CompTIA Security+ SY0-601 – 5.3 Policies to organizational security

April 3, 2023

1. Personnel Controls

In this video, I’m going to be going over the worst thing that has ever happened to IT security people. Yes, humans. No-good humans. They circumvent all of our security. Maybe if there were no humans, there wouldn’t be a need for IT security. Then again, there wouldn’t be a need for this classroom. I wouldn’t even exist. Okay, so we’re stuck with humans. Let’s put some controls on them. So what I’ve done in this section, which is called personnel or human controls, is basically break it down into four main sets of controls. We have access and audit controls, we have policy controls, hiring and firing controls, and user training. So let’s go through these here pretty quickly.

First, access and audit controls: job rotation, mandatory vacation, separation of duties, and the principle of least privilege. Let’s take a look at these. Job rotation and mandatory vacation. When working in an environment, job rotation is a great thing to do. Job rotation has people moving from one job role to another. This does two things. Number one, it removes a single point of failure. Way too often our companies are stuck with one person, and only that person, because only that person knows the system. So if we change up roles and different people are doing different things, people learn different things, removing that single point of failure.

Now it isn’t dependent just on Bob to do that task; now Mary could do it too. So it removes that single point of failure, creating redundant knowledge. The other great security thing here is that it’s going to help you detect fraud. If you know that someone’s going to come and do your job, it helps to detect and prevent fraud. The other one here is mandatory vacation. Certain financial institutions, like banks, for example, make it mandatory that their employees go on vacation for about one to two weeks. Now remember, what you have to do is disable their access when they’re gone. Generally, that means somebody comes and does their job.

Similar to job rotation, where somebody is going to come and do your job, you’re less likely to take risks or commit fraud if you know someone is going to come and check your work. So this is a good way of preventing and detecting fraud. Now the other things I mentioned are separation of duties and the principle of least privilege. Separation of duties happens when you break up tasks. You have one guy in the accounting department: he writes the check, he prints the check, and he can sign the check. So this guy can basically write checks to himself. And who’s going to check that he stole money from the company? This is not good.

Separation of duties. They say absolute power corrupts absolutely. Let me ask you a question. If you could commit a crime and you were 100% sure you would not get caught, would you do it? I hope not. But then again, maybe you would. I hope not. Well, let’s just say I hope you don’t. But some people might get tempted if they know, hey, I can’t get caught if I steal this money. So what we need to do is break up the duties among people. Maybe we have one guy writing the check and one guy reconciling the bank accounts. So in separation of duties you’re basically breaking up the task.

Now there is a way to circumvent separation of duties. Separation is a great control, but there’s a way around it if people collude; collusion is when they work together to break separation of duties. But separation of duties is a whole lot better than having one person do all the tasks. The next one mentioned there is called the principle of least privilege. Basically, people should only have the minimum amount of access in the network. If they only need a user account and they only need read access to that, they don’t need an administrator account. In the world of security, the more restrictive setting applies. So for me to do my job, I only need a normal user account, I only need access to these two applications, and I only need read access to that folder, write access to that folder, and write and delete on that folder.
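The two controls just described, separation of duties and least privilege, are usually audited against an entitlement listing. Below is an added example (not from the course) that checks each user’s entitlements against a set of toxic combinations (the check-writer who can also sign checks) and against what their job role actually needs. The toxic pairs, role definitions, and users are constructed sample data.

```python
"""Added example (not from the course): auditing user entitlements for
separation-of-duties conflicts and least-privilege violations.

TOXIC_PAIRS, ROLE_NEEDS and SAMPLE_USERS are constructed sample data."""

# Constructed: pairs of entitlements one person must never hold together
TOXIC_PAIRS = {
    frozenset({"write_check", "sign_check"}),
    frozenset({"write_check", "reconcile_bank"}),
    frozenset({"create_vendor", "approve_payment"}),
}

# Constructed: the minimum entitlements each job role actually needs
ROLE_NEEDS = {
    "ap_clerk": {"write_check", "print_check"},
    "controller": {"sign_check", "approve_payment"},
    "accountant": {"reconcile_bank"},
}


def sod_conflicts(entitlements):
    """Return the toxic pairs fully contained in one person's entitlement set."""
    held = set(entitlements)
    return sorted(tuple(sorted(pair)) for pair in TOXIC_PAIRS if pair <= held)


def excess_privileges(role, entitlements):
    """Return entitlements held beyond what the role needs (least privilege)."""
    return sorted(set(entitlements) - ROLE_NEEDS.get(role, set()))


def audit(users):
    """users: {name: (role, entitlements)} -> {name: {"sod": [...], "excess": [...]}}

    Only users with at least one finding appear in the result."""
    findings = {}
    for name, (role, ents) in users.items():
        sod = sod_conflicts(ents)
        excess = excess_privileges(role, ents)
        if sod or excess:
            findings[name] = {"sod": sod, "excess": excess}
    return findings


# Constructed sample: Bob accumulated rights over the years, Alice was given
# vendor creation on top of payment approval, Mary holds only what she needs.
SAMPLE_USERS = {
    "bob": ("ap_clerk", {"write_check", "print_check", "sign_check", "domain_admin"}),
    "mary": ("accountant", {"reconcile_bank"}),
    "alice": ("controller", {"sign_check", "approve_payment", "create_vendor"}),
}

if __name__ == "__main__":
    for who, finding in audit(SAMPLE_USERS).items():
        print(who, finding)
```

The two checks are deliberately separate: a user can pass least privilege (every right is on their role’s list) and still fail separation of duties if the role itself was defined with a toxic combination, which is the case the collusion discussion above is about.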

So you’ve got to minimize the amount of access you’re giving people. You don’t want people with admin privileges running around the network. That in itself is bad security. Okay, so let’s take a look at some policies here. There are two things I’m going to mention here: what is known as the acceptable use policy and the clean desk policy. So acceptable use: what are we going to use on a network? And keep your desk clean. Let’s explain these. An acceptable use policy is the policy an organization has telling you what’s acceptable to be done on their systems. This is not just a legal document; it’s also a document that tells you that when using the company’s equipment, you shouldn’t be checking personal emails, you shouldn’t be doing your personal work.

You can only use it to conduct company business. An acceptable use policy can apply to your desktop, to your laptop, and to your phone. The other one is called clean desk. Let me check under this keyboard here. You know what my password is there? Yeah, I put my password under my keyboard. Now in businesses today, it’s not uncommon to find people with a desk full of passwords, or people storing their passwords under the keyboard. God, they put it on the monitor; I’ve seen a sticky note, boom, right on the monitor with bank and password. Remember, I’m an auditor, right? Pen tester. I’ve seen that. A clean desk policy basically means that you cannot have confidential data on your desk at any point. And there’s a policy that deals with this.

So it’s put in, it’s enforced, and auditors and administrators will check under your keyboard and on top of your desk for confidential information. The other thing we want to talk about is background checks. Background checks are important to see if people are lying on their resume. That happens more often than you can imagine: lying on their resume, people not being truthful to the employer. Background checks are critical. Certain types of jobs will require you to go through a background check and obtain a security clearance. Now, I’ll tell you guys an interesting thing. You guys know I’m an author. I’ve written a lot of books. I do a lot of speaking engagements, especially for security and project management. And when I speak to security managers, I tell them something.

I tell them the most important trait that I look for in security personnel is not the tech skill. I can teach you the tech skill; you can take a course to figure out how to configure a firewall in a few hours. What I can’t teach you, what you must bring, what must come from your heart, from yourself, is integrity, right? So integrity is what I want the most, because remember, as security people, we’re going to be given permission, permission to the most sensitive data in that organization. We need to have the integrity not to give it away. I can’t give away my company’s data. And integrity is not just something you can train someone for. I believe that it comes from something they learn when very small and grow up with.

Now, can they learn it at an older age? Probably yes. But lying on your background is a way of checking that. Lying on your resume, claiming you have certifications you don’t have, claiming you have a clearance that you don’t have. This is important to check. Another thing organizations make you sign, and almost all do, is an NDA. NDAs are common documents that basically say, hey, you can’t do this, you can’t share this, you can’t give away this information. A lot of companies have their secrets, their processes, the way they create products. They make you sign an NDA. If you were to release this information, you could be put in jail. You could even be sued and lose a lot of money. The other thing here we have is social media analysis.

Now, this is a newer thing, new to this exam objective. Social media analysis is something that more and more organizations are doing. They’re doing it to see if the people they’re hiring, if their goals or their beliefs line up with the company’s mission; maybe that person believes we should do B, and the company believes we should do A. And maybe they’re checking things they couldn’t otherwise see. Some companies may be looking at this to even check your integrity. For example, let’s say you were working at company A, and then you went to Facebook and you posted that company A is doing these processes all wrong. Then you go to a new company. You apply to company B, company B checks, and they say this guy was giving away company A’s information.

His integrity is no good. He’s breaking their NDA. We don’t want him. Maybe you guys do this already. I know a lot of people that do this. People have two different social media accounts. People have the business social media account, and then they have their own, where they do whatever they like and voice whatever opinion they want, social media accounts that are not linked to their name. So a lot of people do that. Me personally, if you’re asking, do I do that: I don’t really use social media, almost none of it, except my LinkedIn, which I do use. I want you guys to follow me on LinkedIn. I don’t use Facebook. My Facebook is a TIA logo. I don’t use Twitter or anything like that. I really don’t go on it. LinkedIn is what I use to connect to my students.

Once in a while, I put a post there and maybe put a video on YouTube or something. As far as I go, really, I try to stay off my phone and computers when I’m not teaching or writing a book or something. Yeah, let’s all get off our phones. Anyhow, moving on, let’s talk about firing and hiring controls. Notice the terms: it’s called onboarding and offboarding. So onboarding is when you hire someone and you, quote unquote, train them, right? So when you hire someone, they’re going to sign the policies. They’re going to learn the organizational procedures. They’re going to sign a whole, well, they’re going to sign their life away. They’ve got to sign the clean desk policy. They’ve got to sign the overall company security policies that the company may have. Many different policies are going to be there.

Onboarding is when you teach them, when you show them the different policies. Offboarding is when you fire them. Offboarding is when you let go of them. For your exam, remember this: the first thing you must do when you fire someone is to disable their access before you tell people they are terminated. Here’s what you’re going to do. You’re going to disable their account. So here’s a quick thing. If you ever go into an organization in today’s world of work, you walk in, you sit in front of your desk, and you try to log in. It says, account disabled. Yeah, you’ve probably been canned.

It means the information security desk has probably disabled your account because your boss is about to fire you. This is a common thing. So here are the steps. You disable the account. You bring the person into the office. You do an offboarding interview, an exit interview. You remind them of the NDAs they signed. You remind them what should and should not be released, and if they signed certain types of policies and employment contracts, those need to be updated. You also have to collect the company assets: company-owned laptops, phones, badges, IDs, and so on. And then you have to alert people in the organization that these people left. You have to tell the security guard so they can’t come back into the building.
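The offboarding steps above only work if the account really was disabled, so auditors reconcile the HR termination list against a directory export. The following is an added example (not from the course) of that reconciliation; it flags terminated users whose account is still enabled, whose account was used after the termination date, or who cannot be found in the directory at all. Both the HR feed and the directory export are constructed sample data, and the field names are assumptions for this example.

```python
"""Added example (not from the course): reconciling an HR termination list
against a directory export to find offboarding gaps.

HR_TERMINATIONS and DIRECTORY are constructed sample data; the field names
(user, terminated, enabled, last_logon) are assumptions for this example."""
from datetime import datetime

# Constructed HR feed: who was terminated and on which date
HR_TERMINATIONS = [
    {"user": "bob", "terminated": "2023-03-01"},
    {"user": "carol", "terminated": "2023-03-15"},
    {"user": "dave", "terminated": "2023-03-20"},
    {"user": "erin", "terminated": "2023-03-25"},
]

# Constructed directory export: account state and last interactive logon
DIRECTORY = [
    {"user": "bob", "enabled": True, "last_logon": "2023-03-03"},    # never disabled, used after leaving
    {"user": "carol", "enabled": False, "last_logon": "2023-03-14"},  # offboarded correctly
    {"user": "dave", "enabled": False, "last_logon": "2023-03-21"},   # disabled late: logon after termination
    {"user": "mary", "enabled": True, "last_logon": "2023-03-28"},    # still employed, not in HR list
]


def _day(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def offboarding_gaps(terminations, directory):
    """Return {user: [issues]} for terminated users whose access was not cut off cleanly.

    still_enabled      the account was never disabled
    logon_after_term   the account was used after the termination date
    missing_from_dir   HR says terminated but no account was found, so nothing can be verified
    """
    by_user = {acct["user"]: acct for acct in directory}
    gaps = {}
    for term in terminations:
        issues = []
        acct = by_user.get(term["user"])
        if acct is None:
            issues.append("missing_from_dir")
        else:
            if acct["enabled"]:
                issues.append("still_enabled")
            if acct["last_logon"] and _day(acct["last_logon"]) > _day(term["terminated"]):
                issues.append("logon_after_term")
        if issues:
            gaps[term["user"]] = issues
    return gaps


if __name__ == "__main__":
    for user, issues in offboarding_gaps(HR_TERMINATIONS, DIRECTORY).items():
        print(user, issues)
```

A logon after the termination date is reported even when the account is disabled now, because it shows the "disable first" step was done late; that is the finding an exit-process review cares about.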

You have to tell Mary, hey, don’t let Bob back in; we fired him, basically. Okay? And finally, I want to talk about user training. Yes, guys, listen, tell Bob not to click on the link. Without a doubt, user training is one of the best ways to prevent security breaches. Most viruses, most ransomware, come through email. So we’re going to have a few things. All right, number one, we’re going to skip down here. We’re going to go to phishing campaigns and phishing simulations. This is done by the red team. The red team may send out phishing emails, simulations, where they can go through and see what happens when users click on links. This will really test if your user training is working.

So user training is basically putting them through a series of classes where they’re going to learn: this is how you detect phishing emails, this is how you can see if this person is trying to hack you. And trust me, these phishing emails are getting more complex. We need to teach our users this. If not, you could be faced with some kind of CryptoLocker on your machine. When doing the user training, you can try to gamify it, turn it into video games. People like video games, right? Make it fun, make it interactive, make it somewhat competitive. A lot of times, user training is done on the computer by themselves, and it’s probably some boring video, somebody’s talking, and then they have to answer some questions.

But if we make it interactive, make it like a game, with nice screens and exercises, they’re going to learn much more. Now there’s a lot of software out there that does this phishing training for you. The other thing you can do is break them up into teams and have them compete with each other. Capture the flag is done in a user training scenario where you break them up into teams and then they compete in different scenarios, such as programming scenarios and network security scenarios, and you see how well the teams do. Capture the flag is basically like a sporting event, except it’s user training in cybersecurity. Okay guys, in this video we talked a lot; we went through a lot of good stuff on managing people here.

Please review this video again and make some notes on it. We talked about job rotation, mandatory vacation, separation of duties, and least privilege. Those are normal security controls. Then, of course, those policies: things like acceptable use, clean desk, NDA, social media analysis. Don’t forget, onboarding means to hire them and train them; offboarding means to fire them. Don’t forget: disable the account, give them that exit interview, collect all company assets, and inform everyone. And don’t forget, one of the most important security controls we can ever implement to secure our network is to train our users.

2. Third-party risk management

In this video, I’m going to be talking about third-party risk management concepts. Now, in every single organization out there, you’re going to be working with a variety of different third parties. You’re going to be working with vendors such as Microsoft, Dell, Cisco, Juniper Networks if you manage those types of routers, your firewall vendors, your MDM software vendors, tons of partnerships, your Internet provider; your organization will deal with a lot of third parties. And there are some considerations and things to know when managing third parties. Take a look. So the first thing up is, yes, we will deal with a lot of vendors. Lots of vendors are going to be who we manage. Now, some of these vendors may have big supply chains, and we talked about supply chain risk in earlier videos, but you’ve got to understand the supply chain, especially how, say, Dell would make equipment.

They would have to get hard drives and RAM sticks from other providers, and then they’d have to fabricate the systems and so on. So there’s a lot of supply chain risk; refer to those videos on it. But you’re going to have a lot of different business partners. And setting up business partners, having a stake in different businesses, and managing the relationship brings me to some different agreements that you may have. So one of them is called an SLA. Now, this is the most famous one when it comes to us IT folks. Us IT folks like to use SLAs. SLA, the service level agreement, basically outlines the level of service that the service will be at. Now, this is famous for things like web hosting, internet lines, telephone systems.

So for example, you get a web server, and the web host will promise us 99.99% uptime. This is the SLA basically saying that our web server will stay up this much. So within a given year, 99.99% of the time, the server will be up. You also have places where they won’t just tell you a percentage: you may have hired a help desk company, and they say, well, you get a call back within ten minutes; you can buy an SLA from Dell that you’ll get hardware replacement within 24 hours. This is outlined in the service level agreement. This is a contract. This is a document of itself that outlines these things that the organization signed for. So for example, your organization goes out and gets an Internet line that has an SLA of 90%.

Well, that’s no good. It means 10% of the year you have no internet. For your organization, that’s not acceptable. You may want 99.99% uptime. The higher that SLA, generally the more expensive that service, because the vendor has to do more to ensure that it stays up. Now, a memorandum of understanding: MOUs are basically non-legally-binding documents. What this does is it’s an agreement between two organizations to understand how work is done. So I can have an MOU with an organization that we’re going to partner together and work on a particular project, maybe designing software, or maybe working to secure a large company’s systems.
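The SLA percentages discussed above (90% versus 99.99%) are easier to reason about once converted into an allowed-downtime budget and compared with what actually happened. Here is an added example (not from the course) that does both: it turns an uptime percentage into minutes of permitted downtime per year and checks an outage log against the SLA. The outage records are constructed sample data.

```python
"""Added example (not from the course): converting an SLA uptime percentage
into a downtime budget and checking measured availability against it.

SAMPLE_OUTAGES is constructed sample data."""
from datetime import datetime

MINUTES_PER_YEAR = 365 * 24 * 60  # 525600, ignoring leap years
_FMT = "%Y-%m-%d %H:%M"


def downtime_budget_minutes(sla_percent, period_minutes=MINUTES_PER_YEAR):
    """Allowed downtime for a given uptime SLA over a period (default: one year)."""
    return period_minutes * (100.0 - sla_percent) / 100.0


def measured_availability(outages, period_minutes=MINUTES_PER_YEAR):
    """Return (uptime_percent, total_downtime_minutes) from (start, end) outage pairs."""
    down = 0.0
    for start, end in outages:
        delta = datetime.strptime(end, _FMT) - datetime.strptime(start, _FMT)
        if delta.total_seconds() < 0:
            raise ValueError(f"outage ends before it starts: {start} -> {end}")
        down += delta.total_seconds() / 60.0
    uptime = 100.0 * (period_minutes - down) / period_minutes
    return uptime, down


def sla_met(sla_percent, outages, period_minutes=MINUTES_PER_YEAR):
    """True if the measured uptime over the period meets or beats the SLA."""
    uptime, _ = measured_availability(outages, period_minutes)
    return uptime >= sla_percent


# Constructed: two outages on a hosted web server over one year
SAMPLE_OUTAGES = [
    ("2023-02-10 03:00", "2023-02-10 03:40"),  # 40 minutes
    ("2023-07-22 14:05", "2023-07-22 14:35"),  # 30 minutes
]

if __name__ == "__main__":
    for sla in (90.0, 99.0, 99.9, 99.99):
        budget = downtime_budget_minutes(sla)
        print(f"{sla:6.2f}% uptime allows {budget / 60:9.2f} hours/year; "
              f"met with sample outages: {sla_met(sla, SAMPLE_OUTAGES)}")
```

The numbers explain the cost curve the instructor mentions: 90% tolerates over 36 days of downtime a year, while 99.99% leaves under an hour, so the 70 minutes of sample outages pass a 99.9% SLA but breach a 99.99% one.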

MOUs are just an understanding between two businesses in order to get some kind of work done, and they’re generally non-legally binding. The other one we have is a measurement systems analysis. Measurement systems analysis is going through systems and coming up with measurements to see how the system is performing. This is generally done in quality metrics and quality measurements. When I teach my project management class and my Six Sigma classes, I go over this with them: this is how you analyze a process, this is how you define the process, this is how you measure the process. Because when you’re trying to make quality products, you’ve got to make sure that they’re defect-free. So you’ve got to have metrics set up and measure the systems to see how to meet those particular metrics.

The other one you have here is going to be a business partnership agreement. Now, the business partnership agreement is generally a legal document that outlines partnerships between businesses, like ownership stakes in each other, what type of relationship they’re going to have, and who’s going to be doing what particular work. Think of it as me and you starting a business, and we have a partnership agreement between us. This outlines my job. That outlines your job. I own 50%, you own 50%, and this also covers how we come together to get work done. Now, other things to think about: end of life and end of service. So, for example, end of life is like that Windows 7 VM I was using. End-of-life systems are basically systems from a third party where there’s no more support available for them.

Now, because you’re so dependent on it, you may not be able to get off of it until you start upgrading your systems. End of life: you should not be using end-of-life systems. Some companies that still do air gap them, in which case they take them off the network, and they can’t be accessed that easily. End of service means there’s no more service available for that particular system, not anymore. And then finally, working with vendors, you want to make sure that you do an NDA. Most vendors will have you sign NDAs, or you should have them: if they’re working within your organization, you should have the vendors sign an NDA so they don’t give away any of your company’s secrets. Okay? A lot of stuff here that you should know when managing your vendors, because believe me when I tell you, working in IT means you’re going to be dealing with a whole lot of vendors.

3. Credential and organizational policies

In this video I’m going to be talking about a variety of different policies that an organization should have, including on data classification. So let’s get started. We’ve got quite a few things here to get through that are really important when managing the overall policies within an organization. The first thing I want to mention is the diversity of training techniques. If there’s one thing when it comes to managing security, as we mentioned in a previous video, it’s user training, and people, different people, learn in different ways. There’s a variety of different user training you could do. You could do actual classroom training, where you bring people into the classroom and teach them, teach Bob not to click on links like phishing email.

You could do CBT, computer-based training methods. That’s another one, in which case they watch videos on their screen. You could do different types of simulations. We talked about gaming methods. So I think you don’t want to keep it the same. You want to keep it more interactive, keep it interesting to them, and change it up every now and then. Every time you do a different training session, you should use a different training method, basically, is what it’s saying. So this keeps it interesting and keeps the user aware, not to mention as new threats come out, you change your method to introduce those threats to them. Now let’s talk about data classification. We’re going to talk more about this in our privacy section.

But let’s say this data must be classified. Why is that? You see, in the government you may have top secret, secret, confidential, public data, classified data, sensitive data. The question is, does all data have the same value? If this data is released, does this cause more damage than that? Yes, if the organization loses the payroll records of all its employees, that’s very damaging to the organization. But what if the organization loses its top secret recipe for that barbecue sauce? Well, losing the employee records may get us a lot of bad PR and fines if we didn’t encrypt them, but maybe not put us out of business. But if everybody knows how to create our famous barbecue sauce, that will probably put us out of business.

So we’ll say that’s top secret, and then the secret data could be the employee records. Every company has a different way of doing this. But in order to ensure the right controls for the right data, you’ve got to classify it. Keep this in mind. I will come back to this topic later in the class. The other thing is data governance. This is going to be data management. How are we going to secure the data, how are we storing the data? And this falls a lot into regulations. And how long do you retain the data? That also falls into a lot of different parts of regulations. Now credentials, user credentials: by credentials, we’re talking about username and password, biometric credentials.

Credential policies you should have in place now, for example, credential policies for the people that work in your organization. Do you have dual-factor or single-factor authentication? Third parties, how can they connect? Maybe third parties are connecting using VPN, so you put in multi-factor authentication devices. How are they stored? Can they store them? Service accounts: do you create your own service accounts, or do you use the default one? And then how do you manage administrator and root accounts? Now, one thing you should know for your exam is that people who have admin accounts generally have two accounts. They have an admin account and they have a normal user account. At no point should people be logging in as an administrator for normal, everyday logins.

I said that: logging in as an administrator and as a normal user. In other words, do they have one admin account and they’re always an admin? No. They’re going to have a normal user account that they do normal business work with, checking email, surfing the internet, and when they need to do administrator tasks, such as changing passwords on accounts, creating user accounts, installing software, and administering servers and workstations and whatnot, then they log in to the administrator account. So you want to have that dual-account setup. This is common security in organizations: for administrators to have an admin account and a normal user account. And finally, policies. Organizations need different policies to manage changes, especially change control, and assets.
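The dual-account rule above is easy to state and easy to drift from, so it is worth detecting when a privileged account shows up in everyday applications such as webmail or the web proxy. Below is an added example (not from the course) of that detection run over a few constructed log lines. The "adm-" naming prefix for admin accounts, the key=value log format, and the list of everyday applications are assumptions made for this example, not anything the course or a particular product defines.

```python
"""Added example (not from the course): flagging privileged accounts that are
used for everyday work (email, web browsing) instead of the user's normal
account.

Assumptions for this example: admin accounts carry an 'adm-' prefix, logs are
single lines of key=value fields, and EVERYDAY_APPS lists the applications
that should only ever see normal user accounts. SAMPLE_LOG is constructed."""
import re

ADMIN_PREFIX = "adm-"
EVERYDAY_APPS = {"webmail", "web-proxy", "chat"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+app=(?P<app>\S+)\s+action=(?P<action>\S+)"
)


def parse_line(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def is_admin_account(user):
    return user.startswith(ADMIN_PREFIX)


def admin_misuse(log_lines):
    """Return [(timestamp, user, app)] for admin-account logins to everyday apps.

    Admin-account logins to administrative tools are expected and not reported;
    unparseable lines are skipped."""
    hits = []
    for line in log_lines:
        event = parse_line(line)
        if event is None or event["action"] != "login":
            continue
        if is_admin_account(event["user"]) and event["app"] in EVERYDAY_APPS:
            hits.append((event["ts"], event["user"], event["app"]))
    return hits


# Constructed sample log: bob uses his normal account for mail and his admin
# account for the directory console (fine), then reads mail as admin (flagged).
SAMPLE_LOG = [
    "2023-04-03T09:12:01 user=bob app=webmail action=login",
    "2023-04-03T09:15:44 user=adm-bob app=ad-console action=login",
    "2023-04-03T10:02:10 user=adm-bob app=webmail action=login",
    "2023-04-03T10:30:00 user=adm-carol app=web-proxy action=login",
    "2023-04-03T10:31:00 user=adm-carol app=web-proxy action=logout",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for ts, user, app in admin_misuse(SAMPLE_LOG):
        print(f"{ts} admin account {user} used on {app}")
```

The same check generalizes to any privileged-account convention (a group membership lookup instead of a name prefix); the point is that an admin identity appearing in mail or browsing traffic is the signal that the separate normal account is not being used.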

So anytime something breaks, what’s the first thing people say? Oh, who changed what? Organizations need to have good change management in place. Change management is about having a documented procedure to implement changes within the organization. Changes could be something as simple as installing new software on a workstation; they could be bigger, like rolling out Windows 10 to all your computers; they could be serious security stuff like changing a firewall rule. Every change has the ability to reduce security. We need to have a security impact analysis on changes being done. We need a change management procedure where, when a change needs to get done, it’s submitted to a particular repository in the organization.

Something called change logs: we submit it, we put it in the change log, the change goes through an assessment, it gets approved, maybe by a change control board, which some organizations have. Once it’s approved, it’s scheduled to be implemented, it’s implemented, it’s tested, and it’s verified that it was implemented correctly. You need to have good change control. That’s what this is. Now, in organizations, especially in IT, we carry a lot of assets under us. IT is known to be one of the most expensive, and I’m talking physical and logical IT assets such as computers and software. IT is known to buy; we consume more money in terms of spending than almost any other department, even facilities. IT software is tens of thousands to millions of dollars.

You have to have a procedure in place. Once you guys go up in your IT career, you’ll learn about it. You’ll learn about the configuration management database, the assets database: a central system repository where we can keep track of all our assets. This laptop, this desktop, that router, that server, that software, that license; a central server where we can manage all the assets, where we can see all the computers we own, all the laptops, where they are, how old they are. Should we be throwing them out? Should they be recycled? Are they too old to be in our systems anymore? You need a good asset management system. Okay? A lot of things here. Once again, in this video, guys, we talked about data classification and data governance. We talked about managing different credentials. And don’t forget, you need to have good policies when managing changes and your assets.

