CHAPTER 2

Security Policies and Procedures

This chapter presents the following topics:

•   Policy and process life cycle management

•   Support legal compliance and advocacy by partnering with human resources, legal, management, and other entities

•   Understand common business documents to support security

•   Research security requirements for contracts

•   Understand general privacy principles for sensitive information

•   Support the development of policies containing standard security practices

The further one delves into the advanced principles of security, the more apparent it becomes that security goes far beyond the boots-on-the-ground stuff like cryptography, firewalls, packet sniffers, complex passwords, and locked doors. Security practitioners spend a lot of time fussing over the managerial and regulatory aspects such as security policies, process life cycles, business documents, contracts, and privacy requirements. Similar to how the U.S. Constitution methodically lays out various laws for the country, security policies carefully define the intentions and requirements for securing the information, resources, facilities, and people of an organization.

This would be challenging enough even if businesses, industries, laws, and regulations weren’t in a constant state of change. Organizations are forced to evolve on operational, tactical, and strategic levels in response to internal and external changes. For today’s organizations to sustain the delivery of their business objectives, they need to approach security with the same top-down documents and methodologies they already apply to governance.

In this chapter, we’re going to dive into security policies, privacy principles, and procedures based on company requirements. We must also consider life cycle management for the security policies based on the inevitable changes to the organization, its technology, customers, and the regulatory environment. The demands placed on organizations are more complex and mission-critical than ever; therefore, security practitioners must work closely with human resources, legal departments, and management to create and enforce a “culture of security” from the top-down. With the help of decision makers, we will craft various security business documents to ensure that everyone understands what is expected of them, the organization, and all other parties. Taking this top-down approach to security, organizations will be steered by upper management for not only the achievement of business objectives but also security objectives.

Policy and Process Life Cycle Management

Important in any organization’s approach to implementing security are the policies, processes, standards, guidelines, procedures, and baselines used to detail what users and administrators should be doing to maintain the security of the environment. Collectively, these documents communicate the requirements and methods needed to determine how security will be implemented throughout an organization. They are inspired by various internal and external influences, including local, state, and federal regulations, competition, auditors, customers, business partnerships, and even international laws. Security policies have to account for a lot of moving parts, including the following:

•   Organizations are always changing.

•   New technologies are constantly being added or modified.

•   Employees come and go.

•   New roles and responsibilities are created.

•   New local, state, federal, and international laws are being created.

•   Hackers are multiplying in number, scope, and skill at an alarming rate.

In order for businesses to deal with these intricacies, they’ll need a little help from their executive friends. Taking a top-down approach to security will require decision makers, and other departments, to collectively evangelize the integration of security into all business processes and objectives. If upper management cares about security, it’ll go a long way in getting the rest of the organizational staff to go along.

Policies

Security policies are documents that provide the foundation for organizational security goals. They provide information and high-level guidance to all parties in an organization with respect to the goals and objectives associated with a specific aspect of the business. Depending on the organization, security policies may number in the dozens or more. With each security policy, a life cycle exists to manage the policy through creation, implementation, and its eventual retirement, as noted next.

Several steps are involved in policy life cycles:

1.   Perform a risk assessment to identify risks to organizational assets.

2.   Utilize policy templates to guide policy creation.

3.   Seek policy input from executives and other stakeholders.

4.   Establish penalties for policy violations.

5.   Publish the policy to all employees in the organization.

6.   Ensure staff members read, understand, and sign the policy.

7.   Utilize technology to enforce policies whenever possible.

8.   Educate staff about the policy contents.

9.   Schedule reviews for the policy on an annual or semi-annual basis.

10.   Retire the policy when it’s no longer applicable.

As a general principle, the internal policies created by organizations are a reflection of the external laws and regulations that apply to the organization. When you are creating security policies, it is important that the policies fully comply with any pertinent laws and regulations; otherwise, you risk running afoul of the law. Since executives should understand the legal aspects that affect the business, seek their input and gain their approval before publishing the policy company-wide. Also, don’t forget to review the policies every once in a while. Policy reviews should be conducted at least once or twice a year to ensure they remain relevant in your environment. Businesses change often enough to invalidate certain aspects of security policies; plus, the regulatory environment is rarely stationary. In fact, the policies should include a section that explicitly requires scheduled reviews to ensure compliance.

Policy Types

Before we dive into the numerous examples of security policies, it is important to cover how security policies are categorized. Understanding these categories will help you to adopt a big-picture perspective on the (seemingly) endless supply of security policies. These categories vary in terms of the scope of the policy (what it affects) as well as the enforceability of the policy (requirements versus recommendations):

•   Organizational policies   These policies focus on matters that relate to all aspects of an organization. They are umbrella policies that encapsulate the business as a whole.

•   System-specific policies   These policies focus on specific computers or network systems as well as the necessary security controls that protect them.

•   Issue-specific policies   These policies focus only on specific organizational issues such as department issues, business products and processes, and others. They are not concerned with the overall organization, nor do they target specific computer and network systems.

EXAM TIP    Be aware of regulatory, advisory, and informative policy categories, too. Regulatory policies ensure that organizations are following the legal requirements of a compliance law. Advisory policies provide strong recommendations as to the appropriate behaviors and actions that can be exhibited by employees. Informative policies are gentle recommendations or reminders for employees to consider.

Now that we talked about how security policies are categorized, we’re going to dig into examples of actual security policies. Most study resources only provide a handful of examples and move on. This All-In-One exam guide goes the extra mile in listing out a great many of the most popular security policies so that you are not only better prepared for the exam but also for the security field itself. Once we’ve sufficiently covered examples of policies, we’ll discuss the remaining building blocks of policies which include standards, guidelines, processes, procedures, and baselines.

Acceptable Encryption Policy

Organizations may use this policy to detail the requirements that cryptographic algorithms—also known as ciphers—must meet in order to be trusted for use within the organization. These requirements may include whether the algorithm has widespread usage in the field, the existence of published studies, and peer review. Such policies should also mandate that only well-known, publicly analyzed algorithms be used and that all “home-grown” algorithms be avoided. This matters because some individuals mistakenly believe that a self-made algorithm is superior to a well-known one because of its obscurity: if no one has heard of the algorithm, no one will attack it or know how to. This is not only untrue but dangerous. An algorithm shipped in software can be recovered from the binary by disassembly, after which its security rests entirely on the quality of its design, and a design that has never faced public cryptanalysis almost always has exploitable flaws. Trusted algorithms follow Kerckhoffs’s principle: everything about the system except the key is assumed to be known to the attacker.

NOTE    Cryptographic algorithms you will encounter include DES, 3DES, RC4, AES, RSA, MD5, SHA-1, and SHA-2. Not all of them belong on an acceptable list: DES, RC4, MD5, and SHA-1 are broken or deprecated, and 3DES is being retired, so a current acceptable encryption policy would permit AES, RSA with adequate key sizes, and SHA-2 while explicitly prohibiting the others. For more information, see Chapter 15.

Acceptable Use Policy

An acceptable use policy (AUP) is a common policy that documents the acceptable and unacceptable uses of computers, networks, and data. As with most policies, employees are expected to read, understand, consent to, and sign the AUP. Organizations rely heavily on this document to limit their liability. A user who refuses to sign is typically denied access to computer resources until the signature is received, and in many organizations refusal is grounds for termination. Failure to abide by the requirements of the AUP results in the disciplinary actions indicated in the policy.

TIP    The SANS Institute is a fantastic resource for publicly available security policy templates. Visit the SANS website to download templates and then brand and personalize them to fit your organizational needs. You’ll notice that the security policies of many organizations tend to look alike. That is because they typically source the security policy templates from the same Internet sites as others!

Access Control Policy

This critical policy specifies the resources that require protection, the methods of protection, and the individuals, roles, or clearance levels that are to be granted access. It also defines circumstances in which special access can be granted, including the “need-to-know” scenarios, conflicts of interest, authority demands, and others. Access control is often centered around access control lists (ACLs), which can vary in meaning based on file system, networking, or database contexts.

In security jargon, we often substitute “subject” for a user (or process acting on a user’s behalf) and “object” for a resource. In simple terms, subjects access objects. An ACL is a list attached to an object that enumerates which subjects may access it and what permissions each one has. The access control policy may also outline the usage of one or more access control methods, which are defined next.

Discretionary Access Control (DAC)   This common access control method describes how the owner of an object determines which subjects can access the object—and to what degree. In other words, access control is at the owner’s “discretion.” The Windows NTFS file system is a good example of discretionary access control since it utilizes the concept of file/folder owners.

NOTE    In Windows, the account that creates a file or folder becomes its owner by default. The well-known CREATOR OWNER security principal is a placeholder used in inheritable permission entries: when a new object is created, Windows replaces CREATOR OWNER in the inherited entries with the creator’s own SID. Owners, who might be ordinary end users, have the powerful ability to change permissions on the objects they own. To rein in abuse of this discretionary privilege, Administrators can take ownership of any object (the Take Ownership privilege), making themselves the new owner and then resetting its permissions.

Role-Based Access Control (RBAC)   Becoming increasingly popular, this access control method uses an organizational or departmental role to determine the access granted to individuals. Rather than leave it to the self-governing discretion of an object owner, the company role that an individual belongs to is used to determine access. For example, Sales users are added to the Sales department role, and the Sales department role is granted “read” access to the Sales folder. Neither the users, the owners, nor the resources determine access. This allows greater consistency and predictability of access since roles are well-defined across many groups of people.

Mandatory Access Control (MAC)   Frequently used by the military and other high-security environments, mandatory access control revolves around the security clearance levels of subjects and the sensitivity or classification labels of objects. The system, not the object owner, enforces the comparison, and neither users nor owners can override it. In other words, certain airmen, marines, sailors, or soldiers have the required clearance level to access materials that carry a Confidential classification. Outside the military, SELinux and AppArmor on Linux are examples of MAC implementations.

EXAM TIP    Mandatory access control is generally considered to be the strongest access control method, hence its frequent usage in government and military environments.

Rule-Based Access Control   This access control method is focused on implementing standardized rules for all users of a system rather than customizing the rules to the users, as with DAC. For example, a network appliance such as a router or firewall will utilize high-level packet-filtering rules that apply to everyone. Put another way, these rules are focused on situations, not individuals.
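The four models above differ in who decides and what the decision is based on, which is easiest to see in code. The following toy reference monitor is an added illustration, not code from the chapter. Its subjects, objects, roles, labels, and firewall rules are all made up, and the MAC branch implements the Bell-LaPadula “no read up, no write down” rules, which the chapter does not spell out.

```python
"""Toy reference monitor contrasting DAC, RBAC, MAC and rule-based access control.

Added illustration, not code from the original chapter. All subjects, objects,
roles, labels and rules below are constructed for the example.
"""
from dataclasses import dataclass, field

# Clearance / classification lattice, lowest to highest (constructed).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass
class Obj:
    name: str
    owner: str
    label: str                                  # used only by MAC
    acl: dict = field(default_factory=dict)     # subject -> set(perms), used by DAC


# ---- Discretionary Access Control ---------------------------------------
def dac_grant(obj: Obj, granter: str, subject: str, perm: str) -> bool:
    """Only the owner may change the object's ACL (the owner's 'discretion')."""
    if granter != obj.owner:
        return False
    obj.acl.setdefault(subject, set()).add(perm)
    return True


def dac_check(obj: Obj, subject: str, perm: str) -> bool:
    """Owner always has access; everyone else needs an ACL entry."""
    return subject == obj.owner or perm in obj.acl.get(subject, set())


# ---- Role-Based Access Control ------------------------------------------
ROLE_PERMS = {
    "sales": {("sales_share", "read")},
    "sales_manager": {("sales_share", "read"), ("sales_share", "write")},
}
USER_ROLES = {"alice": {"sales"}, "bob": {"sales_manager"}}


def rbac_check(user: str, obj_name: str, perm: str) -> bool:
    """Access flows from the user's roles; the object owner has no say."""
    return any((obj_name, perm) in ROLE_PERMS.get(r, set())
               for r in USER_ROLES.get(user, set()))


# ---- Mandatory Access Control (Bell-LaPadula, assumed for the example) ---
def mac_check(clearance: str, obj: Obj, perm: str) -> bool:
    """Read requires clearance >= label (no read up); write requires
    clearance <= label (no write down). Neither owner nor user can override."""
    s, o = LEVELS[clearance], LEVELS[obj.label]
    if perm == "read":
        return s >= o
    if perm == "write":
        return s <= o
    return False


# ---- Rule-Based Access Control (firewall-style, identity-free) -----------
RULES = [  # (proto, dst_port, action); first match wins, last rule is default deny
    ("tcp", 443, "allow"),
    ("tcp", 22, "deny"),
    ("*", None, "deny"),
]


def rule_check(proto: str, dst_port: int) -> str:
    """Rules describe situations (protocol, port), not individuals."""
    for r_proto, r_port, action in RULES:
        if r_proto in ("*", proto) and (r_port is None or r_port == dst_port):
            return action
    return "deny"
```

Run the checks side by side and the contrasts in the text fall out: in DAC a non-owner cannot grant anything, in RBAC a user’s rights change only when the role mapping changes, and in MAC a Top Secret subject can read a Secret document but cannot write into it.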

Acquisition Assessment Policy

This policy defines the roles, responsibilities, and processes for organizations that have acquired another organization. It may mandate security onboarding processes, training requirements for all parties, security reviews, background checks, reviews of laws and regulations, and offboarding processes should acquisitions be reversed in the future.

Clean Desk Policy

Although it’s nice for your work area to be aesthetically clean, that is not what this policy refers to. Our work areas often have sensitive materials in plain sight: passwords on sticky notes; paperwork containing personally identifiable information (PII) such as names, phone numbers, e-mail addresses, Social Security numbers, account numbers, and credit card details; medical records; intellectual property; trade secrets; and so on. This policy requires that all such materials be locked away so that only authorized parties can access them.

Change Management Policy

Change management policies detail the formal process of requesting, deliberating, approving, and scheduling changes to IT systems. This ensures that all changes are documented and consistent with organizational policies, and that ill-advised changes are unlikely to take place. Granted, this policy frustrates many people because of the implementation slowdowns it produces, but waiting for a well-understood change beats racing toward an outage or a breach.

Data Retention Policy

Much to an organization’s chagrin, data retention policies require that certain data types be retained for a certain number of years—despite the possibility of the data losing its usefulness, and the lingering fear that buried and incriminating information may one day expose the organization to liability.

On the plus side, such policies will help keep organizations on the straight and narrow due to the variety of losses that can be incurred through noncompliance. Retention requirements may include length of time, data accessibility requirements, and methods of archival and destruction. Like most policies, they are subject to the organization’s industry and geographical location.

Disaster Recovery Plan (DRP) Policy

This important policy documents the recovery methods for various worst-case scenarios, including system, application, and data failures. Although DRPs are generally part of the broader business continuity plan (BCP), they aren’t the same thing. Whereas the BCP focuses on the survival of the business as a whole, the DRP concentrates on the technological recovery of the organization’s systems and data. It is crucial that management allocates sufficient budget to the DRP so that every documented disaster type has meaningful mitigations in place and can be recovered within the promised timelines.

NOTE    Disaster recovery is discussed in more detail in Chapter 11.

E-mail Policy

Considering the criticality of e-mail communications, most organizations will need to thoroughly police its usage. E-mail policies help standardize the proper use of e-mail systems, while also raising awareness regarding procedures and guidelines. This policy may contain many requirements for e-mail handling, including the following:

•   Creation, reading, downloading, and transmission of messages

•   Spam filtering

•   Attachment handling

•   Disabling HTML

•   Malware protection

•   Social engineering countermeasures

•   Confidentiality

•   Privacy

•   Digital signatures

•   Encryption

•   Business versus personal usage

TIP    Avoiding attachments from untrusted sources is good advice, but attackers are just as likely to exploit you through the message body itself. Because most mail clients render HTML, attackers use HTML to disguise malicious links, embed remote content that tracks who opened the message, and trigger rendering bugs in the client. Disabling HTML rendering in your mail client (or having it display messages as plain text by default) removes most of that attack surface. Your e-mail loses its aesthetic polish, but you are considerably safer.

Ethics Policy

This is a human-level policy that mandates the exercise of lawful behaviors, good judgment, professionalism, and fairness to all customers, employees, partners, vendors, and other parties. It seeks to prevent wrongdoing or illegal actions, regardless of whether such negative outcomes were intentional. This policy also promotes an open-door culture for information requests, information sharing, the exercise of due diligence for issues that are real or indeterminate, and accountability for mistakes.

Extranet Policy

Organizations within and across various industries often have a need to connect to each other’s network through the Internet. This policy helps to establish many requirements, including the following:

•   Roles and responsibilities

•   Resources to be protected

•   Methods of resource protection

•   Data ownership

•   Backup and recovery methods

•   Connectivity methods to be used

•   Points of contact

•   Termination of access

NOTE    Policies can be created either from the top down or from the bottom up. Top-down policies have the advantages of aligning with strategic goals of the organization while also being evangelized by organizational leadership. The disadvantage is that they are sometimes too high level to be of direct use to most in the organization. Bottom-up policies can directly address operational issues but may lack the necessary support from executives to become enforceable.

Firewall Policy

This policy stipulates the recommendations and/or requirements for the usage of host-based or network-based firewalls throughout an organization. It should indicate who the responsible parties are for firewalls. The responsible party will usually be listed as a job role or job title, as opposed to an individual’s name, to account for employee turnover. It must also specify the rule types that determine which traffic types will be permitted or dropped. It also specifies the procedures for proper management of the firewall, and, if necessary, any provisions for maintenance windows and recovery procedures.

Internet Usage Policy

Considering the Internet is an equally helpful and dangerous asset, it is important for organizations to curtail its usage as needed. This policy defines how the Internet can and cannot be used via company computers and networks, at the company facilities, during company time. It explains various scenarios of Internet usage, including e-mail, web browsing, and maybe even social media. Considering how many threats come to fruition as a result of the Internet, extra emphasis must be given to Internet policies, procedures, and awareness to protect the business from malicious software, social engineering, and hackers.

Media Disposal Policy

Since full data or fractions of data (called data remnants) can survive typical drive formatting and file deletions, proper sanitization and disposal techniques are required for discarded media types like hard drives, flash drives, floppies, and optical discs. Notwithstanding the obvious environmental benefits gained from proper disposal, assurances must also be provided that all confidential data has been fully erased from media.

NOTE    Contrary to popular belief, a quick format or a file deletion doesn’t erase much of anything. Such operations typically remove the file system’s pointers to the data (directory entries, allocation tables) and leave the data blocks themselves intact until they happen to be overwritten. Attackers don’t need the pointers: file-carving tools scan the raw blocks for known file signatures and reassemble the contents. There are countless stories of data being recovered from hard drives and flash drives pulled out of trash cans.

Media disposal policies call for sanitization methods such as hard drive shredding, pulverizing, drilling, degaussing, or overwriting (“zeroing out”) to ensure the confidentiality of company data long after the media has been disposed of. Match the method to the media: degaussing works on magnetic platters but does nothing to flash memory, and overwriting is unreliable on SSDs and flash drives because wear leveling hides blocks from the operating system, so use the device’s built-in secure erase or cryptographic erase, or destroy it physically. NIST SP 800-88, Guidelines for Media Sanitization, organizes these options into clear, purge, and destroy levels. Physical destruction techniques can be expensive; research whether it is more cost-effective to outsource this capability to a provider or to operate your own media destruction equipment in-house.

Password Protection Policy

To this day, the most ubiquitous security method for computer systems is the password. A policy is needed to ensure that all parties, including employees, contractors, and vendors, fully understand the expectations for proper password management to protect company assets. Password policies have traditionally included the following requirements:

•   Complex passwords   Three or four character sets, including uppercase, lowercase, numbers, and special characters.

•   Long passwords   Typically eight or more characters.

•   Maximum password age   From 30 to 90 days is the average.

•   Password history   A password cannot be reused until it has been changed at least three to five times.

•   Minimum password age   A minimum aging requirement closes the obvious loophole in password history: without it, a user can change the password several times in a row and cycle straight back to the original.

Note that the field is moving away from parts of this list. NIST SP 800-63B recommends screening new passwords against lists of known compromised passwords, favoring length over composition rules, and forcing a change on evidence of compromise rather than on a calendar. Expect the exam to test the traditional items above; expect a modern policy to lean toward the NIST guidance.
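As an added example (not from the chapter), the following Python evaluator enforces the five traditional requirements above and shows why minimum age and history have to work together. The thresholds, the per-user record, and the sample passwords are constructed for the example; a production system would store each historical hash with its own salt, whereas this toy reuses one salt per user so that hashes can be compared directly.

```python
"""Password policy evaluator: length, complexity, history and min/max age.

Added illustration, not code from the original chapter. Thresholds mirror the
chapter's bullets; the record format and sample data are constructed.
"""
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Policy parameters (constructed to match the chapter's list).
MIN_LENGTH = 8
MIN_CHAR_CLASSES = 3
MAX_AGE = timedelta(days=90)
MIN_AGE = timedelta(days=1)
HISTORY_DEPTH = 5


def _hash(pw: str, salt: bytes) -> bytes:
    """Store only salted PBKDF2 hashes of past passwords, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def char_classes(pw: str) -> int:
    """Count how many of the four character sets the password draws from."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(any(c in cls for c in pw) for cls in classes)


class PasswordRecord:
    """Per-user state: current hash, recent history and last change time."""

    def __init__(self, pw: str, set_at: datetime):
        self.salt = os.urandom(16)          # one salt per user (toy simplification)
        self.history = [_hash(pw, self.salt)]   # most recent first
        self.set_at = set_at

    def expired(self, now: datetime) -> bool:
        """Maximum age: the user must change the password after MAX_AGE."""
        return now - self.set_at > MAX_AGE

    def change(self, new_pw: str, now: datetime) -> tuple[bool, str]:
        """Apply every rule; return (accepted, reason)."""
        # Minimum age first: it is what stops history from being cycled through.
        if now - self.set_at < MIN_AGE:
            return False, "minimum age not reached"
        if len(new_pw) < MIN_LENGTH:
            return False, "too short"
        if char_classes(new_pw) < MIN_CHAR_CLASSES:
            return False, "too few character classes"
        digest = _hash(new_pw, self.salt)
        # Constant-time comparison against the last HISTORY_DEPTH hashes.
        if any(hmac.compare_digest(digest, h) for h in self.history[:HISTORY_DEPTH]):
            return False, "reused recent password"
        self.history.insert(0, digest)
        self.set_at = now
        return True, "ok"
```

Try changing the password twice within an hour and the second attempt is refused for minimum age; wait past the minimum and the history check then refuses the old password. Remove the minimum age and a user can run through five throwaway passwords and land back on the original in under a minute.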

Physical Security Policy

The one thing that will never change about security is that physical security is the most important type of security. A physical security policy puts into motion the requirements for various physical security countermeasures needed to secure business data, facilities, and people. Many examples of physical security countermeasures include armed and unarmed security guards, locked doors, video surveillance systems, mantrap doors, proximity cards, biometric devices, sign-in sheets, and more.

There are also physical security requirements for the protection of your cabling, environmental considerations such as location and protection of HVAC controls, and uninterruptable power supplies and generators to mitigate power failures. You can have all the strong passwords, encryption, firewalls, and ACLs in the world, but if someone walks into a data center, grabs a server, and tosses it into the back of their van, you’ve been compromised.

EXAM TIP    Considering the criticality of physical security controls, be extra familiar with all of the physical security controls located throughout this book. Pay extra attention to preventative security types since the most important security countermeasures are achieved preventatively.

Remote Access Policy

Today’s workers connect to the corporate network remotely nearly as often as they do locally; therefore, a policy is needed to mandate secure connections regardless of device type or network origin. Remote connections are inherently risky because user devices often connect from unprotected home or public Wi-Fi networks, so assurances must be provided that connections are secured in all circumstances. The security requirements typically include a VPN using TLS (SSL is its deprecated predecessor) or IPsec, combined with multifactor authentication. Other requirements may constrain connections by time of day, connection time limits, idle timeouts, and the network segments and servers that may be reached.

Removable Media Policy

External hard drives and, particularly, flash drives have become taboo in many organizations because of the dual threat of malicious content being brought into the organization (ingress) and sensitive content being extracted from it (egress). A removable media policy defines the permissible media types, what data types (if any) may be placed on them, any encryption requirements, and the consequences of unauthorized use. Some organizations treat unauthorized removable media on company premises as grounds for immediate termination.

Social Engineering Awareness Policy

They say that the weakest link in security is the human element. Whereas a computer will generally do what it’s told, with vulnerabilities that disappear as quickly as proper configurations or security patches are put into place, human weaknesses are far better understood by attackers and are therefore more difficult to mitigate. Unlike most security threats that are countered by technological, physical, and managerial means, social engineering countermeasures are largely an endeavor of policies, procedures, and awareness. A social engineering policy should go over terminology, common examples, frequent targets, proper responses to social engineering attacks, and ongoing employee training initiatives.

NOTE    Social engineering follows the adage that the pen is mightier than the sword. Wherever feasible, attackers will look to take advantage of “human hacking” or “no tech hacking,” as opposed to the more difficult path of breaching computer systems. It can take eons to crack long and complex passwords, but mere seconds to extract the password from a user through shoulder surfing or phishing.

Wireless Communication Policy

Virtually all organizations have wireless networks. Corporations are a given, but so are libraries, coffee shops, airports, airplanes, cars, cheap hotels, and the occasional restaurant or park. Many corporate wireless networks are bridged to the corporate wired network, and a misconfigured one is a valuable target because attackers assume wireless to be the weakest link in the chain. Organizations must create wireless security policies that define which personal and/or business mobile devices, if any, are permitted to connect to the organization’s network. Encryption and authentication requirements must also be defined, along with the types of corporate content that may be accessed. Finally, the policy must state whether access to the Internet and app stores is permitted.

Standards

Standards are required elements regarding the implementation of controls or procedures in support of a policy. They are accepted specifications that provide specific details on an objective. Some standards are externally motivated. For example, regulations for healthcare providers and financial institutions require certain security measures be taken by law. Other standards may be set by the organization to meet its own security goals. Due to their ironclad nature, it is important that—like policies—standards be reviewed on an annual or semi-annual basis to ensure ongoing alignment with policy objectives.

Guidelines

Guidelines differ from standards in that they specify optional, recommended security controls or processes. Think of them as good advice rather than orders or requirements. They give end users a generalized reference to good security practice without going into the specifics of how to carry it out.

Processes

Processes are a predictable series of steps needed to achieve an objective. For example, the process of creating a new user account in Microsoft Active Directory requires a few steps. One part of the process is the hiring of a new employee, followed by notifying the appropriate staff member to create the username and set the password, and then communicating the newly created account information to the new hire. Another process will exist to change the user’s password, disable the account, delete the account, or unlock the account. It is important that processes are well-documented and communicated to necessary staff, so that everyone can do their jobs in an efficient manner. Don’t make the mistake of creating processes unofficially and only telling people on a need-to-know basis. Document the process and communicate it to all required staff upfront.

Procedures

Procedures are operational-level, step-by-step details on how to carry out specific business processes. Because procedures sit close to day-to-day operations, even minor changes can affect their efficacy. For instance, changing the make or model of a firewall, or upgrading its software, can require changes to the procedures used to manage the firewall ruleset. The high-level policy stating which ports are open or closed remains valid, but the details of how to enact that policy through operational actions may need updating.

Procedures are different from processes in that processes explain what needs to be done, whereas procedures explain how to actually do it. They describe exactly how employees are expected to act in a given situation or to accomplish a specific task.

NOTE    If given the choice, IT and security professionals often neglect to write out procedures due to the disruptive belief that safeguarding knowledge improves job security. It is important for organizations to mandate the creation and dissemination of procedures in order to blast through such collaboration barriers.

Baselines

Think of a baseline as a point-in-time measurement of what we agree is the acceptable level of normal performance. The baseline is not necessarily an exact value but rather a “range of normal,” much like a compass needle pointing in the general direction of north. Whether that direction guides us toward an acceptable level of network performance, Internet performance, server performance, employee attrition, or a specific security posture, baselines help us stay on track or tell us when to refocus our efforts.

In everyday terms, if your baseline body temperature is 98.6 degrees Fahrenheit, then readings well above it may indicate that you are trending toward illness, and steps must be taken to bring your temperature back to (or near) the baseline. The best time to capture a baseline is when a technological or security solution is first implemented and has been verified as correctly configured. At that stage the solution is in a known-good state, and a baseline captured there lets us detect drift away from that state later.
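Two kinds of baseline come up in practice: a performance baseline expressed as a band of normal values, and a configuration baseline captured on a known-good system so that later drift can be detected. The following Python, an added example rather than code from the chapter, does both. The fourteen daily measurements and the server configuration snapshot are constructed; the three-standard-deviation band is a common starting point, not a rule from the text.

```python
"""Baseline as a 'range of normal', plus a configuration baseline with drift detection.

Added illustration, not code from the original chapter. The measurements and the
configuration snapshot below are constructed for the example.
"""
import hashlib
import json
import statistics

# Constructed: 14 daily counts of outbound DNS queries from one host, gathered
# right after deployment while the system was in a known-good state.
BASELINE_SAMPLES = [1180, 1215, 1190, 1240, 1205, 1195, 1230,
                    1210, 1185, 1225, 1200, 1220, 1198, 1212]


def baseline_range(samples, k=3.0):
    """Return (low, high) = mean +/- k standard deviations.
    This is the chapter's compass needle: a band, not a single exact value."""
    mean = statistics.mean(samples)
    sd = statistics.stdev(samples)
    return mean - k * sd, mean + k * sd


def deviates(value, band) -> bool:
    """True when a new measurement falls outside the range of normal."""
    low, high = band
    return value < low or value > high


# Constructed configuration baseline of a server at deployment time.
KNOWN_GOOD_CONFIG = {
    "listening_ports": [22, 443],
    "sshd.PasswordAuthentication": "no",
    "sshd.PermitRootLogin": "no",
    "firewall.default_policy": "drop",
}


def config_fingerprint(cfg: dict) -> str:
    """Hash of a canonical serialization, so equal configs hash equal
    regardless of key order. Cheap to store and compare at scale."""
    canonical = json.dumps(cfg, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def config_drift(baseline: dict, current: dict) -> dict:
    """Map each drifted key to (baseline_value, current_value); covers
    keys that were added, removed, or changed."""
    drift = {}
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) != current.get(key):
            drift[key] = (baseline.get(key), current.get(key))
    return drift
```

The fingerprint answers the cheap question (“has anything changed?”) and the drift report answers the expensive one (“what changed?”); a monitoring job would store the fingerprint and only compute the diff when it no longer matches.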

New Business and Environmental Changes

A major part of policy and process life cycle management stems from reviews. Policies are living documents that need to be updated as changes to the organization occur. Some of these new business changes include the following:

•   Organization acquires an organization.

•   Organization is acquired by an organization.

•   Organization merges with an organization.

•   Organization demerges from an organization.

•   Organization begins a divestiture.

Not only do business changes result in policy changes, but policy changes will also result in process changes. Since processes exist to carry out the requirements of a policy, the organization—and its security practitioners—must weigh the benefits of process modification against the negatives of risks being introduced. Just as proposed policy changes require analysis, so do process changes.

New business changes can be thought of in terms of acquisitions, mergers, and the like—yet changes to the environment will take place in the form of new products, technologies, regulatory requirements, and emerging risks. New products like smartphone apps might be added to assist customers with online orders and in-store pick-ups as well as provide support services. New applications come with a few security considerations, including access control, auditing, upgrades, patching, configuration management, training, and documentation. Product changes can be more grandiose, like in the case of Amazon. What began solely as an e-commerce organization has now expanded into separate industries, including brick-and-mortar bookstore locations, self-checkout grocery stores, video streaming, cloud computing, and literally dozens of other products. You can only imagine the scope and impact of security challenges introduced by such scale of change.

Regardless of the new business change types, security practitioners must evaluate the risks introduced prior to, during, and after the changes are implemented. They must also document their risk assessments, analysis, and mitigations to control these risks. The documentation will also serve as a knowledge base for lessons learned. Always keep in the back of your mind that policies, laws, and regulations must be considered with respect to business changes.

New Technologies

Since the early 1970s, Gordon Moore, Intel’s co-founder, has relied on his famous “Moore’s Law” to accurately predict that computing power will double roughly every two years. Yet, this progress has become, in some ways, too much of a good thing. Technology has advanced so vastly, and so quickly, that organizations often fall behind, fail to implement it correctly or fully, or neglect security entirely to expedite implementation. People had just gotten accustomed to mobile and cloud computing; now they have to wrap their heads around artificial intelligence (AI), machine learning, blockchain, Bitcoin, Internet of Things (IoT), wearables, drones, augmented reality, virtual reality, and more. It is the job of IT and security staff to ensure that organizations continue to gravitate toward these technological waves and master them. These organizations are the most likely to achieve their objectives—whereas others who cling to the old ways are headed toward certain doom. After all, nobody thought Blockbuster or Toys “R” Us would disappear.

NOTE    Smart organizations realize that through need comes invention. Customer demand should play a strong role in determining the technologies implemented by organizations and providers. Whether those customers are management level, staff level, public, or regulatory, we implement technology because others demand it of us. Too often, organizations mistakenly believe that they know what the customers want more than the customers do. Cures generally come after diseases, not the other way around.

New technology brings a wealth of benefits to the organization, and a fair share of risks. Security professionals must sit down with stakeholders to discuss and document the risks brought about by the new technology. You can learn more about technology-specific risks in the following ways:

•   Performing Internet research

•   Browsing industry magazines

•   Attending conference events

•   Contacting vendor support

This will also be a good time to review some of the previous policies we listed to ensure congruence between technology, security, and business objectives. If adjustments to the policy are needed, make those changes while also keeping an eye on the new processes that will surely come about.

There is much to consider in terms of specific risks and threats. Attackers may try to socially engineer the users in person, through e-mail, over the phone, or via social media to harvest company credentials. Malware may be specifically written for the technology, as in the case of the point-of-sale terminal malware used in the Target hack of 2013. If the technology is software-based, attackers may attempt to eavesdrop on any network traffic sent. Data might be inadvertently stored, used, or transmitted, which can cause data leakage. Plus, there are the performance, reliability, and infrastructure integration considerations that can make the technology difficult to use. Employees also have to be trained in the technology, which can be expensive.

All technologies must balance three competing factors: security, features, and ease of use. Security refers to the relative protections against risk, threats, exploits, vulnerabilities, and exposures. Features refers to the capabilities or functions of the technology. Ease of use refers to how user-friendly and easy the technology is to use. If you draw a triangle, place each of these three factors in its own corner, and place a single dot somewhere within the triangle, you are faced with an obvious dilemma:

•   When you move the dot toward security, it moves further away from features and ease of use.

•   When you move the dot toward features, it moves further away from security and ease of use.

•   When you move the dot toward ease of use, it moves further away from security and features.

As you can see, the dot can only be in one position at a time, and this position reflects the relative balance of security, features, and ease of use. The reality is, technology cannot be outstanding in all three of these areas simultaneously. In the end, we must “rob from Peter to pay Paul.” Understanding the tradeoffs between these three competing areas helps you to have the right expectations about the inevitable strengths and weaknesses of a piece of technology. You will need to evaluate the technologies through the lens of risk assessment, analysis, and mitigation to ensure you maintain a proper risk profile.

Regulatory Requirements

Organizations have to comply with various laws and regulations from the local, state, and federal government. As described at length in Chapter 1, many popular laws and regulations can apply to an organization, including HIPAA, PCI DSS, SOX, FISMA, GLBA, and so forth. Although NIST special publications are required of government and military organizations, they are often adopted voluntarily by corporations. ISO standards are voluntary rather than mandatory, yet are implemented all over the world for security’s sake, as well as to distinguish organizations from the competition. PCI DSS was created by credit card organizations and is therefore not actually a law. Despite this, certain states will treat PCI DSS as law, so you may have to personally investigate whether or not your state treats it as law.

To get a head start on learning more about the regulations that affect your organization, consider your organization’s industry, country, state, size, and partnerships, as well as whether it’s publicly or privately held. Seek assistance from HR, internal or external legal entities, or management to learn about the precise laws and regulations that apply to your organization. The survival of the organization and the avoidance of fines (and possibly a stint in jail) depend on it.

NOTE    Regulatory requirements have been discussed at length in Chapter 1.

Emerging Risks

As customer demands, technologies, and hackers continue to evolve, so too do the risks that emerge. Historically, risks have followed a bit of a pattern. In the beginning, risks primarily centered around the physical—doors, locks, surveillance, security guards, and so on. As our isolated organizations began internetworking with other organizations, risks were extended from the facility’s boundary to the network perimeter boundary. Such risks were met with perimeter security controls such as firewalls, routers, VPNs, DNS, and proxy servers—among others. Then it occurred to us that many attackers are already inside the organization, hence the proliferation of internal security controls like packet sniffers, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), security information and event management (SIEM) products, and multifactor authentication.

The present-day security landscape is, in a word, awesome—for the hacker community, that is. Attackers are now utilizing a new generation of AI to collect vast stores of information about their targets that can influence and automate the payloads of their attacking tools. For example, if the attacker is targeting passwords of an American organization headquartered in Seattle, the attacking tool could factor in the organization’s region, industry, language, demographics, cultural considerations, products, and more, to influence password guesses. Utilizing such intelligence, the password-cracking rules would automatically disqualify huge portions of password possibilities. This will greatly improve the efficacy of password attacks. We, too, will need to add AI-based security tools to our security portfolio to offset the risk of AI-based attacks.

Malware has been all over the mainstream media recently. Today’s malware frequently resorts to encrypting the victim’s files and demanding credit card or bitcoin payment, as in the case of the WannaCry crypto-malware. This kind of malware is also known as ransomware since it holds your files for ransom. Plus, malware has become smart enough to know when it’s being sandboxed inside of a virtual machine. This has resulted in malware escaping from virtual machines and attacking the hypervisors and host operating systems. Not only do we need to continue using antimalware software, but also supplementary controls like patching, next-generation firewalls, IDS, IPS, hardware security modules (HSMs), digitally signed applications, hypervisor-level firewalls, the principle of least privilege, restricted user accounts, security baselines, and much more.

NOTE    To anyone who says common sense by itself is the only malware protection you’ll ever need, keep in mind that over 300 million new pieces of malware are created every year. Furthermore, Symantec was quoted in 2014 as saying that only 45 percent of viruses are detectable with antivirus tools. Symantec’s suggestion was to utilize multiple security solutions to attack malware from several angles.

Upwards of 30–50 billion IoT devices are expected to be connected to the Internet by 2020. These devices will include wearables, communication platforms like the Amazon Echo, security systems, sensors, lighting, temperature controls, appliances, door locks, cars, and countless more. The scary part is most of these devices will have little to no security features built in or set up by default. Then there’s the fact that our devices often have built-in cameras, microphones, hard drives, and Internet connections; therefore, they’re in prime position to perform surveillance on us, while collecting and sharing our data with third parties.

The onus is on us to create and disseminate IoT policies, securely configure these devices to the extent possible, isolate them, and educate users about effective usage. Be sure to contact IoT vendors for official recommendations on implementation and use. We must also learn what data collection and sharing methods are being utilized by these devices and, if possible, disable such features. Such data collection can violate organizational security policies, which in turn can be extended to violations of laws and regulations.

Something that should scare everybody is the rise of state-sponsored hacking, also known as military or government-sponsored hacking. Given our global dependency on technology—not to mention technology’s increasing role in warfare—nations are leveraging their respective militaries to perform various espionage and hacking attacks against other nations, and sometimes against their very own people. Such cyberwarfare is repeatedly demonstrated by the superpower nations, regardless of whether or not the target is considered an ally.

Although not always related to state-sponsored hacking, there are lethal hacker groups all over the world, including Anonymous, APT28, Dragonfly, and Morpho. Some of these groups are global; others are localized to a particular region. The most famous of these, at least to the American population, is the Anonymous group. Although hackers don’t always spell out their intentions, their social media accounts sometimes include warnings and plans against their targets. For example, Lizard Squad warned Sony and Microsoft about their plans to attack their gaming networks—and shortly after, they did. Sometimes these hacker groups attack a target “just because,” and other times there are deeply rooted reasons. As a result, it’s important to do research on what the popular hacker groups are saying on social media to help anticipate and protect yourself, and others, from any forecasted attacks.

TIP    Be sure to research the latest IT security trends. For example, your Internet query could say “IT Security Trends 2019”. After reviewing multiple research sites, you’ll notice a lot of repeats. This reproduction of security trend data is a strong sign of its credibility. Gartner, CSO Online, and PCMag all put out great security trend reports for your perusal.

The moral of the story is to do research on emerging risks so you can develop policies, procedures, guidelines, and awareness on how to combat such risks and threats. Patch management continues to be a vital tool for the security of an organization because hackers often look to exploit specific hardware or software vulnerabilities. Above all, train your users and raise awareness about the current security climate. Although human beings are often considered the weakest link in security, we can greatly minimize that weakness and even turn it into a much-needed strength.

Support Legal Compliance and Advocacy by Partnering with HR, Legal, Management, and Other Entities

Policies and procedures govern the operation of the business and are in response to a set of requirements developed from both internal and external requirements. External requirements may come from laws and regulations, contractual terms such as PCI DSS, or customer specifications. Many times, the best expert with respect to a specific requirement may come from an ancillary department such as legal, HR, or marketing. Building relationships and utilizing the breadth of expertise in an organization can be of tremendous value when addressing security requirements.

Understand Common Business Documents to Support Security

Business operations involve actions between many different parties—some within an organization, and some in different organizations. These actions require communication between the parties, defining the responsibilities and expectations of the parties and the business objectives, and the environment within which the objectives will be pursued. To ensure an agreement is understood between the parties, written agreements are used. Numerous forms of legal agreements and contracts are used in business. This section covers several business documents that slant toward IT and security requirements.

Risk Assessment

A risk assessment is a documented process of determining the prioritization of responses to threats. Because resources are limited with respect to the opportunities to apply security controls, prioritization based on risk reduction ensures the best result for a given level of expenditure. For example, a risk assessment document might include assets such as company vehicles, campuses, information, and people. Other aspects of the document might include columns containing threats, vulnerabilities, risk status, risk impact, and risk mitigations.

Business Impact Analysis (BIA)

Frequently, you’ll see a business impact analysis conducted as part of a broader business continuity plan. BIAs document the various risks to an organization and the resulting impact from disasters should those risks come to fruition. By understanding all of the worst-case scenario costs, businesses can prioritize the order and timeline of critical business functions that require restoration.

EXAM TIP    BIAs must promise the recovery of critical services within expected timelines. The most critical services might require recovery within a few hours; the next level of services within one or two days; and the remaining services within a week. If the core business functions aren’t operational within a promised timeline, the organization might suffer irreparable harm. Lawsuits may soon follow due to breach of contracts.

Interoperability Agreement (IA)

Interoperability agreements are a broad category of agreements that include data, technology, and communication sharing requirements between two or more organizations. Some examples of these agreements include the following:

•   Interconnection security agreement

•   Memorandum of understanding

•   Service level agreement

•   Business partnership agreement

Interconnection Security Agreement (ISA)

An interconnection security agreement is a specialized agreement between organizations that have connected IT systems to document the security requirements associated with the interconnection. An ISA can be a part of an MOU detailing the specific technical security aspects of a data interconnection.

Memorandum of Understanding (MOU)

A memorandum of understanding (MOU) is a legal document used to describe a bilateral agreement between parties. It is a written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal. It is more formal and detailed than a simple handshake, but it generally lacks the binding powers of a contract. It is also common to find MOUs between different units within an organization to detail expectations associated with the common business interest.

Service Level Agreement (SLA)

A service level agreement (SLA) is a negotiated agreement between parties detailing the expectations between a customer and a service provider. SLAs are typically included as part of a service contract and set the level of technical expectations. An SLA can define specific services, the performance level associated with a service, issue management and resolution, and so on. These specifications should include expected response times to customer service escalations via phone or e-mail, downtime recovery expectations, and so forth. They should also include compensation requirements should service levels dip below the promised amounts.

EXAM TIP    Although SLAs are typically formal agreements between organizations, they can also be informal handshakes between internal IT departments and other business units. It is wise to assume that there is always an SLA between service providers and service consumers.

Business Partnership Agreement (BPA)

A business partnership agreement is a legal agreement between partners establishing the terms, conditions, and expectations of the relationship between the partners. These details can cover a wide range of issues, including typical items such as the sharing of profits and losses, the responsibilities of each partner, the addition or removal of partners, and any other issues. A uniform partnership act (UPA), established by state law and convention, lays out a uniform set of rules associated with partnerships to resolve any partnership terms. The terms in a UPA are designed as “one size fits all” and are not typically in the best interest of any specific partnership, so it is best to have specifics worked out in a BPA.

Operating Level Agreement (OLA)

An operating level agreement (OLA) is an internal document that defines the relationships between internal parties to support business activities. Frequently used in combination with SLAs, OLAs define the expectations inside a business to support the overall business goals established in the SLA.

Nondisclosure Agreement (NDA)

A nondisclosure agreement (NDA) is an agreement between parties defining and establishing the rules for which information can be shared. There are times when information needs to be shared between parties for a specific purpose, but where further dissemination or sharing is not desired. The parties involved can draft an NDA, detailing the information to be shared and the rights and responsibilities of all parties with respect to use of the information. Frequently these documents allow information to be shared with one of the parties, but further sharing, release, or even additional use by the party is restricted. Executed as contracts, these documents can be legally enforced, with penalties for disclosures, including damages.

Master Service Agreement (MSA)

As relationships between multiple organizations evolve in length and complexity, additional agreements are likely to be created. Future agreements run the risk of containing redundancies from previous agreements—which may slow down the agreement process—or produce contradictions and confusion. Rather than solve the issue reactively, we can proactively create an all-encompassing master service agreement to serve as the building block for future agreements, transactions, and business documents. This is important for organizations that anticipate having lengthy relationships with other businesses.

Research Security Requirements for Contracts

Despite the normalcy of businesses signing contracts with vendors, today’s security climate heightens the need for security requirements to be integrated not only into product negotiations but also in the drafting of the contracts. There’s a right and a wrong way to request information on product offerings, specifications, and pricing—in addition to knowing how to bake security requirements into contracts. Failure to observe negotiation etiquette and formalities may result in not only time wasted but also the signing of bad contracts, unnecessary security risks and gaps, and a poor relationship with the vendor. Check with legal counsel to learn the particulars of security requirements and contracts to ensure organizational and regulatory requirements are met.

Request for Proposal (RFP), Request for Quote (RFQ), and Request for Information (RFI) are three basic contract documents used in the procurement process that we are concerned with in terms of product negotiations and security requirements.

EXAM TIP    It is important to understand, but not be overly concerned with, the differences between an RFI, RFQ, and RFP.

Request for Proposal (RFP)

The RFP can be a lengthy document that takes considerable time to complete. The RFP accomplishes several goals, including informing potential vendors of a product or service that is being sought, providing specific details on what it is that the organization wishes to purchase, and providing a basis from which to evaluate interested vendors. For IT products and services, the requirements should also include specifications for expected security features that may include the following (items might not be applicable in all situations):

•   The need for personnel to have a background investigation or security clearance

•   Specific training or certification requirements for personnel

•   Regulations or standards that must be adhered to

•   Security tests or assessments that must be completed on products or networks

•   Specific firewall, router, or intrusion detection settings or reviews

•   Physical security checks

•   Software security checks

•   Threat modeling requirements

•   Security policy reviews

•   Expected best practices

Request for Quote (RFQ)

The RFQ may be used to further restrict the list of companies that will receive the full request by asking for price ranges for services or products. The RFQ may also be rolled into the full Request for Proposal.

Request for Information (RFI)

The RFI is issued by organizations seeking information regarding specific products or services in the marketplace that could be used to fill a specific need. It is often a short document and is sometimes used as a “pre-qualifier” to determine who to send follow-up requests to.

Understand General Privacy Principles for Sensitive Information

Personally identifiable information (PII) is information collected by a business for the purpose of identifying a person. Because of the rise of identity theft as a major criminal enterprise, PII has value to identity thieves. An organization has security controls to protect its data from unauthorized use and disclosure. Once an organization gathers PII, it becomes sensitive data that requires appropriate protection. The first step is to define the requirements for protection, and in the case of PII, these requirements are part of the organization’s privacy policy. Privacy is defined as the desire to control the use of one’s personal data. With respect to personal data, the organization’s privacy policy sets the terms and conditions that one should expect concerning protection of their personal data. By establishing and publishing the requirements associated with PII, an organization can ensure that the awareness of privacy requirements is spread throughout the organization and incorporated into plans, policies, and procedures.

The components of a privacy policy can vary by organization, but some common components include the following:

•   Clearly designate the elements of PII that are being collected and those that are stored.

•   Clearly state what the PII will be used for, including any transfer to third parties.

•   Designate security provisions and storage time for stored PII.

EXAM TIP    PII becomes information that requires security once an organization accepts it for use or storage. The same principles used for data security, including elements such as data minimization, can be used to protect PII.

Many of an organization’s privacy requirements will stem from laws and regulations. In Chapter 1, we talked about many laws and regulations that include privacy requirements; therefore, we will not go over them at length again. However, here is a brief reminder:

•   HIPAA   Healthcare law, including security and privacy requirements

•   GLBA   Financial law, including privacy requirements

•   FISMA   Government/military law, including privacy requirements

•   PCI DSS   Not required by federal law but may be indirectly treated as law in some states

•   EU Directive 2002/58/EC and Directive 2009/136/EC   EU legal requirements aimed at ISPs and telecommunication companies

•   GDPR   EU law affecting many EU and potentially non-EU nations, for the privacy protections of people and businesses

Since organizations must incorporate some of these laws into their privacy policies, such policies will incorporate much of the “legalese” into their documentation. Many of the privacy principles inherent in policies are for the protection of an individual’s PII.

An effective way to get started with the management of PII is to conduct a privacy impact analysis (PIA), which is a structured framework used to determine the level of risk associated with the collection, handling, and storage of PII. The PIA is used to evaluate privacy risks so that they can be compared to business risks and allow appropriate decisions to be made. The PIA does not change the process associated with protecting PII; it only defines a method of determining accountability and compliance levels with respect to security requirements defined for PII.

In Chapter 1, we briefly highlighted the General Data Protection Regulation (GDPR) law. This legislation is, perhaps, the most significant privacy law of its kind in decades. Drafted in the European Union (EU) in April 2016 and fully implemented as of May 2018, it promises to unify the data privacy laws for the EU, while also simplifying the rules for people and organizations. It also promises to impose stiff penalties for noncompliance. It applies to all forms of personally identifiable information, including names, financial details, e-mail addresses, social media content, medical information, location data, IP addresses, and much more.

Support the Development of Policies Containing Standard Security Practices

Policies are developed in response to a perceived need for guidance due to some driving force. This driving force can be in the form of requirements, from either an internal or external source. The driving force can come from senior management in an effort to communicate corporate goals and objectives. For many policies, such as the security policy, this is important because buy-in by senior management is essential. For other policies, such as a remote access policy, the source may be the security department because the required level of technical expertise will not be readily available from senior executives.

The challenge for policies drafted from the bottom up is to get senior management buy-in. When the wording of a policy is presented in a form that makes sense in business terms, is clearly aligned with the organization’s overall goals and objectives, and can be seen to specifically support these goals and objectives, the policy is a better candidate for senior executive buy-in.

Since policies—and their subsequent glories—ultimately stem from executives, so can liabilities. When policies, or even laws and regulations, are violated, executives may share culpability with the original offender. Although executives may not have explicitly done something wrong, they may have failed to effectively enforce the policies. Executives must exercise a certain degree of due care and due diligence in order to offset their liability for someone else’s policy violation.

Prudent Person Principle

The concepts of due care and due diligence are connected. Due care addresses whether the organization has a minimal set of policies that provides reasonable assurance of success in maintaining security. Due diligence requires that management actually do something to ensure security, such as implement procedures for testing and review of audit records, internal security controls, and personnel behavior. The standard applied is one of a “prudent person.” Would a prudent person find the actions appropriate and sincere? To apply this standard, all one has to do is ask the following question for the issue under consideration: “What would a prudent person do to protect and ensure that the security features and procedures are working or adequate?” Failure of a security feature or procedure doesn’t necessarily mean the person acted imprudently.

It is clear that senior management plays a stronger role in the drafting of security policies than just giving their approval. In addition to the enforcement, testing, and auditing requirements, there are certain security practices that should be baked into organizational policies. What follows are several of the most important standard security practices.

Separation of Duties

Separation of duties is a tried-and-true method of handling sensitive or high-value transactions. The basic principle is that for any high-value or sensitive transaction, a minimum of two personnel are required to perform the function. Put another way, if the intentions of the personnel are negative, the two-person requirement means that collusion would be needed to achieve a nefarious end. Additionally, these transactions need to be designed so that a single party or group cannot both approve and execute the transaction, thus forcing a form of checks and balances.
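The two-person rule and the “cannot both approve and execute” rule described above, as an added example that is not part of the original text: a hypothetical transaction workflow that refuses self-approval, requires a distinct approver for high-value transactions, and blocks execution by any approver or by anyone in an approver’s department. The names, departments, and the 10,000 threshold are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class SeparationOfDutiesError(Exception):
    """Raised when one party (or one group) would fill two roles in a transaction."""


@dataclass
class Transaction:
    txn_id: str
    amount: float
    requested_by: str
    approvals: Set[str] = field(default_factory=set)
    executed_by: Optional[str] = None


class TransactionWorkflow:
    """Hypothetical two-person control for transactions at or above `threshold`.

    Rules enforced:
      * the requester may never approve their own transaction;
      * a high-value transaction needs at least `min_approvers` distinct approvers;
      * the executor may not be one of the approvers (no single party approves
        and executes);
      * with `separate_departments`, the executor's department must differ from
        every approver's department (no single group approves and executes).
    """

    def __init__(self, threshold: float, department_of: Dict[str, str],
                 min_approvers: int = 1, separate_departments: bool = True):
        self.threshold = threshold
        self.department_of = department_of
        self.min_approvers = min_approvers
        self.separate_departments = separate_departments

    def is_high_value(self, txn: Transaction) -> bool:
        return txn.amount >= self.threshold

    def approve(self, txn: Transaction, approver: str) -> None:
        if txn.executed_by is not None:
            raise SeparationOfDutiesError(f"{txn.txn_id} already executed")
        if approver == txn.requested_by:
            raise SeparationOfDutiesError(f"{approver} cannot approve their own request")
        txn.approvals.add(approver)  # a set, so one person counts once

    def execute(self, txn: Transaction, executor: str) -> bool:
        if txn.executed_by is not None:
            raise SeparationOfDutiesError(f"{txn.txn_id} already executed")
        if self.is_high_value(txn):
            if len(txn.approvals) < self.min_approvers:
                raise SeparationOfDutiesError(
                    f"{txn.txn_id} has {len(txn.approvals)} approval(s), "
                    f"needs {self.min_approvers}")
            if executor in txn.approvals:
                raise SeparationOfDutiesError(
                    f"{executor} approved {txn.txn_id} and cannot also execute it")
            if self.separate_departments:
                exec_dept = self.department_of[executor]
                same_group = {a for a in txn.approvals
                              if self.department_of[a] == exec_dept}
                if same_group:
                    raise SeparationOfDutiesError(
                        f"{executor} and approver(s) {sorted(same_group)} are all "
                        f"in {exec_dept}; another department must execute")
        txn.executed_by = executor
        return True


# Constructed staff directory for the example (hypothetical people).
DEPARTMENTS = {"alice": "sales", "bob": "finance", "carol": "finance", "dave": "treasury"}


if __name__ == "__main__":
    wf = TransactionWorkflow(threshold=10_000, department_of=DEPARTMENTS)
    big = Transaction("T2", 50_000.0, requested_by="alice")
    wf.approve(big, "bob")
    for who in ("alice", "bob", "carol", "dave"):
        try:
            wf.execute(big, who)
            print(f"{who}: executed {big.txn_id}")
        except SeparationOfDutiesError as err:
            print(f"{who}: refused ({err})")
```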

Job Rotation

Job rotation policies can serve a number of useful functions. Cross-training, a requirement before shifting jobs, provides a risk-reducing cushion in the form of a better-trained staff. This periodic movement of employees from one job to another can assist in reducing boredom and burnout, as well as reducing risk due to employee fraud. In small organizations, where many jobs are covered by a single person, job rotation provides additional qualified personnel for periods of vacation and illness. Nobody wants to be contacted during vacation because the staff members back at the office are unfamiliar with vital procedures.

Mandatory Vacation

Organizations have provided vacation time to their employees for many years. Few, however, force employees to take this time if they don’t want to. At some companies, employees are given the choice to either “use or lose” their vacation time. From a security standpoint, an employee who never takes time off increases the potential risk associated with their job. The employee might be involved in nefarious activities, such as fraud or embezzlement, and might be afraid that if they leave on vacation, the organization will discover their illicit activities. As a result, requiring employees to use their vacation time through a policy of mandatory vacations can help expose malicious activities. In the financial world, among banks and other financial organizations, not only are mandatory vacations required, but minimum lengths are set to ensure other employees have to take over critical actions.

Least Privilege

Two common security principles are that of “need to know” and “least privilege.” The guiding factor here is that each individual in the organization is supplied with only the absolute minimum amount of information and privileges needed to perform their work tasks. To obtain access to any piece of information, the individual must have a justified need to know. Least privilege means the individual will be granted only the bare minimum amount of privilege necessary to perform their job. A policy spelling out these two principles as guiding philosophies for the organization should be created. The policy should also address who in the organization can grant access to information or assign privileges to employees.

TIP    Personnel who require root- or administrator-level permission for specific job functions should not log in directly using these special accounts. Users should log in with their normal credentials and use tools such as sudo or Run as Administrator to accomplish the specific functions requiring higher access. This reduces risk through accidents and enables clear logging and tracking of activity by user.
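As an added example (not from the chapter), a short Python review of auth.log-style lines shows the logging point of the tip: sudo records which person ran which privileged command, while a direct login to root leaves only "root" in the record. The log lines, host name, user names and addresses are constructed for this example.

```python
"""Added example: tie privileged activity back to individual users from auth logs."""
import re
from dataclasses import dataclass, field

# Constructed sample lines in Linux auth.log style (host, users and addresses are made up).
SAMPLE_AUTH_LOG = """\
Mar  3 09:14:02 host1 sshd[2100]: Accepted password for alice from 192.0.2.7 port 50112 ssh2
Mar  3 09:14:30 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:20:45 host1 sshd[2201]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2
Mar  3 09:21:10 host1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 09:30:00 host1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 09:31:12 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/nginx/error.log
"""

# sudo's standard log line; the optional middle field carries a denial reason.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?:(?P<denied>[^;]+?) ; )?"
    r"TTY=\S+ ; PWD=\S+ ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
# sshd's successful-login line.
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")


@dataclass
class ReviewResult:
    commands_by_user: dict = field(default_factory=dict)   # person -> [commands run via sudo]
    denied: list = field(default_factory=list)             # (person, command) refused by sudo
    direct_privileged_logins: list = field(default_factory=list)  # (account, source address)


def review_auth_log(text: str, privileged_accounts=("root",)) -> ReviewResult:
    """Attribute privileged actions to people and flag logins straight into shared accounts."""
    result = ReviewResult()
    for line in text.splitlines():
        m = SSH_RE.search(line)
        if m:
            # A login as root (or another shared privileged account) cannot be tied to a person.
            if m["user"] in privileged_accounts:
                result.direct_privileged_logins.append((m["user"], m["src"]))
            continue
        m = SUDO_RE.search(line)
        if m:
            if m["denied"]:
                result.denied.append((m["user"], m["cmd"]))
            else:
                result.commands_by_user.setdefault(m["user"], []).append(m["cmd"])
    return result


def findings(result: ReviewResult) -> list:
    """Human-readable review notes, one per item worth a second look."""
    notes = [f"direct login to privileged account {acct!r} from {src}: not attributable to a person"
             for acct, src in result.direct_privileged_logins]
    notes += [f"{user} attempted a disallowed escalation: {cmd}" for user, cmd in result.denied]
    for user, cmds in sorted(result.commands_by_user.items()):
        notes.append(f"{user} ran {len(cmds)} privileged command(s) via sudo")
    return notes


if __name__ == "__main__":
    for note in findings(review_auth_log(SAMPLE_AUTH_LOG)):
        print(note)
```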

Incident Response

Incident response is a team-led activity of preventing, detecting, and responding to security breaches. The key aspects are detection and response. It requires significant advance planning for successful execution. This is a complex event that requires coordination between multiple work entities, which makes it an ideal candidate to establish and communicate expectations via a policy such as an incident response policy. The policy defining roles and responsibilities for incident response will establish the governing authority for management to use resources appropriately. The policy should establish responsibilities for incident response team formation, activities, and reporting. The policy should establish responsibility for the development of incident response plans. This is a technically driven policy, but one that ultimately can touch every aspect of an organization and, as such, requires strong senior management support and backing.

Forensic Tasks

Digital forensics is a task involving the collection and preservation of digital evidence. It is highly dependent on exacting steps that need to be performed before data can be damaged or destroyed. This requires significant coordination across business units, requiring the roles and responsibilities to be detailed in a policy statement. In an e-discovery case, the notice that data needs to be preserved will first reach the general counsel’s office. From there, many departments can potentially become involved, including legal, IT, networking, and assorted business units, depending on the nature of the request. Ensuring that the enterprise can react in a coordinated and appropriate manner requires extensive coordination between multiple parties. These coordination requirements can be presented in the policy, engaging the management of the separate elements to work together and improve the organization’s response.

Employment and Termination Procedures

The people inside the building present the greatest security risk to the organization. With essentially unlimited access to organizational assets, employees are in a prime position to do damage. To combat this, organizations must take precautions at all stages of the recruiting and hiring processes, including the following:

•   Careful crafting of job descriptions on the Internet and with recruiting agencies

•   Thorough interviewing

•   Conducting employee background checks, calling references, checking credit history, and testing for drugs

•   Employee training

•   An onboarding process that includes reading, understanding, consenting to, and signing security policies

•   Mandating the wearing of ID badges at all times

•   Restricting access to all areas not explicitly required by employees

•   Implementing separation of duties to limit privileges

•   A security offboarding process that includes an exit interview, the turning over of all company materials, the disabling of all accounts, the signing of a nondisclosure agreement, and, if necessary, secure escort off the premises

CAUTION    It is important to have the appropriate expectations with regard to policy outcomes. Despite perfect execution of policies, bad stuff can and will likely happen anyway; therefore, don’t make false promises. Our job is to minimize risks to organizations.

Continuous Monitoring

Continuous monitoring in any system takes place after initial system security implementation. It involves tracking changes to the information system that occur during its lifetime and then determining the impact of those changes on the system security controls. Continuous monitoring reduces the latency between system changes and security changes to a minimal period. This requires greater intervention on the part of security professionals, but is built around the idea of a bunch of small changes rather than major implementations described by the certification and accreditation process. The true goal of continuous monitoring is the maintenance of an ongoing understanding of the exact security posture of the organization.

Continuous monitoring requires a significant level of automation to facilitate the level of monitoring and decision making required to keep abreast of the myriad changes a system faces in use. As the threat environment changes, this can lead to security changes. As the system is adapted through minor changes or interconnected to other systems, system-level interactions can result in security changes. To manually subject a system to complete reviews through a certification and accreditation process is neither feasible nor desirable. The business requirement is to maintain levels of risk commensurate with the reward associated with the system, and this business decision requires analysis of how a system stands as it is being operated, not just at static intervals.

Automation of elements such as log collection and analysis, patch and antivirus updating, user auditing, and threat monitoring can assist security personnel in deploying their resources where they can best influence the required level of change necessary to keep risk at a responsible and acceptable level. Additional information can be found on NIST’s website.

The continuous monitoring process involves the following activities:

•   Configuration management and control

•   Documentation of information system changes

•   Security impact analysis

•   Security control monitoring and impact analysis of changes to the information system

•   Security control selection

•   Selected security control assessment

•   Status reporting and documentation

•   System security plan update

•   Plan of action and milestones update

•   Status reporting

The objective of these tasks is to observe and evaluate the information system security controls during the system life cycle. These tasks determine whether the changes that have occurred in the information system will negatively impact the system security.

Ongoing Security

Security is not a destination, but a manner of travel. In this regard, what becomes important is the sets of activities employed to achieve continuous security-monitoring solutions. Because the system will change with new technologies, and the threat environment changes due to the shifting nature of adversaries, it is important to have a coordinated effort that can move protection priorities in response to the shifting threat landscape and requirements. These activities can be coordinated and communicated with respect to roles and responsibilities in the form of a corporate policy for ongoing security operations.

Training and Awareness for Users

Users can represent both a strength and a weakness for a system’s security. One of the strongest tools to improve the security posture of users is a robust security awareness program. Training and awareness of phishing, attacks, and consequences to the enterprise can enable users to become a useful security advantage. Establishing the training and awareness program via policy, and initiated at the time of employee hiring, will assist in communicating the business value to all concerned.

EXAM TIP    Periodic refresher training is important, too. Many government organizations have created security awareness posters to constantly remind individuals of social engineering as a possible avenue of attack. Security newsletters, often in the form of e-mail, have also been used to remind employees of their security responsibilities.

An important element that should be stressed in training about social engineering is the type of information that the organization considers sensitive and that may be the target of a social engineering attack. There are signs that the organization could point to as indicative of an attacker attempting to gain access to sensitive corporate information. All employees should be aware of these indicators because they are the first line of defense. The scope of information that an attacker may ask for is very large, and many questions attackers pose might also be legitimate in another context (asking for the phone number of an employee, for example). Employees should be taught to be cautious about revealing personal information and should especially be alert for questions regarding account information, personally identifiable information, and passwords.

Auditing Requirements and Frequency

Security is accomplished by designing control systems and implementing these systems as part of ongoing operations. Although this looks great conceptually, there are numerous opportunities for this system to fail to provide the desired level of protection. An internal audit functions as a set of checks and balances to ensure that the desired level of security control is actually present and functioning as designed. What systems need to be audited, how often, how are results handled? These are all simple questions with complex answers that cut across multiple business lines. An internal audit policy can communicate to all participants what the required expectations are and what responsibilities are assigned to which entities. This is the place to provide detailed references back to all applicable laws, regulations, and any other higher-level security requirements by which the organization may be audited for compliance. In addition, this is where the organization should set its own auditing requirements and the frequency with which it will perform self-assessments or have external audits. Because the security environment is ever-changing, a robust audit process can be used to ensure that the security responses are aligned with the shifting threat environment.

Information Classification

Important to many corporations, governments, and militaries is the need to formally classify information. Classifications are specialized security labels placed on assets like files and folders to indicate their value and sensitivity. Understanding the criticality and sensitivity of our data allows us to assign the appropriate security controls to that data—chiefly in the areas of access control, auditing, data retention, archival, and data destruction. More critical and sensitive materials will require more rigorous security controls.

Government and military environments are strictly regulated in their usage of classifications. This ensures that all the different branches of government, government agencies, and the military can agree on what they mean by the word “Classified.” For legal, documentation, process, and communication purposes, the following classification structure is frequently used by the U.S. government:

1.   Top Secret

2.   Secret

3.   Confidential

4.   Public Trust (sensitive material but unclassified)

5.   Unclassified (not sensitive material and unclassified)

NOTE    Classifications at or above Confidential are collectively considered “Classified.” For example, if someone does not have clearance to access Top Secret, Secret, or Confidential materials, they will be told, “You cannot access those materials because they are classified.”

The classifications given to files are based on the relative dangers presented to national security if materials are unlawfully accessed, disclosed, modified, stolen, lost, or damaged. If Top Secret materials are compromised, this could cause “exceptionally grave damage to national security.” If Secret materials are compromised, this could cause “serious damage to national security.” The danger to national security is proportionally decreased as you progress backward through the remaining classifications, like Confidential, Public Trust, and Unclassified.

Businesses unrelated to government and military have more freedom with regard to file classifications. You’ll frequently see variations of classifications (listed from the highest to lowest levels) like Confidential, Private, Sensitive, and Public. Other than their naming differences, the purposes behind these file classifications are the same as the ones listed earlier for the government and military.

Chapter Review

In a nutshell, this chapter provided a comparison and contrasting of security policies, privacy policies, and procedures based on organizational requirements. Organizations are always being battered about on the ocean of change, with many ups and downs to disrupt their risk profile. Security professionals must proactively head off the risks introduced by changes, as per the requirements of security policies.

We started from the beginning by going over policy and process life cycle management concepts, which included extensive coverage of a few dozen security policies. With organizational changes so frequent, policies serve as a rulebook to help guide our security efforts during times of change and uncertainty. Such changes will involve new business opportunities, technologies, environmental changes, regulatory requirements, and emerging risks. Once these changes have been properly weighed and measured, as per security policy requirements, we then covered supporting legal compliance and advocacy by partnering with human resources, legal, management, and other entities. Top-down policy management is the best route to go, since alignment of business objectives and security objectives can be evangelized by both a common set of decision makers and a unified language and communication style. When business goals and security goals are joined at the hip, organizations are more likely to succeed.

We then discussed common business documents to support security, including risk assessments, business impact analysis, interoperability agreements, interconnection security agreements, memorandums of understanding, service level agreements, operating level agreements, nondisclosure agreements, business partnership agreements, and master service agreements. The key to these documents is ensuring that your organization (consumer) and third parties (provider) fully understand and agree on their respective roles and responsibilities to one another. Each side must put certain promises in writing; define leadership, communication practices, and contact information; and communicate requirements during failures, security responsibilities, contingency plans during failures, ownership of processes and procedures, and termination requirements. Each of these documents also plays a critical role in documenting, establishing, and implementing various security requirements for both the local and other organizations.

Speaking of other organizations, we also covered the researching of security requirements for contracts, including Request for Proposal, Request for Quote, and Request for Information. When negotiating with other organizations regarding product availability, product features, and product pricing, not only do you need to know what you’re talking about, but you have to “play the game” when it comes to formal documentation and negotiation tactics.

We touched on privacy policy requirements, including documentation efforts and the collection and sharing requirements of personally identifiable information. Since privacy policies are written in large part for the identification and protection of PII, it is important that everyone agrees on what PII is, and the unique risk and threats to it, so that people have a better understanding of, and sense of urgency for, how to safeguard it from unauthorized access or disclosure.

The final section of the chapter focused on supporting the development of policies containing standard security practices, including separation of duties, job rotation, mandatory vacation, least privilege, incident response, forensic tasks, employment and termination procedures, continuous monitoring, training and awareness for users, auditing requirements and frequency, and, finally, information classification. Many of those policy requirements help to prevent security breaches by limiting the privileges of individuals, in addition to exposing nefarious activities through forced vacations and job rotations. A big part of security policy requirements is the logging or auditing of human activities as well as determining the appropriate accountability for the actions taken in those logs. Although not as important as the prevention of breaches, the detection of breaches is still a very important security goal because you cannot prevent all breaches.

Chapter 3 covers risk mitigation strategies and controls. This is an important transition from the previous chapters because they largely focus on the managerial and documentation requirements that vaguely say we need to implement security controls. The topics of Chapter 3 put us on a path to the actual implementation of those required security controls to protect our assets.

Quick Tips

The following tips should serve as a brief review of the topics covered in more detail throughout the chapter.

Policy and Process Life Cycle Management

•   Organizations are forced to evolve on operational, tactical, and strategic levels due to various internal and external changes.

•   Security policies are documents that provide the foundation for organizational security goals.

•   Policies created by organizations are a reflection of the external laws and regulations that apply to the organization.

•   Policy life cycle management involves the creation, usage, and retirement of policies.

•   Perform a risk assessment to identify risks to organizational assets.

•   Utilize policy templates to guide policy creation.

•   Seek policy input from executives and other stakeholders.

•   Establish penalties for policy violations.

•   Publish the policy to all employees in the organization.

•   Ensure staff members read, understand, and sign the policy.

•   Utilize technology to enforce policies whenever possible.

•   Educate staff about the policy contents.

•   Schedule reviews for the policy on an annual or semi-annual basis.

•   Retire the policy when it’s no longer applicable.

•   Organizational policies focus on matters that relate to all aspects of an organization.

•   System-specific policies focus on specific computers or network systems, and the necessary security controls that protect them.

•   Issue-specific policies focus only on specific organizational issues such as department issues, business products, processes, and others.

•   Regulatory policies ensure that organizations are following the legal requirements of a compliance law.

•   Advisory policies provide strong recommendations as to the appropriate behaviors and actions that can be exhibited by employees.

•   Informative policies are gentle recommendations or reminders for employees to consider.

•   Standards are required elements regarding the implementation of controls or procedures in support of a policy.

•   Guidelines specify optional and recommended security controls or processes to be followed.

•   Processes are a predictable series of steps needed to achieve an objective.

•   Procedures are operational-level, step-by-step details on how to achieve specific business processes.

•   Baselines are a point-in-time measurement of what we agree is the acceptable level of normal performance.

•   Policies need to be consulted and periodically revised due to changes to the business, including new business, technologies, environmental changes, regulatory requirements, and emerging risks.

Support Legal Compliance and Advocacy by Partnering with Human Resources, Legal, Management, and Other Entities

•   Policies are often driven by a combination of internal and external requirements.

•   The security requirements of policies are often best described by other departments within your organization, including human resources, legal, management, or others.

•   Relationships with other business units, and utilization of their skill sets, are vital to the success of an organization’s security program.

Understand Common Business Documents to Support Security

•   Business operations involve actions between many different parties.

•   Numerous forms of legal agreements and contracts are used in business.

•   Risk assessments are a documented process of determining the prioritization of responses to threats.

•   Business impact analysis documents the various risks to an organization and the resulting impact from disasters should those risks come to fruition.

•   Interoperability agreements are a broad category of agreements that include data, technology, and communication sharing requirements between two or more organizations.

•   Interconnection security agreements are specialized agreements between organizations that have connected IT systems to document the security requirements associated with the interconnection.

•   Memorandums of understanding are legal documents used to describe a bilateral agreement between parties.

•   Service level agreements are negotiated agreements between parties detailing the expectations between a customer and a service provider.

•   Operating level agreements are internal documents that define the relationships between internal parties to support business activities.

•   Nondisclosure agreements are agreements between parties defining and establishing the rules for which information can be shared.

•   Business partnership agreements are a type of legal agreement between partners establishing the terms, conditions, and expectations of the relationship between the partners.

•   Master service agreements are all-encompassing agreements between multiple organizations that serve as the building blocks for future agreements, transactions, and business documents.

Research Security Requirements for Contracts

•   A business partnership agreement is a legal agreement between partners establishing the terms, conditions, and expectations of the relationship between the partners.

•   Contract signings with other businesses require formal documentation requests and security requirements to be baked into the contracts.

•   Requests for Proposal accomplish several goals, including informing potential vendors of a product or service that is being sought, providing specific details on what it is that the organization wishes to purchase, and providing a basis from which to evaluate interested vendors.

•   A Request for Quote may be used to further restrict the list of companies that will receive the full request by asking for price ranges for services or products.

•   Requests for Information are issued by organizations seeking information regarding specific products or services in the marketplace that could be used to fill a specific need.

Understand General Privacy Principles for Sensitive Information

•   Personally identifiable information is information collected by a business for the purpose of identifying a person.

•   Once an organization gathers PII, it becomes sensitive data that requires appropriate protection.

•   Privacy is the desire to control the use of one’s personal data.

•   Establishing and publishing the requirements associated with PII allows an organization to ensure that the awareness of privacy requirements is spread throughout the organization and incorporated into plans, policies, and procedures.

•   Organizations must clearly designate the elements of PII that are being collected and those that are stored.

•   Organizations must clearly state what the PII will be used for, including any transfer to third parties.

•   Organizations must designate security provisions and storage time for stored PII.

Support the Development of Policies Containing Standard Security Practices

•   Policies are developed in response to internal and external requirements.

•   Policies are best created and implemented with top-down support.

•   Due care addresses whether the organization has a minimal set of policies that provides reasonable assurance of success in maintaining security.

•   Due diligence requires that management actually do something to ensure security, such as implement procedures for testing and review of audit records, internal security controls, and personnel behavior.

•   Separation of duties requires multiple individuals to work together to complete a single function.

•   Job rotation provides cross-training benefits in addition to reducing employee fraud.

•   Mandatory vacations force employees to take time off in order to possibly expose malicious activities that can only be concealed while employees are actively working.

•   Least privilege ensures that each individual in the organization is supplied with only the absolute minimum amount of information and privileges needed to perform their work tasks.

•   Incident response is a team-led activity of preventing, detecting, and responding to security breaches.

•   Forensic tasks involve the collection and preservation of digital evidence.

•   Employment and termination procedures require organizations to take precautions at all stages of the recruiting and hiring processes to ensure that the best people are selected to work for the organization.

•   Continuous monitoring involves tracking changes to the information system that occur during its lifetime and then determining the impact of those changes on the system security controls.

•   Ongoing security is a coordinated effort that can move protection priorities in response to the shifting threat landscape and requirements.

•   User training and awareness ensure employees understand what security expectations are placed on them so that they can better protect the organizational assets and business objectives of the company.

•   Auditing requirements and frequency function as a set of checks and balances to measure that the desired level of security control is actually present and functioning as designed.

•   Information classification is a specialized security label placed on assets like files and folders to indicate their criticality and sensitivity to an organization.

Questions

The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question.

1.   Establishing security controls that require multiple employees to complete a task is an example of what?

A.   Mandatory vacations policy

B.   Least privilege

C.   Separation of duties

D.   Job rotation

2.   Senior management has decided to restrict access to social media sites such as Facebook and Twitter. To accomplish this, administrators will perform which of the following security practices on users?

A.   Least privilege

B.   Defense in depth

C.   Separation of duties

D.   PII restrictions

3.   To ensure proper privacy protections are in place in an organization, which of the following business documents are used?

A.   BPA

B.   NDA

C.   ISA

D.   PIA

4.   To ensure that business processes are not dependent on single employees, senior management has decreed that for designated sensitive positions, people must change jobs every six months. This is an example of what?

A.   Separation of duties

B.   Principle of least privilege

C.   Performing a PIA

D.   Job rotation

5.   Which of the following security principles can management implement to communicate high-level goals and objectives to the workforce?

A.   Standards

B.   Guidelines

C.   Policies

D.   NDA

6.   Two parties need to document an agreement associated with pursuing a common action. Which document would they use?

A.   SLA

B.   BPA

C.   NDA

D.   MOU

7.   A new piece of equipment is placed into production to improve security during the communication of orders between internal organizations. Which of the following documents would need updating?

A.   Procedures

B.   ISA

C.   NDA

D.   MOU

8.   Which of the following security policies is most appropriate for requiring that all sensitive paperwork be kept out of plain sight at your work area?

A.   Access control policy

B.   Clean desk policy

C.   Physical security policy

D.   Removable media policy

9.   True or false? A business impact analysis specifies data, technology, and communication sharing requirements between two or more organizations.

A.   True

B.   False

10.   When considering the product offerings of a vendor, which of the following requests are you likely to generate first?

A.   Request for Proposal

B.   Request for Quote

C.   Request for Information

11.   As the new Chief Privacy Officer, you are tasked with protecting PII. Your first step would be to do what?

A.   Collect PII securely.

B.   Store PII securely.

C.   Perform a PIA.

D.   Create a privacy policy.

12.   As the head of the database group, you have a responsibility to provide data for enterprise applications. To meet overall SLAs, your group must provide services that are in alignment with them. To communicate these requirements, what would be the best vehicle?

A.   OLA

B.   Subordinate SLA

C.   MOU

D.   BPA

13.   You have been tasked with setting up a partner program where participants are bound by the rules of the program. The best vehicle would be which of the following?

A.   MOU

B.   Implicit contract

C.   BPA

D.   ISA

14.   A new regulation has been issued that applies to your operations. Which of the following are used to document the required changes? (Choose all that apply.)

A.   Policies

B.   Procedures

C.   Standards

D.   PIA

15.   Common components of a privacy policy include which of the following? (Choose all that apply.)

A.   Clearly designating the elements of PII that are being collected and those that are stored

B.   Clearly stating what the PII will be used for, including any transfer to third parties

C.   Designating security provisions and storage time for stored PII

D.   Cost benefit analysis

16.   Which of the following policy types focuses on specific organizational issues such as department issues, business products, and processes?

A.   Organizational policies

B.   System-specific policies

C.   Issue-specific policies

D.   Administrative-specific policies

17.   Which of the following indicates the difference between advisory and informative policies?

A.   Advisory policies provide strong recommendations as to the appropriate behaviors and actions that can be exhibited by employees. Informative policies are gentle recommendations or reminders for employees to consider.

B.   Informative policies provide strong recommendations as to the appropriate behaviors and actions that can be exhibited by employees. Advisory policies are gentle recommendations or reminders for employees to consider.

18.   True or false? Master service agreements are designed to serve as a single agreement that prevents the need for future agreements.

A.   True

B.   False

19.   The Chief Security Officer of a large corporation is curious as to how information classification levels are ranked in federal government environments. She is hoping that by duplicating a federal classification system, overall file security for the corporation can be improved. From most sensitive data to least sensitive, what order of information classifications would you advise her of?

A.   Public Trust, Top Secret, Secret, Confidential, Unclassified

B.   Confidential, Top Secret, Secret, Public Trust, Unclassified

C.   Top Secret, Secret, Confidential, Public Trust, Unclassified

D.   Top Secret, Confidential, Secret, Public Trust, Unclassified

20.   As part of a merger, your organization acquired a smaller organization that has specialized SLAs with its customer base. Now that the two IT systems are connected, which of the following can you use to document the security requirements between the two systems?

A.   SLA

B.   OLA

C.   ISA

D.   BPA

Answers

1.   C. The use of multiple people to complete a task is known as separation of duties, which creates an opportunity for checks and balances.

2.   A. Assuming social media is not required for the job, least privilege means granting access only to what is needed to perform work functions.

3.   D. A privacy impact assessment (PIA) is used to determine whether privacy-related data is properly handled.

4.   D. Job rotation involves the moving of people among jobs in an organization to reduce the risk of only one person knowing/performing a particular task.

5.   C. Policies are the documents used by management to communicate high-level goals and objectives.

6.   D. An MOU is a written agreement defining a common cause and actions on behalf of parties.

7.   A. Procedures are work-level step-by-step documentation that is dependent on the people, technology, and task. A change of equipment would necessitate a new procedure.

8.   B. Clean desk policies require that all sensitive materials on your desk, including PII and other sensitive data types, be locked away and kept out of plain sight of unauthorized users.

9.   B. A business impact analysis documents the various risks to an organization and the resulting impact from disasters.

10.   C. Request for Information is considered a “pre-qualifier” for future proposal and quote requests.

11.   D. The first step is to define the privacy policy because this provides the needed guidance for all privacy activities.

12.   A. An operating level agreement (OLA) is an internal document that defines the relationships between internal parties to support business activities.

13.   C. A business partner agreement (BPA) contains the complete terms and conditions that both partners agree to be bound by as participants in the partner program. The program is set in motion once the application to participate is accepted by both partners.

14.   A, B. Changes in regulation can create the need for new policies and procedures.

15.   A, B, C. The components of a privacy policy can vary by organization, but some common components include clearly designating the elements of PII that are being collected and those that are stored; clearly stating what the PII will be used for, including any transfer to third parties; and designating security provisions and storage time for stored PII.

16.   C. Issue-specific policies target issues at the department, product, and process levels.

17.   A. Advisory policies provide strong recommendations as to the appropriate behaviors and actions that can be exhibited by employees. Informative policies are gentle recommendations or reminders for employees to consider.

18.   B. Master service agreements are all-encompassing agreements between multiple organizations that serve as the building blocks for future agreements, transactions, and business documents.

19.   C. Government and military environments typically use Top Secret, Secret, Confidential, Public Trust, and Unclassified as their most-sensitive-to-least-sensitive classification levels.

20.   C. An interconnection security agreement (ISA) is a specialized agreement between organizations that have connected IT systems to document the security requirements associated with the interconnection.
