Policies and Best Practices Flashcards

1
Q

Privileged user agreement

A

  • Network/system administrators have access to almost everything
    • With great power comes great responsibility
  • Expectations
    • Use other non-privileged methods when appropriate
      • Work from a standard account day to day; elevate only when the task requires it
  • Limitations
    • Use privileged access only for assigned job duties
  • Signed agreement
    • Everyone understands the policies and has acknowledged them in writing
2
Q

Password policies

A

  • Written policy
  • Passwords expire on a defined schedule
    • Every 30 days, 60 days, 90 days, etc.
    • Critical systems might change more frequently
      • Every 15 days or every week
    • Caveat: NIST SP 800-63B recommends against forced periodic rotation unless there is evidence of compromise; many organizations still mandate it for compliance reasons
  • The recovery (reset) process should not be trivial!
    • Some organizations have a very formal process
    • A weak reset flow (e.g., a help desk resetting a password for an unverified caller) is a common attack path
3
Q

On-boarding

A
  • Bring a new person into the organization
    • New hires or transfers
  • IT agreements need to be signed
    • May be part of the employee handbook or a separate AUP
  • Create accounts
    • Associate the user with the proper groups and departments
    • Grant only the access the role requires (least privilege)
  • Provide required IT hardware
    • Laptops, tablets, etc.
    • Preconfigured and ready to go
4
Q

Off-boarding

A
  • All good things…
    • But you knew this day would come
  • This process should be pre-planned
    • You don’t want to decide how to do things at this point
  • What happens to the hardware and the data?
  • Account information is usually deactivated
    • But not always deleted
    • Disabling rather than deleting preserves the user’s data and the audit trail
    • Credentials, keys, tokens and remote access should be revoked promptly
5
Q

Licensing restrictions

A

  • So many licenses
    • Operating systems, applications, hardware appliances
    • And they all use different methods to apply the license
  • Availability
    • Everything works great when the license is valid
    • Reaching the expiration date may cause problems
    • Application may stop working completely
  • Integrity
    • Data and applications must be accurate and complete
    • A missing/bad license may cause problems with data integrity (for example, a feature that stops saving or processing data)

6
Q

International export controls

A
  • Equipment, information, data
    • Country-specific laws controlling export
  • Not only shipment of physical items
    • Includes the transfer of software or information
    • Cross-border transfer of PII may also be restricted by data-protection laws
  • Dual-use software can be controlled
    • Dual-use: both civilian and military use
    • Security software, malware, hacking tools
  • Check with the legal team - don’t ship unless you’re sure

7
Q

Data Loss Prevention (DLP)

A

  • Where’s your data?
    • Social Security numbers, credit card numbers, medical records
  • Detailed policies needed to define what is allowed
    • How is sensitive data transferred?
    • Is the data encrypted? How?
  • DLP solutions can watch and alert on policy violations
    • Often requires multiple solutions in different places (endpoint, network/email gateway, cloud storage)
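As an added example (not part of the original flashcards, and not any vendor’s product code), the core content-inspection check a DLP filter performs on outbound text: find SSN-shaped values and payment card numbers, confirm card candidates with the Luhn checksum to cut false positives, and report only masked values so the alert itself does not leak the data. The five sample messages are constructed for the example; a real deployment would add document fingerprinting, keyword dictionaries and context rules on top of pattern matching.

```python
"""Content-inspection check in the spirit of a DLP filter (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample outbound messages (not real data); line numbers start at 1.
SAMPLE_MESSAGES = "\n".join([
    "Hi, my SSN is 123-45-6789, please update my file.",
    "Order total $45.00, card 4111 1111 1111 1111 exp 12/27",
    "Ticket 1234-56-7890 references nothing sensitive",
    "Phone 4111-1111-1111-1112 is not a valid card",
    "Quarterly report attached, nothing to see here.",
])

# SSN: AAA-GG-SSSS where the area is not 000, 666 or 9xx, the group is not 00
# and the serial is not 0000 (values the SSA never issues).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line in the scanned text
    kind: str      # "ssn" or "card"
    masked: str    # all but the last four digits masked, safe to put in an alert


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: weeds out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per policy violation; never returns the raw sensitive value."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(lineno, "ssn", mask(m.group().replace("-", ""))))
        for m in CARD_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits):             # drop Luhn failures (line 4 of the sample)
                findings.append(Finding(lineno, "card", mask(digits)))
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_MESSAGES):
        print(f"ALERT line {f.line}: {f.kind} detected ({f.masked})")
```

Running it flags the SSN on line 1 and the card on line 2 only; the SSN-lookalike ticket number on line 3 fails the format rules and the card-shaped phone number on line 4 fails Luhn, which is exactly the false-positive pressure that makes DLP tuning a policy exercise rather than a one-off regex.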
8
Q

Remote access policies

A
  • Easy to control internal communication
    • More difficult when people leave the building
  • Policy for everyone
    • Including third-party access
  • Specific technical requirements
    • Encrypted connection (e.g., VPN), credentials that are never shared, which network resources may be reached, and minimum hardware and software requirements (patch level, endpoint protection)

9
Q

Security incidents

A

  • User clicks an email attachment and executes malware
    • Malware then communicates with external servers
  • DDoS
    • Botnet attack
  • Confidential information is stolen
    • Thief wants money or it goes public
  • User installs peer-to-peer software and allows external access to internal servers

10
Q

Incident response policies

A
  • How is an incident identified?
    • Automated monitoring, or a personal account (a report from a user or administrator)
  • How is the incident categorized?
    • Email issue, brute force attack, DDoS, etc.
  • Who responds to an incident?
    • Large list of predefined contacts
  • What process is followed?
    • Formal process needs to be created prior to the incident

11
Q

BYOD

A

  • Bring Your Own Device or Bring Your Own Technology
    • Employee owns the device
    • Need to meet the company’s requirements
  • Difficult to secure
    • It’s both a home device and a work device
    • How is data protected?
    • What happens to the data when a device is sold or traded in?

12
Q

Acceptable use policies (AUP)

A
  • What is acceptable use of company assets?
    • Detailed documentation
    • May be documented in the Rules of Behavior
  • Covers many topics
    • Internet use, telephones, computers, mobile devices, etc.
  • Used by an organization to limit legal liability
    • If someone is dismissed, these are the well-documented reasons why

13
Q

Non-disclosure agreement

A

  • NDA (Non-disclosure agreement)
    • Confidentiality agreement / legal contract
    • Prevents the use and dissemination of confidential information
  • Internal
    • Protect the organization’s private and confidential information
    • Part of employee security policies
  • External
    • Two parties can’t disclose private information or company secrets about the other party

14
Q

System life cycle

A
  • Managing asset disposal
    • Desktops, laptops, tablets, mobile devices
  • Disposal becomes a legal issue
    • Some information must not be destroyed (retention requirements, legal hold)
    • Consider offsite storage
  • You don’t want critical information in the trash
    • People really do dumpster dive
    • Recycling can be a security concern
15
Q

Physical destruction

A
  • Shredder / pulverizer
    • Heavy machinery - complete destruction
  • Drill / Hammer
    • Quick and easy - through the platters, all the way through
    • Not complete: data on the untouched areas of the platters can still be recovered with effort
  • Electromagnetic (degaussing)
    • Removes the magnetic field
    • Destroys the drive data and the electronics
    • Only works on magnetic media; SSDs and other flash storage are unaffected and must be shredded or cryptographically erased instead
  • Incineration

16
Q

Safety procedures and policies

A
  • Equipment safety
    • Electrical safety policies
  • Personal safety
    • Jewelry policy, lifting techniques, fire safety, cable management, safety goggles, etc.
  • Handling of toxic waste
    • Batteries, toner
    • Refer to the MSDS (Material Safety Data Sheet), now usually called the SDS (Safety Data Sheet)
  • Local government regulations
    • Safety laws, building codes, environmental regulations