WEBVTT

00:00.670 --> 00:04.380
I have to admit it, but I have a real aversion to paper.

00:04.450 --> 00:06.900
I can work on computers and networks all day long.

00:06.910 --> 00:13.780
But the moment you start making me fill in forms and checklists and meetings and all that stuff, I start

00:13.780 --> 00:16.590
to collapse pretty fast anyway.

00:16.750 --> 00:17.860
With that in mind.

00:17.980 --> 00:19.030
Guess what.

00:19.030 --> 00:23.160
Security+ is full of different types of security policies.

00:23.170 --> 00:27.220
Now there are hundreds and hundreds, I mean literally hundreds, of different types of security policies

00:27.220 --> 00:28.040
out there.

00:28.180 --> 00:34.330
But luckily for us, Security+ only covers in detail a very few of them, and in this episode, my friends,

00:34.690 --> 00:36.560
we're going to pound every one of them out.

00:36.760 --> 00:41.620
So let's go ahead and get started and take a look at a number of important security policies you're

00:41.620 --> 00:42.640
going to see on Security+.

00:42.630 --> 00:50.920
First is the famous acceptable use policy. The Acceptable Use Policy is the most well known simply

00:50.920 --> 00:57.160
because just about everybody who comes on as a new hire with a company usually has to sign this. An acceptable

00:57.160 --> 01:03.070
use policy defines what a person can and cannot do on company assets.

01:03.070 --> 01:08.230
Now when we talk about IT security, what we're really talking about is what can you do on the computers

01:08.290 --> 01:11.620
and on the Internet that you're accessing through the company.

01:11.620 --> 01:17.620
So an acceptable use policy is going to be covering things like personal use of the computer.

01:17.650 --> 01:22.900
It's going to talk about, you know, you can't look at pornography, you can't be buying and selling things

01:22.900 --> 01:24.940
on eBay during company hours.

01:24.940 --> 01:29.260
It's going to define where you get to store stuff and where you can't store stuff.

01:29.260 --> 01:35.380
The problem with acceptable use policies is that nobody can predict all the things that we don't want

01:35.380 --> 01:35.830
you to do.

01:35.830 --> 01:41.910
So they tend to use very broad strokes, as a policy should, to make sure you're being a good little employee.

01:41.920 --> 01:49.630
Next are data sensitivity and classification policies. Data sensitivity and classification just means

01:49.810 --> 01:54.140
you have to define how important different types of data are.

01:54.370 --> 02:02.500
So within an organization we can classify this data by applying labels to it. In the big federal government

02:02.500 --> 02:04.740
you'll see things like top secret and stuff like that.

02:04.810 --> 02:09.770
But even in the private sector we'll see stuff like "this is highly confidential."

02:09.880 --> 02:15.790
A lot of organizations will generate their own gradation of classification of data sensitivity, and it at

02:15.790 --> 02:21.460
least gives people an idea of how important different types of data are and what we are to do with them.

02:21.750 --> 02:22.600
Next

02:22.660 --> 02:31.360
are access control policies. An access control policy defines how people get access to our data and

02:31.360 --> 02:32.450
other resources.

02:32.470 --> 02:37.270
So when we're talking about an access control policy, that can actually cover a lot of different stuff.

02:37.570 --> 02:44.000
For example, it could define how you use passwords or fobs or smart cards or whatever you

02:44.000 --> 02:46.290
might want to use for authentication.

02:46.330 --> 02:53.050
It can define, based on the type of job you have, what type of access to what type of classified data you

02:53.050 --> 02:54.480
have access to.

02:54.520 --> 03:01.300
It can define, based on your job title, what you can and cannot do, so an access control policy tends to

03:01.300 --> 03:02.660
be a fairly big document.

03:02.680 --> 03:08.080
In fact, even though it's a big document, a lot of times access control policies will be incorporated

03:08.080 --> 03:12.430
into things like Acceptable Use Policies and data classification policies.

03:12.430 --> 03:16.480
There's no fixed rule that says you have to have each and every one of these policies, but I assure you

03:16.480 --> 03:20.380
this you will have a policy on access control.

03:20.380 --> 03:27.490
Next is a password policy. A password policy defines how you deal with passwords.

03:27.490 --> 03:32.980
Now a password policy is another one of those policies that can often get snuck into different policies,

03:32.980 --> 03:38.220
so it's not real common to see a password policy as its own standing document.

03:38.230 --> 03:42.160
Now the thing about password policies is that it's easy to remember stuff like that:

03:42.280 --> 03:44.400
we need to use long and complex passwords.

03:44.410 --> 03:49.450
But a good password policy will cover more than that. It will cover things like, for example, if someone

03:49.450 --> 03:50.680
loses their password,

03:50.680 --> 03:52.520
how do we go about getting it back?

03:52.780 --> 03:59.950
If someone logs in wrong too many times, how do we deal with that? If we have a password change requirement

03:59.950 --> 04:00.880
as part of this,

04:01.000 --> 04:08.080
can they use a password that they used two times before? So a password policy covers more than just the

04:08.080 --> 04:10.380
length and the complexity of passwords.

04:10.390 --> 04:13.270
Because I know there's a lot to passwords.

04:13.270 --> 04:16.870
The next type of policy is care and use of equipment.

04:17.080 --> 04:23.160
So without even telling you anything, if you're reading this you might be going, "Gee, care and use of equipment,

04:23.170 --> 04:25.780
wouldn't that be kind of under acceptable use policy?"

04:25.900 --> 04:28.560
Well, yeah, and also no.

04:28.600 --> 04:31.260
First of all, you can't put this policy as part of acceptable use.

04:31.270 --> 04:36.160
But when we talk about care of equipment, what we're really talking about is not so much the data and

04:36.160 --> 04:42.820
what you're doing with the equipment, but how you maintain the equipment, how you borrow the equipment

04:43.030 --> 04:49.920
if you're given different pieces of equipment, and if you're issued a phone or anything like that,

04:49.990 --> 04:54.260
what are your responsibilities for it, what do you do if it's broken?

04:54.280 --> 05:01.660
All of those things go underneath this particular policy. Next are privacy policies. Privacy policies

05:01.660 --> 05:06.790
are kind of interesting, because up to this point pretty much every policy that we've talked about is

05:06.790 --> 05:10.450
kind of an in-house policy: what do we do with just us?

05:10.450 --> 05:16.640
But privacy policies can actually be applied for the first time to customers as well as just in-house.

05:16.640 --> 05:21.190
Now you can still have privacy policies in-house but they tend to be kind of boring.

05:21.340 --> 05:26.410
In-house privacy policies basically tell the employees: everything you do on the computers here in the

05:26.410 --> 05:29.860
office we can look at, we can snoop on, we can do whatever we want to do.

05:30.880 --> 05:36.040
Where it gets interesting is when we have privacy policies that are applied to our customer base, and

05:36.040 --> 05:41.100
probably the best example of this are the many, many different types of web apps we have out there.

05:41.110 --> 05:47.740
Facebook of course, eBay, Google, and whenever you use these, or at least the first time you do, there really

05:47.740 --> 05:54.850
is a policy that you have to agree to in order to use Google or Facebook or eBay or whatever it is, and

05:55.420 --> 06:00.040
they say in these policies what they're going to do with your privacy.

06:00.040 --> 06:07.690
For example Facebook, probably the most famous for privacy policy questionable antics, says things like

06:08.290 --> 06:11.380
"we can use your photographs wherever we want."

06:11.380 --> 06:18.730
I know there's adjustments, but you need to read this stuff to understand what your privacy can and can't

06:18.730 --> 06:19.170
do.

06:19.300 --> 06:25.930
Google clearly says we will use your data to give you customized advertisements.

06:25.930 --> 06:31.110
Basically they're reading all your stuff, they're reading your Google Docs and they're reading your e-mail,

06:31.120 --> 06:35.070
and they're using this stuff to put up different ads, which, in essence, it's Google.

06:35.070 --> 06:36.010
What are you going to do.

06:36.970 --> 06:41.110
I don't know about you guys, but when it comes to privacy policies in-house, well, there's not much I can

06:41.110 --> 06:41.720
do about it.

06:41.740 --> 06:48.280
But when it comes to dealing with these different types of web apps, I read every single line. The last

06:48.280 --> 06:55.510
type of policy I want to talk about is personnel policies. A personnel policy has to deal with the people

06:55.570 --> 06:57.560
that are dealing with our data.

06:57.790 --> 07:02.620
So what do you do with people? Well, for example, one of the things you might want to do is, if this is

07:02.620 --> 07:06.790
really important information, you might want to do some background checks, or if this is military you

07:06.790 --> 07:09.010
might want to do some kind of security clearances.

07:09.100 --> 07:11.530
And this is where we start dealing with that stuff.

07:11.530 --> 07:15.290
That's the job of the personnel policy. Personnel policies don't stop there though.

07:15.370 --> 07:20.800
For example they might handle things like: we will use job rotation, we will have mandatory vacations.

07:20.800 --> 07:26.350
If it has to do with a person, and it has to do with a person who's dealing with data, it goes under personnel

07:26.350 --> 07:28.140
policy.

07:28.570 --> 07:33.700
Yipe! That's a lot of different policies, and folks, I hate to tell you this, but you've got to memorize every

07:33.790 --> 07:39.890
single one of these because Security+ goes nuts about what type of policy would be discussing not

07:39.970 --> 07:45.640
least privilege and what type of policy would be handling different levels of classification of data.

07:45.640 --> 07:47.090
And they will hit you on this.

07:47.090 --> 07:51.190
So you've got to take some time. If there's going to be one episode you'll probably watch a few times,

07:51.190 --> 07:52.270
it's going to be this one.

07:52.300 --> 08:01.090
Make sure you know all of these different policies and all the detail thus described in