Lesson 16: Explaining Organization Security Concepts Flashcards

1
Q

security posture

A
  • organization needs to create proper documentation to help staff understand and fulfill their responsibilities and to follow proper procedures
  • adopting an effective security posture is a difficult and costly change for an organization to make, as it involves disruption to normal practice at almost every level without any tangible reward or benefit
2
Q

corporate security policy

A

aim of a corporate security policy should be to obtain support for security awareness in the organization and outline in general terms the risks, guidelines, and responsibilities

3
Q

standard

A

measure by which to evaluate compliance with the policy

4
Q

procedure

A

often referred to as a standard operating procedure (SOP), is an inflexible, step-by-step listing of the actions that must be completed for any given task. Most critical tasks should be governed by SOPs

5
Q

guidance

A

guidelines exist for areas of policy where there are no procedures, either because the situation has not been fully assessed or because the decision-making process is too complex and subject to variables to be able to capture it in a procedure. Guidance may also describe circumstances where it is appropriate to deviate from a specified procedure

6
Q

memorandum of understanding (MOU)

A

preliminary or exploratory agreement to express an intent to work together. MOUs are usually intended to be relatively informal and not to act as binding contracts. MOUs almost always have clauses stating that the parties shall respect confidentiality, however

7
Q

memorandum of agreement (MOA)

A

formal agreement (or contract) that contains specific obligations rather than a broad understanding. If one party fails to fulfill its obligations, the other party will be able to seek redress under the terms of the agreement through the courts

8
Q

service level agreement (SLA)

A

contractual agreement setting out the detailed terms under which a service is provided

9
Q

business partners agreement (BPA)

A

while there are many ways of establishing business partnerships, the most common model in IT is the partner agreements that large IT companies (such as Microsoft and Cisco) set up with resellers and solution providers

10
Q

interconnection security agreement (ISA)

A
  • defined by NIST’s SP800-47 “Security Guide for Interconnecting Information Technology Systems”
  • any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls
11
Q

non-disclosure agreement (NDA)

A

legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and does share such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employer places in them

12
Q

data handling (or document management)

A

process of managing information over its lifecycle (from creation to destruction). At each stage of the lifecycle, security considerations are vital

13
Q

data policy

A
  • describes the security controls that will be applied to protect data at each stage of its lifecycle
  • important in reducing the risk of data loss or theft
14
Q

legal and compliance

A

reasons for enforcing strict data policies

15
Q

data governance

A
  • a company with a formal data governance policy will define the following roles:
  • data owner - senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset
  • data steward - primarily responsible for data quality. This involves tasks such as ensuring data is labelled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations
  • data custodian - responsible for managing the system on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures
  • privacy officer - role responsible for oversight of any personally identifiable information (PII) assets managed by the company - ensures that the processing and disclosure of PII complies with legal and regulatory frameworks
16
Q

workflow

A

describes how editorial changes are made and approved

17
Q

classification

A
  • restricts who may see the document contents
  • Unclassified (public)—There are no restrictions on viewing the document.
  • Classified (private/restricted/internal use only/official use only)—Viewing is restricted to the owner organization or to third parties under an NDA.
  • Confidential (or low)—The information is highly sensitive, for viewing only by approved persons within the organization (and possibly by trusted third parties under NDA).
  • Secret (or medium)—The information is too valuable to permit any risk of its capture. Viewing is severely restricted.
  • Top-Secret (or high)—This is the highest level of classification.
18
Q

personally identifiable information (PII)

A

data that can be used to identify, contact, or locate an individual

19
Q

protected health information (PHI)

A

refers to medical and insurance records, plus associated hospital and laboratory test results

20
Q

proprietary information or intellectual property (IP)

A

information created and owned by the company, typically about the products or services that they make or perform

21
Q

data retention

A

process of an organization maintaining the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations

22
Q

data sanitization and disposal policy

A

refers to the procedures that the organization has in place for disposing of obsolete information and equipment, typically storage devices themselves or devices with internal data storage capabilities, but also paper records

23
Q

media sanitization or remnant removal

A
  • refers to decommissioning various media, including hard drives, flash drives/SSDs, tape media, CD and DVD ROMs, and so on
  • three reasons that make remnant removal critical:
  • An organization’s own confidential data could be compromised.
  • Third-party data that the organization processes could be compromised, leaving it liable under Data Protection legislation (in addition to any contracts or SLAs signed).
  • Software licensing could be compromised.
24
Q

ways of either destroying or purging media

A
  • overwriting/disk wiping—Data sanitization software tools ensure that old data is purged by writing to each location on the media. A simple means of doing this is zero filling, which sets each bit to zero. Zero filling can leave patterns that can be read with specialist tools
  • low-level format—Most disk vendors supply tools to reset a disk to its factory condition. These are often described as low-level format tools and will have the same sort of effect as disk wiping software
  • pulverizing/degaussing - A magnetic disk can be mechanically shredded or degaussed (exposing the disk to a powerful electromagnet disrupts the magnetic pattern that stores the data on the disk surface) in specialist machinery
  • disk encryption—This method encrypts all the information in a volume, so that any remnants could not be read without possession of the decryption key
25
Q

guidelines for managing data security

A
  • Apply data security at all levels of the organization.
  • Review the various ways in your organization that data can be vulnerable to compromise.
  • Choose a data encryption method that is most appropriate for your data security needs.
  • Label each set of data according to its sensitivity and purpose.
  • Divide data management responsibilities into multiple roles of varying duties.
  • Determine your data retention requirements as mandated by law.
  • Balance data retention requirements with privacy requirements.
  • Dispose of data securely using one of several methods.
  • Consider how a disposal method may or may not enable you to recover the physical storage medium.
26
Q

personnel management policies are applied in three phases

A
  • Recruitment (hiring)—Locating and selecting people to work in particular job roles. Security issues here include screening candidates and performing background checks
  • Operation (working)—It is often the HR department that manages the communication of policy and training to employees (though there may be a separate training and personal development department within larger organizations)
  • Termination or separation (firing or retiring)—Whether an employee leaves voluntarily or involuntarily, termination is a difficult process, with numerous security implications
27
Q

onboarding

A

at the HR level, the process of welcoming a new employee to the organization

28
Q

separation of duties

A
  • means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats
  • states that no one person should have too much power or responsibility
  • different policies can be applied to enforce separation of duties:
  • SOPs mean that an employee has no excuse for not following protocol in terms of performing these types of critical operations
  • Shared authority means that no one user is able to action or enable changes on his or her own authority
  • Least privilege means that a user is granted sufficient rights to perform his or her job and no more
  • Effective auditing means that decisions and changes are recorded and can be scrutinized independently of the person that made the decision
  • Mandatory vacations mean that employees are forced to take their vacation time, during which someone else fulfills their duties
  • Job rotation (or rotation of duties) means that no one person is permitted to remain in the same job for an extended period
  • most evident in accounts and financial departments
29
Q

exit interview (or offboarding)

A
  • process of ensuring that an employee leaves a company gracefully
  • in terms of security, there are several processes that must be completed:
  • IAM—Disable the user account and privileges. Ensure that any information assets created or managed by the employee but owned by the company are accessible (in terms of encryption keys or password-protected files)
  • Retrieving company assets—Mobile devices, keys, smart cards, USB media, and so on
  • Returning personal assets—Employee-owned devices need to be wiped of corporate data and applications
30
Q

acceptable use policy (AUP) (or fair use policy)

A

sets out what someone is allowed to use a particular service or resource for

31
Q

clean desk policy

A
  • employee’s work area should be free from any documents left there
  • aim of the policy is to prevent sensitive information from being obtained by unauthorized staff or guests at the workplace
32
Q

workplace surveillance can be divided into several categories

A
  • Security assurance—Monitoring data communications and employees’ behavior to ensure that they do not divulge confidential information or compromise the security of the organization
  • Monitoring data—Analyzing data communications to measure an employee’s productivity
  • Physical monitoring—Recording employees’ movement, location, and behavior within the workplace, often using CCTV and drugs/alcohol testing
33
Q

policy violation

A

When a policy violation by an employee or contractor is detected, it is necessary to follow incident response procedures rather than act off the cuff. To formulate an appropriate response, you need to assess whether the violation was accidental or intentional and determine the severity of the violation

34
Q

adverse action

A
  • means that in disciplining or firing an employee, the employer is discriminating against them in some way
35
Q

whistleblowers

A

organization’s best defense against internal fraud, collusion (where two or more people conspire to commit fraud), vandalism, or poor practice is the alertness of other employees

36
Q

techniques to troubleshoot specific personnel issues

A
  • Personnel violate your organization’s policy and engage in unacceptable use of systems, data, and the network—Determine the actual policy item that was violated, and then (possibly in conjunction with HR) bring the violation to the person’s attention and suggest ways for the person to better comply with policy. To prevent reoccurrence, develop training programs to better inform personnel of policy and to foster a culture of cybersecurity
  • Personnel use social media and personal email accounts in ways that bring risk to the organization—Remind the employee of the policy and inform them of how divulging too much information on social media can help attackers. As a technical control, you can implement data loss/leak prevention (DLP) solutions to prevent personnel from sending sensitive information to external users or websites
  • Personnel fall victim to social engineering attacks and divulge sensitive information or give access to unauthorized users—Train users on how to spot social engineering attempts and mitigate their effects
  • Disgruntled or otherwise malicious personnel use their unique knowledge of the organization to exploit it for personal gain—Conduct an exit interview and thoroughly offboard the terminated employee
37
Q

unlicensed software installs affect both availability and integrity

A
  • Availability—The software vendor may suspend all licenses if the customer is found to be non-compliant.
  • Integrity—Unlicensed software exposes an organization to large fines and penalties.
38
Q

Master License Agreements (MLAs)

A
  • licensing agreements such as Master License Agreements (MLAs) can be complex and keeping track of usage requires investment in license management and auditing software
  • activities involved in ensuring compliance with license agreements include:
  • Identifying unlicensed and unauthorized software installed on clients, servers, and VMs
  • Identifying per-seat or per-user compliance with licensed software. The complex nature of client access type licensing means that many companies over-allocate seats compared to what their license agreement allows
  • Preparing for vendor audits—most license agreements specify that the vendor may undertake a software license compliance (SLC) audit
  • Ensuring compliance with the terms of open source licensing. If open source code is reused (whether in commercial or in-house software), the product must be distributed in compliance with the terms of the original open source license
39
Q

untrained users

A

represent a serious vulnerability because they are susceptible to social engineering and malware attacks and may be careless when handling sensitive or confidential data

40
Q

continuing education

A

programs ensure that the participants do not treat a single training course or certificate as a sort of final accomplishment. Skills and knowledge must be continually updated to cope with changes to technology and regulatory practices. Continuing education programs often use the concept of credits to show that a participant has maintained and advanced their understanding of the topic area

41
Q

specific training requirements of security-focused job roles are as follows

A
  • System owner—This role is responsible for designing and planning computer, network, and database systems
  • Data owner—As described earlier, data owner is a role with overall responsibility for data guardianship (possibly in conjunction with data stewards)
  • System administrator/data custodian—The day-to-day sysadmin role requires technical understanding of access controls and privilege management systems
  • Standard users—As well as security awareness training, ordinary users might require training on product- or sector-specific issues
  • Privileged users—Employees with access to privileged data should be given extra training on data management and PII plus any relevant regulatory or compliance frameworks
  • Executive users—Good security awareness is essential as these users are likely to be specifically targeted (whale phishing and spear phishing)

42
Q

incorporating documentation in your operational security

A
  • Ensure that you have an overarching security policy that is driven by your organization’s business and security needs.
  • Ensure that the security policy adequately describes the goals and requirements for the organization’s security operations.
  • Consider how various business agreements can facilitate interoperability with other organizations.
  • Consider creating supplementary policies based on specific type, like AUPs and password policies.
  • Incorporate personnel management tasks in your security policies.
  • Consider separating duties among different personnel.
  • Consider mandating that personnel rotate their job responsibilities every so often.
  • Consider mandating vacations for all employees for at least a full week every year.
  • Consider implementing additional personnel management tasks like background checks and signing NDAs.
  • Implement a cybersecurity training program for all personnel.
  • Ensure that the training personnel receive is ongoing.
  • Consider training personnel differently based on the roles they fulfill in the organization.