Time: 8 hours 35 minutes
Difficulty: Intermediate
CEU/CPE: 9

Video Description

This lesson covers implementing government IT standards and discusses the following:

- Intellectual property
- Data integrity
- Mandatory control

This lesson also discusses the importance of Human Resources (HR) work in making sure the people working for an organization are honest. This lesson also covers continuity planning and performance management within an organization.

Transcript

Alright, so having some standards for the governance of IT is an important thing to think about. We can't underestimate the value of intellectual property. This means that there's something someone created, or an organization created, that has some value in the marketplace. Of course they want to protect that. So that's why certain laws are put into place and certain mechanisms are put into place to prevent intellectual property abuses. Things like copyrights, trademarks, patents. These are all examples of intellectual property protection.

We also have to think about data integrity. How do we know that the data that we are storing, transmitting and processing has not been tampered with? There are many, many different ways to achieve this goal. The solutions are up to the owners of the data to some degree, or the owners of the organization, but the basic concept of making sure that the data is correct and has not been modified is what we're driving at here.

Then we have to think about mandatory controls. As it says here, this is the strongest type of control. A mandatory control could be an administrative thing, to say that you are not allowed to take more than one hour for lunch. If you take more than one hour for lunch, you might be penalized. These could also be technical controls, where you're not allowed to have a password that's less than eight characters. That's an enforced mandatory control. If you try to change your password and it's seven characters, you'll get a message saying that you need to try again because you haven't met the minimum standard. Two simple examples, really. The important point about mandatory controls is that the compliance is enforced without any kind of exceptions and without any kind of manual interaction as well. Mandatory controls should be something that is done automatically, if you will.

Then we have discretionary controls. These are things that are not as strong as mandatory controls. For instance, if you are a data owner, you own this data and you have some discretion as to who can access it. If you're a system owner, you have some discretion as to who can access your system. These are examples of some types of discretionary controls. I could put data on a thumb drive and give it to you and say, 'At my discretion, I'm allowing you to have this data.' Once you've got that data, you can do whatever you want with it. Therefore, discretionary control is not very strong. It provides some protection, but only at the minimal level.

What about monitoring? I mentioned the concept of continuous monitoring in an earlier section. This is important to think about in all different types of scenarios. We want to basically have the idea of continuous monitoring of all of our security controls in a given organization. That means that if somebody is walking into a room without using their badge, maybe that's monitored through video cameras or through some other automated means. Maybe you're monitoring the fact that someone tried to change your administrator password on one of your systems, and you get an automatic alert because of this. Maybe someone turns a system off, or turns a system on, and you've got controls that look for these things. Or you've got a screen lock that happens after fifteen minutes. These are all ways to control access to assets and resources.

We have incident response. This is a vital part of any organization. Being able to rely on monitored controls, for one thing. An intrusion detection system is a monitoring control. If the intrusion detection system, or IDS, discovers that someone is trying to hack into the network or doing a scan, then your incident response team should be able to get this information and react quickly and accordingly. So incident response is very important when your controls are failing, or maybe the controls are working but there are still problems that are being detected because of some other activity.

We have to consider human resources. I already mentioned the value of doing background checks when you're hiring somebody. Being able to verify that someone's credentials actually check out. I've personally seen several people over the years get hired for a job and then get removed from that job because they lied about something on their resume. Or they did the background check on that person and it took some time for some information to come to light, and they find out, 'Oh, this person has an arrest record. They can't work here any longer.' So that's an important aspect of what HR does in making sure the people that are in the organization are reliable and have integrity and have a right to be there.

What about when someone is terminated? This is also a very sticky situation sometimes. If someone gets fired, general best practice says that they need to be removed from the building as soon as possible. You hand in your badge. You turn in your laptop, and now everybody has to change all the passwords and that kind of thing. If somebody leaves voluntarily, all that same activity still happens, but it's friendlier. Typically, even when someone is fired, it should be done in as friendly a manner as possible so as not to cause further problems. Disgruntled employees attacking their former employers, that kind of thing, should be avoided, or can be avoided if people are treated with some dignity and respect. When someone's terminated, whether it's hostile or non-hostile, sometimes exit interviews are conducted. 'What did you like about working here? What didn't you like? Did you like your manager?' Those can be valuable tools for the organization to try to improve its internal HR processes and the way that it deals with its employees.

Employee contracts, these might be a bigger factor when you're a contractor or a consultant, or possibly if you are a member of a union. A lot of states have what's known as a right-to-work law, or they have hire-and-fire-at-will laws, which means that you can be hired or fired for any reason. That tries to provide some bridge between people that are being unfairly treated or discriminated against versus the employer's right to say, 'You're just not doing a great job. We don't need you anymore.' So there are some complexities there that need to be understood if you're involved in any aspect of HR. Typically, there are confidentiality agreements, or non-disclosure agreements, that might need to be signed by new employees or contractors. This is to protect both parties, to say that, 'If you come in contact with sensitive information during the course of your duties, you're not going to sell this for personal gain, or share it with people, or share it with competitors of the organization.' Those things should be enforceable with well-defined penalties. Same thing with non-competition agreements, or non-competes. Especially when you're working in a contractor or consulting capacity, if you do a job for a client, typically there is some time period where you are not allowed to solicit business from that client on your own. That protects the company you're working for and protects the client from any kind of shady dealings that might be going on.

Then we have the logical conclusion of some of these other items, which is ethics statements. The ethics statements are a method to convey what the organization expects from people that work for it. 'We have a very high moral standard here. We expect our employees to be truthful,' and so on. If there is behavior that's unacceptable, it should be outlined in the ethics statement. I used the example in an earlier section about acceptable use of the Internet. You're allowed to go read your personal email, you're allowed to do some online shopping during your lunch hour, but you're not allowed to go to pornography sites or gambling sites or engage in hate speech, or something. Those things should be clearly identified so that you can't claim, at a later time, that you didn't know it was incorrect to do so, because you were shown the documentation and you signed it. So that's where they really come into their own as having a lot of value for the organization.

Some other things to think about. Performance evaluations. There is some expectation that maybe on an annual or bi-annual, or even a quarterly basis, some evaluation of performance will be done. This gives the employer and the employee a chance to have a conversation about how things are going and what might need to be done to improve performance or improve attitudes or productivity, and so on. A promotion policy should be clearly identified. It should not be something that is just done on an ad-hoc basis. There should be some clear goals that are documented. That might not always be the case, but ideally that should be what we would expect. Knowing what this promotion policy is helps everybody work from the same page. If your goal is to get promoted, you should be able to clearly see what those goals and those steps are to get to that next level. What about work schedules? This is something that HR needs to be aware of as far as proper documentation goes. Making sure that everyone knows what the core working hours are, when the holidays are, when there are days that might be taken off for sick leave, or accumulated vacation time. These should all be well-documented. Lastly, we have corrective counseling. If an employee is making a lot of mistakes, or errors, there should be a process in place to address that, to pull them aside and say, 'There are concerns about your performance. You're doing some things that are not acceptable. How can we fix this?' That's what a mature organization would be doing.

So, our next topic is continuity planning. I've already mentioned BCP and DRP as forms of continuity planning. But we have to think about it in the bigger picture as well. So, the disaster recovery objectives are very important, but there are other things that auditors need to pay attention to. Who's in charge when there's a problem? What happens with your investors or your customers? What happens with key personnel that need to perhaps commute to a site that's been damaged by a disaster? Or having multiple ways to contact people in case the mobile phone network is down. Maybe email is another alternative, or pagers, even. So some of these possibilities are worth thinking about. This is all part of the continuity plan that should be created by the management of the organization. The auditor's job is to merely verify that various factors and details and components are part of the plan, and that they are properly documented, and that there's some kind of testing going on.

Okay, so let's move on to performance management. What we're trying to do with performance management is identify key performance indicators, or KPIs, that can be used to keep track of how the business is doing. This can be measured in many different ways. It could be something like the number of active customers. The number of new customers. Profits, that's an obvious indicator. It could also be things like how many trouble tickets have been closed within a 30-day window, or how many trouble tickets were opened in the last 24 hours. These are all indications of the general health of an organization. That information can be used in various different ways. Maybe it's posted to some kind of a dashboard for management to look at. The key underlying principle here is that we need to have meaningful metrics that are agreed upon so that those can be used in the future for making risk-based decisions and for understanding the health of the organization.

We also have to think about managing outsourcing. For instance, if you're using outsourced individuals for your accounting, or software development, or managed services for dealing with your systems administration tasks, there's a point where the outsourced company has a lot of control over portions of the organization's infrastructure. That can be a legitimate concern. Maybe you're losing control over some of the processes to some degree. In many situations that's expected and normal. Cloud computing, for instance. If you're hosting all of your servers with a third-party provider, your only access is through a web browser, or through some other type of Internet connection. So you just have to identify that as being the normal way that things are done in that context and adapt accordingly. One of the more important things, though, especially as it relates to cloud computing, is trying to preserve the right to audit an outsourced infrastructure. So if you had a cloud computing provider, or you were doing some software development off-shore, trying to get the right to audit that environment to make sure they have appropriate security controls, make sure that they're doing continuous monitoring, this would be an important consideration. Sometimes that might not be possible. It could be that the outsourcing company doesn't have the resources to support an audit by the main company. So, in that case, they could give them something like the SAS 70, which is a standard-format auditor's report. That might give enough information to the auditor at the main organization to keep them happy, to say that, 'Well, this appears to be being managed properly. They're doing everything they're supposed to be doing.' It's really preferable to ask for that right of audit and to get it put into the contract document so that it's definitely agreed upon by both parties.


Instructed By

Dean Pompilio
CEO of SteppingStone Solutions
Instructor