WEBVTT

00:00.000 --> 00:02.475
>> A few additional
policies to be aware of.

00:02.475 --> 00:04.410
Usually within an organization,

00:04.410 --> 00:06.120
there are system-specific policies

00:06.120 --> 00:08.175
and issue specific policies.

00:08.175 --> 00:10.260
We have certain policies
for web servers

00:10.260 --> 00:12.195
that are different from
domain controllers,

00:12.195 --> 00:14.820
which are different from
end-user workstations.

00:14.820 --> 00:17.205
We may have different
policies for each.

00:17.205 --> 00:19.230
For issue specific policies,

00:19.230 --> 00:20.460
we've talked about the need for

00:20.460 --> 00:22.470
a change management policy and

00:22.470 --> 00:24.300
how there has to be
an orderly procedure

00:24.300 --> 00:26.175
to request and approve changes.

00:26.175 --> 00:28.830
We also mentioned the
acceptable use policy that

00:28.830 --> 00:31.950
dictates how employees are
to use company resources.

00:31.950 --> 00:34.245
The next thing for
privacy policy,

00:34.245 --> 00:36.960
we can certainly have policies
for private information

00:36.960 --> 00:38.480
of our customers and how we

00:38.480 --> 00:40.520
store and protect that
private information,

00:40.520 --> 00:41.780
but we also have to think about

00:41.780 --> 00:43.430
the privacy of our employees.

00:43.430 --> 00:46.010
Do we have a business
need to monitor email?

00:46.010 --> 00:48.890
Do you have a business need
to record phone calls?

00:48.890 --> 00:50.225
If so, that's fine.

00:50.225 --> 00:52.070
But one of the most
important elements of

00:52.070 --> 00:53.960
a privacy policy is
ensuring that we

00:53.960 --> 00:55.610
notify the employees if there is

00:55.610 --> 00:57.910
going to be an
infringement on policy.

00:57.910 --> 01:00.400
People expect policy
in the workplace.

01:00.400 --> 01:01.850
I don't have to provide it,

01:01.850 --> 01:03.140
but if that's the case and I'm

01:03.140 --> 01:04.745
going to infringe upon policy,

01:04.745 --> 01:06.620
folks need to be notified.

01:06.620 --> 01:09.410
We also have to be
very clear on who owns

01:09.410 --> 01:12.200
the data and who owns
systems for operation.

01:12.200 --> 01:13.670
As a general rule,

01:13.670 --> 01:16.505
the individual or individuals
that own the data

01:16.505 --> 01:17.990
determine the classification of

01:17.990 --> 01:19.940
the data and the protection.

01:19.940 --> 01:22.550
Data ownership is very
important and it should be

01:22.550 --> 01:25.225
clearly defined who
fulfills that role.

01:25.225 --> 01:28.250
Also, you usually see
roles of data custodian

01:28.250 --> 01:29.660
and that individual would be

01:29.660 --> 01:31.760
responsible for
maintaining the data.

01:31.760 --> 01:33.320
That said, the data owner

01:33.320 --> 01:35.944
determines its
classification.

01:35.944 --> 01:40.040
Separation of duties, which
is a very important policy,

01:40.040 --> 01:42.485
makes sure that we don't
have a conflict of interest,

01:42.485 --> 01:43.760
and also makes sure that

01:43.760 --> 01:46.040
no one is too powerful
on the network.

01:46.040 --> 01:48.440
I worked for a company at
one point in time that had

01:48.440 --> 01:50.180
a single network admin and

01:50.180 --> 01:52.235
this person was
really all powerful.

01:52.235 --> 01:53.550
In all seriousness,

01:53.550 --> 01:54.860
if somebody offended him,

01:54.860 --> 01:56.300
he could lock those users out of

01:56.300 --> 01:58.760
their own account and not
respond for 30 minutes,

01:58.760 --> 02:01.460
which is a tremendous
abuse of power.

02:01.460 --> 02:02.990
That really goes back
to whoever signed

02:02.990 --> 02:05.120
off on a configuration
of that sort.

02:05.120 --> 02:07.670
There should never be a
single network admin.

02:07.670 --> 02:09.230
A series of network admins

02:09.230 --> 02:12.035
performing different
activities is good.

02:12.035 --> 02:14.680
Mandatory vacations.

02:14.680 --> 02:16.370
I think many of us probably wish

02:16.370 --> 02:18.125
we could get a
mandatory vacation.

02:18.125 --> 02:19.370
You'll see this in banks and

02:19.370 --> 02:21.290
other financial institutions,

02:21.290 --> 02:23.150
but you don't see it everywhere.

02:23.150 --> 02:25.880
Let's say I get hired
to work in a bank.

02:25.880 --> 02:27.650
I come on board and they say,

02:27.650 --> 02:31.279
>> "Kelly, you're going to
get 10 days of paid vacation.

02:31.279 --> 02:34.010
Five of those days must
be taken consecutively,

02:34.010 --> 02:35.389
and during those five days,

02:35.389 --> 02:37.010
you may not come
into the office,

02:37.010 --> 02:38.765
contact anybody at the office,

02:38.765 --> 02:39.950
you can't check email,

02:39.950 --> 02:41.420
you can't remote in, you have

02:41.420 --> 02:43.490
nothing to do with this
work environment."

02:43.490 --> 02:45.260
That way, if the bank is coming

02:45.260 --> 02:47.315
up a couple of hundred
bucks short every week,

02:47.315 --> 02:49.100
suddenly Kelly's out
of the office in

02:49.100 --> 02:51.815
the Bahamas and the bank
balances to a penny.

02:51.815 --> 02:53.960
That might be an important
detective control

02:53.960 --> 02:56.495
and an indicator that
something is going on.

02:56.495 --> 02:59.570
Mandatory vacations are
generally only present in

02:59.570 --> 03:02.030
financial institutions
and job rotation

03:02.030 --> 03:04.010
is another detective control.

03:04.010 --> 03:06.230
I may be database administrator

03:06.230 --> 03:07.738
of database 1 for six months,

03:07.738 --> 03:10.449
then move over to
administer database 2.

03:10.449 --> 03:13.610
Someone else comes in behind
me to database 1 and they

03:13.610 --> 03:16.610
can detect any activity
that I made up, performed,

03:16.610 --> 03:19.235
either mistakes I've made
or fraudulent activity.

03:19.235 --> 03:20.975
Least privilege
and need to know,

03:20.975 --> 03:22.685
those two go hand-in-hand.

03:22.685 --> 03:24.110
Least privilege and need to know

03:24.110 --> 03:25.849
are very closely related.

03:25.849 --> 03:29.090
Principle of least privilege
is usually about action.

03:29.090 --> 03:30.710
I will allow you
only the actions

03:30.710 --> 03:32.560
that you must have
to do for your job.

03:32.560 --> 03:34.950
Need to know is
about information

03:34.950 --> 03:36.950
and I'm going to let
you know what information

03:36.950 --> 03:38.404
you need to do your job.

03:38.404 --> 03:40.370
For instance, I only allow

03:40.370 --> 03:42.995
certain users to change
the system date and time.

03:42.995 --> 03:45.170
That's the principle
of least privilege.

03:45.170 --> 03:46.700
If you're not on the sales team,

03:46.700 --> 03:48.995
you don't get access
to the sales folder.

03:48.995 --> 03:52.340
That's need to know.
Very closely related.

03:52.340 --> 03:55.880
Then we have dual control
and M of N control.

03:55.880 --> 03:57.980
Dual control is for
those actions on

03:57.980 --> 04:00.590
the network that are of
such a sensitive nature.

04:00.590 --> 04:02.150
You don't want to
allow a single person

04:02.150 --> 04:03.815
to perform that action alone.

04:03.815 --> 04:06.790
Maybe for things
like key recovery.

04:06.790 --> 04:09.800
When we talk about security
and Security+,

04:09.800 --> 04:12.140
we're going to cover the
very significant element of

04:12.140 --> 04:13.550
a private key and how

04:13.550 --> 04:15.805
a private key is bound
to your identity.

04:15.805 --> 04:17.930
It provides
authentication for you.

04:17.930 --> 04:20.225
If my private key
gets corrupted,

04:20.225 --> 04:22.805
there are going to be activities
that I can't perform.

04:22.805 --> 04:24.860
We need our private keys.

04:24.860 --> 04:27.410
For that purpose, we may back
up our private keys with

04:27.410 --> 04:30.490
the idea that if it gets
corrupt, we can restore it.

04:30.490 --> 04:32.150
The problem is, usually

04:32.150 --> 04:33.230
the network administrator is

04:33.230 --> 04:35.175
relegated to that
responsibility.

04:35.175 --> 04:36.875
If my private key is mine,

04:36.875 --> 04:39.280
but a network admin backs
it up and recovers it,

04:39.280 --> 04:42.050
now that network admin
has my private key.

04:42.050 --> 04:44.735
We might require two network
admins to be present

04:44.735 --> 04:47.555
and both enter a password before
a key can be recovered.

04:47.555 --> 04:49.845
There's also M of N control,

04:49.845 --> 04:52.515
where M and N are
just variables.

04:52.515 --> 04:54.770
Out of a total number
of administrators,

04:54.770 --> 04:56.544
so many have to be present.

04:56.544 --> 04:58.385
4 out of 10 network admins,

04:58.385 --> 05:01.150
3 out of 7, doesn't matter
what the numbers are.

05:01.150 --> 05:04.100
Again, it's the idea of
making sure we don't have

05:04.100 --> 05:05.180
one single person with

05:05.180 --> 05:08.370
too much authority
or too much control.

05:10.100 --> 05:13.155
Just wrapping up the
idea of this section.

05:13.155 --> 05:14.970
Documentation is critical,

05:14.970 --> 05:16.550
making sure that we can rebuild

05:16.550 --> 05:18.455
the network in the
event of a disaster,

05:18.455 --> 05:20.390
but also that at
any point in time,

05:20.390 --> 05:22.130
you can go back to
our documentation

05:22.130 --> 05:23.770
and figure out what's what.

05:23.770 --> 05:25.580
We talked about logical versus

05:25.580 --> 05:27.945
physical documentation
that whereas physical

05:27.945 --> 05:29.510
helps us get an
understanding of how

05:29.510 --> 05:31.790
traffic moves on the
network or physical

05:31.790 --> 05:33.860
really shows the
physical devices and

05:33.860 --> 05:36.695
where the cable is moving
from point A to point B.

05:36.695 --> 05:39.710
Our network devices and
various network equipment,

05:39.710 --> 05:41.210
those need to be labeled,

05:41.210 --> 05:43.175
configurations need
to be backed up,

05:43.175 --> 05:46.490
access control lists, the
firewalls and routers,

05:46.490 --> 05:48.145
those should be well-documented.

05:48.145 --> 05:50.720
Racks and wiring,
label, label, label,

05:50.720 --> 05:53.585
keep them neat, keep
them well organized.

05:53.585 --> 05:55.550
Then also we make
sure that we have

05:55.550 --> 05:58.445
documentation on our
policies, our procedures,

05:58.445 --> 06:00.650
our baseline performance
information so

06:00.650 --> 06:02.870
that anyone within our
organization can go to

06:02.870 --> 06:04.670
those documents and either learn

06:04.670 --> 06:06.800
standard operating procedures or

06:06.800 --> 06:08.560
take the information
that they need.

06:08.560 --> 06:10.815
Policies should be published,

06:10.815 --> 06:12.380
policies should apply to

06:12.380 --> 06:14.450
all individuals
in the workforce.

06:14.450 --> 06:16.550
We generally look at
these administrative

06:16.550 --> 06:18.530
directive controls and in that,

06:18.530 --> 06:21.455
management states their
expectations for behavior.

06:21.455 --> 06:24.170
We look at things like
acceptable use policy,

06:24.170 --> 06:26.560
separation of duties,
dual control.

06:26.560 --> 06:28.700
All of those policies
we discussed add

06:28.700 --> 06:30.050
an additional important layer to

06:30.050 --> 06:32.640
security in our environment.

