Video Description

As a continuation of the previous lesson, we discuss risk-related controls and control types and explain the concepts behind them. We define what a control is and what function it serves. You'll learn what types of policies and procedures are developed as technical, management and operational controls, and why those distinctions are significant. You'll also learn what types of privacy policies should be developed and what types of risks are associated with each kind.

Transcript

Section 2.1 of the Security+ syllabus explains the importance of risk-related concepts. What is a control? A control could be hardware or software used to implement and enforce a policy. It is a solution we put in place to implement and enforce the policy. Some organizations are able to implement policies but not enforce them, but by using controls and best practices you want to implement the control and enforce the control. Controls are no good if they are implemented and not enforced, so we have different types of controls. We have technical controls, which could also be regarded as logical controls; examples would be passwords and encryption. You could also have management controls in the form of policies and procedures. Policies, practices, best practices: these are management procedures. Operational controls govern the operation within the business environment, and these could be in the form of procedures, standards, and best practices. All of these are there to implement and enforce the directives of management.

When you put controls in place, it's possible that your controls are too lax or too tight, and this gives room to what we call false positives or false negatives. So now we will be discussing false positives and false negatives. What do we mean by a false positive? Your security controls are saying there is a problem, but in reality there is no problem. Say we have a user who can access a facility. The user has been authorized to access the facility, but when the user decides to access the facility the alarms go off: intruder, intruder, intruder. This person is authorized to access, but the system is saying there is an intruder. That is a false positive. Yes, it is a positive, but it's false; there is no intruder. The person the alarm is going off on is authorized to access the system. Now for a false negative: the system is saying that there is no problem, but in reality there is a problem. Say you visit a store; you are meant to pay for every item you pick. But you visit the store, you pick the items and do not pay, and as you walk to the door the alarms don't go off. So the system is saying "oh, there is no problem," but in reality there is a problem, because you haven't paid for those items in the bag. So that is a false negative: it is seeing it as if nothing is happening, but in reality something is happening. Items are leaving the store that have not been paid for. So when your system is alerting on things that shouldn't be alerted on, we call it a false positive, and when your system fails to alert on instances where it should alert, that is a false negative.

Now we discuss the importance of policies to reduce risk. Organizations create and implement policies to reduce risk in the organization. Without the policies in place there are no rules, and that way the risk could be very high within the enterprise. The first we look at is the privacy policy. Privacy policies are policies that dictate how privacy should be carried out within the organization. PCI DSS dictates standards to be followed if we collect credit card information: how to store it and how to safeguard that data on our networks. Regulations protect health records. These are all privacy policies to reduce the risk of unauthorized disclosure of information; that risk will be reduced. If you don't follow best practices for privacy within the organization, organizations will suffer from indirect loss, financial indirect loss in the sense that we have lawsuits: I have given you my credit card and my credit card is breached, so I could sue that organization; or even my medical records, individuals could sue certain organizations. So to reduce the risk of lawsuits, organizations are best advised to follow the privacy policy.

The acceptable use policy: this is a policy put in place to dictate acceptable use of equipment or resources within an organization. So people seeking to use these resources cannot say they don't know. They are not meant to use the resources in certain ways, because before the resource is made available to you, you should be taught and educated as to how you can use it, what you are allowed to use it for and what you cannot use it for. The acceptable use policy is put into place by organizations to protect themselves, so that should a staff member be using, say, the organization's vehicle for unauthorized means, the organization knows that the individual has been educated that "okay, we should not use this for personal use but only for official use." So the acceptable use policy is simply a policy to dictate what is allowed or not allowed when we use resources made available by the organization. The security policy could be one policy or a group of policies. The security policy would dictate how security is rolled out within the organization; maybe it will be how accounts are created, maintained and decommissioned, or how users interact with the system in the case of password generation, password complexity, password length and re-use. The security policy would govern everything as it relates to security within the organization.

The principle of mandatory vacation: the principle of mandatory vacation dictates that our users should go on periodic vacation. This way their activities can also be investigated. Somebody else will sit at their desk and do their job, so should it be that these persons are committing some form of fraud or crime, this is an opportunity for us to discover it. Somebody else is doing their job, and they could then discover that "oh, user A has always been doing this; why is he doing it?" so that you can then better investigate to see whether some people are committing fraud. People that tend to resist vacation have a tendency of doing something malicious on the network. Job rotation: the principle of job rotation dictates that we rotate our staff amongst jobs, a form of cross-training for them to learn other people's roles. So in the absence of one person, another person can step into their shoes and carry out their job function; there is no vacuum created by the loss of one person. It is not a single point of failure, so multiple people can learn multiple roles, and if one person is missing, somebody else is available. This helps ensure the availability concept of the CIA triad (Confidentiality, Integrity and Availability).

The principle of separation of duties: this principle dictates that critical job functions be broken down into multiple roles, so that not one person starts it and takes it all the way to the end. When you have only one person handling a critical job function, there is the possibility of fraud; they abuse the function, or they are not even doing it right. So the principle dictates that multiple job roles should be made available to service a critical job function. If person A starts it off, person B continues, and person C could finish it off. That way you limit the risk of fraud within the organization or abuse of power. The principle of least privilege dictates that our users be given only the permissions they need to do their work, no more, no less. If you give insufficient permissions they will all be calling the help desk: "I can't get my work done," no productivity. If you give the exact amount of permission they can work, and if you give them too much they will abuse it. We should have periodic audits to check permissions to ensure that we've only assigned the least privilege possible; that way there is no room to abuse privilege.
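As an added illustration of the periodic audit the speaker recommends at the end of the lesson, here is a small Python script that checks a set of user records for least-privilege excess, separation-of-duties conflicts, overdue mandatory vacation, and roles with no cross-trained backup (job rotation). It is not from the course; the role names, permission names, conflict sets and user records are constructed assumptions.

```python
from datetime import date

# Constructed sample data (assumptions, not from the lesson): the permissions each
# job role needs, the stages of a critical job function that one person must not
# hold together, and each user's actual grants and last vacation date.
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice.create"},
    "ap_approver": {"invoice.approve"},
    "treasurer": {"payment.release"},
    "auditor": {"invoice.read", "payment.read"},
}
SOD_CONFLICTS = [
    {"invoice.create", "invoice.approve"},
    {"invoice.approve", "payment.release"},
]
USERS = {
    "alice": {"roles": ["ap_clerk"], "last_vacation": "2024-01-10",
              "granted": {"invoice.create"}},
    "bob": {"roles": ["ap_approver", "treasurer"], "last_vacation": "2023-02-01",
            "granted": {"invoice.approve", "payment.release"}},
    "carol": {"roles": ["auditor"], "last_vacation": "2024-03-05",
              "granted": {"invoice.read", "payment.read", "payment.release"}},
}

def audit(users, today, max_days_without_vacation=365):
    """Return (user, finding, detail) tuples; `today` is an ISO date string."""
    findings = []
    for name, u in users.items():
        # Least privilege: anything granted beyond what the user's roles need.
        needed = set().union(*(ROLE_PERMISSIONS[r] for r in u["roles"]))
        excess = u["granted"] - needed
        if excess:
            findings.append((name, "least_privilege", sorted(excess)))
        # Separation of duties: one person holding every stage of a conflict set.
        for conflict in SOD_CONFLICTS:
            if conflict <= u["granted"]:
                findings.append((name, "separation_of_duties", sorted(conflict)))
        # Mandatory vacation: too long since someone else sat at this desk.
        days = (date.fromisoformat(today) - date.fromisoformat(u["last_vacation"])).days
        if days > max_days_without_vacation:
            findings.append((name, "mandatory_vacation", days))
    return findings

def single_points_of_failure(users):
    """Job rotation check: roles that only one person is trained to perform."""
    holders = {}
    for name, u in users.items():
        for role in u["roles"]:
            holders.setdefault(role, []).append(name)
    return sorted(role for role, who in holders.items() if len(who) == 1)
```

Run against the constructed records, the audit flags bob for holding both approve and release stages and for 486 days without vacation, and carol for a grant her auditor role does not need; every role here is a single point of failure.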