Now, when we talk about policies and there are all sorts of policies that you may have with an organization, this is a pretty good list of things that we should consider and make sure that we have policies on now. I'm not necessarily gonna read every one of these and go through. Some of them are fairly easy to understand. I am going to hit the important ones, though, and one of the most important policies
that use an organization would have in place
separation of duties so very essential, separate out roles and responsibilities. Make sure that no one individual has too many rights. No one individual is too powerful. Rather than having a network administrator, you have a network administration team,
and different individuals within that team have different roles that they perform
different rights and permissions associate it with those separation of Judy's and separation of access. So very important on DDE that goes hand in hand with principal of least privilege and need to know I'll separate out duties. But I'll make sure that each Judy or each role within the company
on Lee has the rights and permissions essential
to do its goal. If you followed it all the compromise with Target and it's hard not to follow. It's been in the news a lot, Lady. Lately, over 70 million credit cards were compromised. The way this attack happened is a representative for small H. Phat Company.
Logged on to a system,
opened up an email with an attachment that contained backdoor software. But the point of that is, how in the world did somebody who was an H FAC guy have access to call targets Production network that contained 70 million credit card numbers?
Here's a guy that needed his this system. For what? What possible reason
would there be for him being on a production environment? Hiss system. He didn't have need to access the production network. He should have had an isolated system on an isolated domain that had no possibility of interfering or accessing targets. Production network
isolation is so very important.
I need to know principle of Lise privilege. The guy has no need to access the production network. Therefore, he has no access to that network and the problem would have been solved. But because sometimes people choose ease of use and let's just put everything in one giant network where everybody can access everything they need.
You see compromises like this happen.
So isolation of resource is separation of beauties, very important security principles.
Job rotation. Job rotation is an important security control. The idea is that we want to make sure, first of all, that our employees are cross trained. That's very helpful. So no one stays stagnant in the job for too long that you move on to different departments, you learn new skills.
You're better able to benefit the company, and that's important to you. But from a security standpoint,
um, we want to make sure that our database administrator
isn't a database administrator for years and years and years, and he's the only person that has access to that database. Um, what are they doing with that database? Why are they so proprietary over that database? Let's make sure somebody comes in. Make sure nothing fraudulence going on. It really is a defective mechanism.
It's also a way that we would prevent collusion,
and that's a good thing. Collusion on our network. When we talk about collusion, it's multiple parties coming together to commit fraud.
Um, and like I'd said, you know, the person that prints your paychecks isn't the same person to sign your paychecks. That's a very good principal. Very important.
But job rotation makes it less likely that people would come together to collude.
Because if you really think about it, how long do I have to know somebody before I invite them into a collusive attempt to commit fraud to the company?
How long do I have to know somebody before I say, Hey,
I've got this brilliant idea to cheat our employer out of millions of dollars? Do you want to risk going to jail with me? Because of my great idea?
I would have to know somebody a very long time and have a very close relationship before I would ever approach somebody to propose some sort of collusion. So job rotation means that you don't have that same person in the same job year in and year out. It's a good detective mechanism, but it's also helpful for things like collusion.
Mandatory vacation is along the same line. It's a detective control. You see this a lot in financial industries. Let's say that we work for a bank.
The bank's been coming up a couple $100 short every week for the last six months. Why don't we send Kelly on vacation for two weeks? She's not allowed in the business. She's not allowed on the property. She's not allowed to contact any of the employees there. And let's find out how the bank balances with Kelly out of the office for 14 days
and you can see how that would be a detective Control
talked about principle of least privilege. You certainly must have a well documented set of processes for how we respond to incidents and any sort of forensic tasks that we would be required to perform as a result of incident response. We'll talk about that a few minutes, obviously, securities and ongoing,
training and awareness, I need to know, need to know goes hand in hand with Lise privilege. But least privilege is about action. Need to know is about dab.
So, for instance, if I don't give you access to the contents of the sales folder because you're not in the sales team,
if I don't allow you to install applications on your system. That's principle of Lise privilege. OK, the two are very close, closely related.
Certainly we want to indicate to our employees what is prohibited. You know, we want to tell him what compliance looks like. We also want to tell him what noncompliance looks like here. The activities that we do not allow
if we have data classifications, the policies for that classifications, how long things remain classified when they fall out of that scope on how we handle sensitive data that should be defined in policy.
We need user password policies, and we must enforce those. Because if we were to give users their ultimate preference,
they would use the same password again and again and again. And be very simple. Password.
copyright and intellectual property. What is our stance on the company's intellectual property? What consists of what would a violation of intellectual property? What would that look like? What are the penalties associated with it? Are companies ethical stance on intellectual property licensing?
Acceptable use policy that's an important policy, are acceptable use policy is about our resource is what can users do with our resource is on the network. Can a user browse the Internet for personal purposes? Maybe what his policy say acceptable use
Can a user make personal phone calls on the company phones? Maybe
acceptable use policy? How can fax machines be used? What about the postage meter? What about any other company resource that should be well defined in the acceptable use policy
data destruction policy? We had talked earlier about data remnants. And how that being a threat? The confidentiality. You know, once you delete files, you still leave remnants of those files on your hard drive or your thumb drive or whatever type of media you're using.
So if we have sensitive information,
we have policies in place that detail how that data must be destroyed in such a way that it can't further be compromised. You know, there might also be provisioning policies, how we would go about commissioning and Decommissioning systems after use.
Like I said, there are many other policies we could have in place. But this would be a good start. And looking at some of the policies we wanted implement