Anki - Organization Security 3

Question 1

What is Personnel Management?

Answer 1

The practice of ensuring all of an organization’s internal and external personnel complies with policy.

Question 2

What are the three phases of a Personnel Management Policy?

Answer 2

Recruitment
Operation
Termination

Question 3

What department is tasked with managing personnel?

Answer 3

HR

Question 4

What are some operational policies of personnel management?

Answer 4

Communication of policies to employees E.g.

• Privilege management
• Data handling
• Incident response
• Also enforcement of disciplinary measures

Question 5

What are 5 security tasks when onboarding a new employee?

Answer 5

1. Background check
2. Identity and access management (IAM)
3. Sign an NDA
4. Asset allocation (laptop)
5. Training/policies

Question 6

What is Separation of Duties?

Answer 6

Separation of duties states that no one person should have too much power or responsibility.

It is a way to protect against inside threats.

Question 7

What is Shared Authority? What is it an example of?

Answer 7

No single user is able to make changes on their own. At least two people must authorize the change.

An example of a Separation of Duties Policy.

Question 8

What is Least Privilege? What is it an example of?

Answer 8

A user is granted sufficient rights to perform their job and no more. For critical tasks, duties are divided between several people.

An example of a Separation of Duties Policy.

Question 9

What are mandatory vacations? Why are they useful?

Answer 9

Forced vacations - they are useful to discover any discrepancies in employee activity once they are away.

Question 10

What is job rotation? Why is it useful?

Answer 10

Employees must rotate job roles.

E.g. Firewall Administrator or Access Control Specialist.

Prevents abuse of power, reduces boredom and enhances employee’s skills!

Question 11

What are the three processes for off-boarding an employee?

Answer 11

• IAM - Disable user account and privileges
• Retrieve company assets - keys, laptops etc.
• Wipe personal assets of company data

Maybe also change credentials to shared security systems, if that person had access.

Question 12

What is a conduct policy?

Answer 12

A policy that defines employee conduct and respect for privacy.

Question 13

What is an AUP?

Answer 13

Acceptable Use Policy, or Fair Use Policy sets what someone is allowed to use a particular service or resource for.

E..g what a company laptop may be used for.

Question 14

How can allowing employees unrestricted access to the internet in a workplace be a problem?

Answer 14

Use of social networking and file sharing can put an organization at risk of:

• virus infection
• systems intrusion
• lost work time
• copyright infringement
• defamation

The organization could be liable.

Question 15

What should be included in an employee’s handbook?

Answer 15

What browser/email/social networking/P2P software is permitted for personal use.

And what penalties exist.

Question 16

What are some issues with allowing personally owned devices or software in the workplace?

Answer 16

• Data loss
• Transport mechanism for malware
• Software license violations

Question 17

What is a clean desk policy?

Answer 17

Employees desk must be free from documents to prohibit sensitive info being obtained by unauthorized staff or guests.

Challenging with whiteboard/flow charts etc.

Question 18

What are the three categories of acceptable workplace surveillance of employees?

Answer 18

• Security Assurance
• Monitoring Data
• Physical Monitoring

Question 19

What is Security Assurance when referring to workplace surveillance?

Answer 19

Monitoring of data communications and employee behavior e.g. Check emails, CCTV to prevent theft

Question 20

What is Monitoring Data when referring to workplace surveillance?

Answer 20

Analyzing data communications to measure an employee’s productivity. E.g. Call center might track call frequency and duration

Question 21

What is Physical Monitoring when referring to workplace surveillance?

Answer 21

Recording employee’s movement and behavior within workplace. E.g. Drug testing, CCTV

Question 22

How should an organization handle an employee’s policy violation?

Answer 22

Follow a predefined incident response procedure

• Assess if accidental or intentional
• Determine severity
• Decide on disciplinary action or re-training
• If serious, perform a forensic investigation

Question 23

What could happen if an employee faces disciplinary action/termination as a result of a policy violation?

Answer 23

Adverse Action - the employer is accused of discriminating against employee.

To prevent this, the policy violation must be backed up by evidence, and must be shown that the same policy applies equally to all employees.

Question 24

Why is Software License Compliance important?

Answer 24

• Availability, Software vendor may suspend all licenses that are non-compliant
• Integrity, exposes an org to large fines/penalties

Question 25

What are MLAs?

Answer 25

Master License Agreements (MLAs)

Question 26

What things should be frequently audited for software license compliance?

Answer 26

Any field devices - laptops, smartphones, tablets

Clients/Servers or VMs

Question 27

What is an SLC audit?

Answer 27

Software License Compliance Audit

Where the vendor (or a third party) may access a company’s systems to audit license usage.

Question 28

Why is it important to comply with Open Source Licensing?

Answer 28

Open source code has specific licenses, and the final product that uses the code must adhere.

Question 29

What is Client Access Type Licensing? What are the drawbacks.

Answer 29

Software licensing purchased on a per-seat or per-user model.

Companies may over-allocate seats and break the license agreement
Challenges when managing software over multiple regions and remote devices.

Question 30

Why can having too many security procedures be a problem for organizations? What is better?

Answer 30

Employees may adopt unsecure behavior e.g.

• reusing passwords
• users may just click through security warnings without reading them

Better to educate users about security risks and monitor behavior

Question 31

What things should be included in security awareness training?

Answer 31

• Overview of security policies and penalties for non-compliance
• Incident identification and reporting procedures
• Site security procedures, safety drills, escorting guests, use of secure areas, and use of personal devices.
• Data handling, PII, backup, encryption
• Password and account management plus security features of PCs and mobile devices
• Awareness of social engineering/malware/phishing etc
• How to securely use browsers and email clients
• Appropriate use of Internet access and social networking sites.

Question 32

What is role based training?

Answer 32

A system for identifying staff performing security sensitive roles - and the level of training they require.

Question 33

What roles require advanced security training?

Answer 33

IT and networking
Management
Software Development
Accounts

Question 34

What is a System Owner role responsible for, and therefore need to be trained in?

Answer 34

Responsible for designing and planning computer network and database systems.

Needs training in IT security and network design

Question 35

What is a Data Owner role responsible for, and therefore need to be trained in?

Answer 35

Responsible for data guardianship (possibly in conjunction with data stewards).

Needs training in compliance issues and data classification systems.

Question 36

What is a System Administrator/Data Custodian role need to be trained in?

Answer 36

Technical understanding of access controls and privilege management systems.

Question 37

What do Standard Users need to be trained in?

Answer 37

Security awareness training.

Product- or sector-specific training.

Question 38

What do Privileged Users need to be trained in?

Answer 38

• Training on data management and PII

- Relevant regulatory or compliance frameworks

Question 39

What do Executive Users need to be trained in?

Answer 39

• Good security awareness to avoid whale phishing and spear phishing
• Compliance and regulatory issues
• Secure system architecture
• Secure supply chain management