Security Policies

3 hours 35 minutes
Video Transcription
Hello and welcome to the PC Security Intermediate Course.

In this video, I will be talking about security policies regarding PC security. So I'm going to talk about their reach, what they should cover, and how to implement and maintain security policies.

First, let's talk about what every PC security policy must include.

One of the first things you, as a user in the company, see is how long your password must be and what it has to contain. Usually it's eight or 12 characters. It has to contain letters, both lower case and upper case, then there has to be at least one number and at least one special character. Sometimes it's at least two numbers, and so on, but it really doesn't make a difference. Remember when we talked about protecting user authentication: actually, eight characters or even 12 characters are simply not long enough to prevent people from using some brute-force algorithms to crack it.

So it is essential that we suggest people use passphrases instead of passwords. And if you can push it through company management that people are basically trained, so they get to understand the quality of passphrases over passwords, and you're not using two-factor authentication or something like that, then it's really, really essential that you put it there if you can.
The second thing that every PC security policy must include, if it has to be successful, is phishing awareness training for all employees. It's one thing that is used so effectively and so widely today as a method for hacking PCs, and it is unbelievable how high the percentage of people is who get phished by a phishing email. Some researchers say that 26% even respond to a phishing email in some way, at least open it, and that even 12% of people, even when they're told not to do it, still do it because they're curious, or because they simply don't care, because they understand the consequences, or because the company doesn't have consequences.

So this is a must.
Then the third thing is some kind of guidelines for browsing. So essentially explain to people that if they're on some site, even if it's a known site, and they are accessing some file, they shouldn't open it. They should save it first, then scan it, and then open it. These things can sometimes be a problem for people to do. So if you can introduce some software that will simply not allow them to open files directly from the website, but essentially puts the file on the hard drive in some kind of protected environment in which you can only view that file but cannot use its full potential, then you have to scan it or unprotect it. It's a great thing. I had experience with such solutions, and they work perfectly. You simply cannot do anything unless the file is saved.

So people complain in the beginning, but then it becomes the new routine, and now everybody's happy. So it works.
Of course, there should be some kind of blacklist of dangerous and inappropriate websites. It doesn't have to be a malware site; it can be just a site with content that the company doesn't feel you should look at. And I'm not talking about things like, you know, something with adult content; I'm even talking about, you know, playing online games. So you should ban these sites completely.

Then you should introduce an instant messaging policy, which means, you know, how to do it, is it allowed, is it not, all the details regarding instant messaging.

And then, as I said regarding browsing guidelines, a policy about downloading attachments, not only during browsing but also if you're receiving something in email, or if you're using some FTP to download things: how you should handle them. So these things should be clearly stated and, if possible, to a certain level or absolutely automated, so that users and employees don't even have to think about this.
So you have defined a PC security policy. Of course, there are many more things that should be there, but I'm talking about the basics, and those basics are touching, you know, the ability of users to mess things up because they simply are not that interested or qualified to make decisions about what can be dangerous for their PC, which is completely understandable. The vast majority of people who use PCs today in their everyday business are simply from completely different fields which have nothing to do with IT, and you cannot expect them to simply understand things by default.
Okay, so now we talk about maintaining the policy.

You have established a security policy, but, for example, is antivirus running, and even antimalware software, on every PC? So somebody has to check these things. This can be done by some kind of software, but at certain points there has to be human intervention. So there has to be a dedicated team or a group within IT or the IT Security Department which has authority to implement the policy. So if somebody has managed to uninstall antivirus from their machine, that person should be immediately contacted, steps should be taken to put the antimalware software back on that machine, and to explain to the person that they should never do it again.

Then, policy is not a static thing. There should be people in some kind of strategic role who should, you know, follow the threat landscape, see what new things are happening, and adjust the policy accordingly.

And then there should be somebody who is in charge on a high level to communicate with the business groups, other IT teams, verticals in the company, so they know if some new solution or new approach to IT has been suggested in the company, and to see if the IT security policy can be modified to cover this new situation, or to raise a red flag and say, OK, you can implement that, but it's not according to security policy, and it's going to be a problem in the future, in terms of it's not going to work, or we're going to be less secure, or whatever might be the consequence of that.
So this is all about policies. I'm not going to go into details because controlling policies and maintaining policies is a completely separate subject. It's a matter for, you know, a very huge separate discussion which is not covered by this course. And likely the security policy is much bigger than what you have seen here, which talks just about PCs. So this is a strategic thing regarding IT security and should be handled as a separate topic.
At the end of this lesson, let me just check what you have learned. So the question for you is: what should not be part of a PC security policy? Is it phishing awareness training? Is it the choice of instant messaging application? Or is it mandatory usage of external memory for file exchange?

And the answer is mandatory usage of external memory for file exchange. Actually, using external memory like USB flash should be prohibited as a method for file exchange. People shouldn't use USBs in order to exchange files. There are much more secure ways, and using USBs is definitely not the secure one.

Okay, so in this video, you have learned about security policies, what should be part of security policies, how to implement them, and how to maintain them.

In the next lesson, I'm just going to do a recap of this whole module, which is about protecting the operating system.
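As an added illustration of the password point made early in the lecture (example code written for this page, not material from the course or from Cybrary): a small Python module that checks a password against the classic complexity rule the lecture describes (minimum length plus lower case, upper case, a digit and a special character), checks a passphrase against an assumed passphrase rule (four or more words, 20 or more characters in total), and estimates the brute-force search space of each in bits. The 94-character alphabet, the 7776-word Diceware list size, the passphrase thresholds and the 10^10 guesses-per-second rate are assumptions chosen for the illustration, not figures from the course.

```python
import math
import re
import string

# Assumed constants for the illustration (not figures from the lecture).
PRINTABLE_ALPHABET = len(string.digits + string.ascii_letters + string.punctuation)  # 94
DICEWARE_WORDS = 7776            # size of a standard Diceware word list
ASSUMED_GUESSES_PER_SECOND = 1e10  # constructed attacker rate for the comparison


def meets_complexity_policy(password: str, min_length: int = 8) -> bool:
    """Classic rule from the lecture: min length plus lower, upper, digit and special."""
    if len(password) < min_length:
        return False
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    return has_lower and has_upper and has_digit and has_special


def meets_passphrase_policy(passphrase: str, min_words: int = 4, min_length: int = 20) -> bool:
    """Assumed passphrase rule: several separate words and a long total length."""
    words = [w for w in re.split(r"[\s\-_]+", passphrase.strip()) if w]
    return len(words) >= min_words and len(passphrase) >= min_length


def policy_verdict(credential: str) -> str:
    """Accept a long passphrase first, fall back to the complexity rule, else reject."""
    if meets_passphrase_policy(credential):
        return "passphrase"
    if meets_complexity_policy(credential):
        return "complex password"
    return "rejected"


def brute_force_bits(length: int, alphabet_size: int = PRINTABLE_ALPHABET) -> float:
    """Search space in bits for an attacker who must try every string of this length."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Search space in bits when each word is picked uniformly from a known word list."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try the whole space at the assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample credentials to show the three verdicts.
    for sample in ("password", "Passw0rd!", "correct horse battery staple"):
        print(f"{sample!r:35} -> {policy_verdict(sample)}")

    # Compare search spaces: character-class rules vs. word count.
    print("\n8-char complex password : %5.1f bits, %10.1f years" %
          (brute_force_bits(8), years_to_exhaust(brute_force_bits(8))))
    print("12-char complex password: %5.1f bits, %10.1f years" %
          (brute_force_bits(12), years_to_exhaust(brute_force_bits(12))))
    print("4-word passphrase       : %5.1f bits, %10.1f years" %
          (passphrase_bits(4), years_to_exhaust(passphrase_bits(4))))
    print("6-word passphrase       : %5.1f bits, %10.1f years" %
          (passphrase_bits(6), years_to_exhaust(passphrase_bits(6))))
```

Under these assumptions an eight-character password that satisfies every character-class rule sits at roughly 52 bits, exhausted in days at the assumed rate, while a six-word passphrase from a public word list is around 78 bits. Length is what grows the search space, not the special-character rule, and a passphrase rule can demand that length without asking users to memorise random symbols; that is the practical reason to put passphrases into the policy when two-factor authentication is not in place.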