7 hours 36 minutes

Video Description

This lesson continues the discussion of policies and procedures that can be used to safeguard a company's sensitive information and reduce the chances of an incident. These include:
· Employee termination procedures
· Backup and recovery
· Reporting behavioral issues to HR (this could indicate sabotage)
· Monitoring anything which might point to fraud
· Establishing a baseline

Video Transcription

Employee termination procedures. We don't necessarily want to terminate employees, but oftentimes it's a matter of course, and we're going to have to do that. So when we do, we want to develop an enterprise-wide checklist to use when someone separates from the organization. You want there to be some type of process for tracking all accounts assigned to each employee, and at the end of their termination proceeding you want to reaffirm with them all non-disclosure and intellectual property agreements as part of that termination process. So, yeah, you're just re-solidifying everything that they have already signed. That way you could take appropriate legal action against them if necessary.

You want to notify all employees about any employee's departure, where permissible and appropriate. It doesn't have to be anything elaborate; it's really just a way of notifying everyone. You could essentially nicely put that someone has departed or left the organization. That way everyone is informed, and they don't find it funny when this person shows back up at the office and there's some confusion as to why this person is here and whether they should be.

Next, you want to archive and block access to all accounts associated with the departed employee. Then you want to collect all of the departed employee's company-owned equipment before he or she leaves the organization. That way, that's going to limit the amount of access they have to your company's network and data after they leave.

Next, you want to establish a physical inventory system that tracks all assets issued to that employee. That way, you know what to get back. You want to ensure that you get those very sensitive items back. If you have some type of hand receipt for secret items, you know what you're looking for. It's hard to figure out what wrong is if you don't know what right looks like.

And then, lastly, conduct an inventory of all information systems and audit the accounts on those systems. So especially if the employee knew that they were going to get fired or had started planning on leaving, and they were working on this high-valued project, you want to go in and start auditing those accounts, just looking for anomalies and some of those indicators.
Backup and recovery. Obviously, one: store backup media off site, and ensure the media is protected from unauthorized access and can only be retrieved by a small number of individuals who are read on to this. Obviously, if this is the information they're going to depend on in the event of an emergency, you want to ensure that it's going to be there when you need it.

Utilize a professional offsite storage facility. Don't send backup media home with employees. Again, this is critical information; you want to make sure that it's ready for your use. Encrypt the backup media and manage the encryption keys, and ensure backups and recovery are possible. So again, protect your backup data.

Moving on: ensure the configuration of network infrastructure devices (routers, switches, firewalls) is part of the organization's backup and recovery plan as well. So as part of that business continuity planning process, you want to know what's going to have to be in operation if you have to start backing up and executing that business continuity plan.

Next is to implement a backup and recovery process that involves at least two people: a backup administrator and a restore administrator. Both people should be able to perform either role, but essentially you have two people on site to be able to do that. That way you can ensure a separation of duties.

And then regularly test both the backup and recovery processes, ensuring that your organization can reconstitute all critical data as defined by the business continuity plan or disaster recovery plan, and ensure this process does not rely on any single person to be successful. And it's more than just going through the motions of this process. In the last lesson we'll talk in depth about some case studies of people who did do business continuity planning; they just didn't do a good job of doing the business continuity planning, and some of the events they should have foreseen they did not. And when it came time to execute that plan, it was done in a manner that was not good, and they were not able to continue operations.
Lastly, sabotage. Behavioral issues should be reported by management to HR. So if you see someone continually acting out, continually being a problem, some of those indicators should be present, and they may begin to start conducting this subversive activity. So HR should notify the insider threat team, and then they can start doing their investigation, hopefully before the fact of someone actually subverting the system. And then the insider threat team conducts an inquiry of past and present online activity and projects future online activities. Again, it's looking for those signs and indicators and trying to come up with a picture of what might occur.

Theft of IP. An employee who has access to sensitive information or intellectual property, such as trade secrets, source code, engineering or scientific information, strategic plans, the recipe for Colonel Sanders' chicken, quits. You want to start doing an investigation of what that employee had access to. So HR should notify the insider threat team to conduct an inquiry of past and present online activity and to project future online activity, with particular focus on logs and activity for 30 days before and after the insider resigned. That's just covering your bases, making sure that that data did not leave with that employee.

Now we'll talk about fraud. An employee is experiencing extreme financial difficulty, or has had a sudden, unexplained change of financial status. So we've talked about that indicator, that undue affluence. Management should tell security or HR, which would then inform the insider threat team of that potential indicator that the person may be an insider threat, and the insider threat team would increase monitoring. Financial transaction data and PII could be susceptible to financial theft or fraud.

Creating this insider threat program: ensure that legal counsel determines the framework within which the team works. Obviously, you want to be within the confines of the law; everything that the insider threat team does should be legal. You want to establish policies and procedures for addressing insider threats that include HR, legal, security, management, and information assurance.

You also want to consider establishing contact with an outside consulting firm that is capable of providing incident response capabilities for all types of incidents, if the organization has not yet developed the expertise to conduct a legal, objective investigation. So if you don't know how to do it, find someone that does.

Formalize the insider threat program, with a senior official in the organization appointed as the program manager who can monitor for and respond to insider threats. Implement insider threat detection rules in your detection systems, review logs on a continuous basis, and ensure watch lists are updated. And then lastly, ensure the insider threat team meets on a regular basis and maintains a readiness state.
Establishing a baseline. So again, we talked about this: if you don't know what right looks like, it's hard to figure out what wrong looks like. So use network monitoring tools to monitor the network for a period of time to establish a baseline of normal activities and trends.

You want to deny VPN access from foreign countries where a genuine business need does not exist, and you want to whitelist countries where a genuine business need does exist. You want to establish which ports and protocols are needed for normal network activity and configure devices to use only those services.

Next, you want to determine which firewall and IDS alerts are normal, so that you know what is abnormal. Either correct what causes these alerts, or document normal ranges and include them in the network baseline documentation. You want to establish network activity baselines for individual sub-units of the organization, and you want to determine which devices on the network need to communicate with the others, and implement access control lists, firewall rules, and other technologies to limit communications accordingly.

And lastly, understand VPN user requirements. You want to limit access to certain hours and monitor bandwidth consumption, because that could be a way someone would easily take data off your network. So establish which resources will be accessible via VPN and from what remote IP addresses, and you want to alert on anything that is outside of the norm.
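The baseline-then-alert idea from the last section, and the "block the departed employee's accounts and keep watching the logs" point from the termination section, can be shown together in a small script. This is an added example, not code from the course or the instructor: the VPN session records, the country allow-list, the set of separated accounts, and the "three times the largest session in the learning window" egress rule are all constructed here for illustration.

```python
"""
Added example (not from the lesson): learn a per-user VPN baseline from a
window of sessions assumed to be normal, then flag live sessions that fall
outside it. Every record and list below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime as dt

# Assumed allow-list: countries where a genuine business need exists.
ALLOWED_COUNTRIES = {"US", "GB"}

# Assumed list of accounts that were archived/blocked at separation.
# Any activity from them is a finding regardless of what it looks like.
TERMINATED_USERS = {"jdoe"}


@dataclass(frozen=True)
class Session:
    user: str
    start: dt        # session start, UTC
    country: str     # geolocation of the remote IP
    bytes_out: int   # bytes sent from the network to the remote client


@dataclass(frozen=True)
class Baseline:
    hours: frozenset   # hours of the day this user was seen connecting
    max_out: int       # largest egress volume seen in the learning window


def build_baseline(sessions):
    """Per-user baseline from a learning window assumed to be clean."""
    per_user = defaultdict(list)
    for s in sessions:
        per_user[s.user].append(s)
    return {
        user: Baseline(
            hours=frozenset(r.start.hour for r in rows),
            max_out=max(r.bytes_out for r in rows),
        )
        for user, rows in per_user.items()
    }


def check_session(s, baselines, egress_factor=3):
    """Return the reasons a session deviates from the baseline ([] if none)."""
    reasons = []
    if s.user in TERMINATED_USERS:
        reasons.append("terminated-account-activity")
    if s.country not in ALLOWED_COUNTRIES:
        reasons.append(f"country-not-allowlisted:{s.country}")
    b = baselines.get(s.user)
    if b is None:
        # No learning data: treat as anomalous rather than silently passing.
        reasons.append("no-baseline-for-user")
        return reasons
    if s.start.hour not in b.hours:
        reasons.append(f"off-hours:{s.start.hour:02d}00")
    threshold = egress_factor * b.max_out   # constructed heuristic
    if s.bytes_out > threshold:
        reasons.append(f"egress-spike:{s.bytes_out}>{threshold}")
    return reasons


def find_anomalies(sessions, baselines):
    """List of (user, start, reasons) for every session with findings."""
    findings = []
    for s in sessions:
        reasons = check_session(s, baselines)
        if reasons:
            findings.append((s.user, s.start.isoformat(), reasons))
    return findings


# Constructed learning window (business hours, allow-listed countries).
LEARNING_WINDOW = [
    Session("alice", dt(2023, 5, 1, 8), "US", 50_000_000),
    Session("alice", dt(2023, 5, 1, 12), "US", 120_000_000),
    Session("alice", dt(2023, 5, 2, 17), "US", 200_000_000),
    Session("alice", dt(2023, 5, 3, 10), "US", 80_000_000),
    Session("bob", dt(2023, 5, 1, 9), "GB", 30_000_000),
    Session("bob", dt(2023, 5, 2, 16), "GB", 60_000_000),
]

# Constructed live sessions to run the checks against.
LIVE_SESSIONS = [
    Session("alice", dt(2023, 5, 10, 12), "US", 150_000_000),  # normal
    Session("alice", dt(2023, 5, 11, 2), "US", 900_000_000),   # 02:00, 900 MB out
    Session("bob", dt(2023, 5, 10, 9), "RU", 40_000_000),      # country not allow-listed
    Session("jdoe", dt(2023, 5, 10, 14), "US", 10_000_000),    # separated account
]

if __name__ == "__main__":
    for user, start, reasons in find_anomalies(LIVE_SESSIONS, build_baseline(LEARNING_WINDOW)):
        print(f"ALERT {user} {start}: {', '.join(reasons)}")
```

The learning window has to come from a period you have already reviewed; if it silently contains an insider's activity, that activity becomes "normal". In practice the hours set and egress threshold would be tuned per sub-unit, as the lesson suggests, rather than per user only.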

Up Next

Incident Response and Advanced Forensics

In this course, you will gain an introduction to Incident Response, learn how to develop three important protection plans, perform advanced forensics on the incident, deep dive into insider and malware threats, and commence incident recovery.

Instructed By

Max Alexander
VP, Cybersecurity Incident Response Planning at JPMorgan