1 00:00:00,250 --> 00:00:01,290 In the last lesson, 2 00:00:01,290 --> 00:00:03,750 we discussed all the legal and regulatory requirements 3 00:00:03,750 --> 00:00:05,690 that might effect your organizations. 4 00:00:05,690 --> 00:00:07,910 Now there are things that you legally must follow, 5 00:00:07,910 --> 00:00:09,800 and that's all those things we just talked about. 6 00:00:09,800 --> 00:00:12,540 But your organization will also create a lot of policies 7 00:00:12,540 --> 00:00:15,040 that they want their own employees to follow as well. 8 00:00:15,040 --> 00:00:17,290 Now these aren't legally binding or required, 9 00:00:17,290 --> 00:00:18,970 but they are used as part of a good, 10 00:00:18,970 --> 00:00:20,550 overarching security program 11 00:00:20,550 --> 00:00:22,730 by adding these administrative security controls 12 00:00:22,730 --> 00:00:24,540 to your security systems. 13 00:00:24,540 --> 00:00:26,890 First, we just spent a lot of time talking about 14 00:00:26,890 --> 00:00:28,590 all those legal requirements to protect 15 00:00:28,590 --> 00:00:30,120 your employees' and your customers' 16 00:00:30,120 --> 00:00:32,150 personal and private information. 17 00:00:32,150 --> 00:00:33,940 This is also going to be written up and developed 18 00:00:33,940 --> 00:00:36,500 in your organization's privacy policy. 19 00:00:36,500 --> 00:00:38,320 This privacy policy is going to govern 20 00:00:38,320 --> 00:00:40,580 the labeling of data to ensure that all employees 21 00:00:40,580 --> 00:00:42,910 understand what data they're looking at and handling 22 00:00:42,910 --> 00:00:45,000 happens to be personal information. 23 00:00:45,000 --> 00:00:46,910 And this will help prevent the mishandling 24 00:00:46,910 --> 00:00:48,940 of confidential information. 25 00:00:48,940 --> 00:00:51,340 Next, we have what's known as the AUP, 26 00:00:51,340 --> 00:00:53,430 or the acceptable use policy. 27 00:00:53,430 --> 00:00:55,040 An acceptable use policy is used 28 00:00:55,040 --> 00:00:56,770 to define the rules and restrict how 29 00:00:56,770 --> 00:00:59,827 computer, network, or other system can be used. 30 00:00:59,827 --> 00:01:02,730 For example, your organization might have a policy 31 00:01:02,730 --> 00:01:04,090 that states you can't use the internet 32 00:01:04,090 --> 00:01:06,170 to browse pornography or gambling websites 33 00:01:06,170 --> 00:01:07,550 while you're at work. 34 00:01:07,550 --> 00:01:09,320 Then, based on this policy, 35 00:01:09,320 --> 00:01:10,790 the security team can then monitor 36 00:01:10,790 --> 00:01:12,850 user website requests at the proxy, 37 00:01:12,850 --> 00:01:14,800 and if you try to access one of those sites, 38 00:01:14,800 --> 00:01:16,950 they can block your access or they might 39 00:01:16,950 --> 00:01:18,940 even disable your account. 40 00:01:18,940 --> 00:01:19,773 The third thing we're going to 41 00:01:19,773 --> 00:01:21,650 talk about is change management. 42 00:01:21,650 --> 00:01:23,490 Change management is our next policy. 43 00:01:23,490 --> 00:01:25,320 And change management is a structured way 44 00:01:25,320 --> 00:01:26,890 of changing the state of a computer system, 45 00:01:26,890 --> 00:01:29,530 network, or IT procedure. 46 00:01:29,530 --> 00:01:30,690 Back when we talked about creating a 47 00:01:30,690 --> 00:01:33,720 secure, known good baseline for the security of our systems, 48 00:01:33,720 --> 00:01:35,060 I mentioned that we want to control the 49 00:01:35,060 --> 00:01:38,250 configuration changes to be made to that secure baseline. 50 00:01:38,250 --> 00:01:40,800 And that's exactly what change management does for us. 51 00:01:40,800 --> 00:01:42,450 A good change management policy 52 00:01:42,450 --> 00:01:44,140 is designed to make sure that you're 53 00:01:44,140 --> 00:01:45,630 going to get the changes that you want 54 00:01:45,630 --> 00:01:48,150 in a secure and methodical manner. 55 00:01:48,150 --> 00:01:50,390 So if you decide you want to install a new application 56 00:01:50,390 --> 00:01:52,460 on your workstation, you're going to have to follow 57 00:01:52,460 --> 00:01:54,660 some corporate procedure to request permission 58 00:01:54,660 --> 00:01:55,990 to have it installed, and then 59 00:01:55,990 --> 00:01:58,150 that's going to go through the change management process 60 00:01:58,150 --> 00:02:00,530 to evaluate it and approve that installation. 61 00:02:00,530 --> 00:02:02,750 Because it's going to cause a change to your baseline. 62 00:02:02,750 --> 00:02:05,000 Next, we have the separation of duties. 63 00:02:05,000 --> 00:02:06,790 Separation of duties is a preventative 64 00:02:06,790 --> 00:02:08,230 type of administrative control, 65 00:02:08,230 --> 00:02:09,520 and it's one that should be considered 66 00:02:09,520 --> 00:02:11,230 when you're drafting up your organizational 67 00:02:11,230 --> 00:02:13,930 authentication and authorization policies. 68 00:02:13,930 --> 00:02:15,440 Separation of duties is designed 69 00:02:15,440 --> 00:02:16,840 to prevent fraud and abuse 70 00:02:16,840 --> 00:02:19,600 by distributing various tasks and approval authorities 71 00:02:19,600 --> 00:02:21,730 across a number of different users. 72 00:02:21,730 --> 00:02:23,970 For example, if you work in the accounting department, 73 00:02:23,970 --> 00:02:25,290 you may have access to request 74 00:02:25,290 --> 00:02:26,840 a check be sent to an employee. 75 00:02:26,840 --> 00:02:29,960 But you can't also approve that same request. 76 00:02:29,960 --> 00:02:31,120 You would request it, and then 77 00:02:31,120 --> 00:02:32,660 a supervisor would approve it. 78 00:02:32,660 --> 00:02:34,400 That's a separation of duties. 79 00:02:34,400 --> 00:02:36,230 This prevents fraud because now you're going to 80 00:02:36,230 --> 00:02:38,370 have to have two users who are working together 81 00:02:38,370 --> 00:02:39,930 to steal money from the organization 82 00:02:39,930 --> 00:02:41,930 in our check approval example. 83 00:02:41,930 --> 00:02:43,440 Now in the cybersecurity world, 84 00:02:43,440 --> 00:02:45,520 a great example of this is when one administrator 85 00:02:45,520 --> 00:02:47,770 is given the rights to create the backups on a server, 86 00:02:47,770 --> 00:02:50,130 and another administrator is given the proper rights 87 00:02:50,130 --> 00:02:51,960 to do the restoration of the files. 88 00:02:51,960 --> 00:02:54,720 This separation of duties, backup and restore, 89 00:02:54,720 --> 00:02:57,410 now goes across two different users. 90 00:02:57,410 --> 00:02:58,840 Any function in your organization 91 00:02:58,840 --> 00:03:00,380 that you consider high risk 92 00:03:00,380 --> 00:03:03,030 should utilize a proper separation of duties. 93 00:03:03,030 --> 00:03:04,770 For example, if you've ever watched a war movie 94 00:03:04,770 --> 00:03:06,490 like Crimson Tide, and they're going to 95 00:03:06,490 --> 00:03:07,750 try to launch a missile, 96 00:03:07,750 --> 00:03:09,330 you see that two people each take out 97 00:03:09,330 --> 00:03:11,680 a different physical key, insert it into the machine, 98 00:03:11,680 --> 00:03:13,370 and turn it at the same time. 99 00:03:13,370 --> 00:03:14,820 That is a separation of duties 100 00:03:14,820 --> 00:03:17,260 because we don't want somebody accidentally on their own 101 00:03:17,260 --> 00:03:18,640 launching a nuclear missile. 102 00:03:18,640 --> 00:03:20,270 And so they have to have two separate keys 103 00:03:20,270 --> 00:03:21,620 and two different people. 104 00:03:21,620 --> 00:03:23,580 This specific type of separation of duties 105 00:03:23,580 --> 00:03:25,630 is actually called dual control, 106 00:03:25,630 --> 00:03:26,810 because both people have to be 107 00:03:26,810 --> 00:03:29,030 present at the same time to do it. 108 00:03:29,030 --> 00:03:30,850 Now another type of separation of duties 109 00:03:30,850 --> 00:03:32,550 is known as split knowledge. 110 00:03:32,550 --> 00:03:34,370 This occurs when two people each have 111 00:03:34,370 --> 00:03:36,570 half of the knowledge of how to do something. 112 00:03:36,570 --> 00:03:39,350 So for example, let's imagine I have a safe in my house 113 00:03:39,350 --> 00:03:41,600 that holds my super secret family recipe 114 00:03:41,600 --> 00:03:44,110 for the best macaroni and cheese you've ever tasted. 115 00:03:44,110 --> 00:03:47,320 Well, I may lock it up in a safe using two different locks. 116 00:03:47,320 --> 00:03:49,700 Now I know the combination to one of those locks, 117 00:03:49,700 --> 00:03:51,250 but my wife knows the combination 118 00:03:51,250 --> 00:03:53,870 and the location of the key for the second padlock. 119 00:03:53,870 --> 00:03:56,350 Now, neither of us can open the safe by ourself, 120 00:03:56,350 --> 00:03:58,830 because each of us only has half of the knowledge. 121 00:03:58,830 --> 00:04:00,310 I know the combination, and she 122 00:04:00,310 --> 00:04:02,150 knows where the padlock key is. 123 00:04:02,150 --> 00:04:04,500 Now, only if we work together can we unlock the safe 124 00:04:04,500 --> 00:04:06,050 and take out the recipe. 125 00:04:06,050 --> 00:04:09,010 Now in the cyber world, we can do this using encryption. 126 00:04:09,010 --> 00:04:11,330 Where a key can be broken up into two pieces, 127 00:04:11,330 --> 00:04:14,170 and one is given to each of the administrators. 128 00:04:14,170 --> 00:04:17,270 Now the next policy is to consider job rotation. 129 00:04:17,270 --> 00:04:20,050 Job rotation is a detective type of administrative control. 130 00:04:20,050 --> 00:04:21,980 And with job rotation, different users 131 00:04:21,980 --> 00:04:24,810 are trained to perform the tasks of the same position 132 00:04:24,810 --> 00:04:27,180 in order to help prevent and identify fraud 133 00:04:27,180 --> 00:04:28,767 that could occur if one employee 134 00:04:28,767 --> 00:04:31,240 had the job the entire time themself. 135 00:04:31,240 --> 00:04:33,360 So basically, here we have multiple users 136 00:04:33,360 --> 00:04:34,950 who learn how to do a certain job, 137 00:04:34,950 --> 00:04:37,380 and then instead of one person doing it all the time, 138 00:04:37,380 --> 00:04:39,020 we rotate out different people. 139 00:04:39,020 --> 00:04:41,360 So again, if I go back to that check writing example, 140 00:04:41,360 --> 00:04:43,980 if only one person knew how to write up the checks 141 00:04:43,980 --> 00:04:46,180 and request the checks and approve the checks, 142 00:04:46,180 --> 00:04:48,060 then they could have a higher chance 143 00:04:48,060 --> 00:04:49,400 of stealing from the company. 144 00:04:49,400 --> 00:04:51,760 But if I make that person rotate out 145 00:04:51,760 --> 00:04:52,960 and have somebody else do that 146 00:04:52,960 --> 00:04:54,530 job performance at some points, 147 00:04:54,530 --> 00:04:55,910 they're going to have to go into the check register 148 00:04:55,910 --> 00:04:56,743 and they'll be able to see 149 00:04:56,743 --> 00:04:58,050 that somebody else wrote a check. 150 00:04:58,050 --> 00:04:59,760 And they'll be able to see that one was missing. 151 00:04:59,760 --> 00:05:02,430 And so having different employees rotate through a task 152 00:05:02,430 --> 00:05:04,680 will actually allow you to catch things 153 00:05:04,680 --> 00:05:05,970 that shouldn't be done. 154 00:05:05,970 --> 00:05:07,010 The other good thing about this 155 00:05:07,010 --> 00:05:08,670 is as your employees are going in and out 156 00:05:08,670 --> 00:05:10,360 of different roles for a week or so, 157 00:05:10,360 --> 00:05:12,020 they're actually going to learn new skills. 158 00:05:12,020 --> 00:05:13,120 And as they learn new skills, 159 00:05:13,120 --> 00:05:15,080 they're more valuable to your company. 160 00:05:15,080 --> 00:05:16,950 Now the other side of job rotation 161 00:05:16,950 --> 00:05:19,280 is what we call mandatory vacations. 162 00:05:19,280 --> 00:05:21,130 And with mandatory vacations, we require 163 00:05:21,130 --> 00:05:22,540 every employee take a vacation 164 00:05:22,540 --> 00:05:24,380 at some point during the year. 165 00:05:24,380 --> 00:05:25,940 Again, if they're on vacation, 166 00:05:25,940 --> 00:05:27,490 it forces somebody else to come in 167 00:05:27,490 --> 00:05:28,910 and do their job for them. 168 00:05:28,910 --> 00:05:30,130 And when they're doing their job, 169 00:05:30,130 --> 00:05:32,830 they may possibly uncover any unusual activity 170 00:05:32,830 --> 00:05:35,740 such as fraud or abuse that has to be looked into. 171 00:05:35,740 --> 00:05:37,430 Now besides the security benefits 172 00:05:37,430 --> 00:05:39,130 of protecting against fraud and abuse, 173 00:05:39,130 --> 00:05:40,870 job rotation also gives us the ability 174 00:05:40,870 --> 00:05:42,090 to cross train our employees, 175 00:05:42,090 --> 00:05:44,260 and develop trained personnel to back up the 176 00:05:44,260 --> 00:05:47,820 primary employee in case of an emergency or vacations. 177 00:05:47,820 --> 00:05:49,570 Job rotation is definitely a control 178 00:05:49,570 --> 00:05:50,590 you should consider adding 179 00:05:50,590 --> 00:05:53,340 inside your organizational security policies. 180 00:05:53,340 --> 00:05:55,520 Another administrative control you need to consider 181 00:05:55,520 --> 00:05:58,490 is what are you going to do when you hire or fire somebody. 182 00:05:58,490 --> 00:06:01,320 We also call this onboarding and offboarding. 183 00:06:01,320 --> 00:06:03,240 When we consider this, we're talking specifically 184 00:06:03,240 --> 00:06:04,930 about information system security, 185 00:06:04,930 --> 00:06:07,430 and not the human resource part of this process. 186 00:06:07,430 --> 00:06:09,900 But you should consult your human resources team 187 00:06:09,900 --> 00:06:11,290 whenever you're developing this part 188 00:06:11,290 --> 00:06:12,990 of your security policy. 189 00:06:12,990 --> 00:06:15,020 Organizations need to consider how personnel are 190 00:06:15,020 --> 00:06:17,600 going to be screened and background checked for position, 191 00:06:17,600 --> 00:06:19,480 how the candidates are hired and onboarded, 192 00:06:19,480 --> 00:06:22,580 and then how they're going to be terminated and offboarded. 193 00:06:22,580 --> 00:06:23,940 When you're screening personnel, 194 00:06:23,940 --> 00:06:25,270 your organization may consider 195 00:06:25,270 --> 00:06:26,800 doing a criminal background check, 196 00:06:26,800 --> 00:06:28,667 a credit history, a work history, 197 00:06:28,667 --> 00:06:31,450 educational background, checking your certifications 198 00:06:31,450 --> 00:06:34,290 and licenses, and even giving them a drug test. 199 00:06:34,290 --> 00:06:35,590 All of these various components 200 00:06:35,590 --> 00:06:38,450 need to be decided upon by your human resources staff, 201 00:06:38,450 --> 00:06:41,300 but are going to be incorporated into the security policy 202 00:06:41,300 --> 00:06:43,250 because you're going to have to address some of those areas 203 00:06:43,250 --> 00:06:44,500 such as if it's going to be pertinent 204 00:06:44,500 --> 00:06:45,780 to your business model that you're going to 205 00:06:45,780 --> 00:06:48,650 do a criminal background check using the IT system. 206 00:06:48,650 --> 00:06:49,620 You need to understand how you're going to 207 00:06:49,620 --> 00:06:52,750 collect that data and store that data securely. 208 00:06:52,750 --> 00:06:54,750 Now when you hire personnel, they should be 209 00:06:54,750 --> 00:06:57,370 required to sign all the appropriate documentations, 210 00:06:57,370 --> 00:06:59,000 things like their employment contract, 211 00:06:59,000 --> 00:07:01,570 the privacy statements, the privacy policy, 212 00:07:01,570 --> 00:07:04,400 the non-disclosure agreements, and other things like that. 213 00:07:04,400 --> 00:07:06,590 Then, the employee should undergo mandatory 214 00:07:06,590 --> 00:07:08,670 cyber security training and processing. 215 00:07:08,670 --> 00:07:09,810 And this is where the employee is 216 00:07:09,810 --> 00:07:11,400 going to be given access to the network. 217 00:07:11,400 --> 00:07:13,710 They're going to get their user name and their password, 218 00:07:13,710 --> 00:07:15,720 their hardware security authentication token 219 00:07:15,720 --> 00:07:17,750 if you're using multi-factor authentication. 220 00:07:17,750 --> 00:07:18,990 All those type of things. 221 00:07:18,990 --> 00:07:21,010 Now from a physical security standpoint, 222 00:07:21,010 --> 00:07:22,740 we also need to ensure that new employee 223 00:07:22,740 --> 00:07:25,380 has the needed building access identification. 224 00:07:25,380 --> 00:07:27,620 Things like their ID badge or their pin number 225 00:07:27,620 --> 00:07:29,010 to get in and out of the building. 226 00:07:29,010 --> 00:07:30,270 And all of those things to make sure 227 00:07:30,270 --> 00:07:31,960 they can get access into the building 228 00:07:31,960 --> 00:07:33,430 and into their office. 229 00:07:33,430 --> 00:07:35,760 Now when an employee is probably very cooperative 230 00:07:35,760 --> 00:07:37,490 during this hiring and onboarding process 231 00:07:37,490 --> 00:07:39,390 because they're excited about the new job, 232 00:07:39,390 --> 00:07:42,430 they're often not as cooperative if you're firing them. 233 00:07:42,430 --> 00:07:44,930 So if you're terminating somebody and it's friendly, 234 00:07:44,930 --> 00:07:46,100 such as the employee decides they're 235 00:07:46,100 --> 00:07:47,730 going to quit for a better job, 236 00:07:47,730 --> 00:07:49,410 well then they're likely to be cooperative 237 00:07:49,410 --> 00:07:51,040 and they'll turn in all their user access, 238 00:07:51,040 --> 00:07:53,430 their hardware tokens, their ID badges, 239 00:07:53,430 --> 00:07:55,380 and they'll even conduct an exit interview. 240 00:07:55,380 --> 00:07:57,330 Now during this offboarding process, 241 00:07:57,330 --> 00:07:59,330 it's important to remove their access from the network 242 00:07:59,330 --> 00:08:01,130 and disable their accounts. 243 00:08:01,130 --> 00:08:03,330 Now, if you have an unfriendly termination 244 00:08:03,330 --> 00:08:04,890 where you fire somebody, 245 00:08:04,890 --> 00:08:06,590 well that's when you're going to make sure 246 00:08:06,590 --> 00:08:07,830 you want to revoke their network and 247 00:08:07,830 --> 00:08:10,100 physical access to the building immediately. 248 00:08:10,100 --> 00:08:11,360 Because you don't want them going and 249 00:08:11,360 --> 00:08:12,670 try to steal things from your network 250 00:08:12,670 --> 00:08:14,750 or put in malware into your network. 251 00:08:14,750 --> 00:08:17,040 The employee should also be escorted out of the building 252 00:08:17,040 --> 00:08:19,189 by security to make sure they're not taking anything 253 00:08:19,189 --> 00:08:22,080 from the company such as resources, data, 254 00:08:22,080 --> 00:08:25,340 laptops, hard drives, or any property that they shouldn't be 255 00:08:25,340 --> 00:08:27,140 as they're being taken out of the building. 256 00:08:27,140 --> 00:08:28,340 Okay, so we've covered a lot, 257 00:08:28,340 --> 00:08:31,080 and I've got three more things to talk about in this lesson. 258 00:08:31,080 --> 00:08:32,700 These aren't necessarily policies, 259 00:08:32,700 --> 00:08:34,590 but they are concepts that you have to keep in mind 260 00:08:34,590 --> 00:08:36,210 when you're writing your policies. 261 00:08:36,210 --> 00:08:38,270 These are the concepts known as due diligence, 262 00:08:38,270 --> 00:08:40,510 due care, and due process. 263 00:08:40,510 --> 00:08:42,450 Due diligence means that you're ensuring the IT 264 00:08:42,450 --> 00:08:45,650 infrastructure risks are known and managed properly. 265 00:08:45,650 --> 00:08:47,720 To achieve due diligence, you need to ensure 266 00:08:47,720 --> 00:08:49,520 that you conduct proper risk assessment 267 00:08:49,520 --> 00:08:51,290 and conduct risk management activities 268 00:08:51,290 --> 00:08:54,200 to keep operations running smoothly over time. 269 00:08:54,200 --> 00:08:56,050 Due care is the mitigation actions 270 00:08:56,050 --> 00:08:58,240 that an organization takes to defend itself 271 00:08:58,240 --> 00:08:59,980 against risks that have been identified 272 00:08:59,980 --> 00:09:01,740 during your due diligence. 273 00:09:01,740 --> 00:09:03,620 So let's say I do due diligence, 274 00:09:03,620 --> 00:09:05,660 and I find that our company is not utilizing 275 00:09:05,660 --> 00:09:07,060 a modern operating system. 276 00:09:07,060 --> 00:09:09,150 And this represents a big vulnerability. 277 00:09:09,150 --> 00:09:11,870 So maybe I find they're using XP still, for instance. 278 00:09:11,870 --> 00:09:13,870 Well, if I want to exercise due care, 279 00:09:13,870 --> 00:09:15,840 I would allocate money to upgrade the system 280 00:09:15,840 --> 00:09:18,880 from Windows XP all the way up to Windows 10. 281 00:09:18,880 --> 00:09:20,150 By deciding against doing that, 282 00:09:20,150 --> 00:09:21,990 and it's later found out that you were hacked 283 00:09:21,990 --> 00:09:24,650 specifically because I failed to upgrade those systems, 284 00:09:24,650 --> 00:09:26,860 and exercise my due care, well, 285 00:09:26,860 --> 00:09:28,650 I could be held liable for damages, 286 00:09:28,650 --> 00:09:30,750 and I could lose my customers. 287 00:09:30,750 --> 00:09:33,880 Our third and final concept is called due process. 288 00:09:33,880 --> 00:09:35,500 Due process is a legal term, 289 00:09:35,500 --> 00:09:37,520 and it refers to how an organization must 290 00:09:37,520 --> 00:09:40,020 respect and safeguard personnel's rights. 291 00:09:40,020 --> 00:09:42,020 For example, if you're the federal government, 292 00:09:42,020 --> 00:09:45,450 you can't eaves drop or wire tap on any US citizen you want. 293 00:09:45,450 --> 00:09:46,420 You can't just go and say, 294 00:09:46,420 --> 00:09:48,760 hey, I'm going to listen to Johnny's phone calls today. 295 00:09:48,760 --> 00:09:50,260 No, this is prohibited by the 296 00:09:50,260 --> 00:09:52,296 US constitution's fourth amendment, 297 00:09:52,296 --> 00:09:55,220 which protects us against illegal search and seizure. 298 00:09:55,220 --> 00:09:56,430 Now, if the government believes you 299 00:09:56,430 --> 00:09:58,530 might be planning a terrorist attack though, 300 00:09:58,530 --> 00:10:00,450 well they can go follow due process, 301 00:10:00,450 --> 00:10:02,060 they can get a court ordered warrant, 302 00:10:02,060 --> 00:10:03,860 and then they can tap your phone lines 303 00:10:03,860 --> 00:10:05,240 to collect the information needed 304 00:10:05,240 --> 00:10:07,140 to stop that terrorist attack. 305 00:10:07,140 --> 00:10:09,070 Now basically, when you hear due process 306 00:10:09,070 --> 00:10:10,467 in terms of the security plus exam, 307 00:10:10,467 --> 00:10:12,130 I want you to think about the fact that 308 00:10:12,130 --> 00:10:15,390 due process is used to protect a person from the government, 309 00:10:15,390 --> 00:10:17,610 but it can also protect your organization 310 00:10:17,610 --> 00:10:18,993 from frivolous lawsuits.