3.5 Identify policies and best practices. Flashcards
Privileged user agreement
Network/system administrators have access to almost everything
Expected to use other non-privileged methods when appropriate
Limited to privileged access only for assigned job duties
Signed agreement acknowledges policies
Password policies
Written policy - expire every X days,
The recovery process should not be trivial! - formal process
On-boarding
Bring a new person into the organization - New hires or transfers
IT agreements need to be signed
Create accounts
Provide required IT hardware
Off-boarding
This process should be pre-planned
Account information is usually deactivated
Licensing restrictions
So many licenses
Availability - Everything works great when the license is valid
Integrity - A missing/bad license may cause problems with data integrity
International export controls
Equipment, information, data
Not only shipment of physical items
Dual-use software can be controlled - civilian and military use - Security software, malware, hacking tools
Check with legal team - don’t ship unless you’re sure
Data Loss Prevention (DLP)
Where’s your data? - Detailed policies needed to define what is allowed - How is sensitive data transferred? - Is the data encrypted? How?
DLP solutions can watch and alert on policy violations
Remote access policies
Easy to control internal communication - More difficult when people leave the building
Policy for everyone
Specific technical requirements - Encrypted connection, confidential credentials,
Security incidents
User clicks an email attachment and executes malware
Malware then communicates with external servers
DDoS
Botnet attack
Confidential information is stolen
User installs peer-to-peer software and allows external access to internal servers
Incident response policies
How is an incident identified? - Automated monitoring, personal account
How is the incident categorized? - Email issue, brute force attack, DDoS, etc.
Who responds to an incident? - Large list of predefined contacts
What process is followed? - Formal process needs to be created prior to the incident
BYOD
Bring Your Own Device or Bring Your Own Technology
Employee owns the device that meets company’s requirements
Difficult to secure - how to protect data
Acceptable use policies (AUP)
What is acceptable use of company assets? - Detailed documentation
Covers many topics - Internet use, telephones, computers, mobile devices, etc.
Used by an organization to limit legal liability - If someone is dismissed, these are the well-documented reasons why
Non-disclosure agreement
NDA (Non-disclosure agreement)
Confidentiality agreement / Legal contract
Prevents the use and dissemination of confidential information
Internal
Protect the organization’s private and confidential information
Part of employee security policies