580 likes | 837 Views
Operational and Organizational Security. Chapter 3. Objectives. Identify various operational aspects to security in your organization. Identify various policies and procedures in your organization. Identify the security awareness and training needs of an organization.
E N D
Operationaland Organizational Security Chapter 3
Objectives • Identify various operational aspects to security in your organization. • Identify various policies and procedures in your organization. • Identify the security awareness and training needs of an organization. • Understand the different types of agreements employed in negotiating security requirements.
Key Terms (1 of 2) • Acceptable use policy (AUP) • Account disablement • Account lockout • Business partnership agreement (BPA) • Due care • Due diligence • Guidelines • Incident response policy • Interconnection security agreement (ISA) • Memorandum of understanding (MOU) • Nondisclosure agreement (NDA)
Key Terms (2 of 2) • Policies • Procedures • Security policy • Service level agreement (SLA) • Standard operating procedure • Standards • User habits
Policies, Procedures, Standards,and Guidelines (1 of 3) • Policies – high-level, broad statements of what the organization wants to accomplish • Made by management when laying out the organization’s position on some issue • Procedures – step-by-step instructions on how to implement policies in the organization • Describe exactly how employees are expected to act in a given situation or to accomplish a specific task
Policies, Procedures, Standards,and Guidelines (2 of 3) • Standards– mandatory elements regarding the implementation of a policy • Accepted specifications providing specific details on how a policy is to be enforced • Possibly externally driven • Guidelines– recommendations relating to a policy • Key term: recommendations • Not mandatory steps
Policies, Procedures, Standards,and Guidelines (3 of 3) • Four steps of the policy lifecycle • Plan (adjust) for security in your organization. • Develop the policies, procedures, and guidelines • Implement the plans. • Includes an instruction period • Monitor the implementation. • Ensure effectiveness • Evaluate the effectiveness. • Vulnerability assessment and penetration test
Security Policies • Security policy – a high-level statement produced by senior management • Outlines both what security means to the organization and the organization’s goals for security • Main security policy broken down into additional policies covering specific topics • Should include other policies • Change management, data policies, human resources policies
Change Management Policy • Change management ensures proper procedures followed when modifications to the IT infrastructure are made. • Modifications prompted by a number of different events • “Management” implies process controlled in some systematic way. • Change management process includes various stages: • Request change, review and approve process, examine consequences, implement change, document process
Data Policies (1 of 8) • Data can be shared for the purpose of processing or storage. • Control over data is a significant issue in third-party relationships. • Who owns the data?
Data Policies (2 of 8) • Data ownership • Data requires a data owner. • Data ownership roles for all data elements need to be defined in the business. • Data ownership is a business function. • The requirements for security, privacy, retention, and other business functions must be established. • Not all data requires the same handling restrictions, but all data requires these characteristics to be defined. • This is the responsibility of the data owner.
Data Policies (3 of 8) • Unauthorized data sharing • Unauthorized data sharing can be a significant issue, and in today’s world, data has value and is frequently used for secondary purposes. • Ensuring that all parties in the relationship understand the data-sharing requirements is an important prerequisite. • Ensuring that all parties understand the security requirements of shared data is important.
Data Policies (4 of 8) • Data backup requirements involve: • Determining level of backup, restore objectives,and level of protection requirements • Can be defined by the data owner and then executed by operational IT personnel • Determining the backup responsibilities and developing the necessary operational procedures to ensure that adequate backups occur are important security elements.
Data Policies (5 of 8) • Classification of information • Needed because of different importance or sensitivity • Factors affecting information classification • Value to the organization, age, and laws or regulations governing protection • Most widely known classification system – U.S. government • Confidential, Secret, and Top Secret • Business classifications • Publicly Releasable, Proprietary, Company Confidential, and For Internal Use Only
Data Policies (6 of 8) • Data labeling, handling, and disposal • Data labeling enables an understanding of level of protection required. • For data inside an information-processing system: • Protections should be designed into the system • Data outside system require other means of protection. • Training ensures labeling occurs and is used and followed. • Important for users whose roles are impacted by the material • Important for proper data handling and disposal
Data Policies (7 of 8) • Need to know goes hand-in-hand with least privilege. • Guiding factor is that: • Each individual supplied absolute minimum amount of information and privileges needed to perform work • Access requires justified need to know. • Policy should spell out these two principles: • Who in the organization can grant access to information • Who can assign privileges to employees
Data Policies (8 of 8) • Disposal and destruction policy • Important papers should be shredded. • Delete all files and overwrite data on magnetic storage data before discarding. • Destroy data magnetically using a strong magnetic field to degauss the media. • File off magnetic material from the surface of a hard drive platter. • Shred floppy media, CDs and DVDs. • Best practice is to match the action to the risk level.
Password and Account Policies (1 of 4) • Average user has 20 passwords • Password complexity should include • Minimum length • Uppercase • Lowercase • Numerals • Non-alphabetic characters
Password and Account Policies (2 of 4) • Account expiration • Should occur when a user is no longer authorized on a given system • Manager should notify Human Resources (HR) • Account recovery • Can be serious, especially if an administrator password is lost • Need a recovery plan
Password and Account Policies (3 of 4) • Account disablement • Preferable to removal because removal might result in permission and ownership problems • Account lockout • Temporary disablement (e.g., if user tries to log on too many times) • Password history • Should prevent users from reusing prior passwords
Password and Account Policies (4 of 4) • Password reuse • Not a good idea • Password length • At least 10 characters, with 12 preferable • Protection of Passwords • Should prevent users from writing down or sharing
Human Resources Policies (1 of 14) • Humans are the weakest link in security chain. • Three policies are needed: • Policy for hiring of individuals • Policy to keep employees from “disgruntled” category • Policy to address employees leaving organization • Security must be considered in all policies.
Human Resources Policies (2 of 14) • Code of ethics • Describes expected behavior at highest level • Sets tone for how employees act and conduct business • Code inclusions • Demand honesty from employees • Demand employees perform all activities in a professional manner • Address principles of privacy and confidentiality • State how employees treat client and organizational data • Cover how to handle conflicts of interests
Human Resources Policies (3 of 14) • Job rotation • By rotating jobs, individuals get a better perspective on how various parts of IT can enhance or hinder the business • Rotating individuals through security positions can result in a much wider understanding throughout the organization about potential security problems. • A benefit is that the company does not have to rely on any one individual too heavily for security expertise. • Separation of duties no individual can conduct transactions alone
Human Resources Policies (4 of 14) • Employee hiring and promotions • Policies should ensure organization hires the most capable and trustworthy employees. • Policies should minimize the risk that the employee will ignore company rules and affect security. • Periodic reviews by supervisory personnel, additional drug checks, and monitoring of activity during work • Policy should handle employee’s status change. • Especially if construed as negative • If employee promoted, privileges may still change
Human Resources Policies (5 of 14) • Retirement, separation, or termination of an employee • Employee announced retirements – limit access to sensitive documents when employee announces their intention. • Forced retirement – determine risk if employee becomes disgruntled. • New job offer – carefully consider continued access to sensitive information. • Termination – assume he is or will become disgruntled.
Human Resources Policies (6 of 14) • Exit interviews are a powerful tool for collecting information when people leave a firm • On-boarding/off-boarding business partners • Agreements tend to be fairly specific with respect to terms associated with mutual expectations associated with the process of the business. • Important considerations prior to the establishment of the relationship include: • On-boarding and off-boarding processes • Data retention and destruction by the third party
Human Resources Policies (7 of 14) • Adverse reactions • How to deal with employees who violate policies • Mandatory vacations • Employee who never takes time off might be involved in nefarious activity. • Requiring mandatory vacations serves as a security protection mechanism. • Tool to detect fraud • Necessity of a second person familiar with security procedures to fill in while employee on vacation
Human Resources Policies (8 of 14) • Social media networks • Considered a form of third party • Challenge of terms of use as there is no negotiated set of agreements with respect to requirements • Only option is to adopt provided terms of service
Human Resources Policies (9 of 14) • Acceptable use policy (AUP) • AUP outlines what the organization considers to be the appropriate use of company resources, such as computer systems, e-mail, Internet access, and networks. • Goal is to ensure employee productivity while limiting organizational liability through inappropriate use of the organization’s assets. • Policy clearly delineates what activities are not allowed. • It states if the organization considers it appropriate to monitor the employees’ use of the systems and network.
Human Resources Policies (10 of 14) • Internet usage policy • Goal: ensure maximum employee productivity and to limit potential liability to the organization from inappropriate use of the Internet in a workplace • Address what sites employees allowed and not allowed to visit • Spell out the acceptable use parameters • Describe circumstances an employee allowed to post something from the organization’s network on the Web • Need procedure to post the object or message
Human Resources Policies (11 of 14) • E-mail usage policy • Specifies what the company allows employees to send in, or as attachments to, e-mail messages • Spells out whether nonwork e-mail traffic allowed • Describes type of message considered inappropriate to send • Specifies disclaimers that must be attached to an employee’s message sent to an individual outside the company • Reminds employees of the risks of clicking on links in e-mails, or opening attachments
Human Resources Policies (12 of 14) • Clean desk policy • Specifies that sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian • Identifies and prohibits things that are not obvious upon first glance, such as passwords on sticky notes underkeyboards and mouse pads or in unsecured desk drawers • Training for clean desk activities making the issue a personal one
Human Resources Policies (13 of 14) • Bring your own device (BYOD) policy • Primary purpose • Lower risk associated with connecting a wide array of personal devices to a company’s network and accessing sensitive data on them. • Center element of a BYOD policy • Security, in the form of risk management • Device requirements • Must be maintained in a current, up-to-date software posture, and with certain security features
Human Resources Policies (14 of 14) • Privacy policy • Explains guiding principles in guarding personal data to which organizations are given access • Personally identifiable information (PII) • Includes any data that can be used to uniquely identify an individual • Name, address, driver’s license number, and other details • Necessary measures taken by company • Ensure data is protected from compromise
Due Care and Due Diligence • Due care generally refers to the standard of care a reasonable person is expected to exercise in all situations. • Due diligence generally refers to the standard of care a business is expected to exercise in preparation for a business transaction. • The standard applied—reasonableness—is extremely subjective and often is determined by a jury. • Many sectors have a set of “security best practices.”
Due Process • Due process is concerned with guaranteeing fundamental fairness, justice, and liberty in relation to an individual’s legal rights. • Individual’s rights outlined by Constitution and Bill of Rights • Procedural due process uses concept of “fair”. • Courts recognize series of rights embodied by the Constitution. • Organizational due process occurs in administrative actions adversely affecting employees.
Incident Response Policies and Procedures • Incident response policy and associated procedures • Developed to outline how the organization will prepare for security incidents and respond to them when they occur • Designed in advance • Should cover five phases: • Preparation, detection, containment and eradication, recovery, and follow-up actions
Security Awareness and Training • Programs enhance an organization’s security posture. • Teach personnel how to follow the correct set of actions to perform their duties in a secure manner • Make personnel aware of the indicators and effects of social engineering attacks • Properly trained employees perform duties in a more effective manner. • Security awareness programs and campaigns include: • Seminars, videos, posters, newsletters, similar materials • Fairly easy to implement and not very costly
Security Policy Training and Procedures • Personnel need training with respect to the tasks and expectations to perform complex tasks. • Applies to security policy and operational security details • Use refresher training for periodic reinforcement. • Collection of policies should paint a picture describing the desired security culture of the organization. • Security policy– high-level directive • Second-level policies– password, access, information handling, and acceptable use policies
Role-based Training • Training needs to be targeted to the user with regardto their role in the subject of the training. • Role-based training is an important part of information security training. • Applies to: • Data Owner - User • System Administrator - Privileged User • System Owner - Executive User
Compliance with Laws, Best Practices,and Standards (1 of 2) • Wide array of laws, regulations, contractual requirements, standards, and best practices associated with information security. • Organization must build them into their own policies and procedures.
Compliance with Laws, Best Practices,and Standards (2 of 2) • External requirements impart a specific training and awareness component upon the organization. • Payment Card Industry Data Security Standard (PCI DSS), Gramm Leach Bliley Act (GLBA), or Health Insurance Portability Accountability Act (HIPAA)
User Habits • User habits are a front-line security tool in engaging the workforce to improve the overall security posture of an organization. • Individual user responsibilities vary between organizations and the type of business in which each organization is involved. • There are certain very basic responsibilities that all users should be instructed to adopt.
Training Metrics and Compliance • Requirements for maintaining a trained workforce • Record-keeping system measuring compliance with attendance and the effectiveness of the training • Follow up and gather training metrics • Challenges • Maintaining active listing of training and retraining • Monitoring the effectiveness of the training; measuring effectiveness by actual impact on employee behavior • Standard operating procedures • Mandatory step-by-step instructions
Interoperability Agreements (1 of 5) • Many business operations involve actions between many different parties. • Actions require communication between the parties. • Define the responsibilities and expectations of the parties • Define business objectives • Define environment within which the objectives will be pursued • Written agreements used to ensure agreement is understood between the parties.
Interoperability Agreements (2 of 5) • Service level agreements (SLA) • Contractual agreements between entities that describe specified levels of service that the servicing entity agrees to guarantee for the customer • SLA rules • Describe entire set of product or service functions in sufficient detail that their requirement will be unambiguous • Provide a clear means of determining whether a specified function or service has been provided at the agreed-upon level of performance
Interoperability Agreements (3 of 5) • Business partnership agreement (BPA) • Legal agreement between partners establishing the terms, conditions, and expectations of the relationship between the partners • Sharing of profits and losses, the responsibilities of each partner, the addition or removal of partners, and any other issues • Uniform Partnership Act (UPA) • Lays out uniform set of rules associated with partnerships to resolve any partnership terms • Designed as “one size fits all”
Interoperability Agreements (4 of 5) • Memorandum of understanding (MOU) • Legal document used to describe a bilateral agreement between parties • Written agreement expressing a set of intended actions between the parties with respect to some commonpursuit or goal • More formal and detailed than a simple handshake • Generally lacks the binding powers of a contract • Common to find between different units within an organization to detail expectations associated with the common business interest
Interoperability Agreements (5 of 5) • Interconnection security agreement (ISA) • These are specialized agreement between organizations that have interconnected IT systems. • Purpose is to document the security requirements associated with the interconnection. • ISA as part of an MOU • ISA can detail specific technical security aspects of a data interconnection. • Nondisclosure Agreements (NDAs) – explain the boundaries of corporate secret material