Part 7 - Policies and procedures (continued)



Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Description

This lesson continues the discussion of policies and procedures that can be used to safeguard a company's sensitive information and reduce the chances of an incident. These include: · Employee termination procedures · Backup and Recovery · Report behavioral issues to HR (this could indicate sabotage) · Monitor anything which might point to fraud · Establish a baseline

Video Transcription
Employee termination procedures.

We don't necessarily want to terminate employees, but oftentimes it's a matter of course, and we're going to have to do that. When we do, we want to develop an enterprise-wide checklist to use when someone separates from the organization, and you want there to be some type of process for tracking all accounts assigned to each employee. At the end of their termination proceeding, you want to reaffirm with them all nondisclosure and intellectual property agreements as part of that termination process. Again, you're just re-solidifying everything that they had already signed. That way you can take appropriate legal action against them if necessary.

You want to notify all employees about any employee's departure, where permissible and appropriate. It doesn't have to be a very inappropriate or ugly way of notifying everyone, but you could essentially, nicely, put that so-and-so has departed or left the organization. That way everyone is informed, and they don't find it funny when this person shows back up at the office and there's some confusion as to why this person is here, if they should or shouldn't be there.

Next, you want to archive and block access to all accounts associated with that departed employee. Then you want to collect all of the departing employee's company-owned equipment before he or she leaves the organization. That way, that's going to limit the amount of access they have to your company's network and data after they leave.

Next, you want to establish a physical-inventory system that tracks all assets issued to that employee; that way you know what to get. You want to ensure that you get those very sensitive items back. If you have some type of hand receipt on those items, you'd know what you're looking for. Again, it's hard to figure out what wrong is if you don't know what right looks like.

Lastly, conduct an inventory of all information systems and audit the accounts on those systems, especially if the employee knew that they were going to get fired or had started planning on leaving, or if they were working on this high-valued project. You want to go in and start auditing those accounts, just to look for anomalies and some of those indicators.
Backup and recovery.

Obviously, you want to store backup media off-site, ensure media is protected from unauthorized access, and ensure it can only be retrieved by a small number of individuals. We talked about this; obviously, if this is the information you're going to depend on in the event of an emergency, you want to ensure that it's going to be there when you need it. Utilize a professional off-site storage facility. Don't send backup media home with employees. This is critical information. You'll want to make sure that it's ready for your use, encrypt the backup media, and manage the encryption keys to ensure backups and recovery are possible. Again, protect your backup data.

Moving on, ensure that configurations of network infrastructure devices, routers, switches, and firewalls are part of your organization's backup and recovery plan as well. As part of that business continuity planning process, you want to know what's going to have to be in operation if you have to start backing up and going to executing that business continuity plan.

Next is, implement a backup and recovery process that involves at least two people, a backup administrator and a restore administrator. Both people should be able to perform either role, but essentially you have two people on-site to be able to do that. That way you can ensure a separation of duties. Regularly test both backup and recovery processes, ensuring that your organization can reconstitute all critical data as defined by the business continuity plan or disaster recovery plan. Ensure this process does not rely on any single person to be successful. It's more than just going through the motions of this process.

In the last lesson, we'll talk in-depth about some case studies of people who did do business continuity planning. They just didn't do a good job of doing the business continuity planning, and some of the events that they should have foreseen, they did not. When it came time to execute that plan, it was done in a manner that was not good, and they were not able to continue operations.
Lastly, sabotage. Behavioral issues should be reported by management to HR. If you see someone continually acting out, continually being a problem, some of those indicators should be present, and they may begin to start conducting this subversive activity. HR should notify the insider threat team, and then they can start doing their investigation, hopefully before the fact of someone actually subverting the system. The insider threat team conducts an inquiry of past and present online activity and projects future online activity. Again, it's looking for those sensors and indicators and trying to come up with a picture of what might occur.
Theft of IP. An employee who has access to sensitive information or intellectual property, such as trade secrets, source code, engineering or scientific info, strategic plans, the recipe for Colonel Sanders' chicken, quits. You want to start doing an investigation of that employee, what they had access to. HR should notify the insider threat team to conduct an inquiry on past and present online activity and to project future online activity, with a particular focus on logs and activity for 30 days before and after the insider resigned. That's just covering your bases, making sure that that data did not leave with that employee.
Moving on, we talk about fraud. An employee is experiencing extreme financial difficulty or has had a sudden unexplained change in financial status. We've talked about the indicator of undue affluence. Management should tell security or HR, which will then inform the insider threat team of that potential indicator that that person may be an insider threat. The insider threat team would increase monitoring of financial transaction data and PII that could be susceptible to financial theft or fraud.

Creating these insider threat programs, ensure that legal counsel determines the framework the team will work in. Obviously, you want to be within the confines of the law, and everything that the insider threat team does should be legal. You want to establish policies and procedures for addressing insider threats that include HR, legal, security, management, and information assurance. You also want to consider establishing a contact with an outside consulting firm that is capable of providing incident response capabilities for all types of incidents, if the organization has not yet developed the expertise to conduct a legal, objective, and thorough inquiry. If you don't know how to do it, find someone that does.

Formalize an insider threat program with a senior official of the organization appointed as the program manager who can monitor for and respond to the insider threats. Implement insider threat detection rules into your detection systems. Review logs on a continuous basis and ensure watch lists are updated. Lastly, ensure the insider threat team meets on a regular basis and maintains a readiness state.
Establishing a baseline. We talked about how, if you don't know what right looks like, it's hard to figure out what wrong looks like. Use network monitoring tools to monitor the network for a period of time to establish a baseline of normal activities and trends. You want to deny VPN access to foreign countries where a genuine business need does not exist, and you want to whitelist countries where a genuine business need does exist. You want to establish which ports and protocols are needed for normal network activity and configure devices to use only those services.

Next, you want to determine which firewall and IDS alerts are normal; that way you know what is abnormal. Either correct what causes these alerts or document normal ranges to include them with network baseline documentation. You want to establish network activity baselines for individual subunits of the organization, and you want to determine which devices on a network need to communicate with the others and implement access control lists, firewall rules, and other technologies to limit communications to those that should.

Lastly, understand VPN user requirements. You want to limit access to certain hours and monitor bandwidth consumption, because that could be a way someone would easily take data off your network. Establish which resources will be accessible via VPN and from what remote IP addresses, and you want to alert on anything that is outside of the norm.