Obtain regulatory framework compliance

Organizations are often required to comply with some type of security regulation

Regulatory frameworks are a collaborative effort between governments and private bodies to encourage voluntary or mandatory improvements to cybersecurity

IT security regulatory frameworks contain a set of guidelines and best practices

IT security regulatory frameworks inform businesses that they need to follow these guidelines and best practices to meet regulatory requirements, improve security, and achieve certain business objectives

Regulatory Frameworks (PCI-DSS)

Policies (encryption Policy)

Standards (encryption standards such as the Data Encryption Standard, the Advanced Encryption Standard, and the Rivest-Shamir-Adleman algorithm)

Procedures, Practices, and Guidelines (data encryption procedures)

Why do organizations need compliance?

Improves Security – IT security regulations and standards improve the overall security of an organization by making it meet regulatory requirements

Minimize Losses – Improved security, in turn, prevents security breaches, which can cause financial loss to the company

Maintain Trust – Customers trust the organization, believing that their information is safe

Identify which regulatory framework to comply with

An organization needs to assess itself to determine which regulatory framework applies to it best

For example, the following table shows different regulations and which organizations would fall within the scope of each regulatory framework

Health Insurance Portability and Accountability Act (HIPAA) – Any company or office that deals with healthcare data, including, but not limited to, doctor’s offices, insurance companies, business associates, and employers

Sarbanes Oxley Act (SOX) – US public company boards, management, and public accounting firms

Federal Information Security Management Act of 2002 (FISMA) – All federal agencies must develop methods of protecting information systems

Gramm Leach Bliley Act (GLBA) – Companies that offer financial products or services to individuals such as loans, financial or investment advice, or insurance

Payment Card Industry Data Security Standards (PCI-DSS) – Companies handling credit card information

Regulatory requirement – PCI-DSS requirement no. 1.1.1: “A formal process for approving and testing all network connections and changes to the firewall and router configurations.”

PCI-DSS requirement no. 1.2.1: “Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.”

Policies, procedures, and controls to satisfy the requirements – Provision for detecting all unauthorized network connections to/from an organization’s IT assets

Regulatory requirement – PCI-DSS requirement no. 1.1.6: “Documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.”

Policies, procedures, and controls to satisfy the requirements – Provision for looking for insecure protocols and services running on systems

Regulatory requirement – PCI-DSS requirement no. 1.3.1: “Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.”

PCI-DSS requirement no. 1.3.2: “Limit inbound Internet traffic to IP addresses within the DMZ.”

PCI-DSS requirement no. 1.3.5: “Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.”

Policies, procedures, and controls to satisfy the requirements – Provision for checking how traffic is flowing across the DMZ to/from the internal network

Regulatory requirement – PCI-DSS requirement no. 5.1: “Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).”

Policies, procedures, and controls to satisfy the requirements – Provision for detecting malware infection when anti-virus protection is disabled on the machines
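One way to operationalize the 1.1.6 and 1.2.1 provisions above (a documented business justification per allowed service, insecure protocols only with a documented security feature, everything else flagged) is a periodic review of what is actually listening on a cardholder-environment host against the approved-services register. The following is an added illustration, not code from the page or from the PCI Security Standards Council: the listener lines, the approved-services register, the hostnames and the ports are all constructed, and the set of "insecure" protocols is a minimal assumption.

```python
"""Added example: review observed listening services against a documented
service register, in the spirit of PCI-DSS requirements 1.1.6 and 1.2.1.
All data here is constructed for illustration; the register layout is an
assumption, not a format defined by the standard."""
from dataclasses import dataclass

# Constructed "ss -Hltn"-style output, as a reviewer might collect it from a
# host inside the cardholder data environment (assumption).
SAMPLE_LISTENERS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
"""

# Constructed register of approved services. Requirement 1.1.6 asks for a
# business justification per service, and for insecure protocols also the
# security feature that compensates (here: none documented for FTP).
APPROVED = {
    22:  {"service": "ssh",   "justification": "administrative access", "security_feature": None},
    443: {"service": "https", "justification": "payment web front end", "security_feature": None},
    21:  {"service": "ftp",   "justification": "legacy batch upload",   "security_feature": None},
    25:  {"service": "smtp",  "justification": "local mail relay",      "security_feature": None},
}

# Minimal list of protocols treated as insecure by default (assumption).
INSECURE_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


@dataclass(frozen=True)
class Finding:
    port: int
    address: str
    reason: str


def parse_listeners(text):
    """Return (address, port) pairs for every LISTEN line in ss-style output."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")   # rpartition keeps IPv6 addresses intact
        pairs.append((addr, int(port)))
    return pairs


def review_listeners(text, approved=APPROVED, insecure=INSECURE_PORTS):
    """Flag listeners with no documented justification, and insecure protocols
    that are approved but have no compensating security feature documented."""
    findings = []
    for addr, port in parse_listeners(text):
        entry = approved.get(port)
        if entry is None:
            name = insecure.get(port, "unknown")
            findings.append(Finding(port, addr, f"undocumented service ({name}); no business justification on file"))
        elif port in insecure and not entry["security_feature"]:
            findings.append(Finding(port, addr, f"{entry['service']} is insecure and no compensating security feature is documented"))
    return findings


if __name__ == "__main__":
    for f in review_listeners(SAMPLE_LISTENERS):
        print(f"port {f.port} on {f.address}: {f.reason}")
```

Run against the constructed sample, telnet (23) and the unknown 8080 listener are reported as undocumented and FTP (21) as insecure without a documented security feature; SSH, HTTPS and the loopback SMTP relay pass. In practice the register would be the organization's own change-approved document, and the listener data would come from the hosts under review.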

Discuss various regulatory frameworks, laws, and acts

PCI-DSS

The PCI-DSS is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards

It applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process, or transmit cardholder data

The PCI-DSS requirements are developed and maintained by the PCI Security Standards Council; a high-level overview:

PCI Data Security Standards: High-level Overview

  1. Build and Maintain a Secure Network
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement Strong Access Control Measures
  5. Regularly Monitor and Test Networks
  6. Maintain an Information Security Policy

Failure to meet PCI-DSS requirements may result in fines or termination of payment card processing privileges

HIPAA

Electronic Transaction and Code Sets Standards – Requires every provider who does business electronically to use the same health care transactions, code sets, and identifiers

Privacy Rule – Provides federal protections for personal health information held by covered entities and empowers patients with an array of rights with respect to that information.

Security Rule – Specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information.

National Identifier Requirements – Requires that health care providers, health plans, and employers have standard national numbers that identify them on standard transactions

Enforcement Rule – Provides standards for enforcing all Administrative Simplification Rules.

GDPR

The GDPR is a regulation in European Union law on data protection and privacy for all individuals within the European Union and the European Economic Area; it also addresses the export of personal data outside these areas

The GDPR replaces the Data Protection Directive 94/46/EC and is designed to:

Harmonize data privacy laws across Europe

Protect and empower all European Union citizens’ data privacy

Reshape the way organizations across the region approach data privacy

Sarbanes-Oxley Act (SOX)

The SOX Act is a US federal law that sets new or enhanced standards for all US public company boards, management, and accounting firms.

The rules and enforcement policies outlined by the SOX Act amend or supplement existing legislation on securities regulation

Section 302 – A mandate that requires senior management to certify the accuracy of the reported financial statements

CEOs and CFOs of accounting companies’ clients must sign statements verifying the completeness and accuracy of the financial reports.

Section 404 – A requirement that management and auditors establish internal controls and reporting methods on the adequacy of those controls

CEOs, CFOs, and auditors must report on, and attest to the effectiveness of, internal controls for financial reporting

Gramm-Leach-Bliley Act (GLBA)

The objective of the Gramm-Leach-Bliley Act was to ease the transfer of financial information between institutions and banks while making the rights of the individual more specific through security requirements.

Key points include:

Protecting consumers’ personal financial information held by financial institutions and their service providers

The officers and directors of the financial institution shall be subject to, and personally liable for, a civil penalty of not more than $10,000 for each violation.

ISO Information Security Standards – www.iso27001security.com

  1. ISO/IEC 27001 – Formal ISMS specification
  2. ISO/IEC 27002 – Information security controls
  3. ISO/IEC 27003 – ISMS implementation guide
  4. ISO/IEC 27004 – Information security metrics
  5. ISO/IEC 27005 – Information security risk management
  6. ISO/IEC 27006 – ISMS certification guide
  7. ISO/IEC 27007 – Management system auditing
  8. ISO/IEC TR 27008 – Technical auditing
  9. ISO/IEC 27010 – For inter-organization communication
  10. ISO/IEC 27011 – ISO27k in telecoms
  11. ISO/IEC 27013 – ISMS & ITIL/service management
  12. ISO/IEC 27014 – Information security governance
  13. ISO/IEC TR 27015 – ISO27k in financial services
  14. ISO/IEC TR 27016 – Information security economics
  15. ISO/IEC 27017 – Cloud security controls
  16. ISO/IEC 27018 – Cloud privacy
  17. ISO/IEC TR 27019 – Process control in energy
  18. ISO/IEC 27031 – ICT business continuity
  19. ISO/IEC 27032 – Cybersecurity
  20. ISO/IEC 27033-1 to 5 – Network security
  21. ISO/IEC 27034-1 & 2 – Application security
  22. ISO/IEC 27035 – Incident management
  23. ISO/IEC 27036-1, 2 & 3 – ICT supply chain
  24. ISO/IEC 27037 – Digital evidence [forensics]
  25. ISO/IEC 27038 – Document redaction
  26. ISO/IEC 27039 – Intrusion prevention
  27. ISO/IEC 27040 – Storage security
  28. ISO/IEC 27041 – Investigation assurance
  29. ISO/IEC 27042 – Analyzing digital evidence
  30. ISO/IEC 27043 – Incident investigation
  31. ISO 27799 – ISO27k in healthcare

DMCA and FISMA

The Digital Millennium Copyright Act (DMCA) – The DMCA is a US copyright law that implements two 1996 treaties of the World Intellectual Property Organization

It defines legal prohibitions against the circumvention of technological protection measures employed by copyright owners to protect their works, and against the removal or alteration of copyright management information

www.copyright.gov

Federal Information Security Management Act (FISMA)

FISMA provides a comprehensive framework for ensuring the effectiveness of information security controls over the information resources that support federal operations and assets.

It includes:

Standards for categorizing information and information systems by mission impact

Standards for minimum security requirements for information and information systems

Guidance for selecting appropriate security controls for information systems

Guidance for assessing security controls in information systems and determining security control effectiveness

Guidance for the security authorization of information systems.

Other Information Security Acts and Laws

USA Patriot Act 2001

Freedom of Information Act (FOIA)

The Electronic Communications Privacy Act

The Human Rights Act 1998

The Freedom of Information Act 2000

Computer Fraud and Abuse Act

Cyber Laws in Different Countries

USA

Section 107 of the copyright law mentions the doctrine of “fair use” – www.copyright.gov

Online Copyright Infringement Liability Limitation Act – www.copyright.gov

The Lanham (Trademark) Act (15 USC § 1051 – 1127) – www.uspto.gov

The Electronic Communications Privacy Act – www.fas.org

Foreign Intelligence Surveillance Act – www.fas.org

Protect America Act of 2007 – www.justice.gov

Privacy Act of 1974 – www.justice.gov

National Information Infrastructure Protection Act of 1996 – www.nrotc.navy.mil

Computer Security Act of 1987 – csrc.nist.gov

Federal Information Security Management Act (FISMA) – csrc.nist.gov

The Digital Millennium Copyright Act (DMCA) – www.copyright.gov

Sarbanes Oxley Act (SOX) – www.sec.gov

Australia

The Trade Marks Act 1995 – www.comlaw.gov.au

The Patents Act 1990 – www.comlaw.gov.au

The Copyright Act 1968 – www.comlaw.gov.au

Cybercrime Act 2001 – www.comlaw.gov.au

United Kingdom

The Copyright, etc. and Trade Marks (Offences and Enforcement) Act 2002 – www.legislation.gov.uk

Trademarks Act 1994 – www.legislation.gov.uk

Computer Misuse Act 1990 – www.legislation.gov.uk

China

Copyright Law of People’s Republic of China (Amendments on October 27, 2001) – www.npc.gov.cn

Trademark Law of the People’s Republic of China (Amendments on October 27, 2001) – www.npc.gov.cn

India

The Patents (Amendment) Act, 1999, Trade Marks Act, 1999, The Copyright Act, 1957 – www.ipindia.nic.in

Information Technology Act – www.dot.gov.in

Germany

Section 202a. Data Espionage, Section 303a. Alteration of Data, Section 303b. Computer Sabotage – www.cybercrimelaw.net

Learn to design and develop security policies

A security policy is a well-documented set of plans, processes, procedures, standards, and guidelines required to establish an ideal information security status for an organization

Security policies are used to inform people on how to work in a safe and secure manner; they define and guide employee actions on how to deal with the organization’s sensitive operations, data, or resources.

The security policy is an integral part of an information security management program for any organization

Need for a Security Policy

Provide consistent application of security principles throughout the organization

Ensure information security standards

Limit the organization’s exposure to external information threats

Outline senior management’s commitment to maintaining a secure environment

Provide legal protection

Quickly respond to security incidents

Reduce the impact of a security incident

Enhance the overall data and network security.

Characteristics of a Good Security Policy

Concise and Clear

Usable

Economically Feasible

Understandable

Realistic

Consistent

Procedurally Tolerable

Legal Compliance

Based on Standards and Regulations

Contents of a security policy

High-level security requirements – This features the requirements of a system when implementing security policies that include discipline security, safeguard security, procedural security, and assurance security

Policy description based on requirements – Focuses on the security disciplines, safeguards, procedures, continuity of operations, and documentation.

Security concept of operation – Defines the roles, responsibilities, and functions of a security policy

Allocation of security enforcement to architecture elements – Provides a computer system architecture allocation to each system in the program.

Typical Policy Document Content

Document Control

Document Location

Revision History

Approvals

Distribution

Document History

Overview

Purpose

Scope

Definitions

Roles and Responsibilities

Target Audience

Policy Statements

Sanctions and Violations

Related Standards, Policies, and Processes

Contact Information

Where to Find More Information

Glossary / Acronyms

Policy Statements

A policy is only as effective as the policy statements it contains; policy statements must be written in a very clear and formal style.

Several good examples of a policy statement are:

  1. All computers must have anti-virus protection activated to provide real-time, continuous protection
  2. All servers must have the minimum services configured to perform their designated functions
  3. All access to data is based on a valid business need and subject to a formal approval process
  4. All computer software must be purchased by the IT department in accordance with the organization’s procurement policy
  5. A copy of all backup and restoration media must be kept with the off-site backup media
  6. While using the Internet, no user is permitted to abuse, defame, stalk, harass, or threaten anyone, or to violate local and international cyber laws.

Steps to Create and Implement Security Policy

  1. Perform a risk assessment to identify risks to an organization’s assets
  2. Learn from standard guidelines and other organizations
  3. Include senior management and other staff in policy development
  4. Set clear penalties and enforce them
  5. Publish the final version to everyone in the organization
  6. Ensure every member of your staff reads, signs, and understands the policy
  7. Deploy tools to enforce the policies
  8. Train employees and educate them about the policy
  9. Regularly review and update the policy

The security policy development team contains the information security team, technical writers, technical personnel, legal counsel, human resources, user groups, and the audit/compliance team

Considerations before designing a security policy

What is the purpose of the policy? Is it a value addition or a mere formality?

Is the policy in line with the training programs?

Does the policy comply with the organization’s objectives?

Is the policy a guideline for best practices or does it need to be based on some standard?

How many people fall under the scope of the policy, and who are they?

What is the least amount of information each employee must know in order to do their job?

Are all details required in the policy?

Can the policy be linked? What is the best method?

What does the staff need to understand from the policies?

Design of a Security Policy

Guidelines should cover the following policy structure points:

Detailed description of policy issues

Functionalities of those affected by the policy

Necessary compatibility level of the policy

Consequences of non-compliance

Applicability of policy to the environment

Description of policy status


Types of Information Security Policies

Enterprise Information Security Policy (EISP)

EISP drives an organization’s scope and provides direction to its security policies

Example of EISP:

Application Policy

Network and network device security policy

Security policy auditing

Back up and restore policy

System Security policy

Policies for servers

Issue Specific Security Policy (ISSP)

ISSP directs the audience on the usage of technology-based systems with the help of guidelines

Example of ISSP:

Remote access and wireless policies

Incident response plan

Password policies

Policies for personal devices

User account policies

Internet and web usage policies

System Specific Security Policy (SSSP)

SSSP directs users while configuring or maintaining a system.

Examples of SSSP:

DMZ policy

Encryption policy

Acceptable use policy

Policies for secure cloud computing

Policies for intrusion detection and prevention

Access control policy

Internet Access Policies

Promiscuous Policy

No restrictions on Internet/remote access

Nothing is blocked

Permissive Policy

Known dangerous services/attacks blocked

Policy begins with no restrictions

Known holes plugged; known dangers stopped

Impossible to keep up with current exploits; administrators always play catch-up

Paranoid Policy

Everything is forbidden

No Internet connection, or severely limited Internet usage

Users find ways around overly severe restrictions

Prudent Policy

Provides maximum security while allowing known, but necessary, dangers

All services are blocked

Safe/necessary services are enabled individually

Nonessential services/procedures that cannot be made safe are not allowed

Everything is logged
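The difference between the permissive and prudent policies above is the default: a permissive policy is a blocklist on top of default-allow (so anything nobody has written a rule for gets through, which is the catch-up problem), while a prudent policy is an allowlist on top of default-deny with every decision logged. The following added example, which is not from the page, runs both models over the same constructed set of outbound connection attempts; the hosts, ports and the contents of the blocklist and allowlist are assumptions chosen for illustration.

```python
"""Added example: a permissive (default-allow + blocklist) and a prudent
(default-deny + allowlist, log everything) Internet access policy applied to
the same constructed connection attempts. All values are illustrative."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Attempt:
    src: str
    dst_port: int
    proto: str = "tcp"


# Constructed traffic sample: HTTPS, telnet, DNS, and one port for which
# nobody has written a rule yet (a new tool, or a new exploit's channel).
ATTEMPTS = [
    Attempt("10.0.0.5", 443),
    Attempt("10.0.0.5", 23),
    Attempt("10.0.0.7", 53, "udp"),
    Attempt("10.0.0.9", 4444),
]

# Permissive policy: known dangerous services blocked, everything else allowed.
KNOWN_BAD = {("tcp", 23), ("tcp", 21), ("tcp", 445)}
# Prudent policy: everything blocked, safe/necessary services enabled individually.
KNOWN_GOOD = {("tcp", 443), ("udp", 53), ("tcp", 22)}


@dataclass(frozen=True)
class Decision:
    attempt: Attempt
    allowed: bool
    rule: str


@dataclass
class Policy:
    name: str
    default_allow: bool      # True: rules form a blocklist; False: rules form an allowlist
    rules: set
    log_everything: bool     # prudent policy logs every decision, not only denials
    log: list = field(default_factory=list)

    def decide(self, a: Attempt) -> Decision:
        key = (a.proto, a.dst_port)
        matched = key in self.rules
        if self.default_allow:
            d = Decision(a, not matched, "blocklist" if matched else "default-allow")
        else:
            d = Decision(a, matched, "allowlist" if matched else "default-deny")
        if self.log_everything or not d.allowed:
            verdict = "ALLOW" if d.allowed else "DENY"
            self.log.append(f"{self.name}: {a.proto}/{a.dst_port} from {a.src} -> {verdict} ({d.rule})")
        return d


def permissive() -> Policy:
    return Policy("permissive", default_allow=True, rules=KNOWN_BAD, log_everything=False)


def prudent() -> Policy:
    return Policy("prudent", default_allow=False, rules=KNOWN_GOOD, log_everything=True)


def evaluate(policy: Policy, attempts=ATTEMPTS):
    """Apply the policy to each attempt in order and return the decisions."""
    return [policy.decide(a) for a in attempts]


if __name__ == "__main__":
    for p in (permissive(), prudent()):
        evaluate(p)
        print("\n".join(p.log))
```

On the constructed sample both policies deny telnet and allow HTTPS and DNS; they diverge on the unlisted port 4444, which the permissive policy lets through because no rule mentions it and the prudent policy denies by default. The prudent log also records the allowed flows, which is what makes later investigation possible.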

Acceptable Use Policy

An acceptable use policy defines the proper use of an organization’s electronic computing devices, systems, user accounts, and network accounts.

Design Considerations

Should users read and copy files that are not their own, but are accessible?

Should users modify files they have read and write access to, but do not own?

Should users be permitted to use .rhost files, even when the entries are acceptable?

Should users be allowed to share accounts?

Should users make copies of system configurations for personal use or provide them to other people?

Should users be allowed to make duplicates of copyrighted software?

User Account Policy

The user account policy defines the creation process of user accounts and includes user rights and responsibilities

Design considerations

Who has the authority to approve account requests?

Who (employees, spouses, children, or company visitors) is permitted to use the computing resources?

Can users have multiple accounts on a single system?

Can users share accounts?

What are the rights and responsibilities of the user?

When should an account be disabled and archived?

Remote Access Policy

Remote access policy defines who can have remote access, the remote access media, and the remote access security controls

Design considerations

Who is allowed remote access?

What specific methods (such as cable modem/DSL or dial-up) does the company support?

Are dial-out modems allowed on the internal network?

Are there any extra requirements, such as mandatory anti-virus and security software on the remote systems?

Can other family members of an employee use the computer network?

Do any restrictions exist on the data that can be accessed remotely?

Information Protection Policy

Information protection policy defines guidelines for processing, storing and transmitting sensitive information.

Design Considerations

What are the information sensitivity levels?

Who can access the sensitive information?

How is the sensitive information stored and transmitted?

What level of sensitive information can be printed on public printers?

What is the process for removing sensitive information from storage media (paper shredding, scrubbing HDDs, or degaussing disks)?

Firewall Management Policy

Firewall management policy defines access, management, and monitoring of the firewalls in the organization

Design consideration

Who has access to the firewall systems?

Who can receive requests to make changes to the firewall configuration?

Who can approve requests to change the firewall configuration?

Who can see the firewall configuration rules and access lists?

How often should the firewall configuration be reviewed?

Special Access Policy

Special Access Policy defines the terms and conditions of granting special access to system resources

Design consideration

Who can receive requests for special access?

Who can approve requests for special access?

What are the password rules for special access accounts?

How often are passwords changed?

What reasons or situations can lead to revocation of special access privileges?

Network Connection Policy

Network connection policy defines the standards for establishing connections from computers, servers, or other devices to the network.

Design considerations

Who can install new resources on the network?

Who approves installation of new devices?

Who must be notified when new devices are being added to the network?

Who documents network changes?

Are there any security requirements for the new devices being added to the network?

Business Partner Policy

Business partner policy defines the agreements, guidelines, and responsibilities for business partners to run business securely

Design Considerations

Is it mandatory for a company to have a written security policy?

Should each company have a firewall or other perimeter security device?

How will one communicate (VPN over the Internet or leased line)?

How will access to the partner’s resources be requested?

Should each partner keep accurate accounts, books, and records related to the business?

Email Security Policy

An email security policy defines the proper usage of corporate email

Design considerations

Define prohibited use

Define personal use, if allowed

Employees should know if their emails are reviewed and/or archived

What types of emails should be kept and for how long

When to encrypt emails

Consequences of violating email security policy

Password Policy

Password policy provides guidelines for using strong passwords for an organization’s resources

Design considerations

Password length and formation

Complexity of password

Password blacklists

Password duration

Common password practice
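The design considerations above (length and formation, complexity, blacklists, duration) only bite if something enforces them at password-set time and at review time. The following added example, not taken from the page, is a small policy checker that reports every violation at once rather than stopping at the first; the thresholds (12 characters, three character classes, 90-day maximum age) and the blacklist contents are assumptions chosen for illustration, and in practice the blacklist would be fed from a published breach corpus.

```python
"""Added example: enforce a password policy (length, complexity, blacklist,
username reuse, maximum age) and report every violation. Thresholds and the
blacklist are constructed assumptions for illustration."""
import re
from datetime import date

# Constructed blacklist; a real one would be loaded from a breach corpus.
BLACKLIST = {"password", "123456", "qwerty", "letmein", "welcome"}

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")


def char_classes(password: str) -> int:
    """Count how many of lowercase, uppercase, digit and symbol classes appear."""
    return sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)


def check_password(password: str, username: str, set_on: date, today: date, *,
                   min_length: int = 12, min_classes: int = 3,
                   max_age_days: int = 90, blacklist=BLACKLIST) -> list:
    """Return a list of policy violations; an empty list means the password
    complies with the policy as of `today`."""
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if char_classes(password) < min_classes:
        violations.append(f"fewer than {min_classes} character classes")
    lowered = password.lower()
    # Substring match, so "Password123!" is still caught by the entry "password".
    if any(bad in lowered for bad in blacklist):
        violations.append("contains a blacklisted password")
    if username and username.lower() in lowered:
        violations.append("contains the username")
    if (today - set_on).days > max_age_days:
        violations.append(f"older than {max_age_days} days")
    return violations


if __name__ == "__main__":
    today = date(2024, 3, 1)   # fixed date so the run is reproducible
    for pw, user, set_on in [("Password123!", "alice", date(2024, 2, 1)),
                             ("alice2024", "alice", date(2023, 10, 1)),
                             ("Tr0ub4dor&Horse!", "bob", date(2024, 1, 1))]:
        print(user, check_password(pw, user, set_on, today) or "OK")
```

Reporting all violations together matters for the "common password practice" consideration: a user told only "too short" will add one character and come back with the same blacklisted base word.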

Physical Security Policy

Physical security policy defines guidelines to ensure that adequate physical security measures are in place

Design considerations

Is the building protection deficiency reviewed regularly?

Is there a process to identify outsiders such as visitors, contractors, and vendors before giving them access to the premises?

Are there adequate lighting systems in place?

Are each of the entry points properly blocked?

Are badges, locks, keys, and authentication controls audited regularly?

Is video surveillance footage monitored regularly?

Is a proper inventory of the organization’s assets maintained regularly?

Information System Security Policy

Information system security policy defines guidelines to safeguard an organization’s information systems from malicious use.

Design considerations

Are the information systems protected with anti-malware?

Is the anti-malware updated regularly?

Is the OS updated and patched regularly?

Are they secured using strong password policies?

Are they secured with strong physical security policies?

Bring Your Own Devices (BYOD) Policy

A BYOD policy provides a set of guidelines to maximize business benefits and minimize risks while using an employee’s personal device on an organization’s network.

Design Considerations:

What personal devices are allowed for use under BYOD?

Which resources can be accessed through BYOD?

What features need to be disabled in BYOD devices?

What are the data storage considerations for BYOD devices?

What security measures are required for data and BYOD devices?

Software / Application Security Policy

Application security policy mandates proper measures that enhance the security of in-house and purchased applications

Design considerations

Configuration Management

Data protection in storage and in transit

Authorizations

Authentication

User and session management

Data validation

Error handling and exception management

Logging and auditing

Encryption

Data Backup Policy

The backup policy helps an organization recover and safeguard information in the event of a security incident / network failure.

Design Considerations:

Location of data backup

Name and contact details of authorized personnel who can access backups

Backup schedule

Type of backup method used

Hardware and software requirements for taking backups

Confidential Data Policy

Design Considerations

Treatment of confidential data, including data storage, access, transmission, sharing, disposal, handling, and disclosure

Use of confidential data

Security controls for confidential data

Emergency access to the data

Data Classification Policy

A data classification policy establishes a framework for classifying organizational data based on its level of sensitivity, value, and criticality within the IT security policy.

The organization’s data are classified into one of three sensitivity levels or classifications: restricted, private, and public

Design considerations

Appropriate data classification by data owners

Protecting data at rest

Protecting data in transit

Data labeling

Internet Usage Policy

Internet usage policy governs the way the organization’s Internet connection is used by every device on the network.

Design considerations

Internet usage limit for official as well as personal use

Time frame for personal use

Method adoption for web usage monitoring

Levels of privacy for employees

Restricted content

Server Policy

Server policy establishes a standard for the base configuration of an organization’s servers

An effective server policy restricts unauthorized access to an organization’s data and technology

Design considerations

Location and protection consideration for servers

Configuration of servers

Monitoring of servers

Wireless Network Policy

A wireless network policy states the rules and regulations for accessing an organization’s wireless network resources

Design considerations

Defining an access point for a WLAN

Placement of an access point

Technologies used for wireless connectivity

Procedure for integration of a new system into the wireless environment

Procedure for monitoring the network

User Access Control Policy

User access control policy gives an organization the ability to control, restrict, monitor, and protect corporate resource availability, integrity, and confidentiality

Design considerations

Who can access (people, process, or machines)?

What system resources can be accessed?

What files can be read?

What programs can be executed?

How to share data with other entities?

Switch Security Policy

Switch security policy describes a required minimal security configuration for the switches in the network.

Design considerations

Is the switch data monitored regularly?

Are unnecessary services and applications blocked?

Are all stored passwords and sensitive data encrypted?

Is the switch located in a restricted area?

Intrusion Detection and Prevention (IDS/IPS) Policy

The IDS and IPS policy facilitates detection and prevention of intrusions into an organization’s network

Design considerations

Deployment of a standard IDS system

Monitor log files of an IDS continuously

Regularly update the intrusion definitions (signatures) in the IDS logic for all evolving threats

Encryption Policy

The encryption policy defines an acceptable use and management of encryption methods, techniques, and tools throughout an enterprise.

The policy is applicable to all enterprise network resources, users (staff or stakeholders, among others), internal network (LAN, Wi-Fi) and remote (WAN) connections

Design considerations – It should define the encryption standards to be used for enterprise wired/wireless data communications, servers, desktops, laptops, smartphones, removable storage devices, USB memory sticks, VPN, and Wi-Fi.

Router Policy

Router policy describes a required minimal security configuration for all routers on the network

Design considerations:

User authentication

Access rules

Placement

Password management

Services required/disallowed/blocked

Policy Implementation checklist

After the security policy has been created, the most difficult part of the process is deploying it throughout the organization

  1. Make sure the security policy is approved by senior management
  2. Make sure the security policy is officially adopted as a company policy
  3. Review each policy and decide how it can be enforced within an organization
  4. Ensure that appropriate tools and techniques are in place to conform to the policy
  5. Develop a policy change plan for both the network and the policy itself
  6. Coordinate with other departments to develop procedures based on the policies
  7. Provide basic information security awareness training to employees

Conduct security awareness training

Employee Awareness Training

Employees are one of the primary assets of an organization and can be part of an organization’s attack surface

An organization needs to provide formal security awareness training for its employees when they join and periodically thereafter, so that employees:

Know how to defend themselves and the organization against threats

Follow security policies and procedures for working with IT

Know whom to contact if they discover a security threat

Can identify the nature of the data based on data classification

Protect the physical and informational assets of the organization

Moreover, organizations should provide security awareness training to employees to meet regulatory requirements if they want to comply with certain regulatory frameworks.

Different methods to train employees are:

Classroom style training

Online training

Round table discussions

Security awareness website

Providing hints

Making short films

Conducting seminars

Employee Awareness and Training: Security Policy

Security policy training teaches employees how to perform their duties and to comply with the security policy.

Organizations should train new employees before granting them access to the network or provide limited access until the completion of their training.

Advantages:

Effective implementation of a security policy

Policies are followed and not just enforced

Creates awareness on compliance issues

Helps an organization enhance its network security

Employee Awareness and Training: Physical Security

Proper training should be given to educate employees on physical security

Training increases the knowledge and awareness about physical security

Training should educate employees about how to:

Minimize breaches

Identify the elements that are more prone to hardware theft

Assess the risks of handling sensitive data

Ensure physical security at the workplace

Employee Awareness and Training: Social Engineering

Train employees on possible social engineering techniques and how to combat these techniques

Area of Risk – Attack Technique – Train employees / help desk on:

Phone – Impersonation – Not providing any confidential information, if this has occurred

Dumpsters – Dumpster Diving – Not throwing sensitive documents in the trash, shredding documents before putting them into the trash, erasing magnetic data before putting media into the trash

Email – Phishing, Malicious attachment – Differentiating between legitimate email and a targeted phishing email, not downloading malicious attachments

Employee Awareness and Training: Data Classification

Organizations should train employees on how to tell if information is confidential

Area of Risk – Attack Technique – Train employees / help desk on:

Office – Stealing sensitive information – How to classify and mark documents based on classification levels, and how to keep sensitive documents in a secure place

Typical information classification levels:

Top Secret (TS)

Secret

Confidential

Restricted

Official

Unclassified

Clearance

Compartmented Information

Security labels are used to mark the security level requirements of information assets and to control access to them

Organizations use security labels to manage access clearance to their information assets
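Concretely, a security label compares against a clearance as a pair: the classification level (ordered as in the list above) and the compartments the information belongs to. A clearance grants read access to an asset only if its level is at least the asset's level and it holds every compartment the asset is marked with, which is the standard dominance rule. The following is an added example, not from the page; the asset names, their labels and the compartment names are constructed for illustration, and the level ordering uses the page's own list.

```python
"""Added example: security labels with classification levels and compartments,
and the dominance check that decides whether a clearance may read an asset.
Asset names, labels and compartment names are constructed for illustration."""
from dataclasses import dataclass

# Ordered from least to most sensitive, using the levels listed on the page.
LEVELS = ["Unclassified", "Official", "Restricted", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know categories, e.g. {"CRYPTO"}

    def __post_init__(self):
        if self.level not in RANK:
            raise ValueError(f"unknown classification level: {self.level!r}")


def dominates(clearance: Label, label: Label) -> bool:
    """Clearance dominates label iff its level is at least as high and it
    holds every compartment the label carries."""
    return (RANK[clearance.level] >= RANK[label.level]
            and clearance.compartments >= label.compartments)


def can_read(clearance: Label, asset_label: Label) -> bool:
    return dominates(clearance, asset_label)


# Constructed asset register: each asset carries a security label.
ASSETS = {
    "quarterly-results.pdf": Label("Confidential"),
    "press-release.txt":     Label("Unclassified"),
    "key-ceremony-notes.md": Label("Secret", frozenset({"CRYPTO"})),
    "merger-plan.docx":      Label("Top Secret"),
    "hr-roster.xlsx":        Label("Restricted", frozenset({"HR"})),
}


def readable_assets(clearance: Label, assets=ASSETS) -> list:
    """Names of the assets the given clearance may read, sorted."""
    return sorted(name for name, lbl in assets.items() if can_read(clearance, lbl))


if __name__ == "__main__":
    analyst = Label("Secret", frozenset({"CRYPTO"}))
    executive = Label("Top Secret")
    print("analyst:  ", readable_assets(analyst))
    print("executive:", readable_assets(executive))
```

Note that a Top Secret clearance without the HR compartment still cannot read the Restricted HR roster: level alone is never sufficient, which is the point of compartmented information.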

Discuss other administrative security measures

Staff Hiring and Leaving Process

Consider and implement personnel security measures, starting from the selection and hiring of staff or contractors to relieving them of their duties.

Provide orientation sessions explaining the company background, along with their roles and responsibilities, and security policies

Insert clauses in the contract to enforce personnel security for contractors and audit their compliance

Remove access rights and collect all company assets from employees and contractors when they leave the organization

Hire employees after a thorough identity verification and background check

Contractors should be hired with the same due diligence as in-house employees

Employee Monitoring

The organization should conduct indiscriminate monitoring of employees’ activities to detect any act related to a policy violation

Use employee monitoring tool such as Spytech SpyAgent to monitor employee behavior.

Summary

A security policy outlines constraints, using rules and regulations, concerning every aspect of an organization’s network security

The security policy is an integral part of the Information Security Management Program for organizations

Policy statements must be written in a very clear and formal style

Information system security policy defines guidelines to safeguard an organizations information systems from malicious use

A BYOD policy provides a set of guidelines to maximize business benefits and minimize risks while using an employee’s personal device on an organization’s network

Security policy training and awareness are required for effective implementation of security policies