Part 6 - Policies and procedures

00:04

password management.

00:06

You want to establish account management policies and procedures for all accounts created on information Systems

00:12

on those policy should address out cancer created reviewed in Terminator.

00:16

In addition, the policy should address who authorizes the account and what they can access.

00:21

Next you want perform audits of account creation password changes by system administrator. So it's essentially who watches the watchers.

00:29

The account management process should include creation of a triple ticket behind the help desk.

00:34

And then your organization could confirm the legitimacy of the request to reset passwords or create counts by correlating request with your help desk logs

00:45

next year to find Pash with requirements and training users on creating strong password to think a lot of organizations are going to this. But you know still the most common passwords and use right now. Like 123456

00:57

If you don't have something on your organization that prohibits users from creating weak passwords,

01:03

might want thio

01:06

enable that on your systems and then encourage users and instruct him on how to create strong passwords. So they're not using these these

01:17

very weak passwords. That being said that when you start creating too long the passwords or making the password requirements to stringent. One of the first things that you were going to do is write that password down. So maybe single sign on technology, so they only have to remember one password. But again, you want to educate that user on

01:37

immigration of the password, that one. It's secure.

01:40

But you don't want them to have

01:42

too difficult to the password. Too many passwords, because that's essentially going to defeat the purpose.

01:47

And then, lastly, security training should include instruction

01:51

to block visual access to others as usual, type their pass code. So essentially putting one of those

01:57

screens on your computer

01:59

to prevent someone from seeing

02:00

what's going on.

02:02

The next is the

02:04

the principle of least privilege. So you want to carefully audit user access permissions when employees changes Rolls organization to avoid privilege creep as they moved through other organization, they may start amassing cripple, just so when they do, you simply want to reevaluate what they need access to.

02:23

So in addition, returning audit user access permissions at least annually. That way you're ensuring that you're removing permissions that are no longer needed.

02:32

Then you want to establish count management policies and procedures. Just so you have something that follow, you want to audit account maintenance operations regularly. Account activity should reconcile with health best documentation

02:46

next door to require privilege. User to have both an administrative account with the minimum necessary privileges to perform their duties and a standard account for everyday use.

02:54

So for their non privileged activity, so that what you can keep track of of the information that they're doing

03:02

and then last late review positions in the organization handled, sensitive information are performed. Critical functions

03:08

ensure these employees cannot perform these critical functions about oversight. And so having a two person rule first doing certain activities or a three person rule for doing certain activities helps prevent someone from from doing things unchecked within the organization.

03:29

Cloud service is A lot of folks are going to these things. However, if you do conduct a risk assessment, the data service is that your organization plans to outsource to cloud Service provider for entering into the agreement.

03:40

Your organization must insure Service provider possesses an acceptable level of risk. It has implemented mitigating controls to reduce residual risk. So, like we talked about hiring an outside contractor outside organization. You also want to bet your cloud service provider

03:59

and then verify the cloud service providers hiring practices to ensure it conducts a thorough background security investigation on any and all personnel. So, just like we talked about, you don't want to let the old into your hen house just because you happen to trust someone. So everyone across the board should have the same level.

04:18

Love

04:18

clear. It's a background check.

04:20

Next control. Eliminate remote administrative access to host, providing cloud our virtual service's. And then, lastly,

04:29

I understand how the cloud service provider protects data and other organizational assets or entering into an agreement.

04:35

Knowledge is power. You don't want to enter into these agreements and find out they're not doing what you expect them to do to protect your data. So you want to verify the party responsible, restricting a logical and physical access to your organization's cloud assets.

04:55

Next is monitoring privilege users. You want to conduct periodic account reviews to avoid privilege creeps.

05:01

What kind of touched on that? Already

05:03

when employees changed roles, the organization should review the employee's account and recent permissions that employed no longer needs, especially for your larger organizations.

05:13

You want to implement separation of duties for all roles that affect the production system and require at least two people to perform any action that may alter the system

05:21

and the next used multi factor authentication for privilege, Fuser or System Administrator account.

05:30

And then a note to that. Requiring multi factor authentication will reduce the risk of a user abusing privileged access after administrator lied through organization. And the increased accountability of multi factor authentication may inhibit some

05:44

currently employed privilege users from committing acts of malfeasance. So more types of security that you can implement on that network without completely restricting people's ability to work, the better off you're going to pay,

06:00

review, change control. So you want to periodically review configuration baselines against the actual production systems and determine any discrepancies were approved.

06:08

The changes were not approved. You want to verify a business need for those changes on the next you want to implement change management program within the organization, and that process should ensure change control work. That's all changes to your system networks, artwork, configurations. You want to document the changes in the business needs

06:28

and then

06:29

pose changes should be vetted by your security team, system owners, data owners, users and other stakeholders. And then, lastly,

06:35

configuration manager must review and submit to the change control for any software developed in house as well as any plan changes

06:46

controlling remote access this able remote access to the organization's systems when an employer contractor separates from the organization a lot of times this doesn't happen. Terminate someone and then you find out they still have something ghost account out there, and they still have access to your BP end. So you want to

07:05

be sure, disable access to BP and service

07:08

applications email and then be sure to cleanse all open sessions as well.

07:14

Next. Mobile devices with a listening listing of their features as a part of the enterprise risk assessment. So you want to limit our identify those mobile devices what can what can cannot connect to your network

07:30

and you want to prohibit or limit personally devices. So again, I think we've talked about the four past lessons that B. Y. O D devices great increase productivity. But personally owned equipment such a laptop or home computer computer is permitted to access the corporate network. It should be allowed

07:47

to do so only through an application gateway,

07:50

and this will limit what applications are available to untrusted connection.

07:56

Next, you want to prohibit devices with cameras and sensitive areas. That's common sense. I would hope, obviously, if you have proprietary data are you're working in a very sensitive area. You don't want information going outside of the area. Someone who has a camera phone

08:15

are one of those old men. Ox cameras could come in and

08:18

start taking photographs of your data and walking out the door with it.

08:22

Next, you want to implement a central management system for mobile devices. That way, you just can control all of the devices on your network, and you have a central point that does that. And then, lastly, monitoring controlling access to the corporate infrastructure. So VPN tunnel should terminate at the furthest perimeter

08:41

device and in front of ideas. And Barbara