At this point, I’m convinced that the book is randomly throwing some exciting chapters (social engineering, embedded systems) in the mix to keep up morale between chapters like this one, haha. Not that policies aren’t important, they’re just… not the most exciting thing to read about. 🤓
This chapter is entirely for people who are Lawful Good or Lawful Neutral.
This is a continuation of my blog post series on the CompTIA Security+ exam.
Policies and procedures govern the operation of an organization. Where do they come from? They’re driven by internal requirements, as well as external requirements such as laws, regulations, contracts, and customer specifications.
Standard Operating Procedures
Procedures are step-by-step instructions on how to implement policies within an organization. Standards are mandatory elements regarding the implementation of a policy.
If you put these two together, you get standard operating procedures:
Mandatory step-by-step instructions set by the organization so that, in the performance of their duties, employees will meet the stated security objectives of the firm.
When setting up these requirements and procedures, the legal team will likely be involved. Doubly true if other businesses (a customer, a partner, etc.) are involved.
Business partnership agreements (BPA) are legal agreements between partners. This is a legal agreement that outlines the terms, conditions, and expectations between the partners.
A service level agreement (SLA) is a negotiated agreement between two parties that outlines expectations of service. This is between a customer and a service provider. Technical metrics, like uptime or performance, will be outlined in this agreement.
An interconnection security agreement (ISA) is a specialized agreement between organizations that have interconnected IT systems. An ISA documents the security requirements that result from that connection.
A memorandum of understanding (MOU) and memorandum of agreement (MOA) are legal documents that describe a bilateral agreement between parties. The parties have some kind of shared goal; the MOU/MOA lays out a set of intended actions.
Non-disclosure agreements (NDAs) are standard corporate documents between a company and its personnel. They outline the boundaries of company secret material and prohibit disclosure of that information to unauthorized parties.
Acceptable Use Policies (AUP) are documents that outline what the organization considers to be appropriate use of its resources. This includes computer systems, email, internet, networks, and so on. The goal is to allow for normal business productivity while also limiting inappropriate use. These AUPs should have teeth. Whether you go the “zero tolerance” route or instead leave enforcement to discretionary action is up to you.
Personnel management is the establishment, enforcement and monitoring of all things personnel-related. In true Security+ study guide fashion, we’re gonna blitz through a bunch of related-ish topics.
This book recommends enforcing mandatory vacations. No, not because they’re feeling nice. Employees who are engaging in activities like fraud or embezzlement need to be around all the time to keep the scheme going. If you force employees to take vacation every year, then of course, they can’t do that. Unless they had an accomplice, I suppose. This means you need a deep bench of training in the organization to cover people who are out of the office.
It also recommends job rotation. This gives people exposure to new roles, so they can understand how each part of the business can work towards (or against) the company’s goals. Plus, this allows you to avoid relying on one person for security expertise.
Separation of duties has been mentioned in previous chapters. This book loves redundancy. Separation of duties means that you ensure that no single individual has the ability to conduct transactions alone. This means you trust each person a little bit less, but you also reduce the chances for catastrophic damage from one person. No one should have “the keys to the kingdom.” You don’t want to overshoot it though and cause an overhead nightmare.
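As an added illustration (my own example, not from the book), here is a small dual-control approval check in Python: a constructed “transfer” transaction can only be executed after a second, distinct person holding the approver role signs off. The user names, roles and transaction are made up for the example.

```python
"""Dual-control approval as an illustration of separation of duties.

Example code written for this post, not from the Security+ book. The role
table, user names and the 'transfer' transaction are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed role table: who may request and who may approve transfers.
ROLES = {
    "alice": {"requester"},
    "bob": {"approver"},
    "carol": {"requester", "approver"},  # holds both roles, but still may
                                         # not approve her own request
}


@dataclass
class Transfer:
    requested_by: str
    amount: int
    approved_by: Optional[str] = None
    executed: bool = False


class SeparationOfDutiesError(Exception):
    """Raised when one person tries to complete a transaction alone."""


def request_transfer(user: str, amount: int) -> Transfer:
    if "requester" not in ROLES.get(user, set()):
        raise SeparationOfDutiesError(f"{user} may not request transfers")
    return Transfer(requested_by=user, amount=amount)


def can_approve(transfer: Transfer, user: str) -> bool:
    """True only for a second, independent person with the approver role."""
    has_role = "approver" in ROLES.get(user, set())
    # The core check: the requester never signs off on their own request,
    # even when they happen to hold the approver role as well.
    return has_role and user != transfer.requested_by


def approve_transfer(transfer: Transfer, user: str) -> Transfer:
    if not can_approve(transfer, user):
        raise SeparationOfDutiesError(f"{user} may not approve this transfer")
    transfer.approved_by = user
    return transfer


def execute_transfer(transfer: Transfer) -> Transfer:
    if transfer.approved_by is None:
        raise SeparationOfDutiesError("transfer has not been approved")
    transfer.executed = True
    return transfer
```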
Clean desk policies–enforced even on bathroom trips–mean that a workstation is clean of sensitive information while the user is absent. This includes things like sticky notes hidden under keyboards. Clean it up, pals.
Hiring, onboarding and off-boarding
Background checks! Thankfully, you don’t have to wonder if your employees have shady pasts. You can pay someone to figure it out and report back to you. I’m pretty sure that this is common practice in most white collar jobs.
When someone is being onboarded into the company, they should learn about security issues, responsibilities and policies. This helps establish the importance of their role from the get-go.
The book talks about exit interviews as a tool for gathering information when someone is on the way out of the company. After about one sentence of that, it stops. Then it reminds you (again) that it’s important to review and terminate user accounts after someone leaves. You’re welcome.
Everyone should have general security training. However, you should also provide role-based awareness training so that people see how security relates to their specific job duties. You should include retraining, as well as continual evaluation of people’s roles (do they have more responsibilities that warrant new training?). Continuing education is important.
The book goes through a bunch of different roles. Each one has its own place in the company, and has unique training needs.
- Data owners are in charge of data ownership (big surprise there). This is a business function, where requirements for security, privacy, retention, and other business functions are established.
- System administrators are administrative users who are responsible for maintaining a system within its defined requirements. They don’t get to create the requirements. System owners do that. Similar to data ownership, system ownership is another business function. This is where requirements for security, privacy, retention and other business functions are established, this time for an entire system.
- Users refer to normal users who have limited access and privileges, based on their job role and tasks.
- Privileged users have more permissions than normal users. An example is a database administrator.
- An executive user is a special subset of user. The book gives the example of C-suite people who don’t need access but will be given access anyway when they ask for it. They’re natural targets for phishing attacks, so be careful.
General Security Policies
This is a high-level statement (or maybe set of statements?) that outlines “what security means to an organization.” This would be developed by senior management. This sounds very Office-Space to me, but you’ve probably seen these before. A book example is “this organization will exercise the principle of least privilege in its handling of client information.”
Social Media Networks
One possible AUP clause is the restriction of social media usage while at work or on work equipment. Social media opens the company up to data loss, malware, and phishing attempts.
I could probably go the rest of my life without hearing about personal email usage as a bad thing. But, it’s in here for a reason. If personal data and work data get mixed up, especially if the data resides on company servers, this is a legal and HR headache waiting to happen.