CRISC

Course
Time
5 hours 20 minutes
Difficulty
Advanced
CEU/CPE
7

Video Description

This lesson focuses on the best practices to protect the C-I-A Triad, which stands for confidentiality, integrity and availability. These include:
- Separation of duties (SOD)
- Mandatory vacations
- Job rotation
- Least privilege
- Need to know
- Dual control

Video Transcription

00:04
Now, when we talk about the context of the CIA again, confidentiality, integrity and availability, we have to look at some ways that we can enforce those elements. And a lot of times, as IT professionals, we go straight to technology. But I will tell you a balanced, layered approach is infinitely more efficient
00:22
and is much more comprehensive.
00:25
So when we talk about technical security and crypto and firewalls and intrusion detection and all those elements, yes,
00:31
but administrative controls are also important.
00:34
So the first one I've just mentioned, separation of duties. Separation of duties is important because every individual has a specific role within the organization and a set of responsibilities and knowledge within that role. So, for instance, we shouldn't have a network administrator. We should have a network administrative team,
00:52
and each member of that team may have administrative privileges
00:56
for a specific function, but that's gonna keep any one person from becoming all-powerful within the organization.
01:02
It also allows what I like to think about as singleness of purpose. So, for instance, it's gonna help me avoid conflict of interest in my job.
01:11
So, smaller companies will sometimes have the network administrative team and the security team be the same people.
01:19
They do that because of cost. They do that because there's an overlap in skill set, and I can understand the drive for that. The problem with that is it's the security team that monitors and audits what the network administrators do. So if they're the same people, that doesn't work very well. Also, you'll find that network administrators' focus
01:38
is on availability,
01:40
as in, they want things available. They want to keep their users happy. We used to joke that as a network admin, you knew you were doing a good job because your phone wasn't ringing.
01:49
Now, security admin is on the other side of the spectrum. My job as a security administrator is to say no. No, you can't access that. Nope, it would be a violation of security. No, you don't get to install an application. No, you don't get to change system date and time,
02:02
right? So they really are two purposes.
02:06
All right, mandatory vacations. That's a detective control. And that's a way of evaluating the environment with an employee and without them. So an organization like a bank, for instance, which uses mandatory vacations, would say, maybe for the past six months the bank's been off a couple hundred dollars every month.
02:24
I'm gonna send you out of the office
02:28
for 14 days. You can't call. You can't check your email. You can have no access to the physical facility itself. Let's see how the bank balances without a specific individual there. So it's detective.
02:39
Job rotation can also be detective as well, because what we would do in that instance is maybe every six months, positions change or rotate, or a year, or whatever we decide that to be. So we get that detective control of somebody stepping into your role behind you. But it's also good for cross-training purposes,
03:00
personnel, redundancy.
03:01
There are a lot of benefits to job rotation. People like to learn new things as well, as far as career advancement goes.
03:07
Least privilege and need to know: we're gonna let people have the fewest rights and the smallest amount of knowledge that they need to do their jobs.
03:17
So, for instance, I don't let my users change system date and time. Principle of least privilege. They have no need to do that. I'm not gonna let them.
03:25
Hey, I'm not gonna let somebody who's not in the sales department read the sales folder. That's need to know,
03:31
and then dual control. Dual control kind of goes back up with separation of duties; they're kind of comparable ideas. There are some functions within a network
03:40
that would pose such a risk that we can't assign that ability to just a single individual.
03:49
So, like, for instance, if you're gonna deposit a check for more than $10,000, there have to be two signatures. You know, that would be an example of dual control. We'll talk about that a little bit when we talk about cryptography and we talk about key archival and recovery. We'll talk about how important your private key is to you. If I let an administrator
04:08
back up everybody's keys and be able to recover them,
04:11
now your private key isn't private. You and the administrator have it.
04:15
So maybe we'll make three administrators
04:17
that have to be present in order to recover or two or five or however many. That's the concept.
04:24
Okay, so these are some important controls. We know that it's easier to think technical because we're in the technical realm, but usually the best defense is a layered defense. Consider administrative controls like policies and procedures. Yes, technical controls like your encryption and firewalls and so on.
04:42
And then also think about physical security controls, which we'll talk about a little bit later.

Up Next

CRISC

Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Kelly Handerhan
Senior Instructor