5.3 Explain the Importance Of Policies to Organizational Security Flashcards
Personnel
Personnel accounts could use a shared account, where all members of the customer service team use the same account to email customers. The downside of this is that you cannot audit or monitor individual users. The other type of personnel account is the user account, which should be subjected to the principle of least privilege.
Acceptable Use Policy (AUP)
The purpose of the AUP is to let employees or contractors know what they can or cannot do with company computers and BYOD devices. It lays out the practices relating to how you can access the company network and the internet. It also outlines practices that are forbidden, such as using blogs and social media sites such as Facebook or Twitter while at work or installing pirated software.
Job Rotation
Job rotation is used for two main reasons. The first is so that all staff can be trained in all aspects of the jobs in the company. Employees may change departments every 6 months; this way, they get a better training experience. The second reason is that by rotating jobs, any theft or fraudulent activities can be discovered by the new person coming in.
Mandatory Vacations
Mandatory vacations help detect whether an employee has been involved in fraudulent activities by forcing them to take holidays of a week or more. When people are involved in fraudulent activities, they tend not to take many holidays so that the fraud cannot be discovered. This is especially rife in positions of fiscal trust, such as someone working in finance or someone who can authorize credit card payments.
Separation of Duties
Separation of duties is having more than one person participate in completing a task; this is an internal control to prevent fraud or error. Say a single person working in the finance department collects all money coming in and authorizes all the payments going out. This could lead to fraud or theft. It would be better if there were two distinct finance jobs, where one person receives money and another authorizes payments, preventing embezzlement. A charity in the United Kingdom was defrauded out of £1.3 million over a period of 6 years this way. Separation of duties aims to have no one person doing the entirety of a task.
Least Privilege Policy
This policy states that access to data should be restricted and that employees should be given the minimum access required for them to perform their job. In the military, it is known as the need-to-know principle, where if you don’t need access, then you have no access.
Clean-Desk Policy
A clean-desk policy (sometimes known as a clear-desk policy) is a company policy that specifies that employees should clear their desks of all papers at the end of each day. This prevents the cleaning staff or anyone else from reading those papers.
Background Checks
Completing background checks on new employees may involve looking into criminal records and employment and education history, as well as driving license and credit checks. This is to ensure that what the person has stated on their CV (or resume) is correct. More stringent background checks are needed for those working with children or handling finances.
Non-Disclosure Agreement (NDA)
An NDA is a legally binding contract made between a company and an employee or a business partner, where they promise not to disclose trade secrets to others without proper authorization. The reason for this is to stop trade secrets or proprietary information from being sold on to competitors.
Social Media Analysis
We need a good company policy on what employees post on social media, as we need to prevent useful information about the company from being gathered by attackers.
On-Boarding Policy
Companies can allow a Bring Your Own Device (BYOD) policy for employees, and part of that process is carrying out on-boarding and off-boarding. An on-boarding policy states that any device must be checked for viruses, and any application that could cause damage to the company’s network should be removed before the device is given access to the network. If someone fails to carry out on-boarding properly, then the company could be infected by a virus.
Off-Boarding Policy
When someone leaves your company, the business data held on their BYOD device needs to be removed before departure. If off-boarding is not carried out properly, an ex-employee could leave with company business data on their device.
User Training
User training is vital to reducing the risk of being exploited by cybercriminals. (In the next section, we are going to look at different types of user training, starting by looking at the diversity of training techniques.)
Exam Tip: If you install pirated software onto a company computer, then you are in violation of the AUP.
Computer-Based Training (CBT)/Gamification
This is where employees watch a video and are given questions after each section of the video to ensure that they understand the training. This is a form of gamification.
Capture the Flag
These events are where red team members (posing as attackers) will have an exploitation-based exercise or blue team members (defenders) will have a threat that they need to deal with. Each member tackles their particular exercises, achieving one objective at a time until they meet their overall aim (which is known as capturing the flag). At this point, they can move on to another level of the exercise. Once they have completed a sufficient number of levels, they are fit to join their relevant teams.
Phishing Campaigns/Simulations
Here the company sends phishing emails to their employees to see how they react. Personnel who fall victim to them are then given remedial training on phishing attacks.
Role-Based Training
Here the company carries out security awareness training and ensures that all employees are sufficiently trained for their job roles.
Exam Tip: Capture the Flag exercises help to train both red and blue team members. They complete tasks, and every completion of a task moves them up one level at a time. When all of the training is complete, this is known as capturing the flag.