Lesson 16: Explaining Organizational Security Concepts Flashcards

1
Q

security posture

A

As a vital component of a company’s IT infrastructure, employees must understand how to use ICT securely and safely and be aware of their responsibilities. To support this, the organization needs to create proper documentation to help staff understand and fulfill their responsibilities and to follow proper procedures. Adopting an effective security posture is a difficult and costly change for an organization to make, as it involves disruption to normal practice at almost every level without any tangible reward or benefit. Security compliance requires the cooperation and support of all the organization’s employees.

The value of a comprehensive policy is that it removes any uncertainty that employees may have about what to do in a given situation. For example, if you work for a large company and meet someone you do not recognize in your work area, should you smile and say hello or smile, say hello, ask them where they want to be, and then escort them to that place? If there is a company policy saying that visitors to the workplace must be escorted at all times, it will be much easier for employees to take it upon themselves to “act the policeman” in this sort of circumstance.

2
Q

corporate security policy

A

The aim of a corporate security policy should be to obtain support for security awareness in the organization and outline in general terms the risks, guidelines, and responsibilities. The creation and enforcement of a security policy also demonstrates that due care (and due diligence) has been applied.

3
Q

Policy is an overall statement of intent. In order to establish the correct working practices, three different mechanisms can be put in place:

A
  • Standard—A standard is a measure by which to evaluate compliance with the policy.
  • Procedure—A procedure, often referred to as a standard operating procedure (SOP), is an inflexible, step-by-step listing of the actions that must be completed for any given task. Most critical tasks should be governed by SOPs.
  • Guidance—Guidelines exist for areas of policy where there are no procedures, either because the situation has not been fully assessed or because the decision making process is too complex and subject to variables to be able to capture it in a procedure. Guidance may also describe circumstances where it is appropriate to deviate from a specified procedure.
4
Q

interoperability agreements

A

It is important to remember that although one can outsource virtually any service or activity to a third party, one cannot outsource legal accountability for these services or actions. You are ultimately responsible for the services and actions that these third parties take. If they have any access to your data or systems, any security breach in their organization (for example, unauthorized data sharing) is effectively a breach in yours. Issues of security risk awareness, shared duties, and contractual responsibilities can be set out in a formal legal agreement.

5
Q

The following types of interoperability agreements are common:

A
  • Memorandum of understanding (MOU)—A preliminary or exploratory agreement to express an intent to work together. MOUs are usually intended to be relatively informal and not to act as binding contracts. MOUs almost always have clauses stating that the parties shall respect confidentiality, however.
  • Memorandum of agreement (MOA)—A formal agreement (or contract) that contains specific obligations rather than a broad understanding. If one party fails to fulfill its obligations, the other party will be able to seek redress under the terms of the agreement through the courts.

Note: Contract law is complex. It is possible for a document described as an “MOU” in a heading to create legally enforceable terms if the wording of the document establishes some sort of obligation to act, especially if it is in return for payment. The name of the agreement is not relevant—the terms are.

  • Service level agreement (SLA)—A contractual agreement setting out the detailed terms under which a service is provided.
  • Business partners agreement (BPA)—While there are many ways of establishing business partnerships, the most common model in IT is the partner agreements that large IT companies (such as Microsoft and Cisco) set up with resellers and solution providers.
  • Interconnection security agreement (ISA)—ISAs are defined by NIST’s SP 800-47 “Security Guide for Interconnecting Information Technology Systems” (https://csrc.nist.gov/publications/detail/sp/800-47/final). Any federal agency interconnecting its IT system to a third party must create an ISA to govern the relationship. An ISA sets out a security risk awareness process and commits the agency and supplier to implementing security controls.
  • Non-disclosure agreement (NDA)—Legal basis for protecting information assets. NDAs are used between companies and employees, between companies and contractors, and between two companies. If the employee or contractor breaks this agreement and does share such information, they may face legal consequences. NDAs are useful because they deter employees and contractors from violating the trust that an employer places in them.

A legal agreement is all very well, but it is still up to you to make sure that your suppliers, vendors, and contractors can live up to it. If they can’t, you may successfully sue them, but if they go out of business, you are still accountable for their actions or failures to act.

6
Q

Data handling or document management

A

process of managing information over its lifecycle (from creation to destruction). At each stage of the lifecycle, security considerations are vital. A data policy describes the security controls that will be applied to protect data at each stage of its lifecycle. Data policies and procedures are important in reducing the risk of data loss or theft. There may also be legal and compliance reasons for enforcing strict data policies. The regulations for the health care and payment card industries contain many specific terms for preventing data breach. A company that does not comply with the regulations could face hefty fines and be prevented from accessing the market. Employees that are negligent in performing their roles could even face criminal proceedings.

7
Q

The information management workflow for each document will involve several roles with different functions, such as authors, editors, reviewers, and publishers. There are also important data roles for oversight and management of a range of information assets within the organization. A company with a formal data governance policy will define the following roles:

A

  • Data owner—A senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of the information asset. The owner is responsible for labeling the asset (such as determining who should have access and determining the asset’s criticality and sensitivity) and ensuring that it is protected with appropriate controls (access control, backup, retention, and so forth). The owner also typically selects a steward and custodian and directs their actions.
  • Data steward—This role is primarily responsible for data quality. This involves tasks such as ensuring data is labelled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.
  • Data custodian—This role is responsible for managing the system on which the data assets are stored. This includes responsibility for enforcing access control, encryption, and backup/recovery measures.

Note: One of the problems with access control systems is that it is very difficult to make data inaccessible to system administrators. Privileged admin accounts can generally take ownership of, or change the permissions on, any type of resource. Non-discretionary privilege management models aim to mitigate this, but even then it is difficult to secure data from the people responsible for managing the model. Strict audit policies also help, but again an account with complete privileges has the potential to compromise the audit system itself.

  • Privacy officer—This role is responsible for oversight of any personally identifiable information (PII) assets managed by the company. The privacy officer ensures that the processing and disclosure of PII complies with legal and regulatory frameworks. The privacy officer will also oversee retention of PII. One principle of personal data privacy is that information be retained for only as long as is necessary. This can complicate the inclusion of PII in backups and archives.

8
Q

workflow

A

Most documents go through one or more draft stages before they are published. As a draft, a document will be subject to a workflow, which describes how editorial changes are made and approved. The workflow will specify who are the authors, editors, and reviewers of the document. As part of the creation process, the document must be classified depending on how sensitive it is.

9
Q

Classification

A

restricts who may see the document contents.

10
Q

Classification (or labeling) is generally divided into several levels, following military usage:

A
  • Unclassified (public)—There are no restrictions on viewing the document.
  • Classified (private/restricted/internal use only/official use only)—Viewing is restricted to the owner organization or to third parties under an NDA.
  • Confidential (or low)—The information is highly sensitive, for viewing only by approved persons within the organization (and possibly by trusted third parties under NDA).
  • Secret (or medium)—The information is too valuable to permit any risk of its capture. Viewing is severely restricted.
  • Top-Secret (or high)—This is the highest level of classification.

Classified, confidential, secret, and top-secret information should be securely protected (encrypted) for storage and transmission.

Note: Data labeling applies both to soft copy (computer data) and hard copy (printed) documents.

Information may change in sensitivity, typically becoming less sensitive over time. A document may be downgraded to a lower security level or eventually declassified. In this circumstance, there needs to be a clear process of authorization and notification, so that confidentiality is not breached.

Information classification lends itself to the mandatory access control (MAC) model. However, even where a document is subject to DAC or RBAC, it is still wise to label the document with its sensitivity level, especially when it is transmitted in a form that is not subject to the access control system (such as printed copies).
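
The labeling and MAC point above, as an added example that is not part of the flashcards: a minimal mandatory access control check over the card's five levels, plus a controlled downgrade step that needs a second, suitably cleared person and leaves an audit trail. The Subject and Document types, the two-person declassification rule, and the `can_write` "no write down" rule (from Bell-LaPadula, which goes beyond what the card states) are assumptions for illustration.

```python
"""Added example, not from the flashcards: enforcing classification labels with
a mandatory access control (MAC) read check and a controlled downgrade step.
Level names are the card's; Subject/Document, the two-person declassification
rule, and the audit trail are assumptions for illustration."""
from dataclasses import dataclass, field

# Ordered lattice of labels, lowest to highest, as listed on the card.
LEVELS = ["unclassified", "classified", "confidential", "secret", "top-secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Subject:
    name: str
    clearance: str  # one of LEVELS


@dataclass
class Document:
    title: str
    label: str  # one of LEVELS; the label travels with the document
    history: list = field(default_factory=list)  # (old, new, requester, approver)


def can_read(subject: Subject, doc: Document) -> bool:
    """MAC 'no read up': a subject may read only documents labelled at or
    below their clearance. Unlike DAC, the document's owner cannot override this."""
    return RANK[subject.clearance] >= RANK[doc.label]


def can_write(subject: Subject, doc: Document) -> bool:
    """Bell-LaPadula 'no write down' (beyond the card): a subject may write only
    to documents at or above their clearance, so secret content cannot be
    pasted into an unclassified document by a highly cleared user."""
    return RANK[subject.clearance] <= RANK[doc.label]


def downgrade(doc: Document, new_label: str, requester: Subject, approver: Subject) -> bool:
    """Relabel a document to a lower level only when a second person, cleared
    for the document's current level, approves (assumed policy). Returns True
    on success; on refusal nothing changes."""
    if new_label not in RANK or RANK[new_label] >= RANK[doc.label]:
        return False  # not a strict downgrade
    if approver.name == requester.name:
        return False  # two-person rule: no self-approval
    if not can_read(approver, doc):
        return False  # approver is not cleared to see what is being released
    doc.history.append((doc.label, new_label, requester.name, approver.name))
    doc.label = new_label
    return True
```

The history list is the notification and authorization record the card calls for: who asked, who approved, and what the label was before the change. In a real system that record would go to a write-once audit log rather than living on the document object.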

11
Q

Personally identifiable information (PII)

A

data that can be used to identify, contact, or locate an individual. A Social Security Number (SSN) is a good example of PII. Others include name, date of birth, email address, telephone number, street address, biometric data, and so on. Some bits of information, such as an SSN, may be unique; others uniquely identify an individual in combination (for example, full name with birth date and street address).

Some types of information may be PII depending on the context. For example, when someone browses the web using a static IP address, the IP address is PII. An address that is dynamically assigned by the ISP may not be considered PII. PII is also often used for password reset mechanisms and to confirm identity over the telephone, so responses to challenge questions, such as “What is your favorite color/pet/movie?”, may themselves be defined as PII. These are the sort of complexities that must be considered when laws are introduced to control the collection and storage of personal data.

Apart from the impact on the affected individual’s privacy, disclosing PII inadvertently can lead to identity theft (where someone usurps a legally valid identity to conceal their illegal activities). Staff should be trained to identify PII and to handle personal or sensitive data appropriately. This means not making unauthorized copies or allowing the data to be seen or captured by any unauthorized persons. Examples of treating sensitive data carelessly include leaving order forms with customers’ credit card details in view on a desk, putting a credit card number in an unencrypted notes field in a customer database, or revealing an email address to others through the careless use of Reply All or Send To address fields.
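
One technical control for the careless-handling cases listed above (a card number typed into a notes field), as an added example that is not part of the flashcards: a small data-loss-prevention style scan that finds payment card numbers (digit runs that pass the Luhn check) and US SSNs in free-text fields and masks them. The regex patterns, the masking format, and the sample records are my own constructions.

```python
"""Added example, not from the flashcards: scanning free-text fields for
payment card numbers (PANs) and US SSNs, then redacting them. Patterns and
the masked format are assumptions; SAMPLE_RECORDS are constructed."""
import re

# 13 to 19 digits, optionally separated by spaces or dashes (assumed PAN format).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common AAA-GG-SSSS form (assumed; unformatted SSNs are not caught).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs (order numbers, IDs) that are not
    card numbers, cutting false positives from the loose PAN pattern."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list[tuple[str, str]]:
    """Return (kind, matched text) pairs. PAN candidates must pass Luhn."""
    findings = []
    for m in PAN_RE.finditer(text):
        if luhn_valid(re.sub(r"[ -]", "", m.group())):
            findings.append(("PAN", m.group()))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", m.group()))
    return findings


def redact(text: str) -> str:
    """Mask detected values: PANs keep their last four digits, SSNs are fully masked."""
    def mask_pan(m):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            return m.group()  # not a card number; leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return SSN_RE.sub("***-**-****", PAN_RE.sub(mask_pan, text))


# Constructed sample records, as a support desk might enter them (not real data).
SAMPLE_RECORDS = [
    {"id": 1, "notes": "Customer paid by card 4111 1111 1111 1111, exp 09/27."},
    {"id": 2, "notes": "Order #1234567890 shipped Tuesday."},
    {"id": 3, "notes": "Verified identity with SSN 078-05-1120 over phone."},
]


def scan_records(records: list[dict]) -> dict[int, list[tuple[str, str]]]:
    """Map record id -> findings for every record whose notes contain PII."""
    hits = {}
    for r in records:
        found = find_pii(r["notes"])
        if found:
            hits[r["id"]] = found
    return hits
```

Run `scan_records(SAMPLE_RECORDS)` to see which records would be flagged; the order number in record 2 is ignored because it is too short and, like most non-card digit runs, would fail Luhn anyway. A scan like this belongs on the write path (reject or mask before the value reaches the database), not only on periodic audits of data already stored.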

12
Q

Protected health information (PHI)

A

refers to medical and insurance records, plus associated hospital and laboratory test results. PHI may be associated with a specific person or used as an anonymized or de-identified data set for analysis and research. An anonymized data set is one where the identifying data is removed completely. A de-identified data set contains codes that allow the subject information to be reconstructed by the data provider. PHI trades at high values on the black market, making it an attractive target. Criminals would seek to exploit the data for insurance fraud or possibly to blackmail victims. PHI data is highly sensitive and unrecoverable. Unlike a credit card number or bank account number, it cannot be changed. Consequently, the reputational damage that would be caused by a PHI data breach is huge.

13
Q

Proprietary information or intellectual property (IP)

A

information created and owned by the company, typically about the products or services that they make or perform. IP is an obvious target for a company’s competitors and IP in some industries (such as defense or energy), is of interest to foreign governments. IP may also represent a counterfeiting opportunity (movies, music, and books, for instance).

14
Q

Data retention

A

process of an organization maintaining the existence of and control over certain data in order to comply with business policies and/or applicable laws and regulations. In many cases, the organization is required by law to retain certain types of data for different lengths of time. For example, an American health care provider will need to retain audit logs for several years as mandated by HIPAA. On the other hand, the provider may also be required to retain employee correspondence over email for a shorter duration. Organizations must often balance their retention needs with privacy requirements. PII, PHI, and other personal information need to be retained for some duration; however, keeping these records for too long places them at greater risk of being compromised. Data retention policies must therefore integrate closely with data disposal policies for optimal security of confidential information.

15
Q

data sanitization and disposal policy

A

refers to the procedures that the organization has in place for disposing of obsolete information and equipment, typically storage devices themselves or devices with internal data storage capabilities, but also paper records.

16
Q

paper record disposal

A

One of the less pleasant social engineering techniques is dumpster diving, referring to combing through an organization’s waste to discover documents containing useful information. Generally speaking, all paper documents should be shredded before disposal. This is because even quite innocuous information (such as employee telephone lists, calendar appointments, and so on) can help an attacker with impersonation attacks.

It’s important to shred any sensitive documents prior to disposal. (Photo by monsterkoi on Pixabay.)

Confidential or secret documents should be marked as such. Such documents may require special disposal methods, such as finer cross-shredding or even incineration. There are several types of shredders. They can be classified to a certain security level, based on the size of the remnants they reduce a sheet to. Level 1 is 12mm strips, while Level 6 is 0.8x4mm particles.

If shredding is not considered secure enough, the shredded material can be further subjected to a process of pulping (mixing with water then pulverizing) or burning.

17
Q

Media sanitization or remnant removal

A

refers to decommissioning various media, including hard drives, flash drives/SSDs, tape media, CD and DVD ROMs, and so on. The problem has become particularly prominent as organizations recycle their old PCs, either by donating them to charities or by sending them to a recycling company, who may recover and sell the parts. The problem also applies to network printers, which often have internal hard disks used to cache print jobs.

18
Q

There are at least three reasons that make remnant removal critical:

A
  • An organization’s own confidential data could be compromised.
  • Third-party data that the organization processes could be compromised, leaving it liable under Data Protection legislation (in addition to any contracts or SLAs signed).
  • Software licensing could be compromised.

The main issue is understanding the degree to which data on different media types may be recoverable. Data deleted from a magnetic-type disk (such as a hard disk) is not erased. Rather, the sectors are marked as available for writing and the data they contain will only be removed as new files are added. Similarly, using the standard Windows® format tool will only remove references to files and mark all sectors as useable. In the right circumstances and with the proper tools, any deleted information from a drive could be recoverable.

19
Q

Data remnants can be dealt with either by destroying the media or by purging it (removing the confidential information but leaving the media intact for reuse). There are several different ways of either destroying or purging media:

A
  • Overwriting/disk wiping—Data sanitization software tools ensure that old data is purged by writing to each location on the media. A simple means of doing this is zero filling, which sets each bit to zero. Zero filling can leave patterns that can be read with specialist tools. A more secure method is to overwrite the content with ones and zeros using pseudorandom input. Overwriting might also be performed in multiple passes. On magnetic disks this is suitable for all but the most confidential data, but it is time consuming and requires special software. Overwriting is not a reliable method for flash media (SSDs and USB sticks): the drive's wear-leveling controller may leave copies of old data in cells that the host cannot address, so flash media should be sanitized with the drive's built-in secure-erase command, by cryptographic erase (see disk encryption below), or by destruction.
  • Low-level format—Most disk vendors supply tools to reset a disk to its factory condition. These are often described as low-level format tools and will have the same sort of effect as disk wiping software. Technically speaking, a low-level format creates cylinders and sectors on the disk. This can generally only be done at the factory. The disk utilities just clean data from each sector; they don’t re-create the sector layout.
  • Pulverizing/degaussing—A magnetic disk can be mechanically shredded or degaussed (exposing the disk to a powerful electromagnet disrupts the magnetic pattern that stores the data on the disk surface) in specialist machinery. Obviously, this sort of machinery is costly and will usually render the disk unusable, so it cannot be repurposed or resold. Degaussing has no effect on flash media, which store data electrically rather than magnetically. A less expensive method is to destroy the disk with a drill or hammer—do be sure to wear protective goggles. This method is not appropriate for the most highly confidential data as it will leave fragments that could be analyzed using specialist tools.
  • Disk encryption—This method encrypts all the information in a volume, so that any remnants could not be read without possession of the decryption key. Securely destroying the key (cryptographic erase) then renders the remnants unrecoverable without having to overwrite the medium, which is why full-disk encryption from first use is the simplest route to clean disposal.

Optical media cannot be reformatted. Discs should be destroyed before discarding them. Shredders are available for destroying CD and DVD media.
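
The overwrite-and-verify technique from the list above, as an added example that is not part of the flashcards: a zero-fill pass that is read back and checked, followed by a pseudorandom pass, run against an ordinary file that stands in for a storage device. The block size, pass order, use of `os.urandom`, and the constructed "payroll" content are my assumptions. Two caveats the example cannot remove: overwriting a file in place is not a sanitization method on journaling or copy-on-write filesystems, which may put the new blocks elsewhere and leave the old ones intact (the real target is the raw device), and on flash media the controller's wear leveling means read-back verification proves nothing about cells the host cannot address.

```python
"""Added example, not from the flashcards: two-pass overwrite (zero fill, then
pseudorandom data) with read-back verification of the zero pass, demonstrated
on a scratch file standing in for a device. Block size and pass order are
assumptions; the sample content is constructed."""
import os
import tempfile

BLOCK = 4096  # write/verify granularity (assumed)


def _overwrite(path: str, size: int, pattern) -> None:
    """Write pattern(n) over every byte of the target, then fsync so the data
    reaches the device rather than sitting in the OS page cache."""
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(BLOCK, remaining)
            f.write(pattern(n))
            remaining -= n
        f.flush()
        os.fsync(f.fileno())


def _verify_zeros(path: str, size: int) -> bool:
    """Read the target back and confirm every byte is zero."""
    with open(path, "rb") as f:
        remaining = size
        while remaining > 0:
            chunk = f.read(min(BLOCK, remaining))
            if not chunk or any(chunk):  # short read, or a non-zero byte
                return False
            remaining -= len(chunk)
    return True


def wipe(path: str, random_passes: int = 1) -> dict:
    """Pass 1 zero-fills and is verified; later passes write pseudorandom
    bytes so no fixed pattern is left on the medium."""
    size = os.path.getsize(path)
    _overwrite(path, size, lambda n: bytes(n))  # bytes(n) is n zero bytes
    zero_ok = _verify_zeros(path, size)
    for _ in range(random_passes):
        _overwrite(path, size, os.urandom)
    return {"size": size, "passes": 1 + random_passes, "zero_pass_verified": zero_ok}


def demo() -> dict:
    """Write constructed 'sensitive' content to a scratch file, wipe it, and
    check that the plaintext is gone and the size is unchanged."""
    plaintext = b"CONFIDENTIAL payroll export\n" * 1000  # constructed sample data
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(plaintext)
        path = tmp.name
    try:
        report = wipe(path)
        with open(path, "rb") as f:
            report["plaintext_remains"] = b"CONFIDENTIAL" in f.read()
        report["size_unchanged"] = os.path.getsize(path) == len(plaintext)
    finally:
        os.unlink(path)
    return report


if __name__ == "__main__":
    print(demo())
```

Pointing `wipe()` at a block device path (for example a `/dev/sd?` node, opened with the same `r+b` mode) applies the same passes to the whole device; the verification step is what turns "we ran a wipe" into evidence that the pass actually reached the medium.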

20
Q

Follow these guidelines for managing data security:

A
  • Apply data security at all levels of the organization.
  • Review the various ways in your organization that data can be vulnerable to compromise.
  • Choose a data encryption method that is most appropriate for your data security needs.
  • Label each set of data according to its sensitivity and purpose.
  • Divide data management responsibilities into multiple roles of varying duties.
  • Determine your data retention requirements as mandated by law.
  • Balance data retention requirements with privacy requirements.
  • Dispose of data securely using one of several methods.
  • Consider how a disposal method may or may not enable you to recover the physical storage medium.
21
Q

Human Resources (HR) is the department given the task of recruiting and managing the organization’s most valuable and critical resource: people. Personnel management policies are applied in three phases:

A
  • Recruitment (hiring)—Locating and selecting people to work in particular job roles. Security issues here include screening candidates and performing background checks.
  • Operation (working)—It is often the HR department that manages the communication of policy and training to employees (though there may be a separate training and personal development department within larger organizations). As such, it is critical that HR managers devise training programs that communicate the importance of security to employees.
  • Termination or separation (firing or retiring)—Whether an employee leaves voluntarily or involuntarily, termination is a difficult process, with numerous security implications.

Operational policies include privilege management, data handling, and incident response, as discussed elsewhere. One function of HR is to communicate these policies to employees, including any updates to the policies. Another function is to enforce disciplinary measures (perhaps in conjunction with departmental managers).

22
Q

Onboarding

A

At the HR level, onboarding is the process of welcoming a new employee to the organization. The same sort of principle applies to taking on new suppliers or contractors. Some of the tasks that most impact security during the onboarding process are as follows:

  • Background check—This process essentially determines that a person is who they say they are and is not concealing criminal activity, bankruptcy, or connections that would make them unsuitable or risky. Employees working in high confidentiality environments or with access to high value transactions will obviously need to be subjected to a greater degree of scrutiny. For some jobs, especially federal jobs requiring a security clearance, background checks are mandatory. Some background checks are performed internally, whereas others are done by an external third party.
  • Identity and access management (IAM)—Create an account for the user to access the computer system, assign the appropriate privileges, and ensure the account credentials are known only to the valid user.
  • Signing an NDA—When an employee or contractor signs an NDA, they are asserting that they will not share confidential information with a third party. The terms of an NDA might be incorporated within the employee contract or could be a separate document.
  • Asset allocation—Provision computers or mobile devices for the user or agree to the use of BYODs.
  • Training/policies—Schedule appropriate security awareness and role-relevant training and certification.
23
Q

Separation of duties

A

means of establishing checks and balances against the possibility that critical systems or procedures can be compromised by insider threats. Separation of duties states that no one person should have too much power or responsibility. Duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers. Duties such as authorization and approval, and design and development, should not be held by the same individual, because it would be far too easy for that individual to steer the organization into using only specific software that contains vulnerabilities, or into taking on projects that would be beneficial to that individual. For example, in many typical IT departments, the roles of backup operator, restore operator, and auditor are assigned to different people.

24
Q

Several different policies can be applied to enforce separation of duties:

A
  • SOPs mean that an employee has no excuse for not following protocol in terms of performing these types of critical operations.
  • Shared authority means that no one user is able to action or enable changes on his or her own authority. At least two people must authorize the change.
  • Least privilege means that a user is granted sufficient rights to perform his or her job and no more. For critical tasks, duties should be divided between several people.
  • Effective auditing means that decisions and changes are recorded and can be scrutinized independently of the person that made the decision.
  • Mandatory vacations mean that employees are forced to take their vacation time, during which someone else fulfills their duties. The typical mandatory vacation policy requires that employees take at least one vacation a year in a full-week increment so that they are away from work for at least five days in a row. During that time, the corporate audit and security employees have time to investigate and discover any discrepancies in employee activity.
  • Job rotation (or rotation of duties) means that no one person is permitted to remain in the same job for an extended period. For example, managers may be moved to different departments periodically, or employees may perform more than one job role, switching between them throughout the year. Rotating individuals into and out of roles, such as the firewall administrator or access control specialist, helps an organization ensure that it is not tied too firmly to any one individual because vital institutional knowledge is spread among trusted employees. Job rotation also helps prevent abuse of power, reduces boredom, and enhances individuals’ professional skills.
  • Separation of duties is most evident in accounts and financial departments. One example is requiring all checks to be co-signed (that is, signed by two people); another is separating responsibility for purchasing (ordering) and payment. M-of-N control, discussed in the section on cryptography, is another example of separation of duties.
25
Q

exit interview (or offboarding)

A

the process of ensuring that an employee leaves a company gracefully.

26
Q

In terms of security, there are several processes that must be completed to offboard:

A
  • IAM—Disable the user account and privileges. Ensure that any information assets created or managed by the employee but owned by the company are accessible (in terms of encryption keys or password-protected files).
  • Retrieving company assets—Mobile devices, keys, smart cards, USB media, and so on. The employee will need to confirm (and in some cases prove) that they have not retained copies of any information assets.
  • Returning personal assets—Employee-owned devices need to be wiped of corporate data and applications. The employee may also be allowed to retain some information assets (such as personal emails or contact information), depending on the policies in force.

The departure of some types of employees should trigger additional processes to re-secure network systems. Examples include employees with detailed knowledge of security systems and procedures, and access to shared or generic account credentials. These credentials must be changed immediately.

27
Q

acceptable use policy (AUP) (or fair use policy)

A

sets out what someone is allowed to use a particular service or resource for. Such a policy might be used in different contexts. For example, an acceptable use policy could be enforced by a business to govern how employees use equipment and services, such as telephone or Internet access, provided to them at work. Another example might be an ISP enforcing a fair use policy governing usage of its Internet access services.

Enforcing an acceptable use policy is important to protect the organization from the security and legal implications of employees (or customers) misusing its equipment. The policy should define what use of organizational assets, such as computers and telecommunications equipment, will be considered acceptable and what will be considered adverse actions in violation of policy. Typically, the policy will forbid the use of equipment to defraud, defame, or to obtain illegal material. It is also likely to prohibit the installation of unauthorized hardware or software and to explicitly forbid actual or attempted intrusion (snooping). Acceptable use guidelines must be reasonable and not interfere with employees’ fundamental job duties or human rights. A policy statement allowing or limiting the use of personal email during work hours is an example of an AUP item. An organization’s AUP may forbid use of Internet tools outside of work-related duties or restrict such use to break times.

28
Q

rules of behavior and general security policies

A

The equipment used to access the Internet in the workplace is owned by the employer. Many employees expect relatively unrestricted access to Internet facilities for personal use. In fact, employees’ use of social networking and file sharing poses substantial risks to the organization, including threat of virus infection or systems intrusion, lost work time, copyright infringement, and defamation. If an employee breaks copyright laws or libels someone using an organization’s equipment, the organization itself could be held liable.

To avoid confusion, an employee’s handbook should set out the terms under which use of web browser/email/social networking/P2P software is permitted for personal use, and what penalties could be incurred from exceeding those terms. Employers are within their rights to prohibit all private use of Internet tools. Users should be aware that any data communications, such as email, made through an organization’s computer system are likely stored within the system, on servers, backup devices, and so on. Such communications are also likely to be logged and monitored. Consequently, users should not use computers at work to send personal information (for their own security if nothing else).

Rules of behavior are also important when considering employees with privileged access to computer systems. Technicians and managers should be bound by clauses that forbid them from misusing privileges to snoop on other employees or to disable a security mechanism.

29
Q

use of personally owned devices in the workplace

A

Portable devices, such as smartphones, USB sticks, media players, and so on, pose a considerable threat to data security, as they make file copy so easy. Camera and voice recording functions are other obvious security issues.

Network access control, endpoint security, and data loss prevention solutions can be of some use in preventing the attachment of such devices to corporate networks. Some companies may try to prevent staff from bringing such devices on site. This is quite difficult to enforce, though.

Also important to consider is the unauthorized use of personal software by employees. Personal software may include either locally installed software or hosted applications, such as personal email or instant messenger, and may leave the organization open to a variety of security vulnerabilities. Such programs may provide a route for data exfiltration, a transport mechanism for malware, or possibly software license violations for which the company might be held liable, just to name a few of the potential problems.

30
Q

clean desk policy

A

A clean desk policy means that each employee's work area should be cleared of documents whenever it is left unattended and at the end of the working day. The aim of the policy is to prevent sensitive information from being obtained by unauthorized staff or guests at the workplace.

There can be some problematic areas in enforcing a clean desk policy. For example, employees may repeatedly use visual aids, such as process flowcharts, that would have to be tidied and taken out again each day.

31
Q

privacy and monitoring policies

A

The right to privacy is one expected by citizens of most countries. However, the right to privacy must be balanced against the need for the companies we work for and shop with to receive and process (and in some cases, keep) information about us. For example, a mail order company needs to know your address in order to deliver goods to you. When you tell them your address, you might expect them to use it only for delivering goods that you have ordered and not to use it to contact you about other products or to pass it to another company without your permission.

In order to protect their business, employers claim a responsibility to monitor the way employees use the IT equipment provided. Detecting and investigating staff use of personal email or social media, other policy violations, or even an insider threat requires logging and monitoring. Set against this, employees can assert a right not to be subjected to unreasonable or intrusive treatment. The balance between these rights and responsibilities is not always clearly defined in law, though as workplace privacy becomes more of an issue, laws and company guidelines are being instituted to account for it. A contract of employment may set out what an employee must agree to as a condition of employment.

32
Q

Workplace surveillance can be divided into several categories:

A
  • Security assurance—Monitoring data communications and employees’ behavior to ensure that they do not divulge confidential information or compromise the security of the organization. Employers may also use security systems such as CCTV to prevent theft.
  • Monitoring data—Analyzing data communications to measure an employee’s productivity. For example, a contact management system may record the frequency and duration of telephone contacts.
  • Physical monitoring—Recording employees’ movement, location, and behavior within the workplace, often using CCTV and drug and alcohol testing.

A good employer will make the procedures for workplace surveillance clear and unambiguous. To this end, a contract of employment or staff handbook should make clear the rules for employee conduct with regard to security, refreshment breaks, and use of equipment, and define prohibited actions and appropriate disciplinary procedures and punishments. Each employee should be given the opportunity to read these guidelines and the employer should confirm that the employee understands them.

Additionally, some thought needs to be given to guests and callers, where the issue of consent is even more ambiguous.

33
Q

policy violation

A

When a policy violation by an employee or contractor is detected, it is necessary to follow incident response procedures rather than act off the cuff. To formulate an appropriate response, you need to assess whether the violation was accidental or intentional and determine the severity of the violation. If the violation was accidental, there might be disciplinary action or simply a recommendation for re-training, depending on the seriousness of the violation. If it is suspected that the violation constituted a malicious insider threat, a forensic investigation to gather appropriate evidence might be required.

34
Q

adverse action

A

If any sort of disciplinary procedure is invoked, it is important to take the possibility of adverse action into consideration. Adverse action means that in disciplining or firing an employee, the employer is discriminating against them in some way. To preclude the possibility of an adverse action being invoked, the policy violation must be backed up by evidence, and it must be shown that the same policy applies equally to all employees.

35
Q

whistleblowers

A

The HR department is also likely to be the internal point-of-contact for whistleblowers. An organization’s best defense against internal fraud, collusion (where two or more people conspire to commit fraud), vandalism, or poor practice is the alertness of other employees. However, to maximize this resource, employees must be confident that they can report incidents in confidence without seriously impacting their own career prospects.

36
Q

Use the following techniques to troubleshoot specific personnel issues:

A
  • Personnel violate your organization’s policy and engage in unacceptable use of systems, data, and the network—Determine the actual policy item that was violated, and then (possibly in conjunction with HR) bring the violation to the person’s attention and suggest ways for the person to better comply with policy. To prevent recurrence, develop training programs to better inform personnel of policy and to foster a culture of cybersecurity.
  • Personnel use social media and personal email accounts in ways that bring risk to the organization—Remind the employee of the policy and inform them of how divulging too much information on social media can help attackers. As a technical control, you can implement data loss/leak prevention (DLP) solutions to prevent personnel from sending sensitive information to external users or websites.
  • Personnel fall victim to social engineering attacks and divulge sensitive information or give access to unauthorized users—Train users on how to spot social engineering attempts and mitigate their effects. Establish exactly what information and access each person may be able to inadvertently give to attackers. Uphold the principle of least privilege to minimize the effects of a successful social engineering attack.
  • Disgruntled or otherwise malicious personnel use their unique knowledge of the organization to exploit it for personal gain—Conduct an exit interview and thoroughly offboard the terminated employee. In the longer term, employ personnel management tasks like mandatory vacation and job rotation to reduce the amount of power any one individual holds. Regularly review and audit privileged users’ activities.

37
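The DLP control mentioned in the second item above is, at its core, content inspection of outbound traffic plus a policy decision. The following is an added example, not code from the original page or from any DLP product, of that decision for email: it flags payment card numbers (validated with the Luhn check so that order numbers and phone numbers are not reported), US-format SSNs and classification markings, and blocks the message only when at least one recipient is external. The internal domain, the markings and the sample messages are constructed for the example.

```python
"""Outbound content inspection of the kind a DLP mail gateway performs.

Added example, not from the original page.  INTERNAL_DOMAINS, the marking
words and SAMPLE_MESSAGES are constructed assumptions.
"""
import re

# Assumption: mail to any domain outside this set counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Content the policy forbids sending to external recipients.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")       # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")           # US SSN layout
MARKING_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn check-digit test; only digit runs that pass are reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_external(address):
    """True when the recipient's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_sensitive(text):
    """Return the sorted list of policy categories present in the text."""
    found = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.add("payment-card")
    if SSN_RE.search(text):
        found.add("ssn")
    if MARKING_RE.search(text):
        found.add("classification-marking")
    return sorted(found)


def check_outbound(sender, recipients, body):
    """Policy decision for one message: purely internal mail is not inspected;
    mail with any external recipient is blocked if sensitive content is found."""
    external = [r for r in recipients if is_external(r)]
    findings = find_sensitive(body) if external else []
    return {
        "sender": sender,
        "external_recipients": external,
        "findings": findings,
        "action": "block" if findings else "allow",
    }


# Constructed sample traffic: (sender, recipients, body).
SAMPLE_MESSAGES = [
    ("alice@example.com", ["buyer@partner.test"], "Card on file: 4111 1111 1111 1111 exp 09/27"),
    ("alice@example.com", ["bob@example.com"], "Card on file: 4111 1111 1111 1111 exp 09/27"),
    ("carol@example.com", ["ops@courier.test"], "Order ref 1234 5678 9012 3456 shipped today"),
    ("dave@example.com", ["me@webmail.test"], "INTERNAL ONLY: Q3 pricing sheet attached"),
]


def run_samples():
    """Decisions for SAMPLE_MESSAGES, in order."""
    return [check_outbound(*m)["action"] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for msg, action in zip(SAMPLE_MESSAGES, run_samples()):
        print(f"{action:5} to {msg[1]} findings={check_outbound(*msg)['findings']}")
```

The third sample message is the important one: a 16-digit order reference looks exactly like a card number to a naive regex, and a gateway that blocks it trains users to route around the control. The Luhn test is the cheap way to keep that false positive out; a real deployment would add per-policy exceptions and a quarantine path rather than a hard block.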
Q

Unlicensed software installs affect both availability and integrity:

A
  • Availability—The software vendor may suspend all licenses if the customer is found to be non-compliant.
  • Integrity—Here in the sense of the organization’s legal and reputational standing rather than data integrity: unlicensed software exposes an organization to large fines and penalties.

38
Q

Licensing agreements such as Master License Agreements (MLAs) can be complex and keeping track of usage requires investment in license management and auditing software. Some of the activities involved in ensuring compliance with license agreements include:

A
  • Identifying unlicensed and unauthorized software installed on clients, servers, and VMs. Ideally privilege management and change-controlled instances would prevent this from happening. Best intentions are not enough, however, so periodic inspections are required to ensure continued compliance. It is particularly important to audit field devices (laptops, smartphones, and tablets).
  • Identifying per-seat or per-user compliance with licensed software. The complex nature of client access type licensing means that many companies over-allocate seats compared to what their license agreement allows. There is also the complexity of managing software over multiple sites (and possibly also different countries) and remote devices.
  • Preparing for vendor audits—most license agreements specify that the vendor may undertake a software license compliance (SLC) audit. This means that the vendor or their nominated third party may access the customer’s systems to audit license usage.
  • Ensuring compliance with the terms of open source licensing. If open source code is reused (whether in commercial or in-house software), the product must be distributed in compliance with the terms of the original open source license.

39
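The first two activities above come down to comparing an inventory of what is actually installed against what the agreement grants. The following is an added example, not code from the original page or from any license management product, of that comparison. It counts seats as distinct users or distinct devices according to the license model rather than as raw install records, so a duplicate scan result or one person with two machines does not inflate a per-user count, and it lists anything installed that has no entitlement at all. The inventory, product names and entitlement terms are constructed.

```python
"""License compliance audit over a software inventory.

Added example, not from the original page.  INVENTORY, ENTITLEMENTS and the
two license models (per-user, per-device) are constructed assumptions.
"""
from collections import defaultdict

# Constructed inventory: one record per installation found by an endpoint scan.
INVENTORY = [
    {"host": "ws-01", "user": "alice", "product": "OfficeSuite"},
    {"host": "ws-02", "user": "bob",   "product": "OfficeSuite"},
    {"host": "ws-03", "user": "carol", "product": "OfficeSuite"},
    {"host": "lt-04", "user": "alice", "product": "OfficeSuite"},  # same user, second device
    {"host": "ws-01", "user": "alice", "product": "OfficeSuite"},  # duplicate scan record
    {"host": "ws-03", "user": "carol", "product": "CADTool"},
    {"host": "lt-07", "user": "dave",  "product": "CADTool"},
    {"host": "lt-07", "user": "dave",  "product": "TorrentClient"},  # no entitlement at all
]

# Constructed entitlements: what the agreement actually grants.
ENTITLEMENTS = {
    "OfficeSuite": {"model": "per-user", "seats": 2},
    "CADTool": {"model": "per-device", "seats": 2},
}


def audit(inventory, entitlements):
    """Return (report, unauthorized).

    report maps each licensed product to its seat usage; unauthorized is the
    list of inventory records for products with no entitlement.  Seats consumed
    are distinct users (per-user) or distinct hosts (per-device), never raw
    install counts."""
    usage = defaultdict(lambda: {"users": set(), "hosts": set(), "installs": 0})
    unauthorized = []
    for rec in inventory:
        product = rec["product"]
        if product not in entitlements:
            unauthorized.append(rec)
            continue
        u = usage[product]
        u["users"].add(rec["user"])
        u["hosts"].add(rec["host"])
        u["installs"] += 1

    report = {}
    for product, ent in entitlements.items():
        u = usage[product]
        consumed = len(u["users"]) if ent["model"] == "per-user" else len(u["hosts"])
        report[product] = {
            "model": ent["model"],
            "seats": ent["seats"],
            "consumed": consumed,
            "installs": u["installs"],
            "over_by": max(0, consumed - ent["seats"]),
            "compliant": consumed <= ent["seats"],
        }
    return report, unauthorized


if __name__ == "__main__":
    report, unauthorized = audit(INVENTORY, ENTITLEMENTS)
    for product, r in report.items():
        status = "OK" if r["compliant"] else f"OVER by {r['over_by']}"
        print(f"{product}: {r['consumed']}/{r['seats']} {r['model']} seats "
              f"({r['installs']} installs) {status}")
    for rec in unauthorized:
        print(f"unauthorized: {rec['product']} on {rec['host']} ({rec['user']})")
```

On the constructed data OfficeSuite shows five installs but three distinct users against two seats, which is the over-allocation the second bullet warns about; counting installs instead would have reported five and caused a needless purchase, while counting hosts under a per-user license would have hidden nothing here but would under-report when several people share a machine.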
Q

Untrained users

A

Another essential component of a secure system is effective user training. Untrained users represent a serious vulnerability because they are susceptible to social engineering and malware attacks and may be careless when handling sensitive or confidential data.

A security system cannot be too inflexible or users will complain or adopt insecure behavior. For example, when users have too many passwords to remember, they often start recycling them; also, when users are presented with numerous security warnings, they start to click through without really thinking about what they are doing. It is much better to educate users about security risks and to monitor behavior, to ensure that users are following best practices. This needs to be backed up by a strong disciplinary procedure to sanction users who continue to act carelessly.

Training might be the responsibility of HR or of a dedicated training department. Training methods include facilitated workshops, one-on-one instruction and mentoring, plus resources such as online training, books, and newsletters.

40
Q

Appropriate security awareness training needs to be delivered to employees at all levels, including end users, technical staff, and executives. NIST has created a guide to designing security awareness programs, published as SP 800-50 (https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf). Some of the general topics that need to be covered include the following:

A
  • Overview of the organization’s security policies and the penalties for non-compliance.
  • Incident identification and reporting procedures.
  • Site security procedures, restrictions, and advice, including safety drills, escorting guests, use of secure areas, and use of personal devices.
  • Data handling, including document confidentiality, PII, backup, encryption, and so on.
  • Password and account management plus security features of PCs and mobile devices.
  • Awareness of social engineering and malware threats, including phishing, website exploits, and spam plus alerting methods for new threats.
  • Secure use of software such as browsers and email clients plus appropriate use of Internet access, including social networking sites.

It is necessary to frame security training in language that end users will respond to. Education should focus on responsibilities and threats that are relevant to users. It is necessary to educate users about new or emerging threats (such as viruses and Trojans, phishing scams, or zero-day exploits in software, such as browser plug-ins), but this needs to be stated in language that users understand.

For example, if you try to warn users about “the threat of Trojan Horse software being used to install rootkits that can launch DoS attacks,” their response will typically be to fall asleep, laugh, or stare at you blankly. Instead, user education should be phrased in terms that are relevant to what they do day-to-day at work and avoid technical language and jargon. For example, “Don’t try to disable anti-virus software and don’t open email file attachments if you are not sure what they contain.”

Similarly, when security alerts are issued, these must be drafted carefully so as not to cause confusion or alarm. It is important to only issue alerts for critical incidents or risks. If users are faced with a continual series of alerts, they will start to ignore them.

41
Q

Continuing education

A

Continuing education programs ensure that the participants do not treat a single training course or certificate as a sort of final accomplishment. Skills and knowledge must be continually updated to cope with changes to technology and regulatory practices. Continuing education programs often use the concept of credits to show that a participant has maintained and advanced their understanding of the topic area. Credits can be earned for work-related activities, participating in seminars or other industry events, and completing additional courses or certifications.

42
Q

role-based training

A

There should also be a system for identifying staff performing security-sensitive roles and grading the level of training and education required (between beginner, intermediate, and advanced, for instance). Note that in defining such training programs you need to focus on job roles, rather than job titles, as employees may perform different roles and have different security training, education, or awareness requirements in each role.

Advanced security training will be required for roles such as IT and networking, management, software development, and accounts. Some of the specific training requirements of security-focused job roles are as follows:

  • System owner—This role is responsible for designing and planning computer, network, and database systems. The role requires expert knowledge of IT security and network design.
  • Data owner—As described earlier, data owner is a role with overall responsibility for data guardianship (possibly in conjunction with data stewards). Training for this role will focus on compliance issues and data classification systems.
  • System administrator/data custodian—The day-to-day sysadmin role requires technical understanding of access controls and privilege management systems.
  • Standard users—As well as security awareness training, ordinary users might require training on product- or sector-specific issues.
  • Privileged users—Employees with access to privileged data should be given extra training on data management and PII plus any relevant regulatory or compliance frameworks.
  • Executive users—Good security awareness is essential as these users are likely to be specifically targeted (whale phishing and spear phishing). Executive users will also require training on compliance and regulatory issues and may need a good understanding of technical controls, secure system architecture and design, and secure supply chain management depending on the business function they represent.

43
Q

Follow these guidelines for incorporating documentation in your operational security:

A
  • Ensure that you have an overarching security policy that is driven by your organization’s business and security needs.
  • Ensure that the security policy adequately describes the goals and requirements for the organization’s security operations.
  • Consider how various business agreements can facilitate interoperability with other organizations.
  • Consider creating supplementary policies based on specific type, like AUPs and password policies.
  • Incorporate personnel management tasks in your security policies.
  • Consider separating duties among different personnel.
  • Consider mandating that personnel rotate their job responsibilities every so often.
  • Consider mandating vacations for all employees for at least a full week every year.
  • Consider implementing additional personnel management tasks like background checks and signing NDAs.
  • Implement a cybersecurity training program for all personnel.
  • Ensure that the training personnel receive is ongoing.
  • Consider training personnel differently based on the roles they fulfill in the organization.