10. Exploring Security Policies

  • Written security policies are management controls that identify a security plan.
  • Security controls and tools should enforce these policies.
  • Personnel Policies
    • Expectations and Discipline
    • Acceptable Use Policy
      • Includes what is or isn’t private
      • What users can or cannot do
    • Mandatory Vacations
      • At least 5 consecutive business days
      • Helps detect embezzlement and fraud: the perpetrator usually has to stay present to keep altering records and deflecting inquiries, so the scheme tends to surface while they are away
      • Limits the likelihood that one person can cover something up forever
    • Separation of Duties
      • Prevents a single person from having complete control over a sector
      • Prevents fraud and mistakes
      • Checks and balances, basically
      • Developers who write code shouldn’t be the ones who test it and move it into production; separate admins do that
      • IT Admins may have oversight from Security Admins
    • Job Rotation
      • Learn processes in each job
      • Increases oversight
      • Prevents collusion
    • Clean Desk Policy
      • Ensures protection of secure data
        • No keys, cell phones, access card, sensitive papers, logged-on computers, printouts, passwords, unlocked filing cabinets, or PII
    • Account Management Policies
      • Least Privilege
      • Account Disablement (disable, rather than delete, accounts of departing personnel)
      • Admins need Two Accounts: a privileged one for admin work and a standard one for day-to-day tasks
      • No Shared Accounts (shared credentials destroy accountability)
  • Third Party Issues
    • Utilize NDA and Least Privilege
    • Emphasize
      • Privacy
      • Data Ownership
      • Data Backups
      • Unauthorized Data Sharing
      • Security Policy and Procedures
      • Reviews
    • Interoperability Agreements
      • Interconnection Security Agreement (ISA)
        • Specifies the technical and security requirements for the connection between the parties, including how it is secured and encrypted
      • Service Level Agreement (SLA)
      • Memorandum of Understanding (MOU)
        • Indicates an intention to work together toward a goal. Less formal than an SLA and doesn’t include financial penalties.
      • Business Partner Agreement (BPA)
        • Details the relationship between business partners, including their obligations, shares of profits and losses, and the rules for leaving the partnership.
  • Change Management Policy
    • Ensures changes don’t cause unintended side-effects
    • Provides accounting and documentation for changes
    • Changes need to be reviewed and approved before they are implemented
  • Data Policies
    • Information Classification
      • How sensitive each piece of data is
    • Data Labeling and Handling
      • Not everyone knows how important something is unless it’s labeled
    • Data Wiping and Disposal
      • Get rid of it so it’s really gone
      • Bit-level Overwrite
      • Degauss the Disks
      • Physical Destruction
    • Wiping Files
      • Cluster-Tip Wiping (the unused tail of a file’s last cluster can still hold remnants of earlier data)
      • Bit-Level Wiping
    • Storage and Retention Policies
    • PII Protection
    • Privacy Policy
      • What info a site can collect and what it can do with it
    • Social Media Security Usage
      • Single Sign-On Risks
      • Banner Ads and Malvertisements
      • P2P
        • Can lead to hosting inappropriate data or sharing secure data
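The bit-level overwrite from the Data Wiping and Disposal items above, as an added shell example that is not part of these notes. It overwrites a target in place with dd, then checks that none of the original bytes survive. The target here is a constructed scratch file containing a made-up marker string, so the script runs offline; on real media the target would be the block device itself and the overwrite is irreversible. One caveat the notes don’t spell out: overwriting is only dependable for magnetic disks; for SSDs, wear levelling can leave stale copies in cells the OS cannot address, so use the drive’s own secure-erase command or physical destruction instead.

```shell
#!/bin/sh
# Added example, not from the original notes: bit-level overwrite with dd.
# Runs against a constructed scratch file; on a real disk, point the target
# at the block device (e.g. /dev/sdb) and expect the data to be unrecoverable.

set -eu

# wipe_bitlevel FILE [PASSES]: overwrite every byte of FILE in place with
# random data PASSES times (default 1), then a final pass of zeros.
# conv=notrunc keeps the file size; head -c bounds the write to that size.
wipe_bitlevel() {
    target=$1
    passes=${2:-1}
    size=$(wc -c < "$target" | tr -d ' ')
    i=0
    while [ "$i" -lt "$passes" ]; do
        head -c "$size" /dev/urandom | dd of="$target" conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
    head -c "$size" /dev/zero | dd of="$target" conv=notrunc 2>/dev/null
    sync
}

# secret_present FILE STRING: prints 1 if STRING still occurs anywhere in FILE
# (searched as binary with grep -a), else 0.
secret_present() {
    if grep -a -q -- "$2" "$1"; then echo 1; else echo 0; fi
}

# nonzero_bytes FILE: count of bytes that are not 0x00 (0 after the zero pass).
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# make_sample FILE: constructed "disk" holding a fake secret among random filler.
make_sample() {
    { head -c 3000 /dev/urandom; printf 'SSN=123-45-6789'; head -c 1000 /dev/urandom; } > "$1"
}

demo() {
    target=$(mktemp)
    make_sample "$target"
    echo "before wipe, secret present: $(secret_present "$target" 'SSN=123-45-6789')"
    wipe_bitlevel "$target" 2
    echo "after wipe, secret present:  $(secret_present "$target" 'SSN=123-45-6789')"
    echo "after wipe, non-zero bytes:  $(nonzero_bytes "$target")"
    rm -f "$target"
}

demo
```

On a GNU system the same job is `shred -n 2 -z /dev/sdX`, which does the random passes plus a final zero pass; the point of scripting it with dd is to see that a wipe is a write of the full size, not a delete, and that the check afterwards has to search the raw bytes rather than the filesystem.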
  • Responding to Incidents
    • Incident response team defines the different incident types and how to respond to each
      • Senior Management
      • Network Admin/Engineer
      • Security Expert
      • Communication Expert
    • Team often has extensive training to cope with a variety of situations
    • Incident Response Procedures
      • Preparation
      • First Responders
      • Incident Identification
      • Incident Isolation
      • Damage and Loss Control
      • Escalation and Notification
      • Reporting
      • Data Breach
      • Recovery/Reconstitution Procedures
      • Lessons Learned
      • Mitigation Steps
    • Implementing Basic Forensic Procedures
      • EnCase by Guidance Software
      • Forensic Toolkit by AccessData
      • Order of Volatility
        • Order in which to collect evidence, most volatile first, before it is lost or modified
          • RAM doesn’t survive a power cycle, so don’t power down a device before collecting it
        • Data in cache – processor and hard drive cache
        • Data in RAM
        • Swap file or paging file
        • Data stored on local disks
        • Remote logs
        • Archived Media
      • Capture System Image
        • Captures the entire contents of a drive, bit by bit
        • Some tools can read data bit-by-bit without modifying it (a write blocker guarantees it)
        • dd command in Linux
      • Take Hashes
        • Hash the original and the image and check that they match; re-hash later to prove nothing changed
      • Analyze copies, not the original
      • Network Traffic and Logs
        • Look for MAC addresses of possible suspects
        • Protocol analyzers can help monitor traffic
        • Trace IP addresses to the ISP
      • Chain of Custody
        • Indicates everyone who touched the evidence and where it was stored
      • Capture Video (CCTV)
      • Record Time Offset
        • Time zone changes? Record the difference between the system clock and actual time so logs from different sources can be correlated
      • Screenshots
      • Witnesses
      • Track Man-Hours and Expense
      • Big Data Analysis
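The non-volatile steps of the forensic procedure above (capture a system image with dd, take hashes, work on the copy, record the time offset, keep a custody log), as an added shell example that is not part of these notes. The "evidence drive" is a constructed 4096-byte file so the script runs offline; in a real case the source would be the device, attached through a write blocker, and the custody log lines would be signed by whoever handled the media. The `acquire`, `verify` and `sha256` function names are this example’s own.

```shell
#!/bin/sh
# Added example, not from the original notes: image, hash, verify, log.
# Source is a constructed scratch file here; on a real case it would be the
# block device (e.g. /dev/sdb) behind a hardware write blocker.

set -eu

# sha256 FILE: print only the digest (sha256sum on GNU, shasum on BSD/macOS).
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire SOURCE IMAGE LOG: bit-for-bit copy with dd, then hash both sides and
# append the result to LOG with a UTC timestamp and the local clock's offset.
# conv=noerror,sync keeps going past unreadable sectors and pads them so later
# offsets stay aligned; bs must divide the device size or the padding makes
# the image hash differ from the source hash. Prints MATCH or MISMATCH.
acquire() {
    src=$1; img=$2; log=$3
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256 "$src")
    img_hash=$(sha256 "$img")
    # Record time offset: UTC plus this host's zone offset, so its log times
    # can be reconciled with other sources later.
    printf '%s (local offset %s) acquired %s -> %s by %s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$(date '+%z')" \
        "$src" "$img" "${USER:-unknown}" >> "$log"
    printf 'sha256(source)=%s\nsha256(image)=%s\n' "$src_hash" "$img_hash" >> "$log"
    if [ "$src_hash" = "$img_hash" ]; then
        chmod 0444 "$img"   # analysis happens on this read-only copy only
        echo MATCH
    else
        echo MISMATCH
        return 1
    fi
}

# verify IMAGE LOG: recompute the image hash and compare it with the value
# recorded at acquisition. Prints OK, or TAMPERED with exit status 1.
verify() {
    img=$1; log=$2
    recorded=$(grep 'sha256(image)=' "$log" | tail -n 1 | cut -d= -f2)
    if [ "$(sha256 "$img")" = "$recorded" ]; then
        echo OK
    else
        echo TAMPERED
        return 1
    fi
}

demo() {
    work=$(mktemp -d)
    # Constructed evidence: 4096 random bytes, a multiple of the 512-byte block size.
    head -c 4096 /dev/urandom > "$work/evidence.raw"
    acquire "$work/evidence.raw" "$work/evidence.dd" "$work/custody.log"
    verify "$work/evidence.dd" "$work/custody.log"
    cat "$work/custody.log"
    rm -rf "$work"
}

demo
```

The value of `verify` is that it fails the moment a single byte of the image differs from what was logged at acquisition, which is exactly the claim a chain-of-custody form has to support in court: the copy that was analyzed is the copy that was taken.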
  • Raising Security Awareness
    • Security Policy Training and Procedures
    • Role-Based Training
      • Executive Personnel
      • Incident Response Team
      • Administrators
      • End Users
    • Can Include
      • Security Policy Contents
      • Keeping Cipher Codes Private
      • Acceptable Use and user responsibilities
      • PII
      • Data labeling, handling, and disposal
      • Information classification
      • Compliance with laws, practices, and standards
      • Threat awareness including malware and phishing
      • User habits that present risks
      • Social Networking and P2P
    • Training and Compliance Issues
      • Metrics to Validate Compliance
        • Measure security incidents before and after training