Security Policies

Time: 15 hours 43 minutes
Difficulty: Advanced
CEU/CPE: 16
Video Transcription
00:01
>> Let's move ahead and talk about security policies. In this section, we're going to talk about organizational policies, issue-specific policies, and then system-specific policies.

As I mentioned, we have three basic types of policy. Your corporate policy comes down from senior leadership. That corporate policy is leadership's way of stamping their vision on the organization as a whole. This is how we feel about security, this is our commitment to it. This is the business reason that security is important to us. Here are our expectations. Here are the results of non-compliance. That's what your organizational security policy is going to be. Then we're going to break it down further into specific issues we're going to deal with and specific systems.

Actually, I'm just going to mention system-specific policies first, because the idea is for every system you have in your environment, or every role of systems in your environment, you may have different security policies. What I mean by that is you're going to have a different set of policies for domain controllers than you have for web servers. You're going to have certain policies that impact end-user workstations that are going to be very different than how you would protect your database or whatever.

I've given you a couple of examples on this slide of what a system-specific policy would look like. This first point: web servers must be configured according to a consistent image with baseline configuration approved by the Director of IT and of Marketing. What I want you to notice is that's a broad statement; it doesn't have any details as to what that baseline image is going to include. But it just basically says, we're going to have an image for these systems. They have to get signed off from Marketing and Sales. That's policy. I'm not getting into all the details, all the particulars. Remember, standards and procedures are going to fill in those details. As a general rule, policy should be able to be written and not have to be revised for a couple of years. It's not something that you're going to change every time the wind blows. Those are your system-specific policies. I've given you a couple of other examples here.

Let's talk for just a minute about issue-specific policies. I really do think that you're going to see questions on these policies. I would encourage you to know them all and to really understand what they bring to me in a secure environment.

We'll start out with the Change Management Policy. I cannot stress enough that nothing should happen on the fly. Even if things are on fire, there's a process for how we handle certain situations that might arise. If there are necessary changes to our environment, we should have a change control process that's in place that's followed to the teeth in the event of a recommended change. Like I said, even if something's on fire, there's an emergency change control process. Because what we don't want to do is create an unstable environment. When people start making changes, they forget to document, they don't always do their due diligence, and sometimes you fix one problem just to cause another, like we talked about with secondary risks. Our change management policy makes sure that we have a specific procedure in place to ensure that the changes that are made have been considered, approved, tested, scheduled for roll-out. They get rolled out, they get documented, lessons learned are collected, all of those pieces. That should be included in our change management policy.

The acceptable use policy is a resource policy, meaning it's aimed at protecting company resources. Questions like, can I print personal material to the company printer? Can I browse the Internet while I'm working? Can I make phone calls on company time? Those would be considered to be part of an acceptable use policy.

After that, privacy policy. We're not talking, in this instance, about privacy of customer data; what we're talking about here is employee privacy. If I were to ask you, do I have to guarantee privacy for my employees in the workforce? I've had different answers. Or if I ask the question, do employees have an expectation of privacy? The truth is, they do expect privacy. Now whether or not I have to guarantee it, that's a different story. But the bottom line is, my employees expect privacy, right, wrong, or indifferent, and if I'm going to infringe upon that privacy, they need to be notified. That's one of the most important elements of your employee privacy program: notification. For instance, when a new employee comes in, I go over the employee handbook, the high level, with them. Then I'm going to include in that: you have no expectation of privacy while you're within this building, on these computers, at this time. Here are the ways that we might infringe upon privacy. We might monitor phone calls for quality assurance. We might record keystrokes or view web history, whatever it is. There are systems; technically we can do it, but we want to do it in a manner that is compliant with laws and regulations, but also just best practices, just fairness. We're not trying to sneak up and catch our employees doing something wrong. We're protecting our assets, and sometimes just telling people, "Hey, we're watching," is enough of a deterrent. It certainly keeps the honest people honest. That's our privacy policy: make sure that we have notification.

For data and system ownership: data ownership wins every time. When we talk about who is accountable for the protection of data, who determines the security of data, who determines access to data, who determines data's value, all of those go to the data owner. Usually, we don't really think about classifying systems except based on the data that's stored on those systems. This computer doesn't mean anything to me. It's really valuable to me based on the data that's stored on the system. So watch for tricky questions like, User A is the owner of data on a system that's owned by User B; who controls the security? The idea is one person owns the data, the other person owns the system. The data owner is always the one accountable, always the one that makes the decisions on the protection of data. Whenever you're in doubt, the data owner is the decision-maker. They're our ultimate customer.

Another big topic is separation of duties. Expect to see this on the exam. A couple of ideas with separation of duties. First of all, separation of duties keeps any one individual from being too powerful within an organization. There's that old phrase, "Absolute power corrupts absolutely." I say that with a smile on my face because I remember one of the first jobs in IT I had, and I was very new. Even at that point in time, I knew this was ridiculous, but it was a medium-to-small-size company and they had a single network admin. Everybody considered him to just be the guru of the organization, and he was extremely smart. But he had way too much power in that organization. I kid you not, if you were in a discussion with him and you ticked him off, he seriously would go lock out your account and he wouldn't pick up his phone for 30 minutes. The guy is a jerk. But above and beyond that, how does that happen in an organization, that one person has that much power? Separation of duties might say, this one person can lock accounts, this other person can unlock them. We don't want one person sitting on the keys to make everything in the company work.

Now, another idea with separation of duties is, I want you to have the phrase "forcing collusion." Separation of duties forces collusion. The first time I heard that, I thought, what? Because collusion isn't a good thing. Collusion is multiple people coming together to create fraud or to perpetrate fraud. Collusion is never people coming together to hold hands and sing "We Are The World." Collusion is always negative. My thought was, why in the world would you want to force collusion? Well, the idea is I would rather you have to collude with someone to commit fraud than be able to do it on your own. For instance, at your company, the person that prints paychecks is not the same person that signs paychecks. If they were to commit fraud, they'd have to collude together. Think about that. If I'm not able to commit fraud on my own and I have to collude with someone else, how well would I have to know that person to say, "Hey, Bob, I've got this great idea. Do you want to risk 15 years in prison because I've got a great idea?" It's hard to find another party to collude with. That's what we want: separation of duties forces collusion. Now, of course, we don't want collusion to happen at all, so we implement lots of other compensating policies like job rotation. We make sure that people rotate their positions so that we don't have time to build those collusive relationships. We also monitor employee activity and we audit. Separation of duties is a good start; it's a preventive control.

Now, from separation of duties, another policy we can put in place is mandatory vacations. This is something you're only going to see in the financial industry. As a matter of fact, if you see a scenario question where they're talking about you working for a bank, mandatory vacations probably should pop into your mind to say, "Hey, are they going down this trail?" Because here's what mandatory vacations do force. Let's say that I get hired for a bank and they say, "Congratulations, Ms. [inaudible]. You have the job. You're going to get 10 days paid vacation." Five of those days must be taken in order, consecutively. During those five days, you cannot come to work, you can't check your email, you can't remotely connect to the office, you can't call people, you can't show up in person; you must be 100 percent absent from this organization. If the bank is coming up a couple hundred bucks short every single week, and all of a sudden, the one week Kelly's on vacation in the Cayman Islands, everything balances to the penny, well, then you may see this gives us some reasonable idea that maybe there's fraudulent activity coming along. In this case, when we have mandatory vacations, that's a detective control.

I've already mentioned job rotation, going around where we don't allow individuals to stay in one job too long. At some point in time, when people know all the ins and outs, all the tricks, all the workarounds, then it's probably time to move them on to the next department, the next role, the next function. Then ultimately, we bring someone else in so that they can observe the environment, make sure that there wasn't any fraudulent activity. It's also really good to cross-train your employees. You can think about that in the event of disaster recovery, business continuity planning. We don't want that one individual that can't be missing in action.

Principle of least privilege and need to know both do the same thing; they're both for the same purpose. They're slightly different in that principle of least privilege has to do with action, whereas need to know has to do with knowledge. For instance, I don't allow users to install applications on their systems. They'll install garbage, or it'll be improperly installed, or just whatever; it just introduces a risk that isn't worth it. That's principle of least privilege. I'm only going to give you privilege to what you absolutely have to have to do your job. Principle of least privilege. Need to know: you're not on the sales team, so I don't give you access to the sales folder. One is about knowledge, the other is about action and activity. I don't let you change system date and time: least privilege. I don't let you have access to a top secret folder because you have a clearance of secret: that's need to know.

Then dual control and M of N control go together. They're back to the ideas of separation of duties, limiting the power. For instance, with dual control, if you've seen those movies where there's a madman that's overtaken the Oval Office and he's going to launch the bomb, and then down in the bunker, there are keys, two keys, one on each side of the room. Two people would have to be present to turn the keys in order to launch the missile. That's a way of preventing one person from being all powerful; that's dual control. Now, technically, dual control is a form of M of N control, but M of N control is a little more flexible. With dual control, I might say Administrator 1 and Administrator 2 must be present in order to recover a private key; that's dual control. But with M of N control, I'm not naming specifics, I'm saying so many out of a total; M and N are just variables. What I mean by that is, let's say in my company I have seven network admins. I might say any three out of seven need to be present to recover a private key. With dual control, you dictate specific individuals: Bob and Alice must be there. But what if Bob's out or Alice is unavailable? M of N control is much more flexible: any three out of five, four out of 10, two out of eight. It just gives that flexibility that I have so many individuals in a specific role, and a certain number have to be there rather than certain individuals.

That wraps up our security policy. We talked about corporate policy, which comes down from senior management, where they dictate their vision and their view of security within the organization; then we talked about specific issues with our employees, as well as system-specific policies.