Time: 10 hours 32 minutes
Difficulty: Beginner
CEU/CPE: 11

Video Transcription

00:01
Welcome to Cybrary's video series on the CompTIA Security+ SY0-501 certification and exam.
00:09
I'm your instructor, Ron Woerner.
00:12
You can learn more about me in the first series of videos available through Cybrary.
00:17
Please visit cybrary.it to learn more about the Security+ certification as well as many other certifications.
00:27
This next series of videos talks about security risk management.
00:32
You see, security is all about managing risk,
00:36
the likelihood of an unexpected event that will impact an organization.
00:41
Managing risk requires strong governance with an understanding of the goals of the organization, an understanding of critical functions performed within the organization, and a comprehensive assessment of the risks the organization faces.
00:56
From this understanding, organizations come to develop appropriate policies, plans and procedures related to organizational security that are commensurate with, or equal to, the goals of an acceptable risk tolerance and threshold of the organization.
01:12
Don't worry if these terms seem kind of new to you;
01:15
we'll be going through each of them in this video.
01:19
The fifth Security+ domain explores risk management:
01:23
how to manage corporate policies, assess business impacts, identify and analyze potential risks, and enable appropriate business decisions.
01:34
This domain also covers incident response and forensics,
01:38
disaster recovery and business continuity,
01:41
and the other effects of risks.
01:44
Lastly, we'll explore various types of security controls and methods for carrying out data security and privacy practices.
01:53
Section 5.1 requires you to explain the importance of policies, plans and procedures related to information security
02:04
to ensure that proper risk management is coordinated, updated, communicated and maintained.
02:08
It is important to establish clear and detailed security policies
02:14
that are approved by organizational management and brought to the attention of all of the users through regular security awareness training.
02:23
Policies that the users do not know about are rarely effective, and those that lack management support can be unenforceable.
02:31
Several policies could support risk management within the organization.
02:36
I'll explain policies in more detail in this section.
02:40
This slide provides an overview of security policies, plans, procedures and the different types of policy documents, such as standards.
02:50
These are all explained in the CompTIA Security+ certification exam objectives. I recommend you review that document prior to viewing this video series.
03:01
In the next few minutes we'll be covering policy types such as standards, policies, guidelines, procedures,
03:08
a standard operating procedure or SOP,
03:13
different types of agreements such as NDA, BPA, SLA.
03:17
By the way, if you're not familiar with these terms, we'll be covering them in a moment.
03:23
We'll also talk about general security policies that you'll see in most organizations, such as a social media policy, acceptable use policy, maybe a policy on email.
03:35
The final part will talk about personnel management: how to handle people.
03:43
Okay,
03:44
I get it.
03:45
Policies are a bore.
03:47
You're working through somewhat of a technical security certification like Security+, and you're going, why do we need to understand policies?
03:57
Let me tell you, policies are the foundation and the bedrock of a security program.
04:02
It's very challenging to move security forward without a good set of policies, one that is understood by the organization, that people accept and are following.
04:15
So, fortunately, documentation, documentation, documentation is still key to a lot of what we do as security professionals.
04:24
Policies
04:26
that you have in your organization will define how IT
04:30
will approach security, how people within the organization should approach security, and how certain situations will be handled.
04:39
All of this needs to be documented, because if it's not written down,
04:42
it probably won't be followed consistently and constantly within an organization.
04:48
There are different types of policy documents you'll see within a standard organization.
04:55
Sometimes we'll use the word "policies" to refer to multiple types of statements or documents.
05:01
You can see on this slide that there are policies, standards, guidelines, procedures that all fulfill the organizational goal.
05:11
A policy:
05:13
these are the "thou shalt, thou shalt not" rules for the organization, the must-follow rules
05:20
that an organization will have.
05:23
These are the rules that, if not followed, or violated or breached, can cause serious damage, possibly termination of employees who do violate a policy statement.
05:35
The second type of policy document is a standard.
05:39
These tend to be more technical in nature and specify mandatory controls, for example,
05:46
password or authentication standards, which could then be enabled with backend technology, such as a security policy like a GPO within Microsoft.
05:57
The standard should be based on a specific policy.
06:00
The third type of policy document you need to be familiar with are guidelines. These are the "please try to do this",
06:09
but if they are not followed it really doesn't cause a lot of damage to the organization.
06:15
I'll provide examples in a moment. Procedures: these are steps to take to fulfill a guideline, standard
06:21
or policy.
06:23
So, an incident response procedure: there may be an incident response policy. For example, a response policy is
06:30
"any incidents shall be documented and investigated."
06:35
The incident response plan or procedure
06:39
will provide those step-by-step instructions to follow when there is an incident.
06:45
A standard could come into play with incident response if you have a standard set of tools. So for any forensics investigation, we will always use this tool.
06:56
By the way, with policies you want to keep them technology agnostic; they should not specify technology.
07:01
What I've seen happen is that an organization had a policy about remote access that talked about dial-up.
07:09
Yeah,
07:10
dial-up, like the old phone. We really don't use that much anymore, do we?
07:14
But that's what was stated in the policy as the standard remote access for the organization, and when technology changed, they didn't update their policy. So that kind of makes the policy worthless.
07:27
So review these different terms, as they are very important, not only within the CompTIA Security+ exam, but out there in the business world as well.
07:39
As you are reviewing policies, or even perhaps writing a policy for an organization,
07:45
there are certain common key elements that you'll find in each one of them,
07:49
for example, there will be a scope statement,
07:53
an overview statement, a purpose statement, the target audience,
07:58
definitions (and yes, definitions do matter, because how I describe an incident may be different from how you describe an incident),
08:05
versions and implementation date.
08:09
Let me describe some of these. First of all, overview:
08:11
a quick sentence, a tweet, about what that policy is about.
08:18
The purpose: what are the risks the policy is fulfilling?
08:22
Scope: who does the policy apply to?
08:24
Is it the entire company? Is it a specific area? Are specific technologies important to include within the scope?
08:33
Target audience: the who, who needs to read and follow a policy.
08:37
I mentioned definitions, so any terms that are not commonly known:
08:43
set your definitions for your organization.
08:46
The version of the policy, as you're updating the policy.
08:50
Implementation date: when
08:52
that policy will be enforced. Give your users some time to become used to that policy.
08:58
Don't write the policy and say you need to follow it on day one. That's pretty rare.
09:03
Give them time to become familiar.
09:05
Compliance and exceptions. So if someone's noncompliant with your policy,
09:09
what are the ramifications, what's the effect?
09:13
Can that person be fired?
09:16
Exceptions to the policy: how do you handle exceptions?
09:18
And then, lastly, so this is all the beginning part, and then you go into your policy statements,
09:24
specific statements about the rules for your company. All of this should be included in a standard policy document.
09:33
By the way, if you look up "policy template" on the Internet, you'll find many out there that follow this.
09:43
There are many common types of policies that you'll see within organizations. So this is not only good to know for the Security+ exam,
09:54
but also to be a good security professional.
09:56
Number one will be an acceptable use policy.
10:01
The acceptable use policy, or AUP, are the rules around the use of computers.
10:09
What is acceptable?
10:09
Maybe Internet browsing would be included, the use of communications applications such as email, instant messaging, text. How can we use company systems? What are we supposed to do and not supposed to do?
10:24
All of those are included in an acceptable use policy.
10:28
Access policy: those are the rules regarding access. It might also include authorization.
10:35
Let me give you a quick example. This is my policy; policies should be kept short.
10:39
Policies are short; go into more detail in other documents. My acceptable use policy associated with access control is very simple:
10:50
Users are responsible for their access.
10:54
You are responsible for securing the user ID and any authentication, such as the password, given to you.
11:03
If you want to include rules such as
11:07
sharing of passwords or writing down passwords, those should not be included in the policy. Those are actually standards.
11:15
So the policy is high level.
11:16
Because when you're writing a policy, consider how you're going to enforce it, how you're going to audit against that policy. Very important.
11:26
Let me tell you, I've seen so many policies that are completely unenforceable. And then really, what value do they have?
11:33
Okay, make sure your policies are enforceable and kept short.
11:37
This slide shows many other common forms of policies. Review them; you'll see them throughout your cybersecurity career.
11:48
A standard operating procedure
11:50
is a term I've heard used with the Army, but some businesses use it too.
11:56
It's the standard set of instructions for workers to carry out
12:00
a task or set of operations,
12:03
so, standard operating procedure. This is more set for common tasks. You don't necessarily see this with security, although it could include, say, patching:
12:13
standard operating procedures for when you see an update is available as a general user, here are the steps you need to follow.
12:22
So you'll see SOPs in your career. So be familiar with this term for the CompTIA Security+ exam.
12:31
The next area in our exploration of policies,
12:35
regarding businesses, et cetera, are the different types of agreements that are set
12:41
between an employee and an organization, and then between organizations.
12:48
This is the alphabet soup portion. Be familiar with these; again, I've seen these throughout my security career.
12:56
The first one is an NDA, non-disclosure agreement.
13:01
I'll often have to sign these when I'm talking to an organization as part of a security assessment.
13:07
What this is: this is to protect sensitive information.
13:11
So I'm talking to an organization, I find out a vulnerability;
13:15
I'm not allowed to
13:16
talk about this outside of the context of my assessment because of the NDA. It's a legally binding agreement.
13:24
It could be between an individual and an organization, or organizations between each other.
13:31
The next type of typical business agreement is the BPA, or business partner agreement.
13:37
This is regarding such things as profit sharing. So I'm working with another business
13:43
and we're working together to grow our businesses; we've made a determination of how we're going to do that. That's in the BPA. It's more of a financial document than a security agreement, but occasionally they will contain security statements.
13:58
SLA.
14:01
I've seen SLAs forever: service level agreements. What is the level of service you will provide?
14:09
For example, if hiring a security operations center,
14:13
how quickly do they need to provide me with an alert?
14:16
Or outsourcing my IT:
14:20
what level of service? So what percentage should I expect for uptime?
14:24
Five nines is a typical SLA variety. So 99.999% uptime
14:33
is a type of SLA.
14:35
Be familiar with this. It's the nature and level of service
14:39
provided by a vendor or provider.
14:43
Other types you'll find are the memorandum of understanding or memorandum of agreement.
14:50
This outlines the terms and details of the agreement. So we decided we're working together;
14:58
we want to make sure we have all of the details hashed out in an MOU or MOA.
15:03
The interconnection security agreement.
15:07
Who am I connecting to on my network, whether any third parties or vendors that we're working together with;
15:15
we want to have an interconnection security agreement or service agreement in place prior to connecting our networks, just to provide a certain level of security controls in place to protect both sides.
15:28
Review these different types of agreements. You may see these on the CompTIA Security+ exam, and you will see them out in the business world.
15:41
This next section is about personnel management.
15:45
How do we handle people
15:46
associated with security?
15:50
Security requires people to do their function, do their job: to protect, to detect.
15:56
So this next section talks about different steps, different ways to protect, detect and respond.
16:03
For example, mandatory vacation.
16:07
Why is this a policy? Why do we require vacations? It's actually a detective element.
16:14
So say I'm committing fraud
16:17
and then
16:18
it requires me to log in every day.
16:21
Well, if I'm on vacation, I can't do that.
16:23
So, for example, a financial organization where I worked required us to take at least seven consecutive days of vacation.
16:32
We were not allowed to log in. We were not allowed remote access. We had to step away, to detect fraud.
16:38
Job rotation,
16:41
switching out of jobs, again to detect fraud. You have someone else do your job for a while. It's also good for cross-training, redundancy.
16:51
Hopefully, someone else with a job rotation will be able to confirm that you're doing your job.
16:56
For people who have not been doing their job, that's how they've been caught: someone else started doing their job while they were away or during a regular job rotation and detected it.
17:07
Separation of duties. This is one of those key security tenets,
17:11
security concepts.
17:12
So separate the duties. You don't have the same person who writes the check then cash the check, for example. The same person who can service the servers: someone else should check their work. So you have a separate person do the quality check.
17:27
A clean desk policy for security: being sure people aren't leaving out sensitive documents or other information.
17:37
Other steps for personnel management: background checks, normally accomplished through human resources prior to employment,
17:47
making sure people are doing and have done what they said they've done.
17:51
Checking their financial background, legal background, criminal background to make sure that they're not going to be influenced unduly and potentially harm your organization and its systems.
18:03
Onboarding, also done within human resources;
18:07
normally there may be some security awareness training associated with onboarding.
18:11
You might be part of that if you're part of a security group.
18:15
It's a great time to get in front of new employees, get them thinking about cybersecurity,
18:21
so make sure your security group is part of the onboarding process.
18:26
Then terminations, exit interviews.
18:30
I've been part of that, to make sure people's access is removed immediately upon termination,
18:37
that they can't get to the computer systems through a remote access channel, VPN for example, that any of their files are secured, that they don't have any back doors into the systems, or Trojans or time bombs on the systems. All of that happens.
18:55
Exit interviews: to gain information about what the employee who's leaving has experienced. Security also needs to be very involved with human resources.
19:08
The last portion of personnel management
19:11
is role-based awareness training. So conducting that regular awareness training, don't just do it one time a year,
19:19
but also focus it on the roles.
19:22
It makes security personal for people. It's a great way to encourage them to be a part of the security program.
19:30
Systems administrators will have separate security training than a general user.
19:36
Maybe your application developers: they need their own security training, say on OWASP. And if you're not familiar with OWASP, go back to the previous session on application security and the specific training available for application developers.
19:52
So it's based on their job responsibilities.
19:56
Then you want to make sure there's continuing education, continual learning for employees. This way, they're always part of the security solution.
20:06
These are many of the ideas behind personnel management where security needs to be involved.
20:15
To help you prepare for the CompTIA Security+ 501 exam, here are some questions for you
20:23
based on this session.
20:26
Which of the following policies describes how the employees in an organization can use corporate resources?
20:33
A,
20:33
Internet use policy; B, the service level agreement or SLA;
20:37
C, acceptable use policy
20:40
or AUP; or D, the separation of duties policy.
20:45
What do you think the answer is?
20:49
The answer is C, acceptable use policy.
20:53
The next question for this section.
20:56
According to the CompTIA Security+ blueprint,
21:00
this is a personnel management practice of rotating administrative users between roles to ensure that fraudulent activity cannot be sustained.
21:11
Looking through the answer sheet, you will see the answer is A, job rotation.
21:15
Go through this and other exam questions and keep practicing
21:21
to gain a better understanding to help you pass your Security+ exam and become a great Security+ professional.
21:32
This ends section 5.1.
21:34
We need to be able to explain the importance of policies, plans and procedures related to organizational security.
21:44
I'm Ron Woerner.


Instructed By

Ron Woerner
CEO, President, Chief Consultant at RWX Security Solutions LLC