Policies and Best Practices Part 2

Time: 7 hours 50 minutes
Difficulty: Beginner
CEU/CPE: 8
Video Transcription
A few additional policies to be aware of. Usually within an organization, there are system-specific policies and issue-specific policies. We have certain policies for web servers that are different from domain controllers, which are different from end-user workstations. We may have different policies for each. For issue-specific policies, we've talked about the need for a change management policy and how there has to be an orderly procedure to request and approve changes. We also mentioned the acceptable use policy that dictates how employees are to use company resources.

The next thing is the privacy policy. We can certainly have policies for the private information of our customers and how we store and protect that private information, but we also have to think about the privacy of our employees. Do we have a business need to monitor email? Do you have a business need to record phone calls? If so, that's fine. But one of the most important elements of a privacy policy is ensuring that we notify the employees if there is going to be an infringement on privacy. People expect privacy in the workplace. I don't have to provide it, but if that's the case and I'm going to infringe upon privacy, folks need to be notified.

We also have to be very clear on who owns the data and who owns the systems for operation. As a general rule, the individual or individuals that own the data determine the classification of the data and its protection. Data ownership is very important, and it should be clearly defined who fulfills that role. Also, you usually see the role of data custodian, and that individual would be responsible for maintaining the data. That said, the data owner determines its classification.

Separation of duties, which is a very important policy, makes sure that we don't have a conflict of interest, and also makes sure that no one is too powerful on the network. I worked for a company at one point in time that had a single network admin, and this person was really all-powerful. In all seriousness, if somebody offended him, he could lock those users out of their own account and not respond for 30 minutes, which is a tremendous abuse of power. That really goes back to whoever signed off on a configuration of that sort. There should never be a single network admin. A series of network admins performing different activities is good.

Mandatory vacations. I think many of us probably wish we could get a mandatory vacation. You'll see this in banks and other financial institutions, but you don't see it everywhere. Let's say I get hired to work in a bank. I come on board and they say, "Kelly, you're going to get 10 days of paid vacation. Five of those days must be taken consecutively, and during those five days, you may not come into the office, contact anybody at the office, you can't check email, you can't remote in, you have nothing to do with this work environment." That way, if the bank is coming up a couple of hundred bucks short every week, and suddenly Kelly's out of the office in the Bahamas and the bank balances to a penny, that might be an important detective control and an indicator that something is going on. Mandatory vacations are generally only present in financial institutions, and job rotation is another detective control.

I may be the database administrator of database 1 for six months, then move over to administer database 2. Someone else comes in behind me to database 1 and they can detect any activity that I performed, either mistakes I've made or fraudulent activity.

Least privilege and need to know, those two go hand-in-hand. Least privilege and need to know are very closely related. The principle of least privilege is usually about actions. I will allow you only the actions that you must have to do your job. Need to know is about information, and I'm going to let you know what information you need to do your job. For instance, I only allow certain users to change the system date and time. That's the principle of least privilege. If you're not on the sales team, you don't get access to the sales folder. That's need to know. Very closely related.

Then we have dual control and M of N control. Dual control is for those actions on the network that are of such a sensitive nature that you don't want to allow a single person to perform that action alone. Maybe for things like key recovery. When we talk about security and Security+, we're going to cover the very significant element of a private key and how a private key is bound to your identity. It provides authentication for you. If my private key gets corrupted, there are going to be activities that I can't perform. We need our private keys. For that purpose, we may back up our private keys with the idea that if it gets corrupt, we can restore it. The problem is, usually the network administrator is relegated to that responsibility. If my private key is mine, but a network admin backs it up and recovers it, now that network admin has my private key. We might require two network admins to be present and both enter a password before a key can be recovered. There's also M of N control, in which M and N are just variables. Out of a total number of administrators, so many have to be present: 4 out of 10 network admins, 3 out of 7, it doesn't matter what the numbers are. Again, it's the idea of making sure we don't have one single person with too much authority or too much control.

Just wrapping up the idea of this section. Documentation is critical, making sure that we can rebuild the network in the event of a disaster, but also that at any point in time, you can go back to our documentation and figure out what's what. We talked about logical versus physical documentation, whereas logical documentation helps us get an understanding of how traffic moves on the network, physical documentation really shows the physical devices and where the cable is moving from point A to point B. Our network devices and various network equipment, those need to be labeled, configurations need to be backed up, and access control lists, the firewalls and routers, those should be well-documented. Racks and wiring, label, label, label, keep them neat, keep them well organized. Then also we make sure that we have documentation on our policies, our procedures, and our baseline performance information so that anyone within our organization can go to those documents and either learn standard operating procedures or take the information that they need. Policies should be published, and policies should apply to all individuals in the workforce. We generally look at these as administrative directive controls, and in that, management states their expectations for behavior. We look at things like acceptable use policy, separation of duties, dual control. All of those policies we discussed add an additional important layer to security in our environment.