Policies and Best Practices Flashcards
Privileged user agreement
• Network/system administrators have access to almost
everything
• With great power comes great responsibility
- Expectations
- Use other non-privileged methods when appropriate
- Limitations
- Use privileged access only for assigned job duties
- Signed agreement
- Everyone understands the policies
Password policies
• Written policy
• All passwords should expire every 30 days, 60 days,
90 days, etc.
- Critical systems might change more frequently
- Every 15 days or every week
- The recovery process should not be trivial!
- Some organizations have a very formal process
On-boarding
- Bring a new person into the organization
- New hires or transfers
• IT agreements need to be signed
• May be part of the employee handbook or a
separate AUP
• Create accounts
• Associate the user with the proper groups and
departments
- Provide required IT hardware
- Laptops, tablets, etc.
- Preconfigured and ready to go
Off-boarding
- All good things…
- But you knew this day would come
• This process should be pre-planned
• You don’t want to decide how to do things at this
point
- What happens to the hardware and the data?
- Account information is usually deactivated
- But not always deleted
Licensing restrictions
• So many licenses
• Operating systems, applications, hardware
appliances
• And they all use different methods to apply the
license
- Availability
- Everything works great when the license is valid
- Meeting the expiration date may cause problems
- Application may stop working completely
• Integrity
• Data and applications must be accurate and
complete
• A missing/bad license may cause problems with
data integrity
International export controls
- Equipment, information, data
- Country-specific laws controlling export
- Not only shipment of physical items
- Includes the transfer of software or information
- Protect PII
- Dual-use software can be controlled
- Dual-use for both civilian and military use
- Security software, malware, hacking tools
• Check with legal team - don’t ship unless you’re sure
Data Loss Prevention (DLP)
• Where’s your data?
• Social Security numbers, credit card numbers,
medical records
- Detailed policies needed to define what is allowed
- How is sensitive data transferred?
- Is the data encrypted? How?
- DLP solutions can watch and alert on policy violations
- Often requires multiple solutions in different places
Remote access policies
- Easy to control internal communication
- More difficult when people leave the building
- Policy for everyone
- Including third-party access
• Specific technical requirements
• Encrypted connection, confidential credentials,
use of network, hardware and software requirements
Security incidents
• User clicks an email attachment and executes
malware
• Malware then communicates with external servers
- DDoS
- Botnet attack
- Confidential information is stolen
- Thief wants money or it goes public
• User installs peer-to-peer software and allows
external access to internal servers
Incident response policies
- How is an incident identified?
- Automated monitoring, personal account
- How is the incident categorized?
- Email issue, brute force attack, DDoS, etc.
- Who responds to an incident?
- Large list of predefined contacts
• What process is followed?
• Formal process needs to be created prior to the
incident
BYOD
• Bring Your Own Device or Bring Your Own
Technology
• Employee owns the device
• Need to meet the company’s requirements
• Difficult to secure
• It’s both a home device and a work device
• How is data protected?
• What happens to the data when a device is sold or
traded in?
Acceptable use policies (AUP)
- What is acceptable use of company assets?
- Detailed documentation
- May be documented in the Rules of Behavior
• Covers many topics
• Internet use, telephones, computers, mobile
devices, etc.
• Used by an organization to limit legal liability
• If someone is dismissed, these are the well-
documented reasons why
Non-disclosure agreement
• NDA (Non-disclosure agreement)
• Confidentiality agreement / Legal contract
• Prevents the use and dissemination of confidential
information
• Internal
• Protect the organization’s private and confidential
information
• Part of employee security policies
• External
• Two parties can’t disclose private information or
company secrets about the other party
System life cycle
- Managing asset disposal
- Desktops, laptops, tablets, mobile devices
- Disposal becomes a legal issue
- Some information must not be destroyed
- Consider offsite storage
- You don’t want critical information in the trash
- People really do dumpster dive
- Recycling can be a security concern
Physical destruction
- Shredder / pulverizer
- Heavy machinery - complete destruction
- Drill / Hammer
- Quick and easy - platters, all the way through
- Electromagnetic (degaussing)
- Remove the magnetic field
- Destroys the drive data and the electronics
• Incineration
