This lesson covers implementing IT governance standards and discusses the following:
- Intellectual property
- Data integrity
- Mandatory control

This lesson also discusses the importance of Human Resources (HR) work in making sure the people working for an organization are honest, and covers continuity planning and performance management within an organization.

[toggle_content title="Transcript"]

Alright, so having some standards for the governance of IT is an important thing to think about. We can't underestimate the value of intellectual property. This means that there's something someone created, or an organization created, that has some value in the marketplace. Of course they want to protect that. So that's why certain laws and certain mechanisms are put into place to prevent intellectual property abuses. Things like copyrights, trademarks and patents are all examples of intellectual property protection.

We also have to think about data integrity. How do we know that the data we are storing, transmitting and processing has not been tampered with? There are many, many different ways to achieve this goal. The solutions are up to the owners of the data to some degree, or the owners of the organization, but the basic concept of making sure that the data is correct and has not been modified is what we're driving at here.

Then we have to think about mandatory controls. As it says here, this is the strongest type of control. A mandatory control could be an administrative thing, to say that you are not allowed to take more than one hour for lunch. If you take more than one hour for lunch, you might be penalized. These could also be technical controls, where you're not allowed to have a password that's less than eight characters. That's an enforced mandatory control. If you try to change your password and it's seven characters, you'll get a message saying that you need to try again because you haven't met the minimum standard.
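The data integrity question above (how do we know that stored or transmitted data has not been modified?) is answered in practice with a keyed checksum. The following is an added example written for this page, not part of the lesson or the CISA course material: it seals a record with an HMAC-SHA256 tag at write time and re-verifies the tag at read time. The key, the account record and the function names are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed for this example: a secret shared only by the system that writes the
# record and the system that later reads it. In practice it would come from a key
# store, not from source code.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize the record deterministically so the same content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical form of the record."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare it in constant time.

    False means the record was modified after sealing, the tag itself was altered,
    or a different key was used. All three are treated the same: do not trust the data.
    """
    expected = hmac.new(key, canonical_bytes(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("tag", ""))


def demo() -> tuple:
    """Seal a constructed record, then show that a one-field change is detected."""
    original = {"account": "A-1001", "balance": 250.0, "currency": "USD"}
    sealed = seal(original)
    intact = verify(sealed)

    # Simulated tampering: the stored balance is changed but the old tag is kept.
    tampered = {"record": dict(sealed["record"], balance=2500.0), "tag": sealed["tag"]}
    detected = not verify(tampered)
    return intact, detected


if __name__ == "__main__":
    print(demo())  # (True, True)
```

A plain hash stored beside the record would catch accidental corruption, but whoever can rewrite the record can rewrite the hash too; the keyed tag is what makes deliberate modification detectable by anyone holding the key. This meets the lesson's integrity goal for data at rest or in transit, but it does not by itself show who made a change or when; that is a logging and monitoring matter.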
Two simple examples, really. The important point about mandatory controls is that compliance is enforced without any kind of exceptions and without any kind of manual interaction. Mandatory controls should be something that is done automatically, if you will.

Then we have discretionary controls. These are not as strong as mandatory controls. For instance, if you are a data owner, you own this data and you have some discretion as to who can access it. If you're a system owner, you have some discretion as to who can access your system. These are examples of some types of discretionary controls. I could put data on a thumb drive and give it to you and say, 'At my discretion, I'm allowing you to have this data.' Once you've got that data, you can do whatever you want with it. Therefore, discretionary control is not very strong. It provides some protection, but only at a minimal level.

What about monitoring? I mentioned the concept of continuous monitoring in an earlier section. This is important to think about in all different types of scenarios. We basically want continuous monitoring of all of our security controls in a given organization. That means that if somebody is walking into a room without using their badge, maybe that's monitored, through video cameras or through some other automated means. Maybe you're monitoring the fact that someone tried to change the administrator password on one of your systems, and you get an automatic alert because of this. Maybe someone turns a system off, or turns a system on, and you've got controls that look for these things. Or you've got a screen lock that happens after fifteen minutes. These are all ways to control access to assets and resources.

We have incident response. This is a vital part of any organization. For one thing, it relies on being able to trust monitoring controls. An intrusion detection system is a monitoring control.
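To make the distinction between mandatory, discretionary and monitored controls concrete, here is an added example written for this page, not from the lesson or the course: a small access model in which the classification label check is applied automatically and cannot be overridden, the owner decides who goes on the access list, and every decision is recorded so that denials can raise an alert. The label names, people and file name are constructed.

```python
from dataclasses import dataclass, field

# Constructed for this example: sensitivity labels in increasing order. The labels,
# names and file name below are illustrative, not from the lesson.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}


@dataclass
class Subject:
    name: str
    clearance: str  # assigned by the organization, not by the subject


@dataclass
class Resource:
    name: str
    owner: str
    label: str  # mandatory classification label
    readers: set = field(default_factory=set)  # discretionary: owner-granted access


@dataclass
class Monitor:
    """Records every decision so the controls themselves are continuously observed."""
    events: list = field(default_factory=list)

    def record(self, kind: str, detail: str) -> None:
        self.events.append((kind, detail))

    def alerts(self) -> list:
        """Events that should raise an automatic alert to the response team."""
        return [e for e in self.events if e[0] in {"mac_denied", "denied_grant"}]


def grant_read(resource: Resource, grantor: str, grantee: str, monitor: Monitor) -> bool:
    """Discretionary control: only the owner may extend access, and the attempt is logged."""
    if grantor != resource.owner:
        monitor.record("denied_grant", f"{grantor} is not the owner of {resource.name}")
        return False
    resource.readers.add(grantee)
    monitor.record("grant", f"{grantor} allowed {grantee} to read {resource.name}")
    return True


def can_read(subject: Subject, resource: Resource, monitor: Monitor) -> bool:
    """Mandatory check first and without exceptions; the owner's list is consulted only after it."""
    if LEVELS[subject.clearance] < LEVELS[resource.label]:
        monitor.record(
            "mac_denied",
            f"{subject.name} ({subject.clearance}) tried to read {resource.name} ({resource.label})",
        )
        return False
    if subject.name != resource.owner and subject.name not in resource.readers:
        monitor.record("dac_denied", f"{subject.name} has no grant on {resource.name}")
        return False
    monitor.record("read", f"{subject.name} read {resource.name}")
    return True


def demo() -> tuple:
    """Owner grants read to two people; the mandatory label still blocks one of them."""
    monitor = Monitor()
    payroll = Resource("payroll.xlsx", owner="alice", label="confidential")
    bob = Subject("bob", clearance="internal")
    carol = Subject("carol", clearance="confidential")
    dave = Subject("dave", clearance="confidential")

    grant_read(payroll, "alice", "bob", monitor)   # owner's discretion: allowed
    grant_read(payroll, "alice", "carol", monitor)
    grant_read(payroll, "bob", "dave", monitor)    # not the owner: refused and logged

    decisions = {
        "bob": can_read(bob, payroll, monitor),      # False: label outranks the grant
        "carol": can_read(carol, payroll, monitor),  # True: clearance and grant both satisfied
        "dave": can_read(dave, payroll, monitor),    # False: cleared, but never granted
    }
    return decisions, [kind for kind, _ in monitor.events]


if __name__ == "__main__":
    decisions, kinds = demo()
    print(decisions, kinds)
```

Bob has been granted access by the owner, but the mandatory check runs first and refuses him regardless of that grant, with no manual step in between, which is the lesson's point about mandatory controls. Dave is cleared but was never granted access, so the discretionary check refuses him. Each refusal lands in the monitor's event list, and alerts() picks out the ones an incident response team would want to see.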
If the intrusion detection system, or IDS, discovers that someone is trying to hack into the network or doing a scan, then your incident response team should be able to get this information and react quickly and accordingly. So incident response is very important when your controls are failing, or maybe the controls are working but there are still problems being detected because of some other activity.

We have to consider human resources. I already mentioned the value of doing background checks when you're hiring somebody. Being able to verify that someone's credentials actually check out - I've personally seen several people over the years get hired for a job and then get removed from that job because they lied about something on their resume. Or they did the background check on that person and it took some time for some information to come to light, and they find out, 'Oh, this person has an arrest record. They can't work here any longer.' So that's an important aspect of what HR does in making sure the people that are in the organization are reliable and have integrity and have a right to be there.

What about when someone is terminated? This is also a very sticky situation sometimes. If someone gets fired, general best practice says that they need to be removed from the building as soon as possible. You hand in your badge. You turn in your laptop, and now everybody has to change all the passwords and that kind of thing. If somebody leaves voluntarily, all that same activity still happens, but it's friendlier. Typically, even when someone is fired, it should be done in as friendly a manner as possible so as not to cause further problems. Disgruntled employees attacking their former employers, that kind of thing, should be avoided, and can be avoided if people are treated with some dignity and respect. When someone's terminated, whether it's hostile or non-hostile, sometimes exit interviews are conducted. 'What did you like about working here?
What didn't you like? Did you like your manager?' Those can be valuable tools for the organization to try to improve its internal HR processes and the way that it deals with its employees.

Employee contracts might be a bigger factor when you're a contractor or a consultant, or possibly if you are a member of a union. A lot of states have what's known as a right-to-work law, or they have hire-and-fire at-will laws, which means that you can be hired or fired for any reason. That tries to provide some bridge between people who are being unfairly treated or discriminated against and the employer's right to say, 'You're just not doing a great job. We don't need you anymore.' So there are some complexities there that need to be understood if you're involved in any aspect of HR.

Typically, there are confidentiality agreements, or non-disclosure agreements, that might need to be signed by new employees or contractors. This is to protect both parties, to say that if you come in contact with sensitive information during the course of your duties, you're not going to sell it for personal gain, or share it with other people or with competitors of the organization. Those things should be enforceable with well-defined penalties. Same thing with non-competition agreements, or non-competes. Especially when you're working in a contractor or consulting capacity, if you do a job for a client, typically there is some time period where you are not allowed to solicit business from that client on your own. That protects the company you're working for and protects the client from any kind of shady dealings that might be going on.

Then we have the logical conclusion of some of these other items, which is ethics statements. Ethics statements are a method to convey what the organization expects from the people who work for it. 'We have a very high moral standard here. We expect our employees to be truthful,' and so on.
If there is behavior that's unacceptable, it should be outlined in the ethics statement. I used the example in an earlier section about acceptable use of the Internet. You're allowed to go read your personal email, you're allowed to do some online shopping during your lunch hour, but you're not allowed to go to pornography sites or gambling sites or engage in hate speech, or something like that. Those things should be clearly identified so that you can't claim, at a later time, that you didn't know it was incorrect to do so, because you were shown the documentation and you signed it. So that's where they really come into their own as having a lot of value for the organization.

Some other things to think about. Performance evaluations. There is some expectation that maybe on an annual or bi-annual, or even a quarterly basis, some evaluation of performance will be done. This gives the employer and the employee a chance to have a conversation about how things are going and what might need to be done to improve performance or improve attitudes or productivity, and so on.

A promotion policy should be clearly identified. It should not be something that is just done on an ad-hoc basis. There should be some clear goals that are documented. That might not always be the case, but ideally that is what we would expect. Knowing what the promotion policy is helps everybody work from the same page. If your goal is to get promoted, you should be able to clearly see what those goals and those steps are to get to the next level.

What about work schedules? This is something that HR needs to be aware of as far as proper documentation goes. Making sure that everyone knows what the core working hours are, when the holidays are, and when days might be taken off for sick leave or accumulated vacation time. These should all be well documented. Lastly, we have corrective counseling.
If an employee is making a lot of mistakes, or errors, there should be a process in place to address that, to pull them aside and say, 'There are concerns about your performance. You're doing some things that are not acceptable. How can we fix this?' That's what a mature organization would be doing.

So, our next topic is continuity planning. I've already mentioned BCP and DRP (business continuity planning and disaster recovery planning) as forms of continuity planning. But we have to think about it in the bigger picture as well. So, the disaster recovery objectives are very important, but there are other things that auditors need to pay attention to. Who's in charge when there's a problem? What happens with your investors or your customers? What happens with key personnel who need to perhaps commute to a site that's been damaged by a disaster? Do you have multiple ways to contact people in case the mobile phone network is down? Maybe email is another alternative, or pagers, even. So some of these possibilities are worth thinking about. This is all part of the continuity plan that should be created by the management of the organization. The auditor's job is merely to verify that the various factors and details and components are part of the plan, that they are properly documented, and that there's some kind of testing going on.

Okay, so let's move on to performance management. What we're trying to do with performance management is identify key performance indicators, or KPIs, that can be used to keep track of how the business is doing. This can be measured in many different ways. It could be something like the number of active customers. The number of new customers. Profits, that's an obvious indicator. It could also be things like how many trouble tickets have been closed within a 30-day window, or how many trouble tickets were opened in the last 24 hours. These are all indications of the general health of an organization. That information can be used in various different ways.
Maybe it's posted to some kind of dashboard for management to look at. The key underlying principle here is that we need to have meaningful metrics that are agreed upon, so that those can be used in the future for making risk-based decisions and for understanding the health of the organization.

We also have to think about managing outsourcing. For instance, if you're using outsourced individuals for your accounting or software development, or managed services for dealing with your systems administration tasks, there's a point where the outsourced company has a lot of control over portions of the organization's infrastructure. That can be a legitimate concern. Maybe you're losing control over some of the processes to some degree. In many situations that's expected and normal. Cloud computing, for instance. If you're hosting all of your servers with a third-party provider, your only access is through a web browser, or through some other type of Internet connection. So you just have to identify that as being the normal way that things are done in that context and adapt accordingly.

One of the more important things, though, especially as it relates to cloud computing, is trying to preserve the right to audit an outsourced infrastructure. So if you had a cloud computing provider, or you were doing some software development off-shore, you would try to get the right to audit that environment to make sure they have appropriate security controls and that they're doing continuous monitoring; this would be an important consideration. Sometimes that might not be possible. It could be that the outsourcing company doesn't have the resources to support an audit by the main company. So, in that case, they could give them something like the SAS 70, which is a standard-format auditor's report. That might give enough information to the auditor at the main organization to keep them happy and say, 'Well, this appears to be being managed properly.
They're doing everything they're supposed to be doing.' It's really preferable to ask for that right of audit and to get it put into the contract document so that it's definitely agreed upon by both parties.

[/toggle_content]
Certified Information Systems Auditor (CISA)
In order to face the dynamic requirements of meeting enterprise vulnerability management challenges, the CISA course covers the auditing process to ensure that you have the ability to analyze the state of your organization and make changes where needed.