Overview of Control 14

00:01

everyone Welcome back to the core. So in the last video, we wrapped up our discussion on control 13 data protection and this video We're to talk about control number 14

00:09

which is controlled access based on the need to know

00:13

we'll also talk about the some controls a little bit as well.

00:16

So when we're talking about access based on the need to know we're talking about things like data loss prevention as well as people, just accessing data they shouldn't be one place in is health care where you see this quite a bit. So we get a lot of training on hip, a high tech in the past when I was a nurse and

00:34

one of the things I would notice is a lot of nurses that I work with in certain environments would look up because I knew, like their neighbor was in the hospital, say they would go try to look at the chart. I'd have to go report them, of course, right. And so we want to try to control the access based on the need to know. So somebody doesn't need actually

00:52

know what's going on on the on the nursing floor below them

00:55

with the patients, then we need to figure out a way to try to control them from accessing that. So one thing we implemented at a health care company I worked at that did various doctors offices around the country,

01:07

as we basically gave the nurses and other clinicians access to on Lee

01:12

the specific location. They were working at it. So if they were like a traveling nurse, for example, going to different locations, what they would have to do is reach out to one of us in advance and say, Hey, I'm going to be at this location tomorrow. Can you give me access? And that way we could make sure we change their access for that particular location.

01:33

So it was. It was a little bit of a manual process, but it was good because it controlled the access of what they could get

01:38

to just what they needed to know. Now the row. It was always that chance that they could look up basically any chart of the site. So if they want to look up somebody's information, that wasn't necessarily a patient they were care for. But it was at that location. They could still do so, but again just putting things in place to make sure that you control access as much as possible, based off the actual need to know of the individual.

01:59

So some control. 14 1 We're talking about segmenting the network based on sensitivity. We kind of talked about network segmentation of the lands in previous videos, and we're doing the same thing here, right? If we understand it's sensitive information. For example, if HR has a listing of everyone salaries,

02:16

that's not something that say, Joey and I t should be looking at right or Sally in the accounting department

02:24

or Jennifer that see an executive, right or Tameka That's an executive.

02:29

They shouldn't be accessing that information. Usually. Ah, about everybody's salary, right. That's normally just hr a select group of individuals. So we need to segment that network out that HR accesses from everybody else, right? Because they've got more sensitive data. They're working within a lot of other entities in our organization.

02:49

Some control 14 to enable firewall filtering between those V land. So making sure that if an attacker takes over, one V lander was able to compromise systems of one V land, we are controlling the traffic between those V lands

03:01

so again, making sure that only authorized systems can communicate with the other systems on that other villain to fulfill whatever specific responsibilities. Right? So maybe I'm an administrator and my machine can talk between those freelance because I've got that access. But let's say that you don't and you're not in admin. You try to talk to one of those machines just cause you know the I P address. It's gonna deny you

03:23

some control. 14 3 Disabling any workstation to workstation communication Kind of going back to segmenting stuff out

03:31

has really just were trying to limit the Attackers ability to move laterally throught Network from system the system

03:38

Some control. 14 4 Encrypting all sensitive information in transit. We talked about this several times, right, encrypting the data in transit and encrypting it at rest.

03:49

Some control 14 5 Utilizing and active discovery tool to help us identify the sensitive data because what we can do is we can put certain quarry terms in and say Look, if it's got if it mentions blood pressure, right, If it mentioned it's a Social Security number date of birth that sensitive data and in some capacity, and so

04:09

we can get alerted to that, and it automatically will encrypt that. There's many tools out there,

04:14

especially in the cloud and warmer, the an environment that you can use with your cloud infrastructure to go ahead and

04:20

do a skin and have it automatically scanning. So when somebody tries to send like a file and they and they shouldn't be, you've got a rule in place that says no, there's sensitive data in this file. You can't send that, and it gives an alert, and it also send you an alert as well.

04:35

Sub control 14 6 This where we're talking about protecting information through access control This again, part of that segmentation, right? We wanna make sure that only people that should access this can actually access

04:47

some control. 14 7 Enforcing access control to the data through the automated tool. So instead of us manually saying, Hey, you can't do that or creating your access, we do it all through automation.

05:01

Some control. 14 8 Talking about encrypting the sense of data address. So again we talked about transmitting data and encrypting it, and now we're talking about data had rest and encrypting it.

05:14

And finally, some control. 14 9 enforcing detailed logging for any access, changes or changes to the sensitive data itself.