Information Security Policies

Course time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
Let's move ahead and talk about security policies. In this section, we're going to talk about organizational policies, issue-specific policies, and then system-specific policies. As I mentioned, we have three basic types of policy. Your corporate policy comes down from senior leadership. That corporate policy is leadership's way of stamping their vision on the organization as a whole: this is how we feel about security, this is our commitment to it, this is the business reason that security is important to us, here are our expectations, here are the results of noncompliance. That's what your organizational security policy is going to be, and then we're going to break it down further into specific issues we're going to deal with and specific systems.
Actually, I'm just going to mention system-specific policies first, because the idea is that for every system you have in your environment, or every role of systems in your environment, you may have different security policies. What I mean by that is you're going to have a different set of policies for domain controllers than you are for web servers. You're going to have certain policies that impact users and user workstations that are going to be very different than how you would protect your database or whatever.

I've given you a couple of examples on this slide of what a system-specific policy would look like. This first point: web servers must be configured according to a consistent image with a baseline configuration approved by the director of IT and of marketing. So what I want you to notice is that's a broad statement; it doesn't have any details as to what that baseline image is going to include, but it just basically says, "Hey, we're going to have an image for these systems, and they have to get sign-off from marketing and sales." That's policy. I'm not getting into all the details, all the particulars. Remember, standards and procedures are going to fill in those details. As a general rule, policy should be able to be written and not have to be revised for a couple of years. It's not something that you're going to change every time the wind blows. Those are your system-specific policies; I've given you a couple of other examples here.
Let's talk for just a minute about issue-specific policies. I really do think that you're going to see questions on these policies. I would encourage you to know them all and to really understand what they bring to me in a secure environment. We'll start out with the change management policy. I cannot stress enough that nothing should happen on the fly. Even if things are on fire, there's a process for how we handle certain situations that might arise. If there are necessary changes to our environment, we should have a change control process that's in place, that's followed to the T in the event of a recommended change. Like I said, even if something's on fire, there's an emergency change control process, because what we don't want to do is create an unstable environment. When people start making changes, they forget to document, they don't always do their due diligence, and sometimes you fix one problem just to cause another, like we talked about with secondary risks. Our change management policy makes sure that we have a specific procedure in place to ensure that the changes that are made have been considered, approved, tested, scheduled for roll-out, they get rolled out, they get documented, lessons learned are collected, all of those pieces, and that should be included in our change management policy.
Now, the acceptable use policy. The acceptable use policy is a resource policy, meaning it's aimed at protecting company resources. Questions like, "Can I print personal material on the company printer? Can I browse the Internet while I'm working? Can I make phone calls on the company dime?" Those would be considered to be part of an acceptable use policy.
Now, after that, the privacy policy. Now, we're not talking in this instance about privacy of customer data; what we're talking about here is employee privacy. If I were to ask you, do I have to guarantee privacy for my employees in the workforce? I've had different answers. Or if I ask the question, do employees have an expectation of privacy? The truth is, they do expect privacy. Now, whether or not I have to guarantee that is a different story, but the bottom line is my employees expect privacy, right, wrong or indifferent, and if I'm going to infringe upon that privacy, they need to be notified. That's one of the most important elements of your employee privacy program: notification.

For instance, when a new employee comes in, I go over the employee handbook, the high level, with them, and then I'm going to include in that: you have no expectation of privacy while you're within this building, on these computers, at this time. Here are the ways that we might infringe upon privacy: we might monitor phone calls for quality assurance, we might record keystrokes or view web history. Whatever it is, they're our systems, technically we can do it, but we want to do it in a manner that is compliant with laws and regulations, but also just best practices, just fairness. We're not trying to sneak up and catch our employees doing something wrong; we're protecting our assets. Sometimes just telling people, "Hey, we're watching," is enough of a deterrent. It certainly keeps the honest people honest. That's our privacy policy: make sure that we have notification.
Now for data and system ownership. Data ownership wins every time. When we talk about who is accountable for the protection of data, who determines the security of data, who determines access to data, who determines data's value, all of those go to the data owner, and usually we don't really think about classifying systems except based on the data that's stored on those systems. This computer doesn't mean anything to me; it's really valuable to me based on the data that's stored on the system. Watch for tricky questions like: user A is the owner of data on a system that's owned by user B; who controls the security? The idea is one person owns the data, the other person owns the system. The data owner is always the one accountable, always the one that makes the decisions on the protection of data. Whenever you're in doubt, the data owner is the decision-maker; they're our ultimate customer.
Another big topic is separation of duties. Expect to see this on the exam. A couple of ideas with separation of duties. First of all, separation of duties keeps any one individual from being too powerful within an organization. There's that old phrase, absolute power corrupts absolutely. I say that, and I say that with a smile on my face, because I remember one of the first jobs in IT I had, and I was very new, and even at that point in time I knew this was ridiculous, but it was a medium-to-small-sized company and they had a single network admin. Everybody considered him to just be the guru of the organization, and he was just extremely smart, but he had way too much power in that organization. I kid you not, if you were in a discussion with him and you ticked him off, he seriously would go lock out your account, and he wouldn't pick up his phone for 30 minutes. The guy was a jerk, but above and beyond that, how does that happen in an organization, that one person has that much power? Separation of duties might say this one person can lock accounts, this other person can unlock them. We don't want one person sitting on the keys to make everything in the company work.

Now, another idea with separation of duties is I want you to have the phrase "forcing collusion." Separation of duties forces collusion. Well, the first time I heard that I thought, what? Because collusion isn't a good thing. Collusion is multiple people coming together to create fraud or to perpetrate fraud. Collusion is never people coming together to hold hands and sing "We Are the World"; collusion is always negative. My thought was, why in the world would you want to force collusion? Well, the idea is, I would rather you have to collude with someone to commit fraud than to be able to do it on your own. For instance, at your company, the person that prints paychecks is not the same person that signs paychecks. If they were to commit fraud, they'd have to collude together, and think about that. If I'm not able to commit fraud on my own and I have to collude with someone else, how well would I have to know that person to say, "Hey Bob, I've got this great idea. Do you want to risk 15 years in prison because I've got a great idea?" It's hard to find another party to collude with, and that's what we want. Separation of duties forces collusion.

Now, of course, we don't want collusion to happen at all. We implement lots of other compensating policies like job rotation. We make sure that people rotate their positions so that we don't have time to build those collusive relationships. We also monitor employee activity and we audit. Separation of duties is a good start. It's a preventive control.
Now, from separation of duties, another policy we can put in place is mandatory vacations. This is something you're only going to see in the financial industry. As a matter of fact, if you see a scenario question where they're talking about you working for a bank, mandatory vacations probably should pop into your mind to say, hey, are they going down this trail? Because here's what mandatory vacations do for us. Let's say that I get hired by a bank and they say, "Congratulations, Ms. Handerhan, you have the job. You're going to get 10 days paid vacation. Five of those days must be taken consecutively, and during those five days you cannot come to work, you can't check your e-mail, you can't remotely connect to the office, you can't call people, you can't show up in person, you must be 100 percent absent from this organization." If the bank is coming up a couple of hundred bucks short every single week, and all of a sudden, the one week Kelly's on vacation in the Cayman Islands, everything balances to the penny, well, then you may see this gives us some reasonable idea that maybe there's fraudulent activity coming along. In this case, when we have mandatory vacations, that's a detective control.
I've already mentioned job rotation, going around where we don't allow individuals to stay in one job too long. At some point in time, when people know all the ins and outs, all the tricks, all the workarounds, then it's probably time to move them on to the next department, the next role, the next function, and then ultimately we bring someone else in so that they can observe the environment and make sure that there wasn't any fraudulent activity. It's also really good to cross-train your employees. You can think about that in the event of disaster recovery and business continuity planning: we don't want that one individual that can't be missing in action.
Principle of least privilege and need to know both do the same thing. They're both for the same purpose. They're slightly different in that principle of least privilege has to do with action, whereas need to know has to do with knowledge. For instance, I don't allow users to install applications on their systems. They'll install garbage, or it'll be improperly installed, or just whatever; it just introduces a risk that isn't worth it. That's principle of least privilege. I'm only going to give you privilege to what you absolutely have to have to do your job. Principle of least privilege, need to know: you're not on the sales team, so I don't give you access to the sales folder. One's about knowledge, the other is about action and activity. I don't let you change system date and time: least privilege. I don't let you have access to a top-secret folder because you have clearance of secret: that's need to know.
Then dual control and M of N control go together, and they're back to the ideas of separation of duties, limiting the power. For instance, with dual control, if you've seen those movies where there's a madman that's overtaken the Oval Office and he's going to launch the bomb: then down in the bunker there are two keys, one on each side of the room. Two people would have to be present to turn the keys in order to launch the missile. That's a way of preventing one person from being all-powerful. That's dual control. Now, technically, dual control is a form of M of N control, but M of N control is a little more flexible. With dual control, I might say administrator 1 and administrator 2 must be present in order to recover a private key, and it's dual control. But with M of N control, I'm not naming specifics; I'm saying so many out of a total. M and N are just variables. What I mean by that is, let's say in my company I have seven network admins; I might say any three out of seven need to be present to recover a private key. With dual control, you dictate specific individuals: Bob and Alice must be there. But what if Bob's out or Alice isn't available? M of N control is much more flexible: three out of five, four out of 10, two out of eight. It just gives that flexibility that I have so many individuals in a specific role, and a certain number have to be there rather than certain individuals.
That wraps up our security policy. We talked about corporate policy, which comes down from senior management, where they dictate their vision and their view of security within the organization. Then we talked about specific issues with our employees, as well as system-specific policies.