Policies and Best Practices Part 2

Video Transcription
>> A few additional policies to be aware of. Usually, within an organization, there are system-specific policies and issue-specific policies. We have certain policies for web servers that are different from domain controllers, which are different from end-user workstations. We may have different policies for each. For issue-specific policies, we've talked about the need for a change management policy and how there has to be an orderly procedure to request and approve changes. We also mentioned the acceptable use policy that dictates how employees are to use company resources.

The next thing is privacy policy. We can certainly have policies for private information of our customers and how we store and protect that private information, but we also have to think about the privacy of our employees. Do we have a business need to monitor email? Do we have a business need to record phone calls? If so, that's fine. But one of the most important elements of a privacy policy is ensuring that we notify the employees if there is going to be an infringement on privacy. People expect privacy in the workplace. I don't have to provide it, but if that's the case and I'm going to infringe upon privacy, folks need to be notified.

We also have to be very clear on who owns the data and who owns systems for operation. As a general rule, the individual or individuals that own the data determine the classification of the data and the protection. Data ownership is very important, and it should be clearly defined who fulfills that role. Also, you usually see the role of data custodian, and that individual would be responsible for maintaining the data. That said, the data owner determines its classification.

Separation of duties, which is a very important policy, makes sure that we don't have a conflict of interest. It also makes sure that no one is too powerful on the network. I worked for a company at one point in time that had a single network admin, and this person was really all-powerful. In all seriousness, if somebody offended him, he could lock those users out of their own account and not respond for 30 minutes, which is a tremendous abuse of power. That really goes back to whoever signed off on a configuration of that sort. There should never be a single network admin. A series of network admins performing different activities is good.

Mandatory vacations. I think many of us probably wish we could get a mandatory vacation. You'll see this in banks and other financial institutions, but you don't see it everywhere. Let's say I get hired to work in a bank. I come on board and they say, "Kelly, you're going to get 10 days of paid vacation. Five of those days must be taken consecutively, and during those five days you may not come into the office, you may not contact anybody at the office, you can't check email, you can't remote in. You have nothing to do with this work environment." That way, if the bank is coming up a couple of hundred bucks short every week, and suddenly Kelly is out of the office in the Bahamas and the bank balances to a penny, that might be an important detective control and an indicator that something is going on. Mandatory vacations are generally only present in financial institutions. Job rotation is another detective control. I may be Database Administrator for Database 1 for six months, then move over and administer Database 2; someone else comes in behind me to Database 1, and they can detect any activity that I may have performed, either mistakes I've made or fraudulent activity.

Least privilege and need to know, those two go hand in hand. Least privilege and need to know are very closely related. The principle of least privilege is usually about action: I will allow you only the actions that you must have to do your job. Need to know is about information: I'm going to let you know the information you need to do your job. For instance, I only allow certain users to change the system date and time. That's the principle of least privilege. If you're not on the sales team, you don't get access to the sales folder. That's need to know, so they're very closely related.

Then we have dual control and M of N control. Dual control is for those actions on the network that are of such a sensitive nature that you don't want to allow a single person to perform that action alone, so maybe for things like key recovery. When we talk about security in Security+, we're going to cover the very significant element of a private key and how a private key is bound to your identity. It provides authentication for you. If my private key gets corrupted, there are going to be activities that I can't perform. We need our private keys. For that purpose, we may back up our private keys with the idea that if one gets corrupt, we can restore it. The problem is that usually the network administrator is relegated to that responsibility. If my private key is mine, but a network admin backs it up and recovers it, now that network admin has my private key, so we might require two network admins to be present and both enter a password before a key can be recovered. There's also M of N control, where M and N are just variables. Out of a total number of administrators, so many have to be present. Four out of 10 network admins, three out of seven, it doesn't matter what the numbers are. Again, it's the idea of making sure we don't have one single person with too much authority or too much control.

Just wrapping up the idea of this section, documentation is critical: making sure that we can rebuild the network in the event of a disaster, but also that at any point in time you can go back to our documentation and figure out what's what. We talked about logical versus physical documentation. Logical documentation helps us get an understanding of how traffic moves on the network, while physical documentation really shows those physical devices and where the cables move from point A to point B. Our network devices and various network equipment need to be labeled. Configurations need to be backed up; access control lists, the firewalls and routers, those should be well-documented. Racks and wiring: label, label, label. Keep them neat, keep them well-organized. Then also we make sure that we have documentation on our policies, our procedures, and our baseline performance information so that anyone within our organization can go to those documents and either learn standard operating procedures or take the information that they need. Policies should be published. Policies should apply to all individuals in the workforce. We generally look at these as administrative directive controls, where management states their expectations for behavior. We look at things like acceptable use policy, separation of duties, and dual control. All of those policies we discussed add an additional important layer to security in our environment.