Chapter 6-Business Security Process
8/10/2019 Chapter 6-Business Security Process
OBJECTIVES
- Describe the role of security in personnel practices
- Develop secure recruiting & interviewing procedures
- Evaluate confidentiality & employee security agreements
- Understand appropriate security education, training & awareness programs
- Design an incident reporting program
- Create personnel-related security policies and procedures

INTRODUCTION
- Personnel-related policies are mostly the responsibility of the Human Relations (HR) department
- Aspects of personnel security may involve the training department, legal counsel, and employee unions or associations
- Employees are simultaneously the organization's most valuable assets and its most dangerous risks
- Employees must receive information security training

FIRST CONTACT
Risks and rewards of posting online employment ads:
- A company can reach a wider audience
- A company can publish an ad that gives too much information:
  - About the network infrastructure, and therefore allow a hacker to footprint the internal network easily and stealthily
  - About the company itself, inviting social engineering attacks

JOB DESCRIPTIONS
Job descriptions are supposed to:
- Convey the mission of the organization
- Describe the position in general terms
- Outline the responsibilities attached to said position
- Outline the company's commitment to security via the use of such terms as "non-disclosure agreement"

JOB DESCRIPTIONS CONT.
Job descriptions are NOT supposed to:
- Include information about the internal network, such as types of servers deployed, types of routers deployed, and any other information that would allow a hacker to map the infrastructure of the internal network
  - It's harder to hack a network if one doesn't know what hardware & software are in use
- If the above information is deemed necessary, have the ad be anonymous

THE INTERVIEW
Job interview:
- The interviewer should be concerned about revealing too much about the company during the interview
- Job candidates should never gain access to secured areas
- A job interview is a perfect footprinting opportunity for hackers and social engineers

WHO IS THIS PERSON?
- An organization should protect itself by running extensive background checks on potential employees at all levels of the hierarchy
- Some higher-level positions may require even more in-depth checks
- In the military, information and users have a clearance level
  - Note that the clearance level is not all they need: they also need a demonstrated need to know to access data

TYPES OF BACKGROUND CHECKS
- The company should have a basic background check level to which all employees are subjected
- Information owners may require more in-depth checks for specific roles
- Workers also have a right to privacy: not all information is fair game to gather, only information relevant to the actual work they perform
- Companies should seek consent from employees before launching a background check

TYPES OF BACKGROUND CHECKS CONT.
- Educational records fall under FERPA. Schools must first have written authorization before they can provide student-related information
- Motor vehicle records fall under DPPA, which means that the DMV, or its employees, are not allowed to disclose information obtained by the department
- The FTC allows the use of credit reports prior to hiring employees as long as companies do so in accordance with the Fair Credit Reporting Act

TYPES OF BACKGROUND CHECKS CONT.
- Bankruptcies may not be used as the SOLE reason to not hire someone, according to Title 11 of the US Bankruptcy Code
- Criminal history: the use of this sort of information varies from state to state
- Workers' compensation records: in most states these records are public records, but their use may not violate the Americans with Disabilities Act

THE IMPORTANCE OF EMPLOYEE AGREEMENTS
Confidentiality agreements
- Agreement between employees and the organization
- Defines what information may not be disclosed by employees
- Goal: to protect sensitive information
- Especially important in these situations:
  - When an employee is terminated or leaves
  - When a third-party contractor was employed

THE IMPORTANCE OF EMPLOYEE AGREEMENTS CONT.
Affirmation agreements
- Focus on why acceptable use policies were created and how important compliance is
- An affirmation agreement is a teaching tool that serves as a guideline when an employee is faced with a situation not explicitly covered in the policy

THE IMPORTANCE OF EMPLOYEE AGREEMENTS CONT.
Affirmation agreements
- Should include the following topics:
  - Acceptable use of information resources
  - Internet use
  - E-mail use
  - Incidental use of information resources
  - Password management
  - Portable computers

THE IMPORTANCE OF EMPLOYEE AGREEMENTS CONT.
Affirmation agreements
- The agreement should end with a commitment paragraph acknowledging that:
  - The user has read the agreement
  - The user understands the agreement
  - The user understands the consequences of violating the agreement
  - The user agrees to act in accordance with the policies set forth

THE IMPORTANCE OF EMPLOYEE AGREEMENTS CONT.
Affirmation agreements
- The agreement should be dated and signed by the employee
- The signing of the agreement should be witnessed
- An appendix of definitions should be provided to the user

TRAINING: IMPORTANT?
Training employees
- According to NIST, federal agencies "cannot protect ... information ... without ensuring that all people involved ...":
  - Understand their role and responsibilities related to the organization's mission
  - Understand the organization's IT security policy, procedures and practices
  - Have at least adequate knowledge of the various management, operational and technical controls required and available to protect the IT resources for which they are responsible

TRAINING: IMPORTANT? CONT.
- Hackers adapt: if it is easier to use social engineering (i.e. targeting users) rather than hack a network device, that is the road they will take
- Only securing network devices and neglecting to train users on information security topics is ignoring half of the threats against the company

SETA FOR ALL
What is SETA?
- Security Education, Training and Awareness
- Awareness is not training: it is focusing the attention of employees on security topics in order to change their behavior
- Security awareness campaigns should be scheduled regularly
- Security training seeks to teach skills (per NIST)
- Security training should NOT be dispensed only to the technical staff but to all employees

SETA FOR ALL CONT.
What is SETA?
- Education: a common body of knowledge should be developed for all employees
- Specific bodies of knowledge should be developed for specific roles in the company
- SETA funding should be codified in the security policy so that it is not slashed at the first opportunity
- GLBA and HIPAA both include security training requirements as part of compliance

SECURITY INCIDENT REPORTING IS EVERYONE'S RESPONSIBILITY
- It is the responsibility of ALL employees to report security incidents
- Any time data confidentiality, integrity and/or availability is threatened, a security incident report should be filed
- Users must be vigilant and trained to recognize and report security incidents
- Reporting security incidents must become a part of the corporate culture

SECURITY INCIDENT REPORTING IS EVERYONE'S RESPONSIBILITY CONT.
- A security incident reporting program should feature the following three ingredients:
  - Training users to recognize suspicious incidents
  - Implementing an easy incident reporting system
  - Having the staff involved in the investigation of the incident report back to the employees who reported it, to show that the report was not dismissed and to encourage future reports

TESTING THE PROCEDURES
- The security incident reporting program should be tested to make sure that it works and that it provides investigators with the information they need
- Testing should not occur without the knowledge and approval of senior management
- Testing should NOT be advertised to employees, in order to get accurate results

TESTING THE PROCEDURES CONT.
- Testing the security incident reporting system should focus on the following two topics:
  - How did the employees respond to the incident? Did they apply techniques and procedures learned during training?
  - Did the employees report the incident?
- Results should be documented and analyzed. If necessary, training material should be edited for clarity or new procedures