clean desk policy. Information could leak off your desk: maybe your organization is working on a new product and you have papers lying around, and another person could come with a camera, and in one minute they've got all that information and they walk away. So by keeping a clean desk policy we don't need papers or documents hanging around on our desk. Some other people are responsible for licenses. Maybe you buy software from multiple manufacturers and the licenses are scattered on your desk. Best practice: lock them away in a safe, so you keep a clean desk policy and people cannot walk away with documents from your desk carrying sensitive information.