5.3 Explain the Importance Of Policies to Organizational Security Flashcards

1
Q

Personnel

A

Personnel accounts could use a shared account, where all members of the customer service team use the same account to email customers. The downside of this is that you cannot audit or monitor individual users. The other type of personnel account is the user account, which should be subjected to the principle of least privilege.

2
Q

Acceptable Use Policy (AUP)

A

The purpose of the AUP is to let employees or contractors know what they can or cannot do with company computers and BYOD devices. It lays out the practices relating to how you can access the company network and the internet. It also outlines practices that are forbidden, such as using blogs and social media sites such as Facebook or Twitter while at work or installing pirated software.

3
Q

Job Rotation

A

Job rotation is used for two main reasons – the first is so that all staff can be trained in all aspects of the jobs in the company. Employees may change departments every 6 months; this way, they get a better training experience. The second reason is that by rotating jobs, any theft or fraudulent activities can be discovered by the new person coming in.

4
Q

Mandatory Vacations

A

Mandatory vacations help detect whether an employee has been involved in fraudulent activities by forcing them to take holidays of a week or more. When people are involved in fraudulent activities, they tend not to take many holidays so that the fraud cannot be discovered. This is especially rife in jobs in which people have fiscal trusts, such as someone working in finance or someone who can authorize credit card payments.

5
Q

Separation of Duties

A

Separation of duties is having more than one person participate in completing a task; this is an internal control to prevent fraud or error. Say a single person worked in the finance department, collects all money coming in, and authorizes all the payments being paid out. This could lead to fraud or theft. This would be better if there were two distinct finance jobs, where one person received money and another authorized payments, preventing embezzlement. A charity in the United Kingdom was defrauded out of £1.3 million over a period of 6 years this way. Separation of duties aims to have no one person doing the entirety of a task.

6
Q

Least Privilege Policy

A

This policy states that access to data should be restricted and that employees should be given the minimum access required for them to perform their job. In the military, it is known as the need-to-know principle, where if you don’t need access, then you have no access.

7
Q

Clean-Desk Policy

A

A clean-desk policy (sometimes known as a clear-desk policy) is a company policy that specifies that employees should clear their desks of all papers at the end of each day. This prevents the cleaning staff or anyone else from reading those papers.

8
Q

Background Checks

A

Completing background checks on new employees may involve looking into criminal records and employment and education history, as well as driving license and credit checks. This is to ensure that what the person has stated on their CV (or resume) is correct. More stringent background checks are needed for those working with children or handling finances.

9
Q

Non-Disclosure Agreement (NDA)

A

An NDA is a legally binding contract made between an employee or a business partner, where they promise not to disclose trade secrets to others without proper authorization. The reason for this is to stop trade secrets or proprietary information from being sold on to competitors.

10
Q

Social Media Analysis

A

We need a good company policy on what we post on social media as we need to prevent useful information from being accessed by attackers.

11
Q

On-Boarding Policy

A

Companies can allow a Bring Your Own Device (BYOD) policy for employees, and part of that process is carrying out on-boarding and off-boarding. An on-boarding policy states that any device must be checked for viruses, and any application that could cause damage to the company’s network should be removed before the device is given access to the network. If someone fails to carry out onboarding properly, then the company could be infected by a virus.

12
Q

Off-Boarding Policy

A

When someone leaves your company, the business data used on their BYOD devices needs to be removed before departure. If off-boarding is not carried out properly, an ex-employee could leave with company business data on their device.

13
Q

User Training

A

User training is vital to reducing the risk of being exploited by cybercriminals. (In the next section, we are going to look at different types of user training, starting by looking at the diversity of training techniques.) Exam Tip: If you install pirated software onto a company computer, then you are in violation of the AUP.

14
Q

Computer-Based Training (CBT)/Gamification

A

This is where employees watch a video and are given questions after each section of the video to ensure that they understand the training. This is a form of gamification.

15
Q

Capture the Flag

A

These events are where red team members (posing as attackers) will have an exploitation-based exercise or blue team members (defenders) will have a threat that they need to deal with. Each member tackles their particular exercises, achieving one objective at a time until they meet their overall aim (which is known as capturing the flag). At this point, they can move on to another level of the exercise. Once they have completed a sufficient number of levels, they are fit to join their relevant teams.

16
Q

Phishing Campaigns/Simulations

A

Here the company sends phishing emails to their employees to see how they react. Personnel who fall victim to them are then given remedial training on phishing attacks.

17
Q

Role-Based Training

A

Here the company carries out security awareness training and ensures that all employees are sufficiently trained for their job roles. Exam Tip: Capture the Flag exercises help to train both red and blue team members. They complete tasks and every completion of a task moves them up one level at a time. When all of the training is complete, this is known as capturing the flag.

18
Q

Diversity of Training Techniques

A

Due to the increase in the number and sophistication of different types of attacks, companies must provide a diverse range of user security training and regular seminars. User training is vital to reducing the risk of being exploited by cybercriminals, and we are going to look at different types of user training here. Let’s start by looking at Capture the Flag.

19
Q

Third-Party Risk Management

A

Companies use a vast amount of third parties either for software or to provide a service, and since we do not control those third parties, we need to carry out risk assessments that look at the way we interact with those companies.

20
Q

Vendors

A

When you purchase software, you must ensure that it is from a reputable vendor because if the vendor cannot be trusted, they could be installing malware such as remote access trojans or spyware with the software. They could also have a backdoor built-in. The more you integrate the products from a single vendor, the more you are reliant on them. If they go bankrupt, it could leave you vulnerable.

21
Q

Supply Chain

A

Your supply chain comprises the companies that you rely on to provide the materials you need to carry out business functions or make a product for sale. Let’s say that you are a laptop manufacturer, and Company A provides the batteries and Company B provides the power supplies. If either of these companies runs short of batteries or power supplies, it stops you from manufacturing and selling your laptops. They could also be sub-contractors or carry out different types of maintenance.

22
Q

Business Partners

A

A Business Partnership Agreement (BPA) is used between two companies who want to participate in a business venture to make a profit. It sets out how much each partner should contribute, their rights and responsibilities, the rules for the day-to-day running of the business, who makes the decisions, and how the profits are shared. It also has rules for the partnership ending either at a given point or if one of the partners dies or moves on.

23
Q

Service Level Agreement (SLA)

A

An SLA is a contract between a service provider and a company receiving the service. The agreement specifies either a fix or a response within a certain period of time and is measured by metrics.

24
Q

Memorandum of Understanding (MOU)

A

An MOU is a formal agreement between two or more parties. MOUs are stronger than a gentlemen’s agreement and both parties must be willing to make a serious commitment to each other, but they are not legally binding.

25
Q

Measurement Systems Analysis (MSA)

A

MSA is a process wherein systems are evaluated by the collection of statistics to ensure that the quality of the systems is effective.

26
Q

Business partnership agreements (BPA)

A

Business Partners: A Business Partnership Agreement (BPA) is used between two companies who want to participate in a business venture to make a profit. It sets out how much each partner should contribute, their rights and responsibilities, the rules for the day-to-day running of the business, who makes the decisions, and how the profits are shared. It also has rules for the partnership ending either at a given point or if one of the partners dies or moves on.

27
Q

End of Life (EOL)

A

This is where a vendor stops selling a product and the availability of replacement parts and technical support is limited. Warranties are still honored.

28
Q

End of Service Life (EOSL)

A

This is where the vendor believes that the product has reached the end of its usefulness, maybe due to a new version of the product being released. They will not commit any more time or resources to maintain the product. Users can still use the product but must take into consideration that there will be no more security updates or technical support available from the vendor. This will mean that over time, such products will become vulnerable and pose a huge security risk to any company still using them. Exam Tip: An SLA lays down how quickly a supplier should respond to an incident such as a failed printer. It is measured using metrics.

29
Q

Non-Disclosure Agreement (NDA)

A

An NDA is a legally binding contract made between an employee or a business partner where they promise not to disclose trade secrets to others without proper authorization. The reason for this is to stop trade secrets or proprietary information from being sold on to competitors.

30
Q

Data

A

Data is one of the most important assets that a company has, and it is important to ensure that policies are in place to ensure that it is classified, handled, stored, and disposed of in accordance with regulations such as GDPR or HIPAA.

31
Q

Classification

A

This is the process of labeling data with relevant classifications, so that we know if it is top secret, secret, confidential, or sensitive data. The classification determines how the data is handled.

32
Q

Governance

A

Data governance is the oversight and management that describes the security controls that are applied at each stage of the data-handling process, from creation to destruction. These procedures detail the processes used to manage, store, and dispose of data to ensure that you are compliant.

33
Q

Retention

A

Companies do not want to hold data any longer than they need to, as it reduces their liability; however, they may have to keep data in an archive after its usefulness to remain compliant. An example of this is medical data in the UK, which needs to be retained for 25 years.

34
Q

Credential Policies

A

Credentials must be kept safe to prevent unauthorized access to systems; therefore, it is vital that policies are in place to prevent vulnerabilities and unauthorized access. Let’s look at the policies we need to put in place, starting with personnel-related policies.

35
Q

Personnel

A

Personnel accounts could use a shared account, where all members of the customer service team use the same account to email customers. The downside of this is that you cannot audit or monitor individual users. The other type of personnel account is the user account, which should be subjected to the principle of least privilege.

36
Q

Third-Party

A

A third-party credential could be a SAML token given by a cloud provider or a Security as a Service (SECaaS) vendor, where the cloud provider manages your identity management. If we are doing remote administration, we could use SSH keys for Secure Shell, where the public key is installed on the target server.

37
Q

Devices

A

Devices have generic accounts with default password settings. As soon as you purchase a device, you need to change the default settings, as these are published on websites. Please go to https://cirt.net/passwords to see these passwords.

38
Q

Service Accounts

A

Service accounts are used to run applications such as anti-virus. They can run as local service accounts with the same rights as a user. A system account gives you a higher level of privilege, giving you full control.

39
Q

Administrator/Root Accounts

A

Administrative and root accounts in Linux need to be protected as they allow you to install software, make configuration changes, and access any file. These accounts should be restricted to a few IT personnel. When we install new systems, we need to ensure that we change the default account settings. The root account in Linux is called superuser and is not restricted; this account should not be used unless it is absolutely necessary. The administrator should have two accounts: a normal user account for day-to-day use and an admin account for administrative duties.

40
Q

Organizational Policies

A

Organizational policies need to be in place to deal with changes in technology, risk, or security to maintain a secure working environment. Let’s look at some of these policies, starting with change management.

41
Q

Change Management

A

When an audit is carried out and reports show that the controls in place are not secure enough, we either implement change management or write a new policy. A new policy changes an entire process, and change management amends existing processes.

42
Q

Change Control

A

Change control is the process by which someone requests a change to an existing control from those managing its implementation. Let’s say that management would like to know about the financial benefits of a change, and the savings that would be gained either in labor time or monetary value. Such changes need to be sent to the Change Advisory Board (CAB) to ensure that they are beneficial to the company.

43
Q

Asset Management

A

This is a process where each asset that belongs to the company has been tagged and is recorded in an asset register. Annual audits need to be carried out to ensure that all assets are accounted for. It will also help to identify unauthorized devices on your network.