Part 5 - Policy Enforcement

Video Activity

This lesson discusses policy enforcement, which is integral in preserving a company's mission and keeping information safe. In order to work, policies must be easily accessible to all and management must also comply. Without management support, a policy will not work.

Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Transcription
Moving on to policy enforcement. You want to ensure that senior management advocates and enforces compliance with all organizational policies, and then policies that do not have management buy-in will fail and will not be enforced equally. We've all been in these organizations where someone provides a lot of lip service that this policy is important; however, when it comes to them actually abiding by that policy, it doesn't occur. Bottom line is that management must comply with the policies. If they don't do it, and someone sees them not doing so, then no one in the organization is going to follow those policies.
Moving on, ensure management briefs all employees on policies and procedures. Employees, contractors, and trusted business partners should sign acceptable use policies upon their hiring and once every year thereafter, or once significant change occurs. Again, this is just providing that foundation for firing someone and/or going back and taking legal action against them. It also establishes the policies, so you do have some type of indicator to look for. Moving on, ensure that management makes policies for all departments within your organization easily accessible to all employees. Posting policies on your organization's internal website can facilitate widespread dissemination of documents and ensure that everyone has the latest copy. I would actually, in conjunction with that, make them sign that they have read it. That way again, when it comes time for termination proceedings or it comes time for legal action, they have a signed document that says that they have read those policies.
Policy enforcement, continued: ensure that management makes annual refresher training mandatory for all. Again, this is just providing additional reinforcement of those policies and, again, having someone sign that they have taken this training. Next is ensuring that management enforces policies consistently to prevent the appearance of favoritism or injustice. Again, that goes back to equal enforcement of policies and adherence to the policies by everyone. If someone gets the impression that the policies only apply to certain people, the policy again will not be followed.
Awareness and reporting; this is where we get into identifying some of those indicators. Oftentimes it may not be the IT staff who find these indicators; it may be their employees or their co-workers that help identify some of these indicators. The first part of this is to develop and implement an enterprise-wide training program that discusses various topics related to insider threat. Just like what we did today, I've given you information on some of the indicators of what an insider threat might look like. Then next you would want to train all employees and contractors on security awareness, including insider threat, before giving them access to any computer system. Make sure to include training for employees who may not need to access computer systems daily, such as janitorial and maintenance staff, because those users may require a special training program that covers security scenarios they may encounter, such as social engineering and sensitive documents left out in the open. Going back to this old military guidance that every soldier is a sensor, essentially every person is responsible for being a lookout and a security element within the organization. You want to have this training conducted consistently, but keep in mind the training doesn't have to be classroom oriented. It could be posters, newsletters, alerts, brown bag lunches, something that continually flashes across the monitors in your work environment, anything of that sort to help reinforce those policies. Then lastly, you want to establish an anonymous, confidential mechanism for reporting security incidents. Ideally what you want to do is encourage people to report things, even if they are nonsense. That way, you get the information, because oftentimes one of these cases may not be nonsense and you don't want to discourage people from reporting, but you also want it to be confidential to protect that person who's come forward and started to volunteer that information. If you cannot protect that source of information, then they will no longer provide you what you're looking for.
The next topic is going to be hiring practices, and we kind of touched on this earlier. You want to ensure that potential employees have undergone a thorough background investigation, which at a minimum should include a criminal background and credit check. Whatever standard you decide to follow, a basic criminal background check is important. You want to ensure employees report suspicious behavior to appropriate personnel for further investigation, and you want to investigate and document all issues of suspicious or disruptive behavior from your employees. Next, you want to enforce policies and procedures consistently for all employees, so kind of rehashing the same idea, and then consider offering an employee assistance program. These programs can help employees deal with many personal issues in confidentiality. If someone may be having a life crisis, getting them help could help prevent them from going down that road and being that insider threat. Next, you want to remove any negative influence within your organization. You want to enhance monitoring of employees with an impending or ongoing personal issue, in accordance with organizational policy and laws. Those individuals who you know have had individual problems could start to turn out to be that insider threat, so additional monitoring of their activities would be warranted. You want to enable additional auditing and monitoring controls outlined in your organization's policies and procedures, and regularly review audit logs to detect activities outside of the employees' normal scope of work. Then you want to limit access to these log files to individuals that have a need to know. Then lastly, all levels of management must regularly communicate organizational changes to all employees. This allows for a more transparent organization, and employees can better plan for their future. That last one is going to help prevent that negative influence from starting. A lot of times organizations may surprise employees with these drastic changes, and that could cause that negative influence in their life which may start them down the road to being that insider threat.
Know Thyself. If you don't know what wrong looks like or you don't know what right looks like, it's hard to separate one from the other. The first step in that process is to conduct a physical asset inventory. You want to identify asset owners and the assets' functions, and you also want to identify the type of data on that system; that way you know exactly what you have. If you don't know what you have, it's hard to know if it's missing. Understand what data your organization processes by speaking with the data owners and users from across your organization. Especially if you're in a big organization, it's hard to know exactly what goes on all the time. But if disaster does happen, you need to know how to rack and stack your triage of these systems. Then you want to identify and document software configurations of all assets. It's hard to know if something changes if you don't know where it started. Then lastly, prioritize assets and data to determine the high-value targets. Obviously you would want to secure those targets first, and/or start your investigation on those targets should an incident occur.