Fatskills
Study Guide: CompTIA CASP+ CAS-004 Certification: Organization Security Policies and Documents
Source: https://www.fatskills.com/first-aid/chapter/comptia-casp-cas-004-certification-organization-security-policies-and-documents

CompTIA CASP+ CAS-004 Certification: Organization Security Policies and Documents

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Description: IT security policy and governance procedures are implemented to secure organizational assets. This guide presents the creation, implementation, and management of the security policy life cycle. The use of business contracts, service level agreements, and project documents to support security is also covered.
- Organization security policies
- Enterprise security procedures
- Security process life cycle management
- Business documents for security management
- Legal support and compliance
- Research security requirements
- Privacy principles

Having looked at business influences on security, we now turn to the IT governance documents that ensure organizational assets are protected as far as practicable. This guide explains how the policy and process life cycles are managed and how legal compliance is supported. It discusses the business documents and contracts commonly used to support security and covers general privacy principles. Finally, it discusses the development of policies that codify standard security practices.

Structure
- Process life cycle management
- New business & technologies
- Environmental changes
- Regulatory requirements
- Emerging risks
- Legal compliance and advocacy
- Business documents to support security
- Agreements
- Security requirements for contracts
- Privacy principles for sensitive information
- Incident response
- Information classification and life cycle

Objective
This guide discusses the IT security policy and governance procedures that are implemented to secure organizational assets and presents the creation, implementation, and management of the security policy life cycle. The use of business contracts, service level agreements, and project documents to support security is also covered. Business documents supporting security are discussed, including risk assessments, the BIA, interoperability and interconnection agreements, MOUs, and SLAs, among others. The guide also presents the standard security practices of separation of duties, job rotation, least privilege, incident response, and related procedures.

Process life cycle management
In a top-down approach, management initiates, supports, and drives the security program. In a bottom-up approach, staff build a security program on their own and only later obtain direction and support from management. Because management support is one of the most critical components of a security program, the top-down approach is far more effective, and it helps ensure that a company’s policies are aligned with its strategic objectives.

In the context of organizational security, a policy is a course or principle of action set by the organization; a process is a sequence of actions carried out in a specific order or manner to attain a certain goal; and a procedure is the step-by-step instruction for completing a task within a process. All important decisions and activities inside an organization are determined by its policies, processes, and procedures, and all organizational tasks work within the bounds they impose. The link between the three is hierarchical: policies are developed first and guide the construction of processes, which provide the high-level view of the tasks involved; procedures then spell out how each task is carried out, as illustrated below.
 

Consider the following scenario:
Assume that a company has a policy for handling accounts payable. Receiving the bill, entering the bill, authorizing the payment, printing the check, signing the check, and mailing the check are the high-level actions that make up the process developed around this policy. The individual steps needed to complete each of those actions would be documented in the procedures. Policies, as depicted below, should be developed according to the following life cycle:


Step 1: Develop/Design the policy
Step 2: Perform the modeling and quality control
Step 3: Obtain approval for executing the policy
Step 4: Publish/Execute the policy and perform periodic monitoring and checks
Step 5: Review for optimization and archive the policy, if no longer needed or applicable


Figure: Process Life Cycle

Changes in the business, technology, risk, and environment constantly prompt policy review: the adoption of new technology, a merger, or the discovery of new attack methods are typical triggers. If workers want to access business email and shared drives from home, or remote access has never been offered but is suddenly required to boost productivity and respond quickly to customer requests, the company should first assess whether the requirement is legitimate. If it decides to enable remote access, security professionals should design the policy on the assumption that the external environment is hostile. A quality check should be performed before approval to ensure that the policy complies with all applicable laws, regulations, and standards. Once the policy is finalized, the company must ensure that all affected workers are properly notified and that the new policy is included in the training those workers receive. If a policy is changed, version control should be used so that the most recent version is the one in use throughout the company, and a policy that is no longer applicable should be archived. Policies should be reviewed at least annually and whenever one of the triggers above occurs.
The first phase in the process life cycle is to study the policy; the second is to build the process based on it. Once a process is deployed, all staff engaged in it should be told how it works. The process should be reviewed regularly and adjusted whenever problems arise or the governing policy is revised. Keep in mind that policies drive the creation of processes: a new process is required whenever a new policy is implemented, and if a policy is revised or retired, the processes built on it should be revised or retired as well. Procedures are written once the policy and its associated processes have been documented.
Procedures sit closest to the computers and other devices and contain the specific actions workers are expected to follow; step-by-step listings of how policies and processes are carried out are typical. After an organization has assessed business, technology, risk, and environmental changes and built or updated its policies, it must design and update its processes and procedures to reflect the new or updated policies and the changed environment. If the business moves to a new version of its backup software, for example, the backup procedures may need to be adjusted.
Most changes of this kind entail examining present processes and deciding how they should be altered. For example, suppose management wishes to hire more outside contractors to complete a job; the company may then need a new process for evaluating the quality of the contractors’ work.
As a last example, assume a company wishes to replace its Microsoft file servers with a number of Linux servers. The high-level policies will stay the same, but the procedures for implementing them will need to be revised. Similarly, if the marketing department needs more real-time interaction with partners and customers and decides to establish a presence on several social networking sites, the company will need to appoint a group of trained individuals to release information on its behalf and train other employees on what may be shared. Change management, configuration management, network access procedures, wireless access procedures, and database administration procedures are just a few of the processes and procedures to think about.
Keep in mind, however, that processes and procedures should only be developed or modified once the relevant policies have been approved; they are then developed in accordance with those policies. Internal organizational drivers form the foundation for developing policies and procedures: whenever a new business or business change occurs, new technologies are introduced, environmental changes occur, or regulatory requirements change, organizations should ensure that policies and processes are developed or re-evaluated.

New business
A new business is a new line of business that a company starts or acquires.
Business changes are frequently driven by consumer expectations and governed by the nature of the organization’s operations. When a change happens, the organization must understand the change and its implications for its security posture, and it should be proactive: anticipate the changes and prepare mitigations for the risks they bring. Assume a company launches a new venture in which consumers may now buy directly items that were previously only available through large retail locations. A new business policy based on this model will need to be created, along with new processes to run the new business. Security specialists are essential to any project that starts a new line of business or changes an existing one because they ensure that security measures are considered. They should document, analyze, and report to management all risks related to the new business or business change, together with the security measures they propose to address those risks.

New technologies
Technical breakthroughs push enterprises to adopt new technologies, and those adoptions drive technology change. Organizations must again ensure that they understand the change and its consequences for their security posture. Assume a company decides to let employees use their own devices for work (BYOD). Security professionals should ensure that the policy sets the boundaries within which BYOD is permitted or prohibited. The accompanying process will need to be formalized and will most likely comprise formal enrollment of a device, assessment of the device’s security posture, and granting full or limited access based on that posture. Security specialists are essential in the adoption of new technologies because they ensure that security measures are taken into account; they should document, analyze, and report to management all risks related to the new technology and recommend and record the security measures that reduce them.

Environmental changes
Environmental changes fall into two categories: those prompted by the organization’s own culture and those driven by the industry environment.
Organizations must understand the changes and their consequences for their security posture, just as with new business or technology. Assume a company introduces a new policy requiring each of its facilities to include a certain amount of green space. Management would have to devise a process for creating and maintaining those spaces, most likely comprising acquiring the property, planning the area, installing the green space, and keeping it maintained.

Regulatory requirements
Regulatory requirements are legal or regulatory obligations that must be documented and obeyed. Standards can be used as part of a regulatory framework, although they are not enforced as strictly as laws and regulations. Organizations must understand the legislation and its consequences for the company’s security posture, just as with new business, technology, or environmental changes. The International Organization for Standardization (ISO) publishes a family of standards, including ISO/IEC 27001, to help enterprises develop security programs. Local, state, federal, and other government entities are among the other regulating bodies.
 

Consider the following scenario:
Assume an organization is updating its security policies and has come to a standstill because management feels the company’s key vendors have a strong grasp of compliance and regulatory standards, and executive-level managers are letting those suppliers have a big say in how the organization’s policies are written. While vendor support is valuable, the IT director believes the firm must design the policy objectively, since suppliers will not always put the organization’s interests first.

The IT director should make the following recommendations to the senior staff:
- Consult legal and regulatory requirements.
- Draft a general organizational policy.
- Specify functional implementation policies.
- Establish necessary standards, procedures, baselines, and guidelines.

As this example demonstrates, you do not need to memorize exact terms; you must, however, understand how these documents are used in enterprises, how they are modified, and how they can be adjusted to match the company’s needs.

Emerging risks
Emerging risks are threats that have arisen recently as the security landscape changes.
Flaws in new technologies, devices, and applications are often not discovered until after they have been deployed. Following the policies and procedures the organization has established, security specialists should research emerging threats continuously. Patch management is crucial when new issues arise, and vendors usually strive to release security updates as quickly as feasible in response. Assume a corporation deploys a new Internet of Things (IoT) device. A few weeks later the vendor finds a security flaw that allows attackers to take over the device’s functionality and publishes a patch to address it. If the necessary processes are in place, the organization’s security staff will be monitoring the vendor’s security advisories and will apply the update after it has been adequately tested.

Legal compliance and advocacy
A company’s legal compliance and advocacy program should involve its human resources department, its legal department or outside counsel, senior management, and other internal and external entities. Legal compliance ensures that the company follows all applicable laws, regulations, and business practices. Legal advocacy, by or on behalf of an organization, is the practice of influencing public policy and resource allocation decisions in political, economic, and social systems and institutions. Human resources involvement ensures that the firm follows all labor laws and regulations in order to protect its employees; HR professionals can help shape the security policy so that individual rights are preserved while corporate assets are protected and liabilities limited. To prevent legal issues, an organization should ensure that users are informed, at login, of the employer’s right to monitor, seize, and search organizational devices; if a technician later has to take an employee’s workstation into custody as part of an investigation, the firm is then protected. HR and legal should be involved in drafting that notice to ensure that it contains all relevant information.

Business documents to support security
Security professionals need to use many common business documents to support the implementation and management of organizational security. Understanding these business documents helps ensure that all areas of security risk are addressed and the appropriate policies, procedures, and processes are developed.

Risk assessment
A risk assessment is a risk management tool used to discover vulnerabilities and threats, assess the consequences of those vulnerabilities and threats, and decide which controls to implement.

Risk assessment or analysis has the following three main steps, as illustrated below:
Step 1: Identify hazards, vulnerabilities, and threats.
Step 2: Identify assets and the asset value at risk.
Step 3: Calculate threat probability and business impact.


Figure: Risk Assessment

Before beginning the risk assessment, management and the risk assessment team must decide which assets and threats to evaluate; this establishes the project’s scope. The team then reports to management the value of the assets under consideration. The asset list is reviewed and finalized, with management adding and removing assets as needed, before the budget for the assessment is set. A risk assessment will not succeed unless it is endorsed and led by senior management, who must define its aim and scope and assign the personnel, time, and financial resources it needs. The statement of applicability (SOA) lists and explains the controls the organization has selected, and how and why they apply; it is derived from the results of the risk assessment. Where ISO 27001 compliance matters to a company, the SOA must link each chosen control to the risks it is meant to manage and should point to the policies, procedures, other documents, or systems used to implement the control. It is also good practice to record why particular controls were excluded.
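The three steps above can be carried through numerically. The following is an added example, not code from the Fatskills guide, that ranks a set of constructed risks and performs a cost/benefit selection of controls, producing the justification entries a statement of applicability needs. It assumes the standard quantitative formulas, which the guide does not spell out: single loss expectancy SLE = asset value × exposure factor, and annualized loss expectancy ALE = SLE × annualized rate of occurrence (the "threat probability" of step 3). All asset values, factors and controls are made up for illustration.

```python
"""Quantitative risk ranking and control selection (added illustration).

Assumed formulas (standard in risk analysis, not stated on the page):
  SLE = asset value (AV) * exposure factor (EF)
  ALE = SLE * annualized rate of occurrence (ARO)
A control is justified when the ALE it removes exceeds its annual cost.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # AV in currency units (constructed figures)
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0..1
    aro: float              # ARO: expected occurrences per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    risk_index: int             # index into the risk list this control addresses
    annual_cost: float
    aro_reduction: float = 0.0  # fraction by which the control lowers ARO
    ef_reduction: float = 0.0   # fraction by which the control lowers EF


def rank_risks(risks):
    """Step 3 output: risks ordered by ALE, highest first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


def residual_ale(risk, control):
    """ALE that remains once the control is in place."""
    ef = risk.exposure_factor * (1 - control.ef_reduction)
    aro = risk.aro * (1 - control.aro_reduction)
    return risk.asset_value * ef * aro


def select_controls(risks, controls):
    """Cost/benefit selection. Returns (selected, excluded); every entry carries
    the risk it maps to and the justification, which is what an SOA records."""
    selected, excluded = [], []
    for c in controls:
        r = risks[c.risk_index]
        benefit = r.ale() - residual_ale(r, c)
        entry = {
            "control": c.name,
            "risk": f"{r.threat} -> {r.asset}",
            "annual_benefit": round(benefit, 2),
            "annual_cost": c.annual_cost,
        }
        if benefit > c.annual_cost:
            selected.append(entry)
        else:
            entry["reason"] = "annual cost exceeds expected ALE reduction"
            excluded.append(entry)
    return selected, excluded


# Constructed sample data for illustration only.
RISKS = [
    Risk("customer database", "ransomware", 500_000, 0.6, 0.2),
    Risk("web storefront", "DDoS outage", 200_000, 0.1, 2.0),
    Risk("office laptops", "theft", 50_000, 0.05, 1.0),
]
CONTROLS = [
    Control("offline backups with restore testing", 0, 15_000, ef_reduction=0.8),
    Control("DDoS scrubbing service", 1, 30_000, aro_reduction=0.9),
    Control("laptop GPS trackers", 2, 5_000, aro_reduction=0.5),
]

if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.threat:>12} -> {r.asset:<18} SLE={r.sle():>10,.0f} ALE={r.ale():>9,.0f}")
    chosen, dropped = select_controls(RISKS, CONTROLS)
    print("selected:", [e["control"] for e in chosen])
    print("excluded:", [(e["control"], e["reason"]) for e in dropped])
```

The excluded list matters as much as the selected one: the laptop tracker is dropped because it costs more per year than the loss it prevents, and recording that reason is exactly the "why certain controls were left out" entry the SOA should carry.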

Business impact analysis (BIA)
A business impact analysis (BIA), as shown below, is a functional analysis used in business continuity and disaster recovery planning. A thorough BIA helps the business units understand the impact of a disaster. It produces a document that identifies the critical business functions, their resource requirements, and their criticality to the broader company; typical outputs include, for each function, how long it can be down before the damage becomes intolerable and the recovery time and recovery point objectives that follow from that.

Refer to the figure below that illustrates the business impact analysis:


Figure: Business Impact Analysis

Interoperability agreement (IA)
An interoperability agreement (IA) is a contract between two or more entities to collaborate in order to exchange information. These agreements are most commonly used between sister firms controlled by the same parent organization: although the businesses are structured and run differently, they may share systems, telecommunications, software, and data to consolidate resources and make better use of them. IAs are legally enforceable contracts. An interoperability agreement is not the same as a reciprocal agreement. An IA covers routine operations, whereas a reciprocal agreement is an arrangement between two organizations with comparable technology needs and infrastructures in which each agrees to act as an alternate site for the other if one organization’s principal facility becomes unavailable. Unfortunately, in most cases reciprocal agreements are not legally enforceable.

Interconnection security agreement (ISA)
An interconnection security agreement (ISA) documents the technical requirements of a connection between two entities that own and operate linked IT systems. In most cases each organization’s security control requirements are stated in the agreement to avoid misunderstandings, and an ISA is normally paired with a memorandum of understanding between the parties. For example, if a company has connected its network to a national high-speed network and local businesses are seeking to connect to that network directly through the company’s network, an ISA is the right way to document the connection’s technical requirements.

Memorandum of understanding (MOU)
A memorandum of understanding (MOU) is a document that defines a shared course of action between two or more organizations. MOUs are frequently used when the parties do not want a legal commitment or cannot reach a legally binding agreement; in some circumstances an MOU is also called a letter of intent.

Service-level agreement (SLA)
A service-level agreement (SLA) is a contract that specifies how quickly the support organization will respond to problems and the level of service it will maintain. SLAs may be internal, between departments, or external, with a service provider. Agreeing in advance on how quickly particular problems are handled makes the response predictable, which in turn helps maintain access to resources. An SLA is included with most service contracts and may cover security priorities, duties, guarantees, and warranties; to be enforceable it should state measurable targets, such as response times and availability, and what happens when they are missed. When a new third-party vendor, such as a cloud provider, is chosen to maintain and administer an organization’s systems, an SLA is the appropriate document. It is likewise the right choice when an organization needs 24-hour support for specific internal services and wishes to use a third party for shifts that internal staff do not cover.

Operating-level agreement (OLA)
An operating-level agreement (OLA) is a document that specifies the relationships between internal departments that support business activity. OLAs are frequently used alongside SLAs. An example of an OLA is an agreement between the IT department and the accounting department in which IT takes responsibility for backing up the accounting server while accounting staff remain accountable for its day-to-day operation.

Non-disclosure agreement (NDA)
A non-disclosure agreement (NDA) is a contract between two parties that specifies what information is confidential and cannot be disclosed to anyone else. An organization can use NDAs with its employees to protect its intellectual property, and NDAs are employed when two companies collaborate on a new product: because some information must be disclosed for the partnership to succeed, each partner signs an NDA so that its data is protected. An NDA cannot guarantee that sensitive information is never released, but it does spell out the consequences for an offender, such as financial damages and loss of rights, and it gives the injured party a basis for legal action.
A business that wishes to legally ensure that no sensitive information is compromised through a project with a third party, or in a cloud-computing environment, should put an NDA in place. The NDA you sign before taking the CompTIA Advanced Security Practitioner exam is an example of one in use: you digitally agree that you will not discuss any of the exam’s contents beyond what CompTIA officially publishes in the exam objectives on its website. Violating that NDA can cost you your CompTIA certification and bar you from future CompTIA examinations.

Business partnership agreement (BPA)
A business partnership agreement (BPA) is a contract between two or more business partners that spells out the terms of their cooperation. It commonly covers each partner’s obligations, profit and loss sharing, resource sharing, and data sharing. For example, if an organization enters into a marketing agreement under which it will share some of its customer information with a marketing firm, the terms should be spelled out in a BPA, along with any boundaries, such as permitting the marketing firm to contact only customers who have explicitly agreed to be contacted by third parties. Any organizational policies that affect the partner and its employees should be included in the BPA; a BPA with a partner whose staff work onsite, for instance, should include your organization’s USB flash drive and removable media policy.

Master service agreement (MSA)
A master service agreement (MSA) is a contract in which two parties agree on most of the terms that will govern their future transactions or agreements. It is well suited to a long-term relationship with a vendor or supplier. For the term of each contract, the MSA provides a risk allocation plan that describes the risks and duties of the contractors and employees covered by the agreement. It also includes indemnification, under which one party agrees to hold the other harmless, that is, to cover the specified current or future losses, including legal expenses and litigation costs, that fall within the clause’s scope. A statement of work (SOW) is frequently attached to an MSA and specifies the precise work the vendor will perform for the customer: the tasks to be completed, the deliverables, and a timetable for completion.

Security requirements for contracts
Contracts with third parties are common in the industry. Because security has become a priority for most enterprises and government institutions, contracts now routinely include provisions that expressly set out the vendor’s security requirements. Organizations should obtain legal advice to ensure that the contracts they execute contain the security criteria needed to meet not just their own requirements but also any applicable government rules and laws.

An organization may want to consider including provisions such as the following in any contract:
- Required policies, practices, and procedures for handling organizational data
- Training or certification requirements for third-party personnel
- Background investigation or security clearance requirements for third-party personnel
- Required security reviews of third-party devices
- Physical security requirements for third-party personnel
- Laws and regulations that will affect the contract

Security professionals should also research the security requirements that belong in procurement documents, including RFPs, RFQs, RFIs, and other agreements.
 

The figure below illustrates the three procurement documents through which security requirements are communicated to vendors: the RFI, the RFQ, and the RFP.


Figure: RFI, RFQ and RFP


Request for information (RFI)
An RFI is a document used in the bidding process to gather written information about the capabilities of potential vendors. An RFI can be used before an RFP or RFQ, and also afterwards if the RFP or RFQ responses did not yield sufficient specification information. Assume a large private firm’s security administrator is researching and drafting a proposal to acquire an IPS. Because no particular IPS has been chosen, the administrator needs information from multiple suppliers before deciding on a solution, and an RFI would aid in selecting a particular brand and model. Now consider a case in which the RFI follows the RFQ. Three senior managers have been requesting bids for a set of firewall solutions for a large installation at the firm’s new office. After examining RFQ responses from three suppliers, they still have no meaningful data on the specifications of any of the solutions, and they need that data before procurement can continue. To put the procurement back on track, the managers should issue an RFI to the three submitting vendors requesting more extensive information about their product solutions.

Request for quote (RFQ)
A request for quote (RFQ), also known as an invitation for bid, is a bidding document that invites vendors to submit bids on specified items or services. Because an RFQ spells out the item or service requirements, it is useful for procuring items that are standardized or produced in large quantities, such as desktop computers, RAM modules, or other devices. Assume a small private firm’s security administrator is researching and drafting a proposal to acquire an intrusion prevention system and needs cost information for a particular brand and model that has already been chosen. To produce a cost analysis report, the administrator should issue an RFQ, which would also specify terms such as payment terms.

Request for proposal (RFP)
An RFP is a document used in the bidding process that describes a commodity, service, or asset the organization wants to buy.
The RFP is the framework against which potential providers present a formal bid. Suppose that after three suppliers have delivered the requested documents, two members of senior management feel they understand what each vendor does and what solutions it can supply, but now want to understand in detail how those solutions would meet the firm’s needs. To gather that information, the managers should issue an RFP to the three submitting businesses.

Agreement or contract
Organizations employ a variety of other third-party agreements in addition to those mentioned. Even though many of them are less formal than RFPs, RFQs, or RFIs, it is still critical to address any security needs in the agreement so that the third party is aware of them. This includes purchase orders, sales agreements, manufacturing agreements, and the other sorts of contracts an organization uses to do business.

Privacy principles for sensitive information
Consumer privacy is a key concern in how technology is used today. The privacy problem generally revolves around three questions: whether, and with whom, personal information may be shared; whether messages can be transmitted privately; and whether, and how, a user can send messages anonymously. Privacy is an important aspect of a company’s security measures. As part of the measures companies must take to preserve privacy, personally identifiable information (PII) must be understood, identified, and secured. PII is any piece of data that can be used, alone or in combination with other information, to identify a specific individual, and any PII an organization acquires must be safeguarded to the greatest extent practicable. Full name; identification numbers such as driver’s license and social security numbers; date of birth; place of birth; biometric data; financial account numbers such as bank account and credit card numbers; and digital identities such as social media names and tags are all examples of PII.
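Identifying PII in practice means finding it in data the organization already holds. The following is an added example, not from the Fatskills guide, that scans constructed help-desk records for several of the PII kinds listed above (identification numbers, dates of birth, e-mail identities and payment card numbers), redacts what it finds, and labels each record for classification. The patterns are US-centric and are an assumption on my part; a regex only checks format, so the card pattern is confirmed with the Luhn checksum to avoid flagging serial numbers that merely look like cards, and the sample records are invented.

```python
"""Locate and redact common PII in free-text records (added illustration).

The patterns are US-centric examples (an assumption; PII definitions differ
by jurisdiction) covering identification numbers, dates of birth, e-mail
identities and payment card numbers.
"""
import re

# Format checks only; a regex cannot know whether "123-45-6789" is really an SSN.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
DOB_RE = re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# 13-19 digits, optionally separated by spaces or dashes; confirmed with Luhn below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters serial numbers and IDs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str):
    """Return (kind, start, end, value) tuples in order of appearance."""
    found = []
    for kind, pattern in (("ssn", SSN_RE), ("dob", DOB_RE), ("email", EMAIL_RE)):
        for m in pattern.finditer(text):
            found.append((kind, m.start(), m.end(), m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(("card", m.start(), m.end(), digits))
    return sorted(found, key=lambda f: f[1])


def redact(text: str) -> str:
    """Mask each finding; cards keep the last four digits for reconciliation."""
    out = text
    for kind, start, end, value in reversed(find_pii(text)):
        mask = f"[CARD ****{value[-4:]}]" if kind == "card" else f"[{kind.upper()}]"
        out = out[:start] + mask + out[end:]
    return out


def classify_records(records):
    """Label each record 'restricted' if it carries PII, otherwise 'internal'."""
    return [(rec, "restricted" if find_pii(rec) else "internal") for rec in records]


# Constructed help-desk records; the numbers are dummy test values, not real data.
SAMPLE_RECORDS = [
    "ticket 1042: caller Jane Doe, dob 1984-07-19, ssn 123-45-6789, email jane.doe@example.com",
    "ticket 1043: refund to card 4111 1111 1111 1111 approved",
    "ticket 1044: printer on floor 3 jammed, serial 1234 5678 9012 3456",
    "ticket 1045: laptop asset tag 7731 returned, no issues",
]

if __name__ == "__main__":
    for rec, label in classify_records(SAMPLE_RECORDS):
        print(f"{label:<10} {redact(rec)}")
```

The third record is the instructive one: its sixteen-digit serial number matches the card pattern but fails the Luhn check, so it is not reported. Without that check a scanner like this drowns reviewers in false positives, which is why data-classification tooling combines format patterns with validation and, ideally, with context such as field names.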
Various nations and levels of government use different criteria to define PII, so security professionals must be familiar with the PII rules and legislation at the international, national, state, and local levels that apply to them. As theft of this data becomes more common, expect additional regulations affecting the profession to follow.

Policies containing standard security practices
Organizational policies must be developed to support all areas of security. Experienced security professionals recommend that organizational security policies cover separation of duties, job rotation, mandatory vacation, least privilege, incident response, forensic tasks, employment and termination procedures, continuous monitoring, user training and awareness, and auditing requirements and frequency.

Separation of duties
When creating an organization's authentication and authorization procedures, keep separation of duties in mind as a preventive administrative control, as presented in Figure 3.5. Separation of duties prevents fraud by spreading tasks, and the rights and privileges that accompany them, across several users. If a company adopts proper separation of functions, fraud against the organization would require collusion between two or more employees. Authorizing one person to control backup operations and another to manage restore procedures is a good illustration of splitting roles.

Figure: Separation of Duties

Dual control and split knowledge are linked to separation of duties. With dual control, two or more people are permitted and required to carry out particular operations. A retail firm, for example, could require two supervisors to unlock the safe. Split knowledge guarantees that no single person has all of the information required to complete a job. Split knowledge is demonstrated by the military requirement that two people each enter a different combination to authorize a missile launch. Separation of duties, as shown below, ensures that no single individual is capable of jeopardizing the organization's security. Any high-risk activity should be broken down into discrete tasks, which may then be assigned to different people or departments. Separation of duties is the guiding concept when an organization establishes a policy stating that the systems administrator cannot be present during a system audit.

Figure: Separation of Duties (Segregated & Non-segregated)

Consider the following example of a breach of the division of roles:
Assume that an organization's internal audit department is looking into a probable security breach. One of the auditors interviews three employees: a clerk responsible for entering data into the financial system at the accounts receivable office, an administrative assistant responsible for approving purchase orders at the accounts payable office, and the financial department manager, who is able to act as both the clerk and the administrative assistant at the same time. To prevent future security breaches, the auditor should recommend that the manager's role be limited to data assessment and approval of purchase orders.

Job rotation
Job rotation, as depicted below, from a security standpoint refers to the detective administrative control in which multiple users are trained to perform the functions of a position, in order to help prevent fraud by any single employee. The premise is that when several people are familiar with the legitimate tasks of a job, the probability that unusual behavior by any one person will be noticed increases. Job rotation is frequently combined with mandatory vacations. Beyond its security aspects, additional benefits of job rotation include the following:
- Trained backup in case of emergencies
- Protection against fraud
- Cross-training of employees
- Mandatory vacation

Figure: Job Rotation

Mandatory vacations require all employees to take time off, enabling other employees to fill in for them while they are away. This detective administrative control improves the chances of uncovering unusual conduct. Some of the security benefits of mandatory vacations come from having the replacement employee do the following:
- Run the same applications as the vacationing employee
- Perform tasks in a different order from the vacationing employee
- Perform the job from a different workstation than the vacationing employee

Employees who are filling in for a vacationing employee should avoid running scripts that were written by the vacationing employee. A substitute employee should either write their own script or execute the duties in the script manually.

Least privilege
The principle of least privilege states that a user or process should have only the access privileges necessary to complete a job. Its major goal is to guarantee that users have access only to the resources they require and are permitted to perform only the tasks they require. To fully implement least privilege, organizations must identify every user's job role and restrict each user to only the rights that role needs. Least privilege is closely linked to the need-to-know principle: whereas least privilege seeks to reduce access to a bare minimum, need-to-know sets the minimum for each job role or business function.
A problem arises when a user has more rights, privileges, and permissions than he needs to do his job. In corporate environments, excessive rights are difficult to manage. A frequent application of the least privilege and need-to-know principles is giving a systems administrator both an administrative-level account and a regular user account. Administrators should normally use the regular user account, and use the administrative-level account only for administrative-level duties. When administrators perform everyday operations using administrative-level accounts, they risk jeopardizing system security and user accountability.

Organizational rules that support the principle of least privilege include the following:
- Keep the number of administrative accounts to a minimum.
- Administrators should use normal user accounts when performing routine operations.
- Permissions on tools that are likely to be used by attackers should be as restrictive as possible.

To support the least privilege and need-to-know principles, users should be separated into groups so that information can be confined to a specific group or area. This procedure is called compartmentalization. The default level of access should be no access. Users should have access only to the resources they need to do their work, and that access should be granted manually after a supervisor has validated the need. Access control models that support need-to-know include discretionary access control and role-based access control. To enforce least privilege, each user's job must be identified and each user given the lowest level of clearance necessary for his or her responsibilities. Database views are another example: an operator is given only the minimum view of the system needed to complete his or her duty. If an administrator reviews a recent security audit and discovers that two financial users also have access to human resource data, this may be a breach of least privilege if one of those users works exclusively in finance. Users should have access only to the data they need to fulfill their tasks. While certain users may need data from outside their department, this is not the norm and should always be thoroughly scrutinized.
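As an added example (not code from the study guide), the following Python access-review script applies both checks discussed above: it flags separation-of-duties conflicts, such as the manager in the audit example who can both enter receivables and approve purchase orders, and it flags users whose granted permissions exceed what their roles need, such as a finance user holding human resources data access. The role names, resources, user records and conflict matrix are all constructed sample data.

```python
"""Access review: separation-of-duties conflicts and excess privileges.

Added example; not part of the study guide. Every role, resource and
user below is constructed sample data, not a real organization's model.
"""

# Minimum permissions each job role needs (need-to-know). Constructed.
ROLE_PERMISSIONS = {
    "ar_clerk": {"finance_db:write"},                 # enters receivables data
    "ap_assistant": {"purchase_orders:approve"},      # approves purchase orders
    "finance_manager": {"finance_db:read", "purchase_orders:approve"},
    "hr_analyst": {"hr_db:read"},
}

# Toxic role combinations: one person holding both could commit and
# conceal fraud alone, which separation of duties exists to prevent.
SOD_CONFLICTS = {
    frozenset({"ar_clerk", "ap_assistant"}),
    frozenset({"ar_clerk", "finance_manager"}),
}


def sod_conflicts(user_roles):
    """Return {user: [conflicting role pairs]} for users holding a toxic combination."""
    findings = {}
    for user, roles in user_roles.items():
        held = set(roles)
        hits = [tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= held]
        if hits:
            findings[user] = sorted(hits)
    return findings


def excess_privileges(user_roles, user_permissions):
    """Return {user: [permissions]} granted beyond what the user's roles need.

    The default is no access, so a user with no roles should hold nothing.
    """
    findings = {}
    for user, granted in user_permissions.items():
        allowed = set()
        for role in user_roles.get(user, []):
            allowed |= ROLE_PERMISSIONS.get(role, set())
        extra = set(granted) - allowed
        if extra:
            findings[user] = sorted(extra)
    return findings


def review_access(user_roles, user_permissions):
    """Run both checks; an empty result means the review found nothing."""
    return {
        "sod_conflicts": sod_conflicts(user_roles),
        "excess_privileges": excess_privileges(user_roles, user_permissions),
    }


# Constructed sample: manager1 mirrors the manager in the audit example,
# fin_user2 mirrors the finance user who also holds HR data access.
SAMPLE_USER_ROLES = {
    "clerk1": ["ar_clerk"],
    "assistant1": ["ap_assistant"],
    "manager1": ["finance_manager", "ar_clerk", "ap_assistant"],
    "fin_user2": ["finance_manager"],
    "orphan": [],
}
SAMPLE_USER_PERMISSIONS = {
    "clerk1": {"finance_db:write"},
    "assistant1": {"purchase_orders:approve"},
    "manager1": {"finance_db:read", "finance_db:write", "purchase_orders:approve"},
    "fin_user2": {"finance_db:read", "purchase_orders:approve", "hr_db:read"},
    "orphan": {"finance_db:read"},
}

if __name__ == "__main__":
    for check, result in review_access(SAMPLE_USER_ROLES, SAMPLE_USER_PERMISSIONS).items():
        print(check, result)
```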

Incident response
Security-related incidents are unavoidable. How the organization responds to an incident largely determines how harmful the event turns out to be. Incident response policies should be properly defined, clearly communicated, and adhered to, with special attention to cyber-attacks on the company's IT infrastructure. The steps in the incident response process (refer to Figure 3.8) can include the following:

Step 1: Detect: The first step is to find out what happened. Detection is the function of all detective controls, such as auditing. An incident that goes undetected is the worst kind.
Step 2: Respond: The incident should be responded to in a manner suitable for the kind of occurrence. A DoS attack on a web server would require a more immediate and different reaction than a lost mouse in the server room. Standard responses and response times should be established ahead of time by the organization.
Step 3: Report: All incidents should be reported within a reasonable time period, taking into account the severity of the situation. In many circumstances it is helpful to create a list of incident categories and who to call when each sort of incident happens. At this early stage, when time-sensitive information is still accessible, meticulous attention to detail is essential.
Step 4: Recover: Recovering entails taking steps to restore the network or system's functionality. What that involves depends on the circumstances and the recovery options available. If fault tolerance is in place, for example, recovery may be as simple as letting one server in a cluster fail over to another. In other circumstances, restoring the server from a recent backup may be necessary. The major purpose of this stage is to re-establish access to all resources.
Step 5: Remediate: This step entails removing any lingering threat or network damage that may still persist. For example, after a virus outbreak, scanning systems to find any further infected devices might be necessary. When time permits, these approaches are used to provide more extensive mitigation.
Step 6: Recap: The final step is to review each incident to see what lessons can be learned. Process changes may be required so that lessons learned are communicated to all workers who may be involved in a similar incident in the future.
The actual investigation of an incident takes place during the respond, report, and recover steps. Following proper forensic and digital investigation procedures during the investigation helps guarantee that evidence is preserved.

Figure: Incident Response Steps

Every firm must have an incident response plan in place to guarantee that security issues are recognized, contained, and investigated. Any investigation begins with incident response. Once an incident has been found, incident response personnel carry out specific activities. Throughout the response, the incident response team must ensure that the right protocols are followed in order to preserve evidence. Security personnel must understand the distinction between events and incidents when responding. The team must have adequate incident response procedures in place so that an incident is handled properly, but those procedures must not obstruct any forensic investigation that may be required to hold parties accountable for illegal conduct. Any incident investigation requires security experts to understand the rules of engagement, as well as the authorization and scope of the investigation.

Events versus incidents
There is a fundamental distinction between events and incidents when it comes to incident response. An event is a change of state. Whereas events may be either good or bad, incident response is mainly focused on negative events, those determined to have a detrimental impact on the company. An incident is a set of events that have a negative influence on the operations and security of a company. An attempt to connect to the server, for example, is an event. An incident occurs when a system is breached as a result of a series of failed attempts to connect to the server.

Figure: Event v/s Incident

Events can only be discovered if a company has developed sufficient auditing and security procedures to monitor activity. A single negative event may occur on its own. An invalid login attempt, for example, may be recorded in the audit log. This login attempt isn't a security risk on its own. However, if a large number of invalid login attempts occur in a short period of time, the organization may be under attack. The first invalid login attempt is considered an event, but a succession of invalid login attempts over a period of hours would be termed an incident, especially if the invalid login attempts all came from the same IP address.

Rules of engagement, authorization, and scope
The incident response team's rules of engagement, authorization, and scope should all be documented. If an incident has happened, the rules of engagement establish which actions are allowed and which are not. The authorization and scope give the incident response team the power to conduct an investigation and define the extent of any investigation the team is expected to conduct. The rules of engagement also serve as a guide to ensure that the team does not cross the line from enticement to entrapment. Enticement happens when the attacker is offered the opportunity to engage in illicit behavior (luring) but chooses to act on his own. Entrapment is the act of persuading someone to commit a crime that they had no intention of committing. Although enticement is legal, it raises ethical concerns and may not be admissible in court. Entrapment is a crime.

Forensic tasks
Computer investigations involve different processes than ordinary investigations because the investigator's time frame is constricted and an expert may be necessary to assist. Furthermore, because computer data is intangible, extra caution is typically required to guarantee that the data is preserved in its original form. Finally, obtaining evidence of a digital crime can be challenging. Once a decision has been made to investigate a computer crime, you should follow standardized procedures, including the following:
- Identify what type of system is to be seized.
- Identify the search and seizure team members.
- Determine the risk of the suspect destroying evidence.

Notifying law enforcement of a computer crime increases the constraints on the organization's investigators. It may be necessary to turn the inquiry over to law enforcement to guarantee that the evidence is properly maintained. Evidentiary rules must be followed while investigating a computer crime: computer evidence must prove a fact that is relevant to the case and must be reliable. It is crucial to keep the chain of custody intact. If the procedure for producing computer evidence has not been documented, it is less likely to be admitted in court.

The forensic investigation involves the following steps:
Step 1: Identification
Step 2: Preservation
Step 3: Collection
Step 4: Examination
Step 5: Analysis
Step 6: Presentation
Step 7: Decision

Employment and termination procedures
The vast majority of security vulnerabilities inside a business are caused by employees. As a result, an organization's personnel security policies must be implemented. Screening, hiring, and termination rules should all be included in an organization's personnel security policy. A criminal background check, job history, background investigations, credit history, driving records, substance-abuse tests, and education and license verification should all be done before an offer of employment is made. Screening requirements should be developed depending on the organization's requirements and the level of the position the potential recruit will hold. Signing all applicable paperwork, including government-required documentation, no-expectation-of-privacy declarations, and NDAs, should be part of the employment process.
New workers are given a copy of the personnel handbook as well as other employment material. IDs and passwords should be issued only after formal verification that the employee has completed all of the required training. A termination must be handled according to whether it is friendly or unfriendly. Human resources procedures should guarantee that organizational property is returned, that user access is terminated when it is no longer needed, and that exit interviews are conducted. For unfriendly terminations, organizational processes must be proactive in order to protect the company's assets: system and facility access should be revoked before the employee is notified of the termination, and the employee should be escorted from the premises by security.
During employment, management must also guarantee that adequate security rules are in place. Some roles may necessitate employment agreements in order to preserve the business and its assets even after the employee has left. NDAs, non-compete provisions, and code of conduct and ethics agreements are examples of these agreements.

Continuous monitoring
An organization’s operating baselines must be captured before continuous monitoring may be successful. After all, if an organization doesn’t know what “normal” is, it won’t be able to spot aberrant patterns of behavior. These baselines should be checked on a regular basis to confirm that they have not been altered. A new performance baseline should be acquired if a single web server is upgraded to a web server farm, for example. The organization’s security posture must be maintained at all times, according to security specialists. This needs constant monitoring. On a regular basis, auditing and security logs should be inspected. Baselines should be compared against performance measurements. Even simple actions like user login and logout timings should be tracked. If a user starts logging in and out at odd times, the user’s supervisor should be notified to make sure the user is permitted. Organizations must maintain constant vigilance over their enterprise’s security.

Training and awareness for users
Security awareness training, security training, and security education are phrases that are frequently used interchangeably, but they are not the same. Awareness training reinforces the need to employ security measures to protect valuable resources. Security training teaches personnel the skills they need to do their jobs safely. Security awareness training, which combines awareness and security training, promotes user security awareness and ensures that users can be held accountable for their actions. Security education is more self-contained and geared toward security professionals who need security knowledge to manage security programs in-house. In short, awareness training focuses on what, security training on how, and security education on why. The audience should be considered when developing security awareness training. Trainers must also be aware of the business culture and how it influences security. In a small customer-focused bank, for example, bank workers may be encouraged to form relationships with bank customers. In this scenario, security awareness training must take into account the hazards associated with close client relationships.
High-level management, middle management, technical professionals, and other staff are among the audiences to consider while developing training. Security awareness training for high-level management must include a thorough grasp of potential risks and threats, the impact of security concerns on the organization’s reputation and financial position, and any applicable rules and regulations that apply to the security program. Policies, standards, baselines, guidelines, and procedures, as well as how these components relate to different departments, should be discussed during middle management training. Middle management must also be aware of their security duties.
Technical employees should be trained on how to configure and maintain security safeguards, as well as how to spot an attack when one happens. Furthermore, technical employees should be encouraged to earn industry certifications and advanced degrees. Other employees must be aware of their security obligations in order to carry out their daily activities safely. Using real-life examples to stress adequate security practices is helpful for this group. Targeted security training is necessary to ensure that users at all levels of the company are aware of their security responsibilities. Suppose a manager is in a training session that lasts all day. He is behind on entering bonus and payroll information for subordinates, and he decides that logging into the payroll system and enabling desktop sharing with a trusted subordinate is the best way to get the updates in. The manager hands over control of the desktop to the subordinate, giving him or her complete access to the payroll system, even though the subordinate lacks the permissions to access it. Another employee reports the event to the security staff. The most effective way to deal with this problem is to provide targeted security awareness training and to fire repeat offenders.
Employees should sign a paper attesting to the fact that they have finished the training and comprehended all of the themes. Although initial security awareness training should take place when someone is employed, it should be regarded as an ongoing process, with future training sessions occurring at least once a year. It is critical for businesses to ensure that processes are followed correctly at all times. If a business detects that employees are not adhering to proper processes of any type, the procedures should be reviewed to ensure that they are right. The workers should then be provided the necessary training to ensure that the correct processes are followed.
For example, if a recent security breach resulted in the disclosure of sensitive customer information, the firm must ensure that employees are properly taught to improve security and limit the risk of data disclosure. In this situation, the privacy compliance training program should primarily focus on explaining to employees how customer data is collected, utilized, released, and maintained. It’s also critical to conduct security audits on a regular basis. Consider the case where a security audit discovered lack of security controls relating to employee account management. The audit indicates that accounts are not deactivated immediately once an employee leaves the company. An employee’s account should be disabled within eight hours of termination, according to corporate policy. However, according to the audit, 10% of the accounts were not blocked until seven days after a terminated employee had left. In addition, 5% of the accounts are still active. To guarantee fast reporting of employee terminations, security professionals should discuss the termination policy with the organization’s managers. To guarantee that accounts are disabled when necessary, it may be important to develop a systematic mechanism for reporting terminations.

Auditing requirements and frequency
Before you can detect abnormal patterns of behavior, you must first recognize normal patterns. You should also define a clipping level, a threshold above which violations are reported. Three failed login attempts is a commonly used clipping level: any unsuccessful login attempt beyond the third is deemed malicious, and once the clipping level is reached, most lockout policies lock the user's account. Auditing and reporting hold users accountable for their behavior; however, an auditing system can only report on occurrences that it is configured to monitor.
Organizations must find a balance between checking essential events and processes while also ensuring device performance is adequate. Organizations must also ensure that any monitoring they do is compliant with all applicable laws. Audit trails are used to identify computer breaches because they uncover behaviors that suggest abuse. Security experts should evaluate patterns of access to specific assets using audit trails.
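The following Python script is an added example, not code from the study guide, that puts the two ideas above together: each authentication log line is an event, a three-failure clipping level per account triggers a lockout, and a run of failures from one source address within a time window is escalated to an incident, as described in the events-versus-incidents section. The log format, account names and source addresses (RFC 5737 test ranges) are constructed sample data; the thresholds and window are assumptions you would tune to your own environment.

```python
"""Event-to-incident correlation over authentication log lines.

Added example, not from the study guide. The log format and every host,
user and IP address below are constructed; addresses use RFC 5737 ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <FAILED|SUCCESS> user=<name> src=<ip>"
LOG_RE = re.compile(r"^(\S+) (FAILED|SUCCESS) user=(\S+) src=(\S+)$")

CLIPPING_LEVEL = 3                 # failed attempts per account before lockout
INCIDENT_THRESHOLD = 10            # failures from one source within the window
INCIDENT_WINDOW = timedelta(hours=1)


def parse_events(lines):
    """Each well-formed log line is one event (a change of state).

    Lines that do not match the format are skipped rather than guessed at.
    """
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "result": result,
                       "user": user, "src": src})
    return events


def lockouts(events, clipping_level=CLIPPING_LEVEL):
    """Apply the clipping level: an account reaching clipping_level
    consecutive failures is locked. A successful login resets the streak."""
    streak = defaultdict(int)
    locked = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "SUCCESS":
            streak[ev["user"]] = 0
            continue
        streak[ev["user"]] += 1
        if streak[ev["user"]] >= clipping_level:
            locked.add(ev["user"])
    return locked


def incidents(events, threshold=INCIDENT_THRESHOLD, window=INCIDENT_WINDOW):
    """Sliding window per source IP: a single failure is only an event, but
    threshold or more failures from one source inside the window is an
    incident. Returns {src: peak failures seen in any one window}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAILED":
            by_src[ev["src"]].append(ev["ts"])
    found = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            found[src] = peak
    return found


# Constructed sample log: one isolated failure, then a spray from one source.
SAMPLE_LOG = [
    "2024-05-01T08:00:00 FAILED user=alice src=198.51.100.7",   # an event, not an incident
    "2024-05-01T08:00:30 SUCCESS user=alice src=198.51.100.7",
    "2024-05-01T09:00:00 FAILED user=bob src=203.0.113.5",
    "2024-05-01T09:03:00 FAILED user=bob src=203.0.113.5",
    "2024-05-01T09:06:00 FAILED user=bob src=203.0.113.5",      # third failure: clipping level
    "2024-05-01T09:09:00 FAILED user=carol src=203.0.113.5",
    "2024-05-01T09:12:00 FAILED user=dave src=203.0.113.5",
    "2024-05-01T09:15:00 FAILED user=erin src=203.0.113.5",
    "2024-05-01T09:18:00 FAILED user=frank src=203.0.113.5",
    "2024-05-01T09:21:00 FAILED user=grace src=203.0.113.5",
    "2024-05-01T09:24:00 FAILED user=heidi src=203.0.113.5",
    "2024-05-01T09:27:00 FAILED user=ivan src=203.0.113.5",
    "garbage line that does not match the format",              # skipped by the parser
]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("events parsed:", len(evs))
    print("accounts locked:", lockouts(evs))
    print("incidents by source:", incidents(evs))
```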

Information classification and life cycle
The importance of data to the organization and its sensitivity to disclosure should be considered when classifying it. As previously stated in this guide, assigning a value to data helps an organization identify the resources that should be spent to safeguard the data. Personnel resources, monetary resources, and access control resources are all employed to safeguard data. Data classification based on confidentiality, integrity, and availability (CIA) allows you to employ various safeguards. After the data has been categorized, it can be split according to the level of protection required. Data is handled and safeguarded in the most cost-effective way possible, thanks to the categorization levels. The categorization levels that an organization utilizes should be determined based on the needs of the organization. Commercial information categories, as well as military and government information classifications, are widely employed. The classification of the data should also be used to guide the information life cycle. According to municipal, state, and federal rules and regulations, businesses are obligated to save certain information, notably financial data.

Commercial business classifications
Commercial businesses usually classify data using the four main classification levels, listed as follows, from the highest sensitivity level to the lowest:

- Confidential
- Private
- Sensitive
- Public

Confidential data, such as trade secrets, intellectual property, application source code, and other private information, could have major consequences for the firm if leaked. Only employees whose job relates to the data's subject have access to this level of data, and each access normally requires authorization. The Freedom of Information Act protects confidential information from dissemination. In most situations, external entities are permitted access to confidential data only after signing a confidentiality agreement and complying with a court order. Private data is information about employees, such as human resources records, medical records, and salary information, that is used solely within the firm, for example in a government project or a contract procurement agreement. Sensitive data, such as corporate financial information, needs additional safeguarding to ensure its CIA and correctness. Public data is information whose disclosure would not harm the company.

Military and government classifications
Military and government entities usually classify data using the five main classification levels, listed as follows, from the highest sensitivity level to the lowest:

- Top secret
- Secret
- Confidential
- Sensitive but unclassified
- Unclassified

Top secret data, such as weapons designs, technical specifications, spy satellite intelligence, and other military data, could jeopardize national security if revealed. Secret data includes deployment plans, missile locations, and other information that, if revealed, may jeopardize national security. Confidential data, such as patents, trade secrets, and other proprietary information, could have major consequences for the government if released without permission. Sensitive but unclassified data is medical or other personal data that may not pose a severe threat to national security but could cause individuals to question the government's reputation. Unclassified military and government material that does not fall into any of the other four categories must normally be released to the public under the Freedom of Information Act.

Information life cycle
Data retention and deletion protocols must be in place in all enterprises. All local, state, and federal requirements and laws must be followed while retaining and destroying data. Documenting the right processes guarantees that information is kept for the length of time necessary, avoiding financial penalties and possible imprisonment of high-ranking organizational executives. Both the retention term, including prolonged retention periods for legal holds, and the disposal process must be included in these protocols.

Conclusion
This guide discussed the impact of new business, technologies, and business and environmental changes on security policies and processes. Legal compliance aspects for human resources, staff, and management were also discussed. Business documents supporting security were covered, including risk assessments, BIA, agreements, MoU, and SLA among others. This guide also covered the standard security practices of separation of duties, job rotation, least privilege, incident response, and other procedures.