This document discusses organizational security and is divided into three main topics: policies, education and training, and disposal and destruction. It outlines the importance of security and describes policies around acceptable use, privacy, passwords, and disposal. It emphasizes providing security training to educate all staff levels. Finally, it covers securely disposing of or destroying IT equipment and data when no longer needed.
2. WHY IS THIS IMPORTANT TO ME?
Keeping a job
Protecting your company
Less work to recover from
“Ounce of prevention versus a pound of cure” – Benjamin Franklin
3. OBJECTIVES
Create organizational policies
Identify the educational and training needs of users and administrators
Properly dispose of or destroy IT equipment and data
4. TOPIC A
Topic A: Organizational policies
Topic B: Education and training
Topic C: Disposal and destruction
9. (1) SECURITY POLICY CONTENTS
Acceptable use
Due care
Privacy
Separation of duties
Need-to-know information
Password management
Service-level agreements
Account expiration
Destruction or disposal
Clean Desk Policy (nib)
10. ACCEPTABLE-USE POLICY
Defines how computer and network resources can be used
Protects information and limits liabilities and legal actions
Addresses productivity issues
Employees should read and sign the document
11. DUE CARE
Judgment or care exercised in a given circumstance
Identifies risks to organization
Assesses risks and measures to be taken to ensure information security
12. PRIVACY
Privacy of customer and supplier information
Contracts
Sales documents
Financial data
Personally identifiable information
Compromised information causes entities to lose trust
13. SEPARATION OF DUTIES
Avoids one person having all knowledge of a process
Potential for abuse
Knowledge leaves with person
Distribute tasks throughout staff
Document all procedures
Security divided into multiple elements
Each element assigned to different people
14. NEED TO KNOW
Sensitive information accessed only by those who must use it
Give IT team just enough permissions to perform duties
Give explicit access to those who need it
16. SERVICE-LEVEL AGREEMENT
Contract between service provider and end user
Defines levels of support
Documents penalties
Covers disaster recovery plans
Contingency plans
17. DISPOSAL AND DESTRUCTION
Degauss magnetic media
Zeroize (sanitize) drives
Physically destroy media
Lock recycle bins
Shred or burn documents
18. CLEAN DESK POLICY
CDP specifies how employees should leave their working space when they leave the office
19. (2) HUMAN RESOURCES POLICIES
Redundant knowledge, cross-train
Document manual procedures for automated duties
Access policies
ID badges
Keys
Restricted-access areas
Personnel management
Hiring process
Employee review and maintenance
Employee termination
20. HIRING
Background check
Reference checks
Past employer
Criminal check
Verify certifications and degrees
21. EMPLOYEE REVIEW AND MAINTENANCE
Periodic review
Performance
Identify potential security risks
Evaluate security clearances
Job rotation - reduce chance of fraud
Mandatory vacations – avoid burn-out
Separation of duties – no one holds too much power
23. CODE OF ETHICS
Defines organization’s information security policies
Employees act
Responsibly
Legally
Honestly
Provide proficient service
Act ethically
Prove reliability of organization
Customers
Suppliers
Other employees
24. (3) INCIDENT RESPONSE POLICY
Details how to deal with security breach or disaster
Incident
Event that adversely affects the network
Virus
System failure
Unauthorized access
Service disruption
Violation of security policies
Legal consequences
25. INCIDENT RESPONSE POLICY CONTENTS
a) Preparation
b) Detection
c) Containment
d) Eradication
e) Recovery
f) Follow-up
26. (A) PREPARATION
Plan ahead - allows quick, efficient response
Balance easy access with effective controls to prevent incidents
Identify steps that incident response team should take
List of Incident Response team members
Document acceptable risks
Identify hardware and software used for analysis and forensics of incident
Document contingency plan
27. (B) DETECTION
Assess the state of affairs
Figure out what caused the incident
Estimate scope of incident
Number of systems affected
Number of networks affected
How far intruder got
Level of privileges accessed
Information or systems at risk
Paths of attack
Who knows of incident
Extent of vulnerability
28. DETECTION (CONTINUED)
Document the incident
Share with
CIO
Affected personnel
PR department
Incident response team
Legal department
Law enforcement, government agencies
Include
Fundamental details
Incident type
Resources used to deal with incident
Source of incident
Consequences
Sensitivity of compromised information
29. (C) CONTAINMENT
Specific to different types of incidents
Increase monitoring levels
Malicious attack
Stop using compromised equipment or data until incident is resolved
Alert appropriate individuals
Gather information to identify perpetrator
30. (D) ERADICATION
Begins after containment
Eradicate cause of incident
Clean or delete affected files
Restore data
Verify that backups are clean
31. (E) RECOVERY
Document where new equipment can be procured
Quick replacement
Borrow
Vendor-sponsored
Full system restore
Change passwords
32. (F) FOLLOW-UP
Learn from what occurred
Document the entire process
Justify expense of implementing security policy and incident response team
Use as training
Use for legal proceedings
33. (4) CHANGE MANAGEMENT
Procedures for network changes
Initiated with an RFC (request for change) document
RFC sent for approval
Priority is set
Assigned to whoever makes the change
Document decisions
RFC scheduled
Complete when change owner and requester verify successful implementation
Review of RFC
34. TOPIC B
Topic A: Organizational policies
Topic B: Education and training
Topic C: Disposal and destruction
35. EDUCATION
Educate staff about security
Network administrators
End-users
Enables regular users to see potential security problems or security violations
Customize to provide level of knowledge needed by students
Big picture for end-users
Detailed knowledge for administrative users
Exhaustive knowledge for security administrators
36. COMMUNICATION
Identify what information can be shared and with whom
Identify what information can never be shared
Prove identity inside the company
Training should include social engineering threats
37. SECURITY TRAINING INCLUDES:
Reason for training
Whom to contact about security incidents
Policies about system account use – password policies
Policies about personally owned devices
Policies regarding disclosure of sensitive information including personally identifiable information
Compliance with laws, best practices, and standards
Internet, e-mail, social networking, and P2P policies
Threat awareness including viruses, social engineering attacks, tailgating, phishing
38. TYPES OF TRAINING
On-the-job
Learn from the experience
Document what was done
Classroom
Online
39. TOPIC C
Topic A: Organizational policies
Topic B: Education and training
Topic C: Disposal and destruction
40. DISPOSAL
Data and equipment
Implement policies and procedures to prevent loss of data
Determine value of data
Actual data
Configuration and settings that might reveal security controls
Intrinsic properties – brand, model
41. DATA SECURITY AND DESTRUCTION
Data destruction utilities
Paper documents
Configuration destruction – reset to default settings or just destroy equipment
Intrinsic properties destruction – probably not necessary unless for national defense
42. DISPOSAL OF ELECTRONICS
Cost of upgrading or repairing vs. replacing
Disruption to user
Cost of IT time
Factors specific to your organization
Recycling
Hazardous materials cannot be sent to landfill
Material safety data sheets (MSDS) indicate how to handle and dispose of them
43. DISPOSAL OF COMPUTER EQUIPMENT
Batteries cannot be sent to landfill – recycler
CRTs contain lead and phosphorus – recycler
LCD monitors – recycler
Computers
Circuit boards - recycler
Storage disks – erase completely
Reuse equipment OR Repurpose equipment
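The "zeroize (sanitize) drives" and "erase completely" items above are only half the job until someone reads the media back. As an added example that is not part of the slides, this POSIX shell script zero-fills a target in place and then counts any bytes that still read back as non-zero; the function names and the sample image are this example's own assumptions, and the sample is a constructed file (point the same functions at a block device when doing this for real).

```shell
#!/bin/sh
# Added example (not from the slides): zero-fill a file or block device
# in place, then read it back to confirm the sanitization actually took.
# Function names and the sample image are this example's own.

# Overwrite the first $2 bytes of $1 with zeros, in place.
wipe_zero() {
    target=$1; size=$2; bs=65536
    # Full blocks first, then the tail; conv=notrunc keeps the file size
    # (truncating would leave the old blocks unreferenced but still on disk).
    dd if=/dev/zero of="$target" bs=$bs count=$((size / bs)) conv=notrunc 2>/dev/null
    dd if=/dev/zero of="$target" bs=1 count=$((size % bs)) \
       seek=$((size - size % bs)) conv=notrunc 2>/dev/null
    sync   # make sure the zeros reach the media before verifying
}

# Print the number of non-zero bytes among the first $2 bytes of $1.
count_nonzero() {
    head -c "$2" "$1" | tr -d '\000' | wc -c | tr -d ' '
}

# Succeed only if every one of the first $2 bytes of $1 reads back as zero.
verify_zero() {
    [ "$(count_nonzero "$1" "$2")" -eq 0 ]
}

# Constructed sample: three 64 KiB blocks plus a 300-byte tail of random data,
# so both the block loop and the remainder path are exercised.
SAMPLE=$(mktemp)
SAMPLE_SIZE=$((3 * 65536 + 300))
head -c "$SAMPLE_SIZE" /dev/urandom > "$SAMPLE"

echo "non-zero bytes before wipe: $(count_nonzero "$SAMPLE" "$SAMPLE_SIZE")"
wipe_zero "$SAMPLE" "$SAMPLE_SIZE"
if verify_zero "$SAMPLE" "$SAMPLE_SIZE"; then
    echo "verified: all $SAMPLE_SIZE bytes read back as zero"
else
    echo "WARNING: $(count_nonzero "$SAMPLE" "$SAMPLE_SIZE") bytes still non-zero"
fi
rm -f "$SAMPLE"
```

Overwriting is the right tool for magnetic disks; for SSDs the drive's own secure-erase command is preferred, because wear levelling can keep old data in blocks that a host-side overwrite never reaches.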