5.1 Security Policies Flashcards
Security standards
A formal definition for using security technologies and processes
– Complete documentation reduces security risk
– Everyone understands the expectations
* These may be written in-house
– Your requirements may be unique
* Many standards are already available
– ISO (International Organization for Standardization)
– NIST (National Institute of Standards and Technology)
Password
What makes a good password?
– Every organization has its own requirements
– Create a formal password complexity policy
* Define acceptable authentication methods
– No local accounts, only LDAP to the AD database, etc.
* Create policies for secure password resets
– Avoid unauthorized resets and access
* Other password policies
– Password change frequency, secure password storage requirements, password manager options, etc.
Access control
How does an organization control access to data?
– Determine which information, at what time
– And under which circumstances
* Define which access control types can be used
– No discretionary, mandatory only, etc.
* Determine how a user gets access
– Require privilege documentation
* Document how access may be removed
– Security issue, expiration, contract renewals, etc.
Physical security
Rules and policies regarding physical security controls
– Doors, building access, property security
* Granting physical access
– Different for employees vs. visitors
* Define specific physical security systems
– Electronic door locks, ongoing monitoring, motion detection, etc.
* Additional security concerns
– Mandatory escorts, off-boarding, etc.
Encryption
Define specific standards for encrypting and securing data
– All things cryptographic
– Can include implementation standards
* Password storage
– Methods and techniques
* Data encryption minimums
– Algorithms for data in use, data in transit, and data at rest
– The minimums will probably differ for each data state
Change management
How to make a change
– Upgrade software, change firewall configuration, modify switch ports
* One of the most common risks in the enterprise
– Occurs very frequently
* Often overlooked or ignored
– Did you feel that bite?
* Have clear policies
– Frequency, duration, installation process, fallback procedures
* Sometimes extremely difficult to implement
– It’s hard to change corporate culture
Change control
A formal process for managing change
– Avoid downtime, confusion, and mistakes
* Nothing changes without the process
– Determine the scope of the change
– Analyze the risk associated with the change
– Create a plan
– Get end-user approval
– Present the proposal to the change control board
– Have a backout plan if the change doesn’t work
– Document the changes
Onboarding
Bring a new person into the organization
– New hires or transfers
* IT agreements need to be signed
– May be part of the employee handbook or a separate AUP
* Create accounts
– Associate the user with the proper groups and departments
* Provide required IT hardware
– Laptops, tablets, etc.
– Preconfigured and ready to go
Offboarding
All good things…
– But you knew this day would come
* This process should be pre-planned
– You don’t want to decide how to do things at this point
* What happens to the hardware?
* What happens to the data?
* Account information is usually deactivated
– But not always deleted
Playbooks
Conditional steps to follow; a broad process
– Investigate a data breach, recover from ransomware
* Step-by-step set of processes and procedures
– A manual checklist
– Can be used to create automated activities
* Often integrated with a SOAR platform
– Security Orchestration, Automation, and Response
– Integrate third-party tools and data sources
– Make security teams more effective
Monitoring and revision
IT security is constantly changing
– Processes and procedures also must change
* Update to security posture
– Tighter change control, additional playbooks
* Change to an individual procedure
– Update the playbooks, include additional checks
* New security concerns
– Protect against emerging threats
Governance structures
Boards
– A panel of specialists
– Often responsible for gathering information for a committee
* Committees
– Primary decision makers
– Consider the input from a board
– Determine next steps for the topic at hand
* Government entities
– A different kind of machine
– Legal concerns, administrative requirements, political issues
– Often open to the public
* Centralized/decentralized
– The source of the processes and procedures
– Centralized governance is located in one location with a group of decision makers
– Decentralized governance spreads the decision-making process around to other individuals or locations
Regulatory
Regulations are often mandated
– Security processes are usually a foundational consideration
– Logging, data storage, data protection, and retention
* Sarbanes-Oxley Act (SOX)
– The Public Company Accounting Reform and Investor Protection Act of 2002
* The Health Insurance Portability and Accountability Act (HIPAA)
– Extensive healthcare standards for storage, use, and transmission of healthcare information
Legal
The security team is often tasked with legal responsibilities
– Reporting illegal activities
– Holding data required for legal proceedings
* Security breach notifications
– A legal requirement in many jurisdictions
* Cloud computing can make this challenging
– Data moves between jurisdictions without human intervention
– The security team must follow legal guidelines
Industry
The industry may require specific security considerations
– Every market is a bit different
* Electrical power and public utilities
– Isolated and protected system controls
* Medical
– Highly secure data storage and access logs
– Data encryption and protection