Study Guide: CompTIA Security SY0-601 Exam: Basic Organizational Security Policies
Source: https://www.fatskills.com/comptia-security-certification/chapter/comptia-security-sy0-601-exam-basic-organizational-security-policies

CompTIA Security SY0-601 Exam: Basic Organizational Security Policies

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Objective: Explain the importance of policies to organizational security.

Topics:
- acceptable use policy (AUP)
- job rotation
- separation of duties
- least privilege
- nondisclosure agreement (NDA)
- service-level agreement (SLA)
- memorandum of understanding (MOU)
- business partnership agreement (BPA)
- interconnection security agreement (ISA)

Policy Framework
To ensure that proper risk management is coordinated, updated, communicated, and maintained, it is important to establish clear and detailed security policies that are ratified by an organization’s management and brought to the attention of its users through regular security-awareness training. Policies that users do not know about are rarely effective, and those that lack management support can be unenforceable. Several policies can support risk management within the organization, as described in the following sections.

To protect information and the organization, the risk management framework includes various components:
- Policy: Provides the foundation on which everything else is built. Policies are general management statements.
- Standard: Describes specific mandatory controls, based on a given policy.
- Guideline: Provides recommendations or good practices.
- Procedure: Provides instructions and greater specifics, detailing how a policy, standard, and guideline will be implemented.

Policies tend to be higher level and more descriptive, whereas procedures are prescriptive. A procedure is sometimes also known as a standard operating procedure (SOP), although SOPs tend to have a further level of specificity in providing step-by-step instructions to ensure a standardized and repeatable method for performing a task.

Human Resource Management Policies
Human resources (HR) policies and practices should reduce the risk of theft, fraud, or misuse of information facilities by employees, contractors, and third-party users. The primary legal and HR representatives should review all policies for privacy issues, legal issues, and HR enforcement language. Many, if not most, organizations require legal and HR review of policies.

Background Checks
Organizational policies often drive the need to hire trustworthy, competent employees. As a result, an organization might require background checks before offering employment. Background checks can be quite simple, requiring only reference checks, or can involve more stringent checks, such as verifying educational credentials, checking for criminal records, verifying employment history, and conducting drug testing.
The hiring process should include provisions for making new employees aware of acceptable use, data handling, and disposal policies, as well as sanctions that could be enacted if violations occur. An organization should also institute a formal code of ethics to which all employees must subscribe, particularly privileged users and those with broad administrative rights. Likewise, procedures need to be in place to ensure that when employees leave the organization, in addition to having all access removed, they return equipment and data. The process should be clear regarding expectations, particularly those related to confidential or internal-use-only data.

Mandatory Vacations
The organization’s security policy should require users to take vacations and rotate positions or functional duties. The security value of a mandatory vacation is that someone else must perform the absent employee’s duties for a period of time, so fraud or concealed activity that depends on that person’s continuous presence (for example, quietly adjusting records that only they ever review) is likely to be exposed. The policy should outline how a user is associated with necessary information and system resources and how access is rotated between individuals. Employees must be able to do each other’s jobs to deter corruption, provide cross-checks, and minimize the effect of personnel loss. All employees must be adequately cross-trained and should have only the minimal level of access necessary to perform their normal duties (least privilege). A further benefit of mandatory vacations is that they reveal gaps in employee capabilities and single points of knowledge before an unplanned absence does.
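A mandatory-vacation policy is only useful if someone checks that it is followed. As an added example (not code from the page), the following Python script scans a constructed logon log for users who have never been away for at least five consecutive calendar days during a 90-day window. The log format, the user names, the five-day threshold, and the service-account exclusion list are all assumptions chosen for the illustration.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import date, timedelta

# Constructed sample parameters (assumptions, not from the page).
WINDOW_START = date(2024, 1, 1)           # a Monday
WINDOW_DAYS = 90
WINDOW_END = WINDOW_START + timedelta(days=WINDOW_DAYS - 1)
MIN_BREAK_DAYS = 5                        # policy: at least five consecutive days away
SERVICE_ACCOUNTS = {"svc-backup"}         # non-human accounts are out of scope


def build_sample_log(start: date = WINDOW_START, days: int = WINDOW_DAYS) -> list[str]:
    """Constructed log lines "YYYY-MM-DD user event": alice logs on every weekday
    and never takes a break, bob is away for two weeks (days 30-43), and a
    service account runs every day."""
    lines = []
    for i in range(days):
        day = start + timedelta(days=i)
        stamp = day.isoformat()
        if day.weekday() < 5:
            lines.append(f"{stamp} alice logon")
            if not 30 <= i < 44:
                lines.append(f"{stamp} bob logon")
        lines.append(f"{stamp} svc-backup logon")
    return lines


def parse_activity(lines: list[str]) -> dict[str, set[date]]:
    """Map each user to the set of calendar days on which a logon was recorded."""
    activity: dict[str, set[date]] = defaultdict(set)
    for line in lines:
        stamp, user, event = line.split()
        if event == "logon":
            activity[user].add(date.fromisoformat(stamp))
    return activity


def longest_absence(active_days: set[date], start: date, end: date) -> int:
    """Longest run of consecutive calendar days in [start, end] with no activity."""
    longest = run = 0
    day = start
    while day <= end:
        run = 0 if day in active_days else run + 1
        longest = max(longest, run)
        day += timedelta(days=1)
    return longest


def users_without_break(lines, start, end, min_break_days=MIN_BREAK_DAYS, exclude=frozenset()):
    """Users whose longest absence in the window is shorter than the policy minimum."""
    activity = parse_activity(lines)
    return sorted(
        user for user, days in activity.items()
        if user not in exclude and longest_absence(days, start, end) < min_break_days
    )


def demo() -> dict[str, object]:
    """Run the check over the constructed log and report the findings."""
    lines = build_sample_log()
    activity = parse_activity(lines)
    return {
        "alice_longest_absence": longest_absence(activity["alice"], WINDOW_START, WINDOW_END),
        "bob_longest_absence": longest_absence(activity["bob"], WINDOW_START, WINDOW_END),
        "flagged": users_without_break(lines, WINDOW_START, WINDOW_END, exclude=SERVICE_ACCOUNTS),
        "flagged_including_service": users_without_break(lines, WINDOW_START, WINDOW_END),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two caveats worth keeping in mind when running something like this against real authentication logs: service and shared accounts must be excluded (they log on every day and would always be flagged), and accounts that are only used occasionally will show long gaps without anyone having taken leave, so the output is a list to reconcile with HR leave records, not proof of a violation.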

Separation of Duties
Too much power can lead to corruption, whether in politics or network administration.
Most governments and other organizations implement some type of balance of power through separation of duties. It is important to include a separation of duties when planning for security policy compliance. Without this separation, all areas of control and compliance could end up in the hands of a single individual. The idea of separation of duties hinges on the concept that a scenario in which multiple people conspire to corrupt a system is less likely than a scenario in which a single person seeks to corrupt it. For example, in financial institutions, to violate the security controls, all the participants in the process have to agree to compromise the system.
For physical and operational security alike, avoid giving one individual complete control of a transaction or process from beginning to end. Also implement supporting policies such as job rotation, mandatory vacations, and cross-training. Beyond deterring fraud, these practices protect against the loss of a critical skill set due to injury, death, or another form of personnel separation.
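The two rules above (no single person controls a transaction end to end; each person holds only the access their job needs) are usually enforced in software as a maker-checker workflow. The following Python module is an added example, not code from the page, that implements all three checks on a hypothetical payment system: a least-privilege permission check per action, static separation of duties (refusing to grant one person a conflicting pair of roles), and dynamic separation of duties (whoever created a specific payment can never approve it, even when their role would otherwise allow approvals). The role names, permission strings, and the "treasurer" role that legitimately holds both powers are assumptions for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Hypothetical role-to-permission grants (assumption). Least privilege: each
# role holds only the permissions its job needs.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "clerk": {"payment:create"},
    "manager": {"payment:approve", "payment:release"},
    # A treasurer legitimately holds both powers; two treasurers check each other.
    "treasurer": {"payment:create", "payment:approve", "payment:release"},
    "auditor": {"payment:read"},
}

# Static separation of duties: role pairs one person must never hold together.
TOXIC_ROLE_PAIRS = {frozenset({"clerk", "manager"})}


class PolicyViolation(Exception):
    """Raised when an action would breach least privilege or separation of duties."""


@dataclass
class Payment:
    payment_id: str
    amount: float
    created_by: str
    approved_by: str | None = None
    released: bool = False
    audit_log: list[tuple[str, str]] = field(default_factory=list)


class PaymentWorkflow:
    def __init__(self) -> None:
        self.user_roles: dict[str, set[str]] = {}
        self.payments: dict[str, Payment] = {}

    def assign_role(self, user: str, role: str) -> None:
        """Grant a role, refusing combinations that would let one person run a
        transaction from beginning to end (static SoD)."""
        if role not in ROLE_PERMISSIONS:
            raise PolicyViolation(f"unknown role {role!r}")
        proposed = self.user_roles.get(user, set()) | {role}
        for pair in TOXIC_ROLE_PAIRS:
            if pair <= proposed:
                raise PolicyViolation(f"{user}: roles {sorted(pair)} conflict (static SoD)")
        self.user_roles.setdefault(user, set()).add(role)

    def _require(self, user: str, perm: str) -> None:
        """Least-privilege check: deny unless some held role grants the permission."""
        held = set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, ())))
        if perm not in held:
            raise PolicyViolation(f"{user} lacks {perm} (least privilege)")

    def create(self, user: str, payment_id: str, amount: float) -> Payment:
        self._require(user, "payment:create")
        payment = Payment(payment_id, amount, created_by=user)
        payment.audit_log.append(("create", user))
        self.payments[payment_id] = payment
        return payment

    def approve(self, user: str, payment_id: str) -> Payment:
        self._require(user, "payment:approve")
        payment = self.payments[payment_id]
        # Dynamic SoD: the maker of this transaction can never be its checker.
        if user == payment.created_by:
            raise PolicyViolation(f"{user} cannot approve own payment (dynamic SoD)")
        payment.approved_by = user
        payment.audit_log.append(("approve", user))
        return payment

    def release(self, user: str, payment_id: str) -> Payment:
        self._require(user, "payment:release")
        payment = self.payments[payment_id]
        if payment.approved_by is None:
            raise PolicyViolation("release requires a prior independent approval")
        payment.released = True
        payment.audit_log.append(("release", user))
        return payment


def _blocked(action) -> bool:
    """Return True if the action raises PolicyViolation."""
    try:
        action()
    except PolicyViolation:
        return True
    return False


def demo() -> dict[str, object]:
    """Exercise each check on constructed data and report the outcomes."""
    wf = PaymentWorkflow()
    wf.assign_role("alice", "clerk")
    wf.assign_role("bob", "manager")
    wf.assign_role("carol", "treasurer")
    results: dict[str, object] = {}
    results["static_sod_blocked"] = _blocked(lambda: wf.assign_role("alice", "manager"))
    wf.create("alice", "PAY-1", 25_000.0)
    results["least_privilege_blocked"] = _blocked(lambda: wf.approve("alice", "PAY-1"))
    wf.create("carol", "PAY-2", 4_000.0)
    results["dynamic_sod_blocked"] = _blocked(lambda: wf.approve("carol", "PAY-2"))
    results["release_before_approval_blocked"] = _blocked(lambda: wf.release("bob", "PAY-1"))
    wf.approve("bob", "PAY-1")
    wf.release("bob", "PAY-1")
    results["pay1_audit"] = wf.payments["PAY-1"].audit_log
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-transaction (dynamic) check matters even when toxic role pairs are defined, because some roles must legitimately hold both powers and because role assignments drift over time; the audit log is what lets a reviewer later confirm that two distinct people touched every released payment. None of this stops two colluding users, which is exactly the residual risk the text describes.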

Job Rotation
As an extension of the separation of duties best practice, rotating administrative users between roles both improves awareness of the mandates of each role and makes it harder to sustain or conceal fraudulent activity, because a successor will review the predecessor’s work. This is also the reason users with administrative access might be required to take mandatory vacations, allowing other administrators to review the standard operating practices and protocols in place. You can easily remember the idea of job rotation by thinking of the English translation of the Latin phrase Quis custodiet ipsos custodes?: “Who will guard the guardians themselves?”

Clean Desk Policies
A clean desk policy is one of the top strategies for reducing the risk of security breaches in the workplace. Training should include details of the organization’s clean desk policy, encouraging users to avoid jotting down hard-to-recall passphrases or details from electronic systems that might contain PII. A clean desk policy can also increase employee awareness about protecting sensitive information. Users should understand why taping a list of their logons and passwords under their keyboards is a bad idea.
A clean desk policy can be a vital tool in protecting sensitive and confidential materials in the hands of end users. A clean desk policy requires that users remove sensitive and confidential materials from workspaces when they leave and lock away items they are not using.

Role-Based Awareness and Training
For organizations to protect the integrity, confidentiality, and availability of information in today’s highly diverse network environments, each person involved needs to understand his or her roles and responsibilities. NIST Special Publication 800-16 outlines the advantages of role- and performance-based security training and presents a model for each. All employees need fundamental training in IT security concepts and procedures. Training can then be broken into three levels: beginning, intermediate, and advanced. Each of these levels is linked to roles and responsibilities, based on the skills and abilities necessary to perform the required responsibilities. Of course, an individual might perform more than one role within the organization, and such employees might need intermediate or advanced IT security training in their primary job role but require only beginning training in their secondary role.
Awareness is different from training. The primary difference is that training is more active. Awareness deals with recognition, specifically helping employees recognize IT security concerns. A common example of security awareness might be distributing pens and posters with security slogans or exhortations. Training relates more specifically to the specific competencies required of the individual. Effective training requires an understanding of user types who interact across information systems. Specific training can be role based and tailored to specific roles and responsibilities.

Users can be the following types:
- General user: These users typically make up most of the user population. They have general nonprivileged access to use and transact across information systems.
- Privileged user: These users have access to otherwise restricted data and system functions.
- System administrator: This user is the custodian of the data and has responsibility for technical control over the systems that contain and process data.
- Executive user: These users are more likely to have privileged access to sensitive data but also nonprivileged access to systems. These users have overall accountability for the security efforts of the organization.
- Data owner: This user often is responsible for a specific information asset and many times is a senior person within a department or division. For example, the vice president of human resources might be the data owner for all employee data.
- System owner: This user is responsible for the systems that contain and process data. Typically, the system owner oversees the employees who are responsible for the technical control and operations of such systems. The system owner also works closely with the data owner to ensure that data is secure across its life cycle.

Executive users, data owners, and system owners are all responsible for drafting and promulgating security policies, standards, and procedures related to the information systems. You must understand the differences among the user types and, specifically, that each role requires different training.

Many organizations rely on computer-based training (CBT), which can be effectively delivered via computer and mobile devices and specifically tailored to the organization’s needs. CBT also provides additional benefits, including the following:
- Continued engagement that can be revisited, which can help with efficacy and retention of knowledge
- Flexible deployment through the Internet with flexible scheduling
- Ability to track the learner’s progress and use of analytics to provide for continual improvement
- Encouraging healthy competition while making learning fun through gamification, including the ability to earn badges, score points, or play against others

Continuing Education
User education and training are required to ensure that users are made aware of expectations, options, and requirements related to secure access in an organization’s network. These programs should continue beyond the onboarding process and should occur regularly. Education can include many different forms of communication, including the following:
- New employees and contract agents should be educated in security requirements as part of the hiring process.
- Reminders and security-awareness newsletters, emails, and flyers should be provided to raise general security awareness.
- General security policies should be defined, documented, and distributed to employees.
- Regular focus group sessions and on-the-job training should be provided for users regarding changes to the user interface, application suites, and general policies.
- General online security-related resources should be made available to users through a simple, concise, and easily navigable interface.

Combining security training during employee orientation with ongoing training is ideal to ensure that employees recognize and retain information and also gain necessary skills and understanding.
User training should ensure that operational guidelines, restrictions on data sharing, disaster recovery strategies, and operational mandates are clearly conveyed to users and refreshed regularly. Policies might also require refresher training during transfers between organizational components or between roles/job duties under the rotation policy. Details such as data classification (high, medium, low, confidential, private, public), sensitivity of data and handling guidelines, legal mandates related to data forms such as personally identifiable information (PII) in financial or healthcare settings, best practices, and consumption standards can vary widely among organizational units. The proper protocols for access, storage, and disposal should vary accordingly. In response to the continued expansion of electronic technology provided by users in bring your own device (BYOD) settings, security awareness training is key to managing user habits and expectations developed as a result of the prevalence of mobile devices and computing equipment in homes.

Acceptable Use Policy/Rules of Behavior
An organization’s acceptable use policy (AUP) must provide details that specify what users can do with their network access. Such rules help protect the organization’s data and guard against legal liability. This includes email and instant messaging usage for personal purposes, limitations on access times, and the storage space available to each user. Such policies generally also include rules of behavior or a code of conduct to ensure that users behave in a manner that is legal, ethical, and within the cultural expectations of the organization.

An acceptable use policy should be written in clear, specific language and should include the following main components:
- Detailed standards of behavior
- Detailed enforcement guidelines and standards
- Acceptable and unacceptable uses
- Consent forms
- Privacy statement
- Disclaimer of liability
An organization should be sure that its acceptable use policy complies with current state and federal legislation and does not create unnecessary business risk to the company due to employee misuse of resources. Upon logon, users should see a banner stating that network access is granted under certain conditions and that all activity may be monitored. Such a consent-to-monitoring banner establishes that users had notice of the conditions, which supports later disciplinary or legal action. Acceptable use policies commonly also address use of the Internet, covered next.

Internet Usage
An organization should set expectations on appropriate use of the Internet through an acceptable use policy or an Internet use policy. In addition to protecting the organization’s data, such policies help ensure employee productivity and discourage disruptive and illegal activities. Obvious examples include guidelines that prohibit accessing or transmitting threatening or illegal material. In the past, organizations commonly prohibited the use of personal email and disallowed other nonbusiness use of corporate systems and Internet access. Many policy statements today do provide for personal use but limit this use, especially when it is excessive. Internet usage policies also often govern the appropriate use of email and social media.
Email and social media provide open platforms that enable seamless data sharing, allowing organizations and partners to interface and extend network services and applications. An organization uses email for communication inside and outside the organization. Social media is often used beyond the organization to communicate externally and garner opinions about products and services. These technologies improve collaboration and communication within and across partners and also raise the level of productivity and interaction between workers. Although such tools enable instant collaboration and increase productivity, they pose serious privacy concerns. Organizations must be cautious because of potential negative impacts such as damage to brand recognition and liability for online defamation and libel claims.
An organization must carefully consider risks vs. benefits when deciding on a social media strategy. The organization must evaluate the risks related to using social media as a business tool to communicate with affiliates, granting employee access to social media sites while on the corporate network, and allowing employee use of social media tools from corporate-issued mobile devices.
Strategies to address the risks of email and social media usage should focus on user behavior and should be supported by user training and awareness programs. Technical controls can assist in policy enforcement and in blocking, preventing, or identifying potential incidents. Examples of technical controls include mobile device management (MDM) and mobile application management (MAM), enterprise solutions that can restrict which social media and messaging applications may be installed on managed devices, separate corporate data from those applications, and keep an inventory of the devices involved. To ensure secure email usage, many organizations today run phishing campaigns. These campaigns typically involve simulations that mimic phishing attempts and track when users inappropriately click links or open files that they otherwise should not. Users who fail such campaigns may be presented with immediate feedback or tasked with taking appropriate training.
Controls should be monitored to ensure that they are effective. In addition, an organization can engage a brand protection firm that scans the Internet for misuse of the organization’s brand, such as impersonation accounts or lookalike domains. This maintains awareness of potential fraud; the organization should separately establish clear guidelines about what information may be posted as part of its social media presence.

Nondisclosure Agreements
A nondisclosure agreement (NDA) is a legally binding document that organizations might require of both their own employees and anyone else who comes into contact with confidential information, including vendors, consultants, and contractors. The purpose of an NDA is to protect an organization’s intellectual property and trade secrets. As a legally binding document, it protects the information from being improperly disclosed, even after the relationship is terminated, such as for employees who move to a competing organization or partners who work across competing organizations.

Disciplinary and Adverse Actions
Policies should specify consequences for violations. Policies often can be enforced through technical controls, such as content and web filters. The most common and simple example of a policy is a statement such as, “An employee found to be in violation of this policy may be subject to disciplinary action, including termination of employment.” Again, policy awareness and training are required. In most cases, disciplinary actions depend on the nature of the violation and the status of the individual involved. Most violations are handled by management, the information technology team, and the human resources department. However, civil and criminal violations need to be governed outside the organization. As a result, policy statements should include the jurisdiction responsible for interpreting applicable laws.

Exit Interviews
Exit interviews are a vital tool to help an organization identify workplace factors that lead employees to leave. These interviews provide a feedback loop to allow human resources personnel to improve the current situation and also adapt programs to ensure that the company can continue to recruit and hire the best talent. Other benefits include potentially learning more about competing organizations (for example, are other organizations paying more?) and ensuring that the employee has a positive exit experience. A member of the human resources department typically conducts an exit interview in a one-on-one setting with the exiting employee. Exit interviews are typically voluntary and confidential to help ensure candid responses from the employee.

Third-Party Risk Management
Integrating systems and data with third parties such as vendors or business partners adds complexity and can introduce inefficiency, increasing risk for the organization. Risks in partnerships are often analyzed only during the onboarding process; after a relationship is established, organizations tend to forget about the associated risks. Security policies and procedures need to be followed throughout the relationship, however, to identify risks and the security controls that will be implemented to protect the confidentiality, integrity, and availability of any connected systems and the data that will pass between them or be accessed. Controls should be appropriate for the environment and should be tracked on a centralized platform that monitors the range of assessments, tasks, and responsibilities of all parties. Policies should define ownership and accountability. Both organizations must maintain clear lines of regular communication. Risk assessments and audits should be conducted regularly, and a record of compliance should be kept so that the due diligence performed is documented. In addition, the legal and regulatory environment should be monitored for changes that affect the partnership or third-party agreement.
Risks exist in the supply chain and should be considered and managed. Supply-chain risks include both hardware and software risks. For hardware, a simple example is personal computers purchased from a supplier or manufacturer in your home country that relies on parts and components from foreign sources. Even commercial software from a particular vendor likely includes many different components from other vendors and open-source software. Hardware and software are also exposed to varying risks based on their support agreements. Two important milestones are the end of life (EOL) date and the end of service life (EOSL) date. EOL marks the point at which the vendor stops selling the product or adding features to it; EOSL marks the point after which the vendor no longer provides service, maintenance, or security updates, and it may limit or end the vendor’s liability. For example, a software vendor may not sell or add features to a solution that has gone EOL but still provide security updates and fix vulnerabilities up to the EOSL date. A product still in use after EOSL will accumulate unpatched vulnerabilities, so it should be tracked as a risk with a planned replacement date. It is common practice for vendors to announce an EOL date well before the actual date so that customers have time to upgrade or plan for alternatives.

Interoperability Agreements
Third-party risk can vary greatly, depending on each individual third-party arrangement. Sometimes the risks are clear-cut. Other times, the risks seem unclear. To establish responsibilities in collaboration or the delivery of services, interoperability agreements are used. Agreements can be tailored to the circumstances and requirements of the participating parties, the various collaborative arrangements agreed upon, or the complexity of the service relationship. These agreements help create a common understanding about the agreement and each party’s responsibilities.

The following are several agreements that are commonly used in business:
- Service-level agreement (SLA): A service-level agreement (SLA) is a contract between a service provider and a customer that specifies the nature of the service to be provided and the level of service the provider commits to, usually with remedies such as service credits if the commitment is missed. An SLA often contains technical and performance parameters, such as response time and uptime, but it generally does not include security measures; if security requirements exist, they are normally placed in a separate agreement such as an ISA.
- Business partner agreement (BPA): A business partner agreement (BPA) is a contract that establishes partner profit percentages, partner responsibilities, and exit strategies for partners. This is strictly a business arrangement that specifies partner financial and fiduciary responsibilities. It does not cover security measures.
- Memorandum of understanding (MOU): A memorandum of understanding (MOU), sometimes called a memorandum of agreement (MOA), is a document that outlines the terms and details of an agreement between parties, including each party’s requirements and responsibilities. An MOU that expresses mutual accord on an issue between two or more organizations is usually less formal than a contract and need not contain legally enforceable promises; whether it is enforceable depends on its wording and the demonstrated intent of the parties, so it should not be relied on as the sole vehicle for security obligations.
- Interconnection security agreement (ISA): An interconnection security agreement (ISA) is an agreement between organizations that have connected or shared IT systems; the term and the document’s structure come from NIST Special Publication 800-47. The purpose of an ISA is to document the technical and security requirements of the interconnection, such as the components involved, the methods and levels of interconnectivity, the security controls each side will maintain, and the risks associated with the connection. An ISA typically supports an MOU between the organizations: the MOU records the business relationship, and the ISA records the technical and security terms.
Another agreement commonly encountered is a Health Insurance Portability and Accountability Act (HIPAA) business associate agreement (BAA). This contract is signed between a HIPAA-covered entity and a HIPAA business associate (BA) to protect personal health information (PHI) in accordance with HIPAA guidelines.

Organizations can take additional steps, such as the following, to ensure that they are meeting compliance and performance standards:
- Annually approve and review third-party arrangements and performance.
- Maintain an updated list of all third-party relationships and periodically review the list.
- Take appropriate action with any relationship that presents elevated risk.
- Review all contracts for compliance with expectations and obligations.

The organization might also consider requiring an annual attestation by the partner or third party, stating adherence to the contract and its established controls, policies, and procedures.
Third-party risk includes determining expectations, which can be spelled out in SLAs, BPAs, MOUs, and ISAs. Depending on the situation, an SLA, an MOU, and an ISA might all be necessary. An ISA is the only document that specifically outlines any technical solution and addresses security requirements.

Quiz questions:

1. Say that you work for a cloud service provider. Prior to signing off on a purchase order for a new security cloud service, a prospective customer wants to understand the nature of what you are providing and what levels of service in regard to performance and uptime your service offers. What should you provide the prospective customer? A. ISA B. MOU C. BPA D. SLA

2. Which of the following legally binding controls should you consider in order to protect sensitive information from being improperly disclosed by a third-party vendor you are hiring for consulting work in the organization? A. DLP B. SOP C. Separation of duties D. NDA

3. Your organization currently runs an operating system for which software developed after the end of last month may no longer work or even be installable. Which of the following best describes this milestone for the operating system? A. ISA B. EOL C. NDA D. MOU

Answer 1: D. A service-level agreement (SLA) is a contract between a service provider and a customer that specifies the nature of the service to be provided and the level of service that the provider will offer to the customer. An SLA often contains technical and performance parameters, such as response time and uptime, but it generally does not include security measures. Answers A, B, and C are also types of interoperability agreements, but they are not applicable in this case.
Answer 2: D. A nondisclosure agreement (NDA) is a legally binding document that organizations might require of both their own employees and anyone else who comes into contact with confidential information, including vendors, consultants, and contractors. The purpose of an NDA is to protect an organization’s intellectual property and trade secrets. While data loss prevention (DLP) can help protect an organization’s data from being improperly disclosed, DLP is a program of technical controls rather than a legally binding contract. Thus, answer A is incorrect. Answer B is incorrect because a standard operating procedure (SOP) specifies step-by-step instructions for a task. Answer C is incorrect because separation of duties prevents all areas of control from being assigned to a single person; it does not restrict disclosure by a third party.
Answer 3: B. End of life (EOL) marks the end of a product’s life cycle that began with the product first being generally available. While security patches may still be offered, the vendor does not provide for new features or continued compatibility. Answer A is incorrect because an ISA is an agreement between organizations that have connected or shared IT systems. Answer C is incorrect because an NDA is a legally binding document that organizations might require of both their own employees and anyone else who comes into contact with confidential information. Answer D is incorrect because an MOU is a document that outlines the terms and details of an agreement between parties, including each party’s requirements and responsibilities.