Policies and Best Practices Part 2

Video Transcription
A few additional policies to be aware of. Usually within an organization there are system-specific policies and issue-specific policies.
We have certain policies for Web servers that are different from domain controllers, which are different from end-user workstations. We may have different policies for each.
For issue-specific policies, we've talked about the need for a change management policy and how there has to be an orderly procedure to request and approve changes.
We also mentioned the acceptable use policy that dictates how employees are to use company resources.
The next thing is the privacy policy. We can certainly have policies for the private information of our customers and how we store and protect that private information. But we also have to think about the privacy of our employees. Do we have a business need to monitor email? Do we have a business need to record phone calls? If so, that's fine.
But one of the most important elements of a privacy policy is ensuring that we notify the employees if there is going to be an infringement on privacy.
People expect privacy in the workplace. I don't have to provide it, but if that's the case and I'm going to infringe upon privacy, folks need to be notified.
We also have to be very clear on who owns the data and who owns systems for operation.
As a general rule, the individual or individuals that own the data determine the classification of the data and the protection of the data. Ownership is very important, and it should be clearly defined who fulfills that role.
Also, you usually see the role of data custodian, and that individual would be responsible for maintaining the data. That said, the data owner determines its classification.
Separation of duties is a very important policy. It makes sure that we don't have a conflict of interest
and also makes sure that no one is too powerful in the network. I worked for a company at one point in time that had a single network admin, and this person was really all-powerful. In all seriousness, if somebody offended him, he could lock those users out of their own account and not respond for 30 minutes, which is a tremendous abuse of power.
That really goes back to whoever signed off on a configuration of that sort.
There should never be a single network admin;
a series of network admins performing different activities is good.
Mandatory vacations.
I think many of us probably wish we could get a mandatory vacation. You'll see this in banks and other financial institutions, but you don't see it everywhere.
Let's say I get hired to work at a bank.
I come on board and they say, Kelly, you're going to get 10 days of paid vacation.
Five of those days must be taken consecutively, and during those five days you may not come into the office or contact anybody at the office. You can't check email. You can't remote in. You have nothing to do with this work environment.
That way, if the bank is coming up a couple of hundred bucks short every week, and suddenly Kelly is out of the office in the Bahamas and the bank balances to the penny, that might be an important detective control and an indicator that something is going on.
Mandatory vacations are generally only present in financial institutions, and job rotation is another detective control.
I may be the database administrator for database one for six months, then move over and administer database two.
Someone else comes in behind me on database one, and they can detect any sort of activity that I may have performed, either mistakes I've made or fraudulent activity.
Least privilege and need to know: those two go hand in hand.
Least privilege and need to know are very closely related.
The principle of least privilege is usually about action. I will allow you only the actions that you must have to do your job.
Need to know is about information, and I'm going to let you know only the information you need to do your job. For instance, I only allow certain users to change the system date and time. That's the principle of least privilege. If you're not on the sales team, you don't get access to the sales folder.
That's need to know. So, very closely related.
Then we have dual control and M of N control.
Dual control is for those actions on the network that are of such a sensitive nature that you don't want to allow a single person to perform that action alone. So maybe for things like key recovery.
When we talk about security, and Security+ is going to cover this, a very significant element is the private key, and how a private key is bound to your identity and provides authentication for you. If my private key gets corrupted, there are going to be activities that I can't perform.
We need our private keys for that purpose. We may back up our private keys with the idea that if a key gets corrupted, we can restore it.
The problem is, usually a network administrator is relegated that responsibility.
If my private key is mine, but a network admin backs it up and recovers it, now that network admin has my private key. We might require two network admins to be present and both enter a password before the key can be recovered. There's also M of N control, where M and N are just variables:
out of a total number of administrators, so many have to be present. Four out of 10 network admins, three out of seven, it doesn't matter what the numbers are. Again, it's the idea of making sure we don't have one single person with too much authority or too much control. All right,
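The dual control and M of N control described above for key recovery are usually implemented with a threshold secret-sharing scheme rather than by simply handing each admin a copy of the key. The following is an added example, not code from the course: it splits a backed-up private key into N shares with Shamir's Secret Sharing over a prime field so that any M shares rebuild the key and any fewer reveal nothing about it. Dual control is just the M = N = 2 case. The 3-of-7 threshold, the share holders and the key bytes are constructed for illustration; the field prime and the function names are this example's own choices.

```python
"""M of N control for private-key recovery via Shamir's Secret Sharing.

Added example (not the course's code).  The secret is treated as an
integer in GF(PRIME); a random polynomial of degree M-1 with the secret
as its constant term is sampled, and share i is the point (i, f(i)).
Any M points fix the polynomial by Lagrange interpolation and yield
f(0), the secret; M-1 points leave every secret equally likely.
"""
import secrets

# Field modulus: 2**521 - 1 (a Mersenne prime), large enough for any
# secret up to 65 bytes.  Assumption of this example, not a standard.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (constant term first) mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: bytes, m: int, n: int):
    """Split `secret` into n shares such that any m recover it.

    Returns a list of (x, y) pairs with x = 1..n; x = 0 is never issued
    because f(0) is the secret itself.
    """
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Degree m-1 polynomial with secret as constant term; other
    # coefficients are uniformly random, which is what gives the
    # information-theoretic guarantee for fewer than m shares.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares, m: int, length: int) -> bytes:
    """Rebuild the secret from at least m distinct shares.

    `length` is the original secret length in bytes so that leading
    zero bytes survive the integer round trip.
    """
    if len(shares) < m:
        raise ValueError(f"{m} shares required, only {len(shares)} present")
    pts = shares[:m]
    xs = [x for x, _ in pts]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    # Lagrange interpolation evaluated at x = 0.
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num, den = 1, 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        basis = num * pow(den, -1, PRIME) % PRIME
        total = (total + yi * basis) % PRIME
    return total.to_bytes(length, "big")


def demo() -> bool:
    """3-of-7 recovery: any three admins rebuild the key, two cannot."""
    # Constructed stand-in for a backed-up 32-byte private key.  The
    # leading zero byte shows why `length` must be carried alongside.
    key = bytes.fromhex("00" + "a1" * 31)
    shares = split_secret(key, m=3, n=7)          # one share per admin
    admins = {f"admin{x}": share for x, share in zip(range(1, 8), shares)}

    quorum = [admins["admin2"], admins["admin5"], admins["admin7"]]
    ok = recover_secret(quorum, 3, len(key)) == key

    # Two admins alone: the policy check refuses to proceed at all.
    try:
        recover_secret(quorum[:2], 3, len(key))
        refused = False
    except ValueError:
        refused = True
    return ok and refused


if __name__ == "__main__":
    print("3-of-7 recovery works, 2-of-7 refused:", demo())
```

In practice the shares would be issued to the admins on separate tokens or sealed envelopes, and the recovery ceremony would log who presented which share; the point is that no single admin, and no M-1 of them, ever holds the user's private key.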
So, wrapping up the idea of this section.
Documentation is critical, making sure that we can rebuild the network in the event of a disaster, but also that at any point in time we can go back to our documentation and figure out what's what. We talked about logical versus physical documentation. Logical helps us get an understanding of how traffic moves on the network,
while physical really shows the physical devices, where the cable is moving from point A to point B, our network devices and various network equipment. Those need to be labeled. Configurations need to be backed up. Access control lists on the firewalls and routers should be well documented. Racks and wiring: label, label, label. Keep them neat, keep them well organized.
Then also, we make sure that we have documentation on our policies, our procedures, and our baseline performance information, so that anyone within our organization can go to those documents and either learn the standard operating procedures or take the information that they need. Policies should be published. Policies should apply to all individuals in the workforce.
We generally look at these as administrative directive controls, in that management states their expectations for behavior. We look at things like acceptable use policy, separation of duties, dual control,
all of those policies we discussed, as an additional important layer to security in our environment.