Obtain regulatory framework compliance
Organizations are often required to comply with some type of security regulation
Complying with regulatory frameworks is a collaborative effort between governments and private bodies to encourage voluntary or mandatory improvements to cybersecurity
IT security regulatory frameworks contain a set of guidelines and best practices
IT security regulatory frameworks inform businesses that they need to follow these guidelines and best practices to meet regulatory requirements, improve security, and achieve certain business objectives
Regulatory Frameworks (PCI-DSS)
Policies (encryption Policy)
Standards (encryption standards such as the Data Encryption Standard, the Advanced Encryption Standard, and the Rivest-Shamir-Adleman algorithm)
Procedures, Practices, and Guidelines (data encryption procedures)
Why do organizations need compliance?
Improves Security – IT security regulations and standards improve the overall security of an organization by meeting regulatory requirements
Minimize Losses – Improved security, in turn, prevents security breaches, which can cause losses to the company
Maintain Trust – Customers trust the organization in the belief that their information is safe
Identify which regulatory framework to comply with
An organization needs to assess itself to determine which regulatory framework applies to it best
For example, the following table shows different regulations and which organizations fall within the scope of each regulatory framework
Health Insurance Portability and Accountability Act (HIPAA) – Any company or office that deals with healthcare data, including, but not limited to, doctor’s offices, insurance companies, business associates, and employers
Sarbanes Oxley Act (SOX) – US public company boards, management, and public accounting firms
Federal Information Security Management Act of 2002 (FISMA) – All federal agencies must develop methods of protecting information systems
Gramm Leach Bliley Act (GLBA) – Companies that offer financial products or services to individuals such as loans, financial or investment advice, or insurance
Payment Card Industry Data Security Standards (PCI-DSS) – Companies handling credit card information
Regulatory requirement – PCI-DSS requirement no 1.1.1: “A formal process for approving and testing all network connections and changes to the firewall and router configurations.”
PCI-DSS requirement no 1.2.1: “Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.”
Policies, procedures, and controls to satisfy the requirements – Provision for detecting all unauthorized network connections to/from an organization’s IT assets
Regulatory requirement – PCI-DSS requirement no 1.1.6: “Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.”
Policies, procedures, and controls to satisfy the requirements – Provision for looking for insecure protocols and services running on systems
Regulatory requirement – PCI-DSS requirement no 1.3.1: “Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.”
PCI-DSS requirement no 1.3.2: “Limit inbound Internet traffic to IP addresses within the DMZ.”
PCI-DSS requirement no 1.3.5: “Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.”
Policies, procedures, and controls to satisfy the requirements – Provision for checking how traffic is flowing across the DMZ to/from the internal network
Regulatory requirement – PCI-DSS requirement no 5.1: “Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).”
Policies, procedures, and controls to satisfy the requirements – Provision for detecting malware infection when anti-virus protection is disabled on the machines
Discuss various regulatory frameworks, laws, and acts
PCI-DSS
The PCI-DSS is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards
It applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data
The PCI-DSS requirements are developed and maintained by the PCI Security Standards Council; the high-level overview is:
PCI Data Security Standards: High-level Overview
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Failure to meet PCI-DSS requirements may result in fines or termination of payment card processing privileges
HIPAA
Electronic Transaction and Code Sets Standards – Requires every provider who does business electronically to use the same health care transactions, code sets, and identifiers
Privacy Rule – Provides federal protections for personal health information held by covered entities and empowers patients with an array of rights with respect to that information.
Security Rule – Specifies a series of administrative, physical, and technical safeguards for covered entities to use in order to assure the confidentiality, integrity, and availability of electronic protected health information.
National Identifier Requirements – Requires that health care providers, health plans, and employers have standard national numbers that identify them on standard transactions
Enforcement Rule – Provides standards for enforcing all Administration Simplification Rules.
GDPR
The GDPR is a regulation in European Union law on data protection and privacy for all individuals within the European Union and the European Economic Area: it also addresses the export of personal data outside these areas
The GDPR replaces the Data Protection Directive 94/46/EC and is designed to:
Harmonize data privacy laws across Europe
Protect and empower all European Union citizens’ data privacy
Reshape the way organizations across the region approach data privacy
Sarbanes-Oxley Act (SOX)
The SOX Act is a US federal law that sets new or enhanced standards for all US public company boards, management, and accounting firms.
The rules and enforcement policies outlined by the SOX Act amend or supplement existing legislation on security regulations
Section 302 – A mandate that requires senior management to certify the accuracy of the reported financial statements
CEOs and CFOs of an accounting firm’s clients must sign statements verifying the completeness and accuracy of the financial reports.
Section 404 – A requirement that management and auditors establish internal controls and reporting methods on the adequacy of those controls
CEOs, CFOs, and auditors must report on, and attest to the effectiveness of, internal controls for financial reporting
Gramm-Leach-Bliley Act (GLBA)
The objective of the Gramm-Leach-Bliley Act was to ease the transfer of financial information between institutions and banks while making the rights of the individual more specific through security requirements.
Key points include:
Protecting consumers’ personal financial information held by financial institutions and their service providers
The officers and directors of the financial institution shall be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation.
ISO Information Security Standards – www.iso27001security.com
- ISO/IEC 27001 – Formal ISMS specification
- ISO/IEC 27002 – Information security controls
- ISO/IEC 27003 – ISMS implementation guide
- ISO/IEC 27004 – Information security metrics
- ISO/IEC 27005 – Information security risk management
- ISO/IEC 27006 – ISMS certification guide
- ISO/IEC 27007 – Management system auditing
- ISO/IEC TR 27008 – Technical auditing
- ISO/IEC 27010 – For inter-organization communication
- ISO/IEC 27011 – ISO27k in telecoms
- ISO/IEC 27013 – ISMS & ITIL/service management
- ISO/IEC 27014 – Information security governance
- ISO/IEC TR 27015 – ISO27k in financial services
- ISO/IEC TR 27016 – Information security economics
- ISO/IEC 27017 – Cloud security controls
- ISO/IEC 27018 – Cloud privacy
- ISO/IEC TR 27019 – Process control in energy
- ISO/IEC 27031 – ICT business continuity
- ISO/IEC 27032 – Cybersecurity
- ISO/IEC 27033-1 to 5 – Network security
- ISO/IEC 27034-1 & 2 – Application security
- ISO/IEC 27035 – Incident management
- ISO/IEC 27036-1, 2 & 3 – ICT supply chain
- ISO/IEC 27037 – Digital evidence [forensics]
- ISO/IEC 27038 – Document redaction
- ISO/IEC 27039 – Intrusion prevention
- ISO/IEC 27040 – Storage security
- ISO/IEC 27041 – Investigation assurance
- ISO/IEC 27042 – Analyzing digital evidence
- ISO/IEC 27043 – Incident investigation
- ISO 27799 – ISO27k in healthcare
DMCA and FISMA
The Digital Millennium Copyright Act (DMCA) – The DMCA is a US copyright law that implements two 1996 treaties of the World Intellectual Property Organization
It defines legal prohibitions against the circumvention of technological protection measures employed by copyright owners to protect their works, and against the removal or alteration of copyright management information
www.copyright.gov
Federal Information Security Management Act (FISMA)
The FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support federal operations and assets.
It includes:
Standards for categorizing information and information systems by mission impact
Standards for minimum security requirements for information and information systems
Guidance for selecting appropriate security controls for information systems
Guidance for assessing security controls in information systems and determining security control effectiveness
Guidance for the security authorization of information systems.
Other Information Security Acts and Laws
USA Patriot Act 2001
Freedom of Information Act (FOIA)
The Electronic Communications Privacy Act
The Human Rights Act 1998
The Freedom of Information Act 2000
Computer Fraud and Abuse Act
Cyber Laws in Different Countries
USA
Section 107 of the copyright law mentions the doctrine of “fair use” – www.copyright.gov
Online Copyright Infringement Liability Limitation Act – www.copyright.gov
The Lanham (Trademark) Act (15 USC § 1051–1127) – www.uspto.gov
The Electronic Communications Privacy Act – www.fas.org
Foreign Intelligence Surveillance Act – www.fas.org
Protect America Act of 2007 – www.justice.gov
Privacy Act of 1974 – www.justice.gov
National Information Infrastructure Protection Act of 1996 – www.nrotc.navy.mil
Computer Security Act of 1987 – csrc.nist.gov
Federal Information Security Management Act (FISMA) – csrc.nist.gov
The Digital Millennium Copyright Act (DMCA) – www.copyright.gov
Sarbanes Oxley Act (SOX) – www.sec.gov
Australia
The Trade Marks Act 1995 – www.comlaw.gov.au
The Patents Act 1990 – www.comlaw.gov.au
The Copyright Act 1968 – www.comlaw.gov.au
Cybercrime Act 2001 – www.comlaw.gov.au
United Kingdom
The Copyright, etc. and Trade Marks (Offences and Enforcement) Act 2002 – www.legislation.gov.uk
Trademarks Act 1994 – www.legislation.gov.uk
Computer Misuse Act 1990 – www.legislation.gov.uk
China
Copyright Law of People’s Republic of China (Amendments on October 27, 2001) – www.npc.gov.cn
Trademark Law of the People’s Republic of China (Amendments on October 27, 2001) – www.npc.gov.cn
India
The Patents (Amendment) Act, 1999, Trade Marks Act, 1999, The Copyright Act, 1957 – www.ipindia.nic.in
Information Technology Act – www.dot.gov.in
Germany
Section 202a Data Espionage, Section 303a Alteration of Data, Section 303b Computer Sabotage – www.cybercrimelaw.net
Learn to design and develop security policies
A security policy is a well-documented set of plans, processes, procedures, standards and guidelines required to establish an ideal information security status for an organization
Security policies are used to inform people on how to work in a safe and secure manner; they define and guide employee actions on how to deal with an organization’s sensitive operations, data, or resources.
The security policy is an integral part of an information security management program for any organization
Need for a Security Policy
Provide consistent application of security principles throughout the organization
Ensure information security standards
Limit the organization’s exposure to external information threats
Outline senior management’s commitment to maintaining a secure environment
Provide legal protection
Quickly respond to security incidents
Reduce the impact of a security incident
Enhance the overall data and network security.
Characteristics of a Good Security Policy
Concise and Clear
Usable
Economically Feasible
Understandable
Realistic
Consistent
Procedurally Tolerable
Legal Compliance
Based on Standards and Regulations
Contents of a security policy
High-level security requirements – This features the requirements of a system when implementing security policies that include discipline security, safeguard security, procedural security, and assurance security
Policy description based on requirements – Focuses on the security disciplines, safeguards, procedures, continuity of operations, and documentation.
Security concept of operation – Defines the roles, responsibilities, and functions of a security policy
Allocation of security enforcement to architecture elements – Provides a computer system architecture allocation to each system in the program.
Typical Policy Document Content
Document Control
Document Location
Revision History
Approvals
Distribution
Document History
Overview
Purpose
Scope
Definitions
Roles and Responsibilities
Target Audience
Policy Statements
Sanctions and Violations
Related Standards, Policies, and Processes
Contact Information
Where to Find More Information
Glossary / Acronyms
Policy Statements
A policy is only as effective as the policy statements it contains; policy statements must be written in a very clear and formal style.
Several good examples of a policy statement are:
- All computers must have anti-virus protection activated to provide real-time, continuous protection
- All servers must have the minimum services configured to perform their designated functions
- All access to data is based on a valid business need and subject to a formal approval process
- All computer software must be purchased by the IT department in accordance with the organization’s procurement policy
- A copy of all backup and restoration media must be kept with the off-site backup media
- While using the Internet, no user is permitted to abuse, defame, stalk, harass, or threaten anyone, or violate local and international cyber laws.
Steps to Create and Implement Security Policy
- Perform a risk assessment to identify risks to an organization’s assets
- Learn from standard guidelines and other organizations
- Include senior management and other staff in policy development
- Set clear penalties and enforce them
- Publish the final version to everyone in an organization
- Ensure every member of your staff reads, signs, and understands the policy
- Deploy tools to enforce policies
- Train employees and educate them about the policy
- Regularly review and update
The security policy development team contains the information security team, technical writers, technical personnel, legal counsel, human resources, user groups, and the audit/compliance team
Considerations before designing a security policy
What is the purpose of the policy? Is it a value addition or a mere formality?
Is the policy in line with the training programs?
Does the policy comply with the organization’s objectives?
Is the policy a guideline for best practices or does it need to be based on some standard?
How many people fall under the scope of the policy, and who are they?
What is the least amount of information each employee must know in order to do their job?
Are all details required in the policy?
Can the policy be linked? What is the best method?
What does the staff need to understand from the policies?
Design of a Security Policy
Guidelines should cover the following policy structure points:
Detailed description of policy issues
Functionalities of those affected by the policy
Compatibility level of the policy is necessary
Consequences of non-compliance
Applicability of policy to the environment
Description of policy status
Types of Information Security Policies
Enterprise Information Security Policy (EISP)
EISP drives an organization’s scope and provides direction to its security policies
Examples of EISP:
Application policy
Network and network device security policy
Security policy auditing
Backup and restore policy
System security policy
Policies for servers
Issue Specific Security Policy (ISSP)
ISSP directs the audience on the usage of technology-based systems with the help of guidelines
Example of ISSP:
Remote access and wireless policies
Incident response plan
Password policies
Policies for personal devices
User account policies
Internet and web usage policies
System Specific Security Policy (SSSP)
SSSP directs users while configuring or maintaining a system.
Examples of SSSP:
DMZ policy
Encryption policy
Acceptable use policy
Policies for secure cloud computing
Policies for intrusion detection and prevention
Access control policy
Internet Access Policies
Promiscuous Policy
No restrictions on Internet/remote access
Nothing is blocked
Permissive Policy
Known dangerous services/attacks blocked
Policy begins with no restrictions
Known holes plugged; known dangers stopped
Impossible to keep up with current exploits; administrators always play catch-up
Paranoid Policy
Everything is forbidden
No Internet connection, or severely limited Internet usage
Users find ways around overly severe restrictions
Prudent Policy
Provides maximum security while allowing known, but necessary, dangers
All services are blocked
Safe/necessary services are enabled individually
Nonessential services/procedures that cannot be made safe are not allowed
Everything is logged
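As an added example (not from the original notes), the checker below evaluates a constructed, simplified firewall ruleset against the PCI-DSS rows quoted earlier (1.1.6 justification for every allowed service and documented security features for insecure protocols, 1.2.1 deny all other traffic, 1.3.5 no unauthorized outbound traffic from the CDE) and against the prudent-policy points just listed (deny by default, enable services individually, log everything). The rule format, the INSECURE_SERVICES set, and the two sample rulesets are assumptions made for this example.

```python
"""Added example: checks a constructed, simplified firewall ruleset against the
PCI-DSS requirement rows quoted on this page (1.1.6, 1.2.1, 1.3.5) and against
the "prudent" Internet access policy (deny by default, enable individually,
log everything). Rule format and sample rulesets are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

# Protocols treated as "considered to be insecure" for the 1.1.6 check
# (assumption for this example; a real list comes from the organization's standard).
INSECURE_SERVICES = {"telnet", "ftp", "http"}


@dataclass
class Rule:
    direction: str               # "in" (Internet -> CDE) or "out" (CDE -> Internet)
    action: str                  # "allow" or "deny"
    service: str                 # service name, or "any"
    port: Optional[int]          # TCP/UDP port, or None for "any"
    justification: str = ""      # documented business justification (PCI-DSS 1.1.6)
    security_features: str = ""  # e.g. "TLS 1.2+ only" when an insecure protocol is allowed
    log: bool = False            # whether matching traffic is logged


def decide(rules: List[Rule], direction: str, service: str, port: int) -> str:
    """First-match evaluation; traffic matching no rule is implicitly denied."""
    for r in rules:
        if r.direction != direction:
            continue
        if r.service != "any" and r.service != service:
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action
    return "deny"


def check_ruleset(rules: List[Rule]) -> List[str]:
    """Returns one finding per policy violation; an empty list means compliant."""
    findings = []
    for direction in ("in", "out"):
        dir_rules = [r for r in rules if r.direction == direction]
        last = dir_rules[-1] if dir_rules else None
        if last is None or not (last.action == "deny" and last.service == "any"):
            # 1.2.1 / 1.3.5 / prudent: the final rule must explicitly deny everything else
            findings.append(f"{direction}: no explicit 'deny any' default rule (PCI-DSS 1.2.1)")
        elif not last.log:
            findings.append(f"{direction}: default deny is not logged (prudent policy)")
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        if r.service == "any" or r.port is None:
            findings.append(f"rule {i}: blanket {r.direction}bound allow (PCI-DSS 1.2.1)")
        if not r.justification.strip():
            findings.append(f"rule {i}: allow {r.service} lacks business justification (PCI-DSS 1.1.6)")
        if r.service in INSECURE_SERVICES and not r.security_features.strip():
            findings.append(f"rule {i}: insecure service {r.service} allowed without documented security features (PCI-DSS 1.1.6)")
        if not r.log:
            findings.append(f"rule {i}: allow {r.service} is not logged (prudent policy)")
    return findings


def permissive_ruleset() -> List[Rule]:
    """Constructed 'permissive' policy: starts open and only plugs known holes."""
    return [
        Rule("in", "deny", "telnet", 23),
        Rule("in", "deny", "smb", 445),
        Rule("in", "allow", "any", None),
        Rule("out", "allow", "any", None),
    ]


def prudent_ruleset() -> List[Rule]:
    """Constructed 'prudent' policy: deny by default, enable individually, log everything."""
    return [
        Rule("in", "allow", "https", 443, "Customer checkout on the DMZ web tier", "", True),
        Rule("in", "deny", "any", None, "", "", True),
        Rule("out", "allow", "https", 443, "Payment gateway API calls", "", True),
        Rule("out", "allow", "dns", 53, "Name resolution for the gateway hostname", "", True),
        Rule("out", "deny", "any", None, "", "", True),
    ]


if __name__ == "__main__":
    for name, rs in (("permissive", permissive_ruleset()), ("prudent", prudent_ruleset())):
        print(f"{name}: unknown outbound service -> {decide(rs, 'out', 'irc', 6667)}")
        for finding in check_ruleset(rs) or ["no findings"]:
            print(f"  {finding}")
```

The permissive ruleset lets an unknown outbound service through and collects findings under 1.1.6 and 1.2.1, while the prudent ruleset denies it and produces none.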
Acceptable Use Policy
An acceptable use policy defines the proper use of an organization’s electronic computing devices, systems and accounts, user accounts, and network accounts.
Design Considerations
Should users read and copy files that are not their own, but are accessible?
Should users modify files they have read and write access to, but do not own?
Should users be permitted to use .rhost files, even when the entries are acceptable?
Should users be allowed to share accounts?
Should users make copies of system configurations for personal use or provide them to other people?
Should users be allowed to make duplicates of copyrighted software?
User Account Policy
The user account policy defines the creation process of user accounts and includes user rights and responsibilities
Design considerations
Who has the authority to approve account requests?
Who (employees, spouses, children, or company visitors) is permitted to use the computing resources?
Can users have multiple accounts on a single system?
Can users share accounts?
What are the rights and responsibilities of the user?
When should an account be disabled and archived?
Remote Access Policy
Remote access policy defines who can have remote access, the permitted remote access mediums, and the remote access security controls
Design considerations
Who is allowed remote access?
What specific methods (such as cable modem/DSL or dial-up) does the company support?
Are dial-out modems allowed on the internal network?
Are there any extra requirements such as mandatory anti-virus and security software on the remote systems?
Can other family members of an employee use the computer network?
Do any restrictions exist on the data that can be accessed remotely?
Information Protection Policy
Information protection policy defines guidelines for processing, storing and transmitting sensitive information.
Design Considerations
What are the information sensitivity levels?
Who can access the sensitive information?
How is the sensitive information stored and transmitted?
What level of sensitive information can be printed on public printers?
What is the process for removing sensitive information from storage media (paper shredding, scrubbing HDDs, or degaussing disks)?
Firewall Management Policy
Firewall management policy defines access, management, and monitoring of the firewalls in the organization
Design considerations
Who has access to the firewall systems?
Who can receive requests to make changes to the firewall configurations?
Who can approve requests to change the firewall configuration?
Who can see the firewall configuration rules and access lists?
How often should the firewall configuration be reviewed?
Special Access Policy
Special Access Policy defines the terms and conditions of granting special access to system resources
Design consideration
Who can receive requests for specialized access?
Who can approve requests for specialized access?
What are the password rules for special access accounts?
How often are passwords changed?
What reasons or situations can lead to revocation of special access privileges?
Network Connection Policy
Network connection policy defines the standards for connecting computers, servers, or other devices to the network.
Design considerations
Who can install new resources on the network?
Who approves installation of new devices?
Who must be notified when new devices are being added to the network?
Who documents network changes?
Are there any security requirements for the new devices being added to the network?
Business Partner Policy
Business partner policy defines the agreements, guidelines, and responsibilities for business partners to run business securely
Design Considerations
Is it mandatory for a company to have a written security policy?
Should each company have a firewall or other perimeter security device?
How will the partners communicate (VPN over the Internet or leased line)?
How will access to the partner’s resources be requested?
Should each partner keep accurate accounts, books, and records related to the business?
Email Security Policy
An email security policy defines the proper usage of corporate email
Design considerations
Define prohibited use
Define personal use, if allowed
Employees should know if their emails are reviewed and/or archived
What types of emails should be kept and for how long
When to encrypt emails
Consequences of violating email security policy
Password Policy
Password policy provides guidelines for using strong passwords for an organization’s resources
Design considerations
Password length and formation
Complexity of password
Password blacklists
Password duration
Common password practice
Physical Security Policy
Physical security policy defines guidelines to ensure that adequate physical security measures are in place
Design considerations
Is the building protection deficiency reviewed regularly?
Is there a process to identify outsiders such as visitors, contractors, and vendors before giving them access to the premise?
Are there adequate lighting systems in place?
Are each of the entry points properly blocked?
Are badges, locks, keys, and authentication controls audited regularly?
Is video surveillance footage monitored regularly?
Is a proper inventory of an organization’s assets maintained regularly?
Information System Security Policy
Information system security policy defines guidelines to safeguard an organization’s information systems from malicious use.
Design considerations
Are the information systems protected with anti-malware?
Is the anti-malware updated regularly?
Is the OS updated and patched regularly?
Are they secured using strong password policies?
Are they secured with strong physical security policies?
Bring Your Own Devices (BYOD) Policy
A BYOD policy provides a set of guidelines to maximize business benefits and minimize risks while using an employee’s personal device on an organization’s network.
Design Considerations:
What personal devices are allowed for use under BYOD?
Which resources can be accessed through BYOD?
What features need to be disabled in BYOD devices?
What are the data storage considerations for BYOD devices?
What security measures are required for data and BYOD devices?
Software / Application Security Policy
Application security policy mandates proper measures that enhance the security of in-house and purchased applications
Design considerations
Configuration Management
Data protection in storage and in transit
Authorizations
Authentication
User and session management
Data validation
Error handling and exception management
Logging and auditing
Encryption
Data Backup Policy
The backup policy helps an organization recover and safeguard information in the event of a security incident / network failure.
Design Considerations:
Location of data backup
Name and contact details of authorized personnel who can access backups
Backup schedule
Type of backup method used
Hardware and software requirements for taking backups
Confidential Data Policy
Design Considerations
Treatment of confidential data including data storage access, transmission, sharing, disposal, handling, and disclosure
Use of confidential data
Security controls for confidential data
Emergency access to the data
Data Classification Policy
A data classification policy establishes a framework for classifying organizational data based on its level of sensitivity, value, and criticality within the IT security policy.
The organization’s data are classified into one of three sensitivity levels or classifications: restricted, private, and public
Design considerations
Appropriate data classifications by data owners
Protecting data at rest
Protecting data in transit
Data labeling
Internet Usage Policy
Internet usage policy governs the way the organization’s Internet connection is used by every device on the network.
Design considerations
Internet usage limit for official as well as personal use
Time frame for personal use
Method adoption for web usage monitoring
Levels of privacy for employees
Restricted content
Server Policy
Server policy establishes a standard for the base configuration of an organization’s servers
An effective server policy restricts unauthorized access to an organization’s data and technology
Design considerations
Location and protection consideration for servers
Configuration of servers
Monitoring of servers
Wireless Network Policy
A wireless network policy states the rules and regulations for accessing an organization’s wireless network resources
Design considerations
Defining an access point for a WLAN
Placement of an access point
Technologies used for wireless connectivity
Procedure for integration of a new system into the wireless environment
Procedure for monitoring the network
User Access Control Policy
User access control policy gives an organization the ability to control, restrict, monitor, and protect corporate resource availability, integrity, and confidentiality
Design considerations
Who can access (people, process, or machines)?
What system resources can be accessed?
What files can be read?
What programs can be executed?
How to share data with other entities?
Switch Security Policy
Switch security policy describes a required minimal security configuration for the switches in the network.
Design considerations
Is the switch data monitored regularly?
Are unnecessary services and applications blocked?
Are all stored passwords and sensitive data encrypted?
Is the switch located in a restricted area?
Intrusion Detection and Prevention (IDS/IPS) Policy
The IDS and IPS policy facilitates detection and prevention of intrusion into an organization’s network
Design considerations
Deployment of a standard IDS system
Monitor log files of an IDS continuously
Regularly update the intrusion definitions in the IDS logic for all evolving threats
Encryption Policy
The encryption policy defines an acceptable use and management of encryption methods, techniques, and tools throughout an enterprise.
The policy is applicable to all enterprise network resources, users (staff or stakeholders, among others), internal network (LAN, Wi-Fi) and remote (WAN) connections
Design considerations: It should define the encryption standards to be used for an enterprise’s wired/wireless data communications, servers, desktops, laptops, smartphones, removable storage devices, USB memory sticks, VPN and Wi-Fi.
Router Policy
Router policy describes a required minimal security configuration for all routers on the network
Design considerations:
User authentication
Access rules
Placement
Password management
Services required/disallowed/blocked
Policy Implementation checklist
After the security policy has been created, the most difficult part of the process is deploying it throughout the organization
- Make sure the security policy is approved by senior management
- Make sure the security policy is officially adopted as a company policy
- Review each policy and decide how it can be enforced within an organization
- Ensure that appropriate tools and techniques are in place to conform to the policy
- Develop a policy change plan for both the network and the policy itself
- Coordinate with other departments to develop procedures based on the policies
- Provide basic information security awareness training to employees
Conduct security awareness training
Employee Awareness Training
Employees are one of the primary assets of an organization and can be part of an organization’s attack surface
An organization needs to provide formal security awareness training for its employees when they join and periodically thereafter, so that employees
Know how to defend themselves and the organization against threats
Follow security policies and procedures for working with IT
Know whom to contact if they discover a security threat
Can identify the nature of the data based on data classification
Protect physical and informational assets of the organization
Moreover, organizations should provide security awareness training to employees to meet regulatory requirements, if they want to comply with certain regulatory frameworks.
Different methods to train employees are:
Classroom style training
Online training
Round table discussions
Security awareness website
Providing hints
Making short films
Conducting seminars
Employee Awareness and Training: Security Policy
Security policy training teaches employees how to perform their duties and to comply with the security policy.
Organizations should train new employees before granting them access to the network or provide limited access until the completion of their training.
Advantages:
Effective implementation of a security policy
Policies are followed and not just enforced
Creates awareness on compliance issues
Helps an organization enhance its network security
Employee Awareness and Training: Physical Security
Proper training should be given to educate employees on physical security
Training increases the knowledge and awareness about physical security
Training should educate employees about how to:
Minimize breaches
Identify the elements that are more prone to hardware theft
Assess the risks of handling sensitive data
Ensure physical security at the workplace
Employee Awareness and Training: Social Engineering
Train employees on possible social engineering techniques and how to combat these techniques
Areas of Risk – Attack Techniques – Train employees / Help Desk on:
Phone – Impersonation – Not providing any confidential information, and reporting if this has occurred
Dumpsters – Dumpster Diving – Not throwing sensitive documents in the trash, shredding documents before putting them into the trash, erasing magnetic media before disposal
Email – Phishing, Malicious attachments – Differentiating between legitimate email and a targeted phishing email, not downloading malicious attachments
Employee Awareness and Training: Data Classification
Organizations should train employees on how to tell if information is confidential
Areas of Risk – Attack Techniques – Train employees / Help Desk on:
Office – Stealing sensitive information – How to classify and mark documents based on classification levels and keep sensitive documents in a secure place
Typical information classification levels:
Top Secret (TS)
Secret
Confidential
Restricted
Official
Unclassified
Clearance
Compartmented Information
Security labels are used to mark the security level requirements of information assets and to control access to them
Organizations use security labels to manage access clearance to their information assets
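As an added example (not from the original notes), the code below implements a security-label access check over the classification levels listed above: an asset carries a level plus optional compartments, and a subject may read it only when their clearance level is at or above the asset's level and covers every compartment on it. The level ordering (taken from the order of the list above), the LEVEL//COMPARTMENT marking syntax, the sample compartment names, and the aggregate_marking helper are assumptions made for this example.

```python
"""Added example: security-label access check using the classification levels
listed on this page. The marking syntax LEVEL//COMPARTMENT/COMPARTMENT and the
dominance rule (clearance level at or above the label level, and the clearance
holding every compartment on the label) are assumptions made for this example."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# The page's levels, ordered from least to most sensitive (ordering is an assumption).
LEVELS = ["Unclassified", "Official", "Restricted", "Confidential", "Secret", "Top Secret"]
RANK = {name.upper(): i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str                                    # upper-case level name
    compartments: FrozenSet[str] = frozenset()    # compartmented-information tags

    def marking(self) -> str:
        """Text form used to mark an asset, e.g. 'SECRET//FINANCE/HR'."""
        if self.compartments:
            return f"{self.level}//{'/'.join(sorted(self.compartments))}"
        return self.level


def parse_marking(text: str) -> Label:
    """Parses 'Confidential//HR' style markings; rejects unknown levels."""
    head, _, tail = text.strip().upper().partition("//")
    if head not in RANK:
        raise ValueError(f"unknown classification level: {head!r}")
    compartments = frozenset(c for c in tail.split("/") if c)
    return Label(head, compartments)


def dominates(clearance: Label, label: Label) -> bool:
    """True when a subject holding `clearance` may read an asset marked `label`:
    no reading above one's level, and no reading a compartment one is not cleared for."""
    return (RANK[clearance.level] >= RANK[label.level]
            and label.compartments <= clearance.compartments)


def can_access(clearance_marking: str, asset_marking: str) -> bool:
    return dominates(parse_marking(clearance_marking), parse_marking(asset_marking))


def aggregate_marking(markings: Iterable[str]) -> str:
    """Marking for an asset assembled from several sources (e.g. a report):
    the highest level present plus the union of all compartments (assumption)."""
    labels = [parse_marking(m) for m in markings]
    if not labels:
        return "UNCLASSIFIED"
    top = max(labels, key=lambda lab: RANK[lab.level])
    comps = frozenset().union(*(lab.compartments for lab in labels))
    return Label(top.level, comps).marking()


if __name__ == "__main__":
    clearance = "Secret//Finance"   # constructed sample clearance
    for asset in ("Confidential", "Secret//Finance", "Secret//HR", "Top Secret"):
        verdict = "allowed" if can_access(clearance, asset) else "denied"
        print(f"{clearance} -> {asset}: {verdict}")
    print(aggregate_marking(["Confidential//HR", "Secret", "Restricted//Finance"]))
```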
Discuss other administrative security measures
Staff Hiring and Leaving Process
Consider and implement personnel security measures, starting from the selection and hiring of staff or contractors to relieving them of their duties.
Provide orientation sessions explaining the company background, along with their roles and responsibilities, and security policies
Insert clauses in the contract to enforce personnel security for contractors and audit their compliance
Remove access rights and collect all company assets from employees and contractors when they leave the organization
Hire employees after a thorough identity verification and background check
Contractors should be hired with the same due diligence as in-house employees
Employee Monitoring
The organization should conduct indiscriminate monitoring of employees’ activities to detect any act that violates the policy
Use employee monitoring tool such as Spytech SpyAgent to monitor employee behavior.
Summary
A security policy outlines constraints using rules and regulations concerning every aspect of an organization’s network security
The security policy is an integral part of the Information Security Management Program for organizations
Policy statements must be written in a very clear and formal style
Information system security policy defines guidelines to safeguard an organizations information systems from malicious use
A BYOD policy provides a set of guidelines to maximize business benefits and minimize risks while using an employee’s personal device on an organization’s network
Security policy training and awareness is required for effective implementation of security policies