Tactical Management (part 2)

Time: 13 hours 35 minutes
Difficulty: Intermediate
CEU/CPE: 9
Video Transcription
Having some standards for the governance of IT is an important thing to think about. We can't underestimate the value of intellectual property. This means that there is something someone created or an organization created that has some value in the marketplace and, of course, they want to protect that. That's why certain laws are put into place and certain mechanisms are put into place to prevent intellectual property abuses. Things like copyrights, trademarks, patents. These are all examples of intellectual property protection.

We also have to think about data integrity. How do we know that the data that we are storing, transmitting, and processing has not been tampered with? There are many different ways to achieve this goal. The solutions are up to the owners of the data to some degree, or the owners of the organization. But the basic concept of making sure that the data is correct and has not been modified is what we're driving at here.

We have to think about mandatory controls. As it says here, this is the strongest type of control. A mandatory control could be an administrative thing to say that you are not allowed to take more than one hour for lunch. If you take more than one hour for lunch, you might be penalized. These could also be technical controls where you're not allowed to have a password that's less than eight characters. That's an enforced mandatory control. If you try to change your password and it's seven characters, you'll get a message saying that you need to try again because you haven't met the minimum standard. Two simple examples, really. The important point about mandatory controls is that the compliance is enforced without any kind of exceptions and without any kind of manual interaction as well. Mandatory controls should be something that is done automatically, if you will.

Then we have discretionary controls. These are things that are not as strong as mandatory controls. For instance, if you are a data owner, you own this data, you have some discretion as to who can access it. If you're a system owner, you have some discretion as to who can access your system. These are examples of some types of discretionary controls. I could put data on a thumb drive and give it to you and say that in my discretion, I'm allowing you to have this data. Once you've got that data, you can do whatever you want with it. Therefore, discretionary control is not very strong. It provides some protection, but only at the minimal level.

What about monitoring? I mentioned the concept of continuous monitoring in the earlier section. This is important to think about in all different types of scenarios. We want to basically have the idea of continuous monitoring of all of our security controls in a given organization. That means that if somebody is walking into a room without using their badge, maybe that's monitored through video cameras or through some other automated means. Maybe you're monitoring the fact that someone tried to change your administrator password in one of your systems and you get an automatic alert because of this. Maybe someone turns the system off or turns the system on and you've got controls that look for these things. Or you've got a screen lock that happens after 15 minutes. These are all ways to control the access to assets and resources.

We have incident response. This is a vital part of any organization. Being able to rely on monitored controls, for one thing: an intrusion detection system is a monitoring control. If the intrusion detection system or IDS discovers that someone's trying to hack into the network or doing a scan, then your incident response team should be able to get this information and react quickly and accordingly. Incident response is very important when your controls are failing, or maybe the controls are working, but there are still problems that are being detected because of some other activity.

We have to consider human resources. I already mentioned the value of doing background checks when you're hiring somebody, being able to verify that someone's credentials actually check out. I've personally seen several people over the years get hired for a job and then get removed from that job because they lied about something on their resume, or they did a background check on that person and it took some time for some information to come to light, and they find out, oh, this person has an arrest record, they can't work here any longer. That's an important aspect of what HR does in making sure the people that are in the organization are reliable and have integrity and have a right to be there.

What about when someone is terminated? This is also a very sticky situation sometimes. If someone gets fired, general best practice says that they need to be removed from the building as soon as possible. You hand in your badge, you turn in your laptop, and now everybody has to change all the passwords and that kind of thing. If somebody leaves voluntarily, all that same activity still happens, but it's more friendly, and typically, even when someone is fired, it should be done in as friendly a manner as possible so as not to cause further problems. Disgruntled employees attacking their former employers, that kind of thing, should be avoided, or can be avoided, if people are treated with some dignity and respect. When someone's terminated, whether it's hostile or non-hostile, sometimes exit interviews are conducted. What did you like about working here? What didn't you like? Did you like your manager? And so on. Those can be valuable tools for the organization to try to improve its internal HR processes and the way that it deals with its employees.

Employee contracts. These might be a bigger factor when you're a contractor or a consultant, or possibly if you are a member of a union. A lot of states have what's known as a right-to-work law, or they have hire-and-fire-at-will laws, which means that you can be hired or fired for any reason. That tries to provide some bridge between people that are being unfairly treated or discriminated against versus the employer's right to say you're just not doing a great job, we don't need you anymore. There are some complexities there that need to be understood if you are involved in any aspect of HR.

Typically, there are confidentiality agreements or non-disclosure agreements that might need to be signed by new employees or contractors. This is to protect both parties, to say that if you come in contact with sensitive information during the course of your duties, you're not going to sell this for personal gain, or share it with people, or share it with competitors of the organization. Those things should be enforceable with well-defined penalties. Same thing with non-competition agreements or non-competes. Especially when you're working in a contractor or consulting capacity, if you do a job for a client, typically there is some time period where you are not allowed to solicit business from that client on your own. That protects the company you're working for and protects the client from any shady dealings that might be going on.

Then we have the logical conclusion of some of these other items, which is ethics statements. The ethics statements are a method to convey what the organization expects from people that work for it. We have a very high moral standard here, we expect our employees to be truthful, and so on. If there is behavior that's unacceptable, it should be outlined in the ethics statement. Use the example in an earlier section about acceptable use of the internet. You're allowed to go read your personal email. You're allowed to do some online shopping during your lunch hour, but you're not allowed to go to pornography sites or gambling sites, or engage in hate speech or something. Those things should be clearly identified so that you can't claim at a later time that you didn't know it was incorrect to do so, because you were shown the documentation and you signed it. That's where they really come into their own as having a lot of value for the organization.

Some other things to think about: performance evaluations. There is some expectation that maybe on an annual or biannual or even a quarterly basis, some evaluation of performance will be done. This gives the employer and the employee a chance to have a conversation about how things are going and what might need to be done to improve performance or improve attitudes or productivity and so on.

A promotion policy should be clearly identified. It should not be something that is just done on an ad hoc basis. There should be some clear goals that are documented. That might not always be the case, but ideally that should be what we would expect. Knowing what this promotion policy is helps everybody work from the same page. If your goal is to get promoted, you should be able to clearly see what those goals are and what those steps are to get to that next level.

What about work schedules? This is something that HR needs to be aware of as far as proper documentation goes, making sure that everyone knows what the core working hours are, when the holidays are, when there are days that might be taken off for sick leave or accumulated vacation time. They should all be well-documented.

Then lastly, we have corrective counseling. If an employee is making a lot of mistakes or errors, there should be a process in place to address that, to pull them aside and say there are concerns about your performance. You're doing some things that are not acceptable. How can we fix this? That's what a mature organization would be doing.

Our next topic is continuity planning. I've already mentioned BCP and DRP as forms of continuity planning. But we have to think about it in the bigger picture as well. The disaster recovery objectives are very important, but there are other things that auditors need to pay attention to. Who's in charge when there's a problem? What happens with your investors or your customers? What happens with key personnel that need to perhaps commute to a site that's been damaged by disaster? Or having multiple ways to contact people in case the mobile phone network is down. Maybe emails and other alternatives, or pagers even. Some of these possibilities are worth thinking about. But this is all part of the continuity plan that should be created by the management of the organization. The auditor's job is to merely verify that various factors and details and components are part of the plan and that they are properly documented and that there's some testing going on.

Let's move on to performance management. What we're trying to do with performance management is identifying Key Performance Indicators or KPIs that can be used to keep track of how the business is doing. This can be measured in many different ways. It could be something like number of active customers, the number of new customers, profits, that's an obvious indicator. But it could also be things like how many trouble tickets have been closed within a 30-day window, or how many trouble tickets were opened in the last 24 hours. These are all indications of the general health of an organization. That information can be used in various different ways. Maybe it's posted to some dashboard for management to look at. The key underlying principle here is that we need to have meaningful metrics that are agreed upon so that those can be used in the future for making risk-based decisions and for understanding the health of the organization.

We also have to think about managing outsourcing. For instance, if you're using outsourced individuals for your accounting or software development, or a managed service for dealing with your systems and systems administration tasks. There's a point where the outsourced company has a lot of control over portions of the organization's infrastructure and that can be a legitimate concern. Maybe you're losing control over some of the processes to some degree. In many situations that's expected and normal. Cloud computing, for instance: if you're hosting all of your servers with a third-party provider, your only access is through a web browser or through some other type of internet connection. You just have to identify that as being the normal way that things are done in that context and adapt accordingly.

One of the more important things, though, especially as it relates to Cloud computing, is trying to preserve the right to audit an outsourced infrastructure. If you had a Cloud computing provider or you were doing some software development offshore, trying to get the right to audit that environment to make sure they have appropriate security controls, make sure that they're doing continuous monitoring, this would be an important consideration. Sometimes that might not be possible. It could be that the outsourcing company doesn't have the resources to support audit by the main company. In that case, they could give them something like the SAS-70, which is a standard format auditor's report, and that might give enough information to the auditor at the main organization to keep them happy, to say that, well, this appears to be being managed properly. They're doing everything they're supposed to be doing. But it's really preferable to ask for that right of audit and to get it. Put it into the contract documents so that it's definitely agreed upon by both parties.