5.3 Explain the importance of policies to organizational security. Flashcards
What is an acceptable use policy?
Detailed documentation on the rules and behavior for company assets.
Covers internet use, telephones, computers, mobile devices, etc.
Used to limit legal liability
What is least privilege?
Rights and permissions should be set to the bare minimum
– You only get exactly what’s needed to complete your objective
* All user accounts must be limited
– Applications should run with minimal privileges
* Don’t allow users to run with administrative privileges
– Limits the scope of malicious behavior
What are some ways to train users?
Gamification
– Score points, compete with others, collect badges
* Capture the flag (CTF)
– Security competition
– Hack into a server to steal data (the flag)
– Can involve highly technical simulations
– A practical learning environment
* Phishing simulation
– Send simulated phishing emails
– Make vishing calls
– See which users are susceptible to phishing attacks without being a victim of phishing
* Computer-based training (CBT)
– Automated pre-built training
– May include video, audio, and Q&A
– Users all receive the same training experience
What is an SLA?
Service Level Agreement (SLA)
– Minimum terms for services provided
– Uptime, response time agreement, etc.
– Commonly used between customers and service providers
MOU
Memorandum of Understanding (MOU)
– Both sides agree on the contents of the memorandum
– Usually includes statements of confidentiality
– Informal letter of intent; not a signed contract
MSA
Measurement system analysis (MSA)
– Don’t make decisions based on incorrect data!
– Used with quality management systems, i.e., Six Sigma
– Assess the measurement process
– Calculate measurement uncertainty
BPA
Business Partnership Agreement (BPA)
– Going into business together
– Owner stake
– Financial contract
– Decision-making agreements
– Prepare for contingencies
NDA
Non-disclosure agreement (NDA)
* Confidentiality agreement between parties
– Information in the agreement should not be disclosed
* Protects confidential information
– Trade secrets
– Business activities
– Anything else listed in the NDA
* Unilateral or bilateral (or multilateral)
– One-way NDA or mutual NDA
* Formal contract
– Signatures are usually required
What are some secure business policies?
- Job rotation
– Keep people moving between responsibilities
– No one person maintains control for long periods of time
- Mandatory vacations
– Rotate others through the job
– The longer the vacation, the better chance to identify fraud
– Especially important in high-security environments
- Separation of duties
– Split knowledge: No one person has all of the details
Half of a safe combination
– Dual control: Two people must be present to perform the business function
Two keys open a safe (or launch a missile)
- Clean desk policy
– When you leave, nothing is on your desk
– Limit the exposure of sensitive data to third parties
Supply chain assessment
Supply chain assessment
– Get a product or service from supplier to customer
– Evaluate coordination between groups
– Identify areas of improvement
– Assess the IT systems supporting the operation
– Document the business process changes
Data steward
– Manages the governance processes
– Responsible for data accuracy, privacy, and security
– Associates sensitivity labels to the data
– Ensures compliance with any applicable laws and standards
What are the primary data classifications?
Public
Private
Internal
Confidential
Restricted
Public data
Public data can be important but is accessible to the public. Since this data is openly shared, it is the lowest level of data classification, and its public nature makes it unnecessary to protect it from use by unauthorized actors.
Examples of public data include:
The names of companies and members of their executive team
Physical and email addresses
Press releases and promotional material
Company organizational charts and job descriptions
Private data
Private data requires a greater level of security than public data. This data should not be available for public access and is often protected through traditional security measures such as passwords. Compromised private data can pose a risk to an individual or an organization.
Private data can include:
Email addresses and other personal contact information
Employee identification numbers
Smartphone content
Personal email content
Restricted data
Restricted data is the classification used for an organization’s most sensitive information. Access to this data is strictly controlled to prevent its unauthorized use. It needs to be encrypted for additional protection. The loss of restricted data can severely impact an organization or the individuals whose information is compromised. Examples of restricted data are:
Protected health information (PHI) as defined by regulatory agencies
Financial and tax data
Information that is secured by confidentiality agreements
Intellectual property