Time
3 hours 47 minutes
Difficulty
Beginner
CEU/CPE
3

Video Description

We now provide an overview of the importance of security as it relates to establishing policies and procedures, and why communication with users is important to having a secure environment. We'll provide examples of how easily security policies and procedures are compromised, and how those breaches occur when users simply don't know and understand why certain security policies are in place.

Transcript

Security Module 2.6, part 1: Importance of security. Now I will be looking at Section 2.6 of the syllabus. This has to do with explaining the importance of security-related awareness and training, section 2.6 of the Security+ syllabus. The first topic we see here is security policy training and procedures. Management sets policies. What is a policy? A policy is a high-level statement dictated by management. It is simply a set of rules; management will put these rules together and we call it a policy. Whatever the policy addresses is how we name the policy. So if we say security policy, this policy is addressing the rules that govern security for the organization. It could be a rule or set of rules for how users interact with the system in terms of security, or rules that govern account creation, rules that govern password creation, rules all relating to security policies within the organization: how security relates to everything within the organization. The security policies are broken down into procedures for users to carry out their activities within their environment. When we create the security policy, the users need to be trained to understand these policies, because you do not just create the policies, document them and leave them on the shelf. The users have to be trained to understand the requirements of the policies, to understand how to put these policies into their everyday work, so that they are following management's directive of how activities should be carried out.

Users should understand these policies, and sometimes we have to do role play; we have to do scenario training. People don't just say, "OK, this is the policy, do you understand?" "Yes," and at the end of the day they don't understand. So you have to do the training to meet the target audience. Some people, you explain to them and they understand; some people, you involve them with role play so that they better understand the requirements of the policies. When you do role-based training, you are able to bring the training down to the required understanding of the individual users, because if we do certain training, what if I don't do that job? That training is of no good to me because I don't understand how it applies to my job. But you should do role-based training such that you are able to break down policies and procedures to individual users as it meets their job description. Then they understand, because this is something they do, and then they know that these rules only affect them as it relates to their job. That is role-based training. Personally identifiable information: we need to train our users so that they know how to handle personally identifiable information, things such as Social Security numbers, credit card numbers, addresses that are private to users. So if users are dealing with this sort of information, they have to be very careful so that they do not disclose information to unauthorized persons. This way we are able to guarantee confidentiality. Information classification is another topic very important for this exam. We should classify information whether it is in hard copy or soft copy. Information is given different levels of classification: private, confidential, secret, top secret. This way, when users are dealing with information, they know what is private, they know what is confidential, secret or top secret. That way they can better handle such information; they can better safeguard this information if it is properly classified.

With proper classification, even systems can also be given classifications so that we can tell what systems or what users can access what data, because everything has been classified. If we don't have proper data classification, data would be handled carelessly. With proper data classification, people know when to stop other people having access to their desk; people know when to carry around or not carry around information in hard copy, because it has been properly classified. With proper data classification we can also monitor access to data while it is on our desk in hard copy or while it is on our systems in soft copy. Data labeling, handling and disposal: proper data classification will ensure that we do data labeling. If we do data labeling, we label everything clearly, so we know how to manage it on our servers, we know how to manage it on our systems, and we also know how to handle data carefully. If data has been properly labeled confidential, secret or top secret, we know not to post it under the door, because anybody can have access to it. We know not to leave it lying around on our desk, because anybody can have access to it. And if data has been carefully labeled, when we have to destroy it we can destroy it at the appropriate sensitivity level. Data that has been classified secret should be disposed of or destroyed at that level as well. When you want to destroy data, if you don't destroy it at the level of its sensitivity, it means that other means could still be available to compromise that data. So if you destroy it at its level of sensitivity, that way you limit compromise of either confidentiality or integrity. Let's look at compliance with laws, best practices and standards. Organizations should ensure that their users, their infrastructure, their configurations and their practices are in compliance with laws, best practices and standards. What are some of these laws, best practices or standards?

We have the HIPAA standards to protect against unauthorized disclosure of medical information. We have the Sarbanes-Oxley Act, SOX, to protect against disclosure of financial information. We have the Payment Card Industry standard, PCI DSS, to protect against the disclosure of credit card numbers. PCI DSS: these are standards to protect information about our customers, personally identifiable information. Organizations should put procedures in place to protect against these standards so that we don't allow unauthorized disclosure of information or unauthorized change of data within our networks. What are some user habits that are of concern here? Password behaviors. It is common practice for users to want to share their passwords. Maybe under duress a user would share his or her password with another user: "Please log onto the system for me while I'm away so they think I'm online." But your users should be better educated as to how they use their passwords or share their passwords; users should be discouraged from sharing passwords. What about what sort of passwords they create? Your users should be educated as to best practice for creating their passwords. It is common practice that our users would want to make very easy passwords. Yes, the password should be easy to remember, but difficult to guess. So they must conform to password best practice, maybe the minimum length of the password. Best practice dictates that the password should be a minimum of eight characters and above, not too short. If it is too short, it can easily be compromised by malicious persons. Our passwords should also have password complexity, so the user should be trained on password complexity. Password complexity dictates that we have uppercase, lowercase, special characters and numbers, so your users should be educated on how to generate such passwords so that it is easier to remember and yet meets the password requirements of uppercase, lowercase, special characters and numbers.

Such passwords are much more difficult to compromise, because malicious persons would have big issues trying to guess these passwords. Our users should also be educated to keep a clean desk policy. These days many people carry around smartphones. A smartphone has a camera. This could be used to take copies of your desk in two minutes, or in fact in one minute somebody could quickly take a picture of documents on your desk. Some people think, "Oh, the more papers I have on my desk, the more important I appear." Please, we have to keep a clean desk policy. Information could leak off your desk: maybe your organization is working on a new product and you have papers lying around, and another person could come with a camera and in one minute they've got all that information and they walk away. So by keeping a clean desk policy we don't leave papers or documents hanging around on our desk. Some other people are responsible for licenses. Maybe you buy software from multiple manufacturers and the licenses are scattered on your desk. Best practice: lock them away in a safe, so you keep a clean desk policy and people cannot walk away with documents from your desk carrying sensitive information.
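The transcript's point about classification is that once every document and every user carries a label, access decisions, monitoring and disposal all follow from the label. The following Python script is an added example, not part of the course material: it ranks the four levels the transcript names (the transcript does not order them, so private < confidential < secret < top secret is an assumption here), checks whether a user's clearance covers a document's label, produces a monitoring line for each access attempt, and looks up the destruction method for a document's own sensitivity level. The document names, clearances and handling rules are constructed sample data.

```python
from enum import IntEnum


class Classification(IntEnum):
    """Sensitivity levels from the transcript, ranked here by assumption."""
    PRIVATE = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


# Constructed sample inventory: the label on each document ...
DOCUMENTS = {
    "staff-directory.pdf": Classification.PRIVATE,
    "q3-forecast.xlsx": Classification.CONFIDENTIAL,
    "new-product-design.docx": Classification.SECRET,
    "merger-plan.docx": Classification.TOP_SECRET,
}

# ... and the clearance each user has been granted.
CLEARANCES = {
    "alice": Classification.TOP_SECRET,
    "bob": Classification.CONFIDENTIAL,
    "intern": Classification.PRIVATE,
}

# Hypothetical handling rules per label: (where hard copy is kept, how it is destroyed).
HANDLING = {
    Classification.PRIVATE: ("desk drawer", "recycle"),
    Classification.CONFIDENTIAL: ("locked cabinet", "strip-cut shred"),
    Classification.SECRET: ("safe", "cross-cut shred"),
    Classification.TOP_SECRET: ("safe with two-person access", "pulp or incinerate"),
}


def can_read(user: str, document: str) -> bool:
    """A user may read a document only if their clearance is at or above its label."""
    return CLEARANCES[user] >= DOCUMENTS[document]


def accessible_documents(user: str) -> list[str]:
    """Everything the user is cleared to see, derived purely from the labels."""
    return sorted(doc for doc in DOCUMENTS if can_read(user, doc))


def storage_rule(document: str) -> str:
    """Where a hard copy of this document may be kept when not in use."""
    return HANDLING[DOCUMENTS[document]][0]


def disposal_method(document: str) -> str:
    """Data is destroyed at the level of sensitivity it was labelled with."""
    return HANDLING[DOCUMENTS[document]][1]


def access_log_line(user: str, document: str) -> str:
    """One line a monitoring system would record for each access attempt."""
    decision = "ALLOW" if can_read(user, document) else "DENY"
    return f"{decision} user={user} doc={document} label={DOCUMENTS[document].name}"


if __name__ == "__main__":
    for user in CLEARANCES:
        for doc in DOCUMENTS:
            print(access_log_line(user, doc))
    for doc in DOCUMENTS:
        print(f"{doc}: store in {storage_rule(doc)}, destroy by {disposal_method(doc)}")
```

Because the decision is a comparison of two labels rather than a per-user list of files, adding a new document only requires labelling it; the access rule, the log entry and the disposal method all fall out of that one label.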
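The password requirements the transcript lists (a minimum length, plus uppercase, lowercase, digits and special characters) are exactly what a password policy check enforces at account creation. The script below is an added example, not code from the course: it reports every requirement a candidate password fails rather than just rejecting it, which is the feedback users need if they are to learn the policy rather than guess at it. The eight-character minimum follows the transcript; the small list of commonly used passwords is a constructed sample, and checking against such a list is an addition beyond what the transcript states.

```python
import re

# Minimum length taken from the transcript ("eight characters and above").
MIN_LENGTH = 8

# Constructed sample of easy-to-guess passwords; a real deployment would use a
# much larger breached-password list. Checking this list is an assumption of
# this example, not a requirement stated in the course.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein", "welcome1"}

# The four character classes the transcript names for password complexity.
REQUIREMENTS = {
    "uppercase letter": re.compile(r"[A-Z]"),
    "lowercase letter": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return every policy requirement the password fails; an empty list means it passes."""
    failures = []
    if len(password) < min_length:
        failures.append(f"at least {min_length} characters")
    for name, pattern in REQUIREMENTS.items():
        if not pattern.search(password):
            failures.append(f"at least one {name}")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("not a commonly used password")
    return failures


def is_compliant(password: str) -> bool:
    """True only when the password meets every requirement in the policy."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed candidates: too short and too simple, missing one class, and compliant.
    for candidate in ["summer", "Password1", "Tr!cky-Elephant42"]:
        problems = check_password(candidate)
        status = "OK" if not problems else "FAIL: " + "; ".join(problems)
        print(f"{candidate!r}: {status}")
```

Returning the full list of failures is the training-friendly choice: a user who sees "at least one special character" learns the rule, while a bare "password rejected" teaches nothing and pushes people back toward the easy passwords the transcript warns about.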


Instructed By

Kelly Handerhan
Senior Instructor