1
00:00:00,280 --> 00:00:01,560
In this section of the course,

2
00:00:01,560 --> 00:00:03,650
we're going to focus on policies and procedures

3
00:00:03,650 --> 00:00:05,590
in all of their different forms.

4
00:00:05,590 --> 00:00:07,760
Now when I discuss policies and procedures,

5
00:00:07,760 --> 00:00:09,980
I'm not talking specifically about technical controls

6
00:00:09,980 --> 00:00:12,730
necessarily but instead, I'm focusing a lot

7
00:00:12,730 --> 00:00:14,790
on administrative controls.

8
00:00:14,790 --> 00:00:17,210
Policies are one part of a larger concept

9
00:00:17,210 --> 00:00:19,080
known as IT governance.

10
00:00:19,080 --> 00:00:21,830
IT governance is used to provide us a comprehensive security

11
00:00:21,830 --> 00:00:25,120
management framework for the organization to build upon.

12
00:00:25,120 --> 00:00:28,600
We do this by using Policies, Standards, Baselines,

13
00:00:28,600 --> 00:00:31,750
Guidelines, Procedures and Information classification

14
00:00:31,750 --> 00:00:33,980
and even an entire lifecycle approach

15
00:00:33,980 --> 00:00:36,570
to our information technology systems.

16
00:00:36,570 --> 00:00:39,340
Policies are used to define the role of security inside

17
00:00:39,340 --> 00:00:42,250
of an organization and it establishes the desired end state

18
00:00:42,250 --> 00:00:44,050
for that security program.

19
00:00:44,050 --> 00:00:46,190
This is usually provided by your senior management

20
00:00:46,190 --> 00:00:48,060
and it's going to clarify the level to which

21
00:00:48,060 --> 00:00:50,290
the organization is going to enforce security

22
00:00:50,290 --> 00:00:52,050
and how we're going to categorize the controls

23
00:00:52,050 --> 00:00:53,580
that are being applied.

24
00:00:53,580 --> 00:00:56,560
Policies tend to be very broad and they provide the basic

25
00:00:56,560 --> 00:00:59,290
foundation upon which the Standards, Baselines,

26
00:00:59,290 --> 00:01:02,000
Guidelines and Procedures are going to be built.

27
00:01:02,000 --> 00:01:05,090
Security policies are built to fill in one of three levels.

28
00:01:05,090 --> 00:01:07,710
They can be Organizational, System specific

29
00:01:07,710 --> 00:01:09,370
or Issue specific.

30
00:01:09,370 --> 00:01:11,500
Organizational security policies are going to

31
00:01:11,500 --> 00:01:13,310
provide direction and goals.

32
00:01:13,310 --> 00:01:14,750
They're going to give you a framework to meet

33
00:01:14,750 --> 00:01:17,710
the business goals and define the roles, responsibilities

34
00:01:17,710 --> 00:01:19,710
and terms associated with it.

35
00:01:19,710 --> 00:01:22,430
System specific policies are going to address the security

36
00:01:22,430 --> 00:01:25,270
of a specific technology, application, network

37
00:01:25,270 --> 00:01:26,450
or computer system.

38
00:01:26,450 --> 00:01:28,640
These system specific policies tend to be much

39
00:01:28,640 --> 00:01:31,470
more technical and they focus on protecting a certain piece

40
00:01:31,470 --> 00:01:34,220
of the system or a certain piece of technology.

41
00:01:34,220 --> 00:01:36,480
Finally we have Issue Specific Policies

42
00:01:36,480 --> 00:01:39,210
and these are built to address a specific security issue

43
00:01:39,210 --> 00:01:42,160
such as email privacy, employee termination procedures,

44
00:01:42,160 --> 00:01:44,300
or other specific issues.

45
00:01:44,300 --> 00:01:46,220
Now in addition to those three areas,

46
00:01:46,220 --> 00:01:48,710
our policies can be further separated down into one

47
00:01:48,710 --> 00:01:51,480
of three categories inside of information security.

48
00:01:51,480 --> 00:01:54,500
They're regulatory, advisory or informative.

49
00:01:54,500 --> 00:01:56,360
When I talk about regulatory policies,

50
00:01:56,360 --> 00:01:58,580
I'm talking about things that address mandatory standards

51
00:01:58,580 --> 00:02:00,930
and laws that are going to affect the organization.

52
00:02:00,930 --> 00:02:03,010
Advisory policies are going to provide us guidance

53
00:02:03,010 --> 00:02:04,950
on what is and what is not considered

54
00:02:04,950 --> 00:02:06,380
an acceptable activity.

55
00:02:06,380 --> 00:02:08,480
The most common example of this type of policy

56
00:02:08,480 --> 00:02:11,530
is known as the acceptable use policy or AUP.

57
00:02:11,530 --> 00:02:12,990
And this is something that companies provide

58
00:02:12,990 --> 00:02:15,050
to their employees to tell them what they can

59
00:02:15,050 --> 00:02:16,980
and can't do on the network.

60
00:02:16,980 --> 00:02:19,150
The third type is an Informative policy.

61
00:02:19,150 --> 00:02:21,020
Now an Informative Policy is going to focus on

62
00:02:21,020 --> 00:02:22,650
a certain topic and it's designed

63
00:02:22,650 --> 00:02:24,530
to be educational in nature.

64
00:02:24,530 --> 00:02:27,060
For example your company may wish to provide its employees

65
00:02:27,060 --> 00:02:29,380
an informational policy that's going to tell them

66
00:02:29,380 --> 00:02:32,040
how they should use social media outside of business hours,

67
00:02:32,040 --> 00:02:33,870
so they can remain more secure.

68
00:02:33,870 --> 00:02:37,080
So as we move beyond the policy, we then go into Standards.

69
00:02:37,080 --> 00:02:39,030
And Standards are used to implement a policy

70
00:02:39,030 --> 00:02:40,340
in an organization.

71
00:02:40,340 --> 00:02:42,530
These are going to include things like mandatory actions,

72
00:02:42,530 --> 00:02:45,730
steps or rules that are needed to achieve the desired level

73
00:02:45,730 --> 00:02:47,050
of security.

74
00:02:47,050 --> 00:02:48,480
Beyond that, we have Baselines.

75
00:02:48,480 --> 00:02:50,680
And Baselines are created as reference points.

76
00:02:50,680 --> 00:02:53,560
And these are used to document any kind of system

77
00:02:53,560 --> 00:02:56,420
so you can later go back and compare it for later analysis.

78
00:02:56,420 --> 00:02:58,890
We talked about Baselines in terms of security earlier

79
00:02:58,890 --> 00:03:00,940
and we also talked about Baselines of the network,

80
00:03:00,940 --> 00:03:02,410
where you know what the network pattern is

81
00:03:02,410 --> 00:03:04,390
and then you can decide if something is above

82
00:03:04,390 --> 00:03:06,200
that Baseline or below that Baseline,

83
00:03:06,200 --> 00:03:07,890
which becomes an anomaly.

84
00:03:07,890 --> 00:03:10,610
Another example of this is if you've got a brand new server.

85
00:03:10,610 --> 00:03:13,550
Your team can securely configure it as much as possible

86
00:03:13,550 --> 00:03:15,550
and then take a snapshot in time and call that

87
00:03:15,550 --> 00:03:17,270
the Configuration Baseline.

88
00:03:17,270 --> 00:03:19,920
Now this is the Baseline against which all other servers

89
00:03:19,920 --> 00:03:22,080
of that particular type are going to be compared.

90
00:03:22,080 --> 00:03:24,360
So if I think something bad has happened to that server,

91
00:03:24,360 --> 00:03:26,830
I can go back and compare what it looks like now versus

92
00:03:26,830 --> 00:03:28,110
what it looked like when I installed it

93
00:03:28,110 --> 00:03:30,290
and see what the differences are.

94
00:03:30,290 --> 00:03:31,910
The next thing we have is a Guideline.

95
00:03:31,910 --> 00:03:34,700
Now guidelines are not required actions but instead

96
00:03:34,700 --> 00:03:36,580
these are the recommended ones.

97
00:03:36,580 --> 00:03:38,360
Guidelines tend to be flexible in nature.

98
00:03:38,360 --> 00:03:40,640
They allow for exceptions and allowances when a unique

99
00:03:40,640 --> 00:03:42,010
situation occurs.

100
00:03:42,010 --> 00:03:44,560
So for example, let's say I have a guideline that every

101
00:03:44,560 --> 00:03:48,400
employee gets one terabyte of storage on our cloud servers.

102
00:03:48,400 --> 00:03:50,520
That might be fine for most people, and if we have

103
00:03:50,520 --> 00:03:53,160
secretaries or accountants or somebody who does a lot

104
00:03:53,160 --> 00:03:55,540
of contract work, those are fairly small files

105
00:03:55,540 --> 00:03:57,580
and so one terabyte is plenty of information

106
00:03:57,580 --> 00:03:58,860
and plenty of storage.

107
00:03:58,860 --> 00:04:01,460
But my video editor might come up and say, you know what,

108
00:04:01,460 --> 00:04:03,540
one terabyte is not sufficient for me,

109
00:04:03,540 --> 00:04:05,110
I need five terabytes because I'm dealing

110
00:04:05,110 --> 00:04:07,290
with these large video files all the time.

111
00:04:07,290 --> 00:04:09,970
Well, because it's a guideline, we can make an exception

112
00:04:09,970 --> 00:04:12,290
and an allowance for that person. We could say, you know what,

113
00:04:12,290 --> 00:04:14,720
normally we give one terabyte, but because

114
00:04:14,720 --> 00:04:17,100
of your specific job role we're going to break that

115
00:04:17,100 --> 00:04:20,000
and we're going to go beyond that and give you more storage

116
00:04:20,000 --> 00:04:22,620
and break that guideline that we normally have.

117
00:04:22,620 --> 00:04:24,130
The next thing we have is Procedures.

118
00:04:24,130 --> 00:04:27,470
And Procedures are our detailed step-by-step instructions

119
00:04:27,470 --> 00:04:29,510
that are created to ensure personnel can perform

120
00:04:29,510 --> 00:04:30,730
a given action.

121
00:04:30,730 --> 00:04:33,140
These procedures are where those high-level policies

122
00:04:33,140 --> 00:04:35,200
are transferred all the way down through those standards

123
00:04:35,200 --> 00:04:37,550
and guidelines into actionable steps.

124
00:04:37,550 --> 00:04:40,450
For example, your service desk probably has a procedure

125
00:04:40,450 --> 00:04:42,420
on how to create a new user account.

126
00:04:42,420 --> 00:04:44,590
And it's going to encompass all of the security related

127
00:04:44,590 --> 00:04:47,260
Policies, Standards and Guidelines, and that will allow

128
00:04:47,260 --> 00:04:50,290
your frontline employees to follow the step-by-step things

129
00:04:50,290 --> 00:04:52,740
to create a new account and give them the right permissions,

130
00:04:52,740 --> 00:04:54,350
the right password strength and all

131
00:04:54,350 --> 00:04:55,480
of those types of things.

132
00:04:55,480 --> 00:04:57,640
Now I know that was a ton of information.

133
00:04:57,640 --> 00:05:00,010
And how do you develop all these Policies and Standards

134
00:05:00,010 --> 00:05:01,730
and Guidelines and Procedures?

135
00:05:01,730 --> 00:05:04,640
Well, the good news is you don't have to start from scratch.

136
00:05:04,640 --> 00:05:07,170
If you're a brand new organization, a lot of this stuff

137
00:05:07,170 --> 00:05:09,770
already exists if you look out to enterprise security

138
00:05:09,770 --> 00:05:11,240
architecture frameworks.

139
00:05:11,240 --> 00:05:13,190
Now we're not going to cover those right now,

140
00:05:13,190 --> 00:05:15,190
but we are going to cover those in a separate lesson

141
00:05:15,190 --> 00:05:17,110
later on in this course.

142
00:05:17,110 --> 00:05:19,560
Now, for the Security+ exam, the big concept

143
00:05:19,560 --> 00:05:22,120
from this lesson that I want you to remember is the idea

144
00:05:22,120 --> 00:05:24,050
of a policy and a procedure.

145
00:05:24,050 --> 00:05:25,940
Remember that a policy is something that gives

146
00:05:25,940 --> 00:05:28,020
generic guidance to the organization.

147
00:05:28,020 --> 00:05:30,150
For example, your password policy might say that

148
00:05:30,150 --> 00:05:33,230
all passwords have to be long, strong, complex

149
00:05:33,230 --> 00:05:35,340
and be changed every 90 days.

150
00:05:35,340 --> 00:05:37,730
Then we have a procedure, which is very specific.

151
00:05:37,730 --> 00:05:40,440
And if I had a password procedure, that might detail exactly

152
00:05:40,440 --> 00:05:42,150
how to configure that password policy

153
00:05:42,150 --> 00:05:44,300
on a Windows 2016 server.

154
00:05:44,300 --> 00:05:47,230
Or, I might have a password procedure that's going to tell

155
00:05:47,230 --> 00:05:49,900
the user how they can change their password every 90 days

156
00:05:49,900 --> 00:05:52,850
by going into Windows and following steps one through five.