Lesson 16: Explaining Organizational Security Concepts Flashcards
security posture
As a vital component of a company’s IT infrastructure, employees must understand how to use ICT securely and safely and be aware of their responsibilities. To support this, the organization needs to create proper documentation to help staff understand and fulfill their responsibilities and to follow proper procedures. Adopting an effective security posture is a difficult and costly change for an organization to make, as it involves disruption to normal practice at almost every level without any tangible reward or benefit. Security compliance requires the cooperation and support of all the organization’s employees.
The value of a comprehensive policy is that it removes any uncertainty that employees may have about what to do in a given situation. For example, if you work for a large company and meet someone you do not recognize in your work area, should you smile and say hello or smile, say hello, ask them where they want to be, and then escort them to that place? If there is a company policy saying that visitors to the workplace must be escorted at all times, it will be much easier for employees to take it upon themselves to “act the policeman” in this sort of circumstance.
corporate security policy
The aim of a corporate security policy should be to obtain support for security awareness in the organization and outline in general terms the risks, guidelines, and responsibilities. The creation and enforcement of a security policy also demonstrates that due care (and due diligence) has been applied.
Policy is an overall statement of intent. In order to establish the correct working practices, three different mechanisms can be put in place:
- Standard—A standard is a measure by which to evaluate compliance with the policy.
- Procedure—A procedure, often referred to as a standard operating procedure (SOP), is an inflexible, step-by-step listing of the actions that must be completed for any given task. Most critical tasks should be governed by SOPs.
- Guidance—Guidelines exist for areas of policy where there are no procedures, either because the situation has not been fully assessed or because the decision-making process is too complex and subject to variables to be able to capture it in a procedure. Guidance may also describe circumstances where it is appropriate to deviate from a specified procedure.
interoperability agreements
It is important to remember that although one can outsource virtually any service or activity to a third party, one cannot outsource legal accountability for these services or actions. You are ultimately responsible for the services and actions that these third parties take. If they have any access to your data or systems, any security breach in their organization (for example, unauthorized data sharing) is effectively a breach in yours. Issues of security risk awareness, shared duties, and contractual responsibilities can be set out in a formal legal agreement.
The following types of interoperability agreements are common:
- Memorandum of understanding (MOU)—A preliminary or exploratory agreement to express an intent to work together. MOUs are usually intended to be relatively informal and not to act as binding contracts. MOUs almost always have clauses stating that the parties shall respect confidentiality, however.
- Memorandum of agreement (MOA)—A formal agreement (or contract) that contains specific obligations rather than a broad understanding. If one party fails to fulfill its obligations, the other party will be able to seek redress under the terms of the agreement through the courts.
Note: Contract law is complex. It is possible for a document described as an “MOU” in a heading to create legally enforceable terms if the wording of the document establishes some sort of obligation to act, especially if it is in return for payment. The name of the agreement is not relevant—the terms are.
- Service level agreement (SLA)—A contractual agreement setting out the detailed terms under which a service is provided.
- Business partners agreement (BPA)—While there are many ways of establishing business partnerships, the most common model in IT is the partner agreements that large IT companies (such as Microsoft and Cisco) set up with resellers and solution providers.
- Interconnection security agreement (ISA)—ISAs are defined by NIST’s SP800-47 “Security Guide for Interconnecting Information Technology Systems” (https://csrc.nist.gov/publications/detail/sp/800-47/final). Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls.
- Non-disclosure agreement (NDA)—Legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and does share such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employer places in them.
A legal agreement is all very well, but it is still up to you to make sure that your suppliers, vendors, and contractors can live up to it. If they can’t, you may successfully sue them, but if they go out of business, you are still accountable for their actions or failures to act.
Data handling or document management
process of managing information over its lifecycle (from creation to destruction). At each stage of the lifecycle, security considerations are vital. A data policy describes the security controls that will be applied to protect data at each stage of its lifecycle. Data policies and procedures are important in reducing the risk of data loss or theft. There may also be legal and compliance reasons for enforcing strict data policies. The regulations for the health care and payment card industries contain many specific terms for preventing data breach. A company that does not comply with the regulations could face hefty fines and be prevented from accessing the market. Employees that are negligent in performing their roles could even face criminal proceedings.
The information management workflow for each document will involve several roles with different functions, such as authors, editors, reviewers, and publishers. There are also important data roles for oversight and management of a range of information assets within the organization. A company with a formal data governance policy will define the following roles:
- Data owner—A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset. The owner is responsible for labeling the asset (such as determining who should have access and determining the asset’s criticality and sensitivity) and ensuring that it is protected with appropriate controls (access control, backup, retention, and so forth). The owner also typically selects a steward and custodian and directs their actions.
- Data steward—This role is primarily responsible for data quality. This involves tasks such as ensuring data is labelled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.
- Data custodian—This role is responsible for managing the system on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures.
Note: One of the problems with access control systems is that it is very difficult to make data inaccessible to system administrators. Privileged admin accounts can generally take ownership or change the permissions of any type of resource. Non-discretionary privilege management models are aimed at mitigating this, but even then it is difficult to secure data from the people responsible for managing the model. Strict audit policies are also of use, but again there is the potential for an account with complete privileges to compromise the audit system.
- Privacy officer—This role is responsible for oversight of any personally identifiable information (PII) assets managed by the company. The privacy officer ensures that the processing and disclosure of PII complies with legal and regulatory frameworks. The privacy officer will also oversee retention of PII. One principle of personal data privacy is that information be retained for only as long as is necessary. This can complicate the inclusion of PII in backups and archives.
workflow
Most documents go through one or more draft stages before they are published. As a draft, a document will be subject to a workflow, which describes how editorial changes are made and approved. The workflow will specify who are the authors, editors, and reviewers of the document. As part of the creation process, the document must be classified depending on how sensitive it is.
Classification
restricts who may see the document contents.
Classification (or labeling) is generally divided into several levels, following military usage:
- Unclassified (public)—There are no restrictions on viewing the document.
- Classified (private/restricted/internal use only/official use only)—Viewing is restricted to the owner organization or to third parties under an NDA.
- Confidential (or low)—The information is highly sensitive, for viewing only by approved persons within the organization (and possibly by trusted third parties under NDA).
- Secret (or medium)—The information is too valuable to permit any risk of its capture. Viewing is severely restricted.
- Top-Secret (or high)—This is the highest level of classification.
Classified, confidential, secret, and top-secret information should be securely protected (encrypted) for storage and transmission.
Note: Data labeling applies both to soft copy (computer data) and hard copy (printed) documents.
Information may change in sensitivity, typically becoming less sensitive over time. A document may be downgraded to a lower security level or eventually declassified. In this circumstance, there needs to be a clear process of authorization and notification, so that confidentiality is not breached.
Information classification lends itself to the mandatory access control (MAC) model. However, even where a document is subject to DAC or RBAC, it is still wise to label the document with its sensitivity level, especially when it is transmitted in a form that is not subject to the access control system (such as printed copies).
Personally identifiable information (PII)
data that can be used to identify, contact, or locate an individual. A Social Security Number (SSN) is a good example of PII. Others include name, date of birth, email address, telephone number, street address, biometric data, and so on. Some bits of information, such as an SSN, may be unique; others uniquely identify an individual in combination (for example, full name with birth date and street address).
Some types of information may be PII depending on the context. For example, when someone browses the web using a static IP address, the IP address is PII. An address that is dynamically assigned by the ISP may not be considered PII. PII is often used for password reset mechanisms and to confirm identity over the telephone. For example, PII may be defined as responses to challenge questions, such as “What is your favorite color/pet/movie?” These are the sort of complexities that must be considered when laws are introduced to control the collection and storage of personal data.
Apart from the impact on the affected individual’s privacy, disclosing PII inadvertently can lead to identity theft (where someone usurps a legally valid identity to conceal their illegal activities). Staff should be trained to identify PII and to handle personal or sensitive data appropriately. This means not making unauthorized copies or allowing the data to be seen or captured by any unauthorized persons. Examples of treating sensitive data carelessly include leaving order forms with customers’ credit card details in view on a desk, putting a credit card number in an unencrypted notes field in a customer database, or revealing an email address to others through the careless use of Reply All or Send To address fields.
Protected health information (PHI)
refers to medical and insurance records, plus associated hospital and laboratory test results. PHI may be associated with a specific person or used as an anonymized or de-identified data set for analysis and research. An anonymized data set is one where the identifying data is removed completely. A de-identified data set contains codes that allow the subject information to be reconstructed by the data provider. PHI trades at high values on the black market, making it an attractive target. Criminals would seek to exploit the data for insurance fraud or possibly to blackmail victims. PHI data is highly sensitive and unrecoverable. Unlike a credit card number or bank account number, it cannot be changed. Consequently, the reputational damage that would be caused by a PHI data breach is huge.
Proprietary information or intellectual property (IP)
information created and owned by the company, typically about the products or services that they make or perform. IP is an obvious target for a company’s competitors, and IP in some industries (such as defense or energy) is of interest to foreign governments. IP may also represent a counterfeiting opportunity (movies, music, and books, for instance).
Data retention
process of an organization maintaining the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations. In many cases, the organization is required by law to retain certain types of data for different lengths of time. For example, an American health care provider will need to retain audit logs for several years as mandated by HIPAA. On the other hand, the provider may also be required to retain employee correspondence over email for a shorter duration. Organizations must often balance their retention needs with the privacy stipulations. PII, PHI, and other personal information needs to be retained for some duration; however, keeping these records for too long will place them at greater risk of being compromised. Data retention policies must therefore integrate closely with data disposal policies for optimal security of confidential information.
data sanitization and disposal policy
refers to the procedures that the organization has in place for disposing of obsolete information and equipment, typically storage devices themselves or devices with internal data storage capabilities, but also paper records.
paper record disposal
One of the less pleasant social engineering techniques is dumpster diving, referring to combing through an organization’s waste to discover documents containing useful information. Generally speaking, all paper documents should be shredded before disposal. This is because even quite innocuous information (such as employee telephone lists, calendar appointments, and so on) can help an attacker with impersonation attacks.
It’s important to shred any sensitive documents prior to disposal. (Photo by monsterkoi on Pixabay.)
Confidential or secret documents should be marked as such. Such documents may be subject to special disposal methods, such as finer cross-shredding or even incineration. There are several types of shredders. They can be classified to a certain security level, based on the size of the remnants they reduce a sheet to. Level 1 is 12 mm strips, while Level 6 is 0.8 x 4 mm particles.
If shredding is not considered secure enough, the shredded material can be further subjected to a process of pulping (mixing with water then pulverizing) or burning.
Media sanitization or remnant removal
refers to decommissioning various media, including hard drives, flash drives/SSDs, tape media, CD and DVD ROMs, and so on. The problem has become particularly prominent as organizations recycle their old PCs, either by donating them to charities or by sending them to a recycling company, who may recover and sell the parts. The problem also applies to network printers, which often have installable hard disks used to cache print jobs.