WEBVTT

00:00.240 --> 00:06.320
Probably the biggest problem that we have in the world of I.T. security is people.

00:06.330 --> 00:08.220
People need training.

00:08.220 --> 00:13.920
So what I want to do in this particular episode is talk about some of the aspects of training and what

00:13.920 --> 00:19.170
people need to be aware of so that our I.T. security infrastructure is sound.

00:19.280 --> 00:26.010
Now the whole idea of training pretty much starts from the moment somebody starts with the company until

00:26.010 --> 00:27.180
the day that they leave.

00:27.180 --> 00:33.180
So what I'd like to talk about first is what we call onboarding. Now onboarding is simply the process

00:33.180 --> 00:39.030
that takes a person who is outside of your infrastructure and brings them in, pretty much new hires, but

00:39.030 --> 00:42.970
that can also be contractors, temporary workers, stuff like that as well.

00:43.290 --> 00:50.100
So when someone is onboarded, they go through a very big process of making sure that they're the type

00:50.100 --> 00:53.250
of person we want, and all kinds of training and all kinds of stuff.

00:53.280 --> 00:58.320
However, for the exam there are just a very few specific areas that I want to cover.

00:58.320 --> 01:03.960
Onboarding will in many cases require a good background check, making sure that this is the type of person

01:03.960 --> 01:07.000
that you want working for your organization.

01:07.200 --> 01:13.050
In certain cases they might have to sign a non-disclosure agreement and make sure that they're not going

01:13.050 --> 01:17.010
out with information that they shouldn't be talking about.

01:17.030 --> 01:19.590
They should also be aware of standard operating procedures.

01:19.610 --> 01:24.500
Anything that you do within your organization that has a procedure and that is standardized.

01:24.620 --> 01:27.430
This is where they begin to learn about that.

01:27.620 --> 01:33.620
Also specialized issues, for example in many organizations there's a requirement for a clean desk. By

01:33.620 --> 01:34.850
requiring a clean desk,

01:34.840 --> 01:40.760
it prevents the opportunity for passwords to be written and other bits of critical information to be

01:40.760 --> 01:48.850
left about. The other big area that we deal with in onboarding is rules of behavior, and in particular

01:48.850 --> 01:52.300
what we're talking about is a good acceptable use policy.

01:52.300 --> 01:58.150
Here's where we go through the process of having the person read the acceptable use policy, often signing

01:58.150 --> 02:04.870
the policy in front of someone to make sure they understand exactly what they can and cannot do with

02:04.870 --> 02:06.180
the company's equipment.

02:06.980 --> 02:10.590
On top of that there'll be a number of general security policies, for example:

02:10.670 --> 02:12.650
What can they do with social media networks?

02:12.650 --> 02:17.570
What can they do with different applications and even personal email? Training,

02:17.570 --> 02:20.040
does it end at the onboarding process?

02:20.210 --> 02:22.830
Training keeps going forever and ever.

02:22.850 --> 02:27.110
All good employees are always going to be subject to continuing education.

02:27.110 --> 02:32.810
For example, if there's a major change in a policy, new technology, new applications, new things that come

02:32.810 --> 02:35.820
along, we need to make sure that our people are up and trained.

02:36.020 --> 02:41.660
And also it's always a good idea to give good refreshers, make sure people are aware of things like watching

02:41.660 --> 02:48.090
for different types of malware or making sure that their passwords are being handled properly.

02:48.230 --> 02:53.810
Once a person decides to break away from your infrastructure then we go through the process known as

02:54.110 --> 02:55.060
offboarding.

02:55.070 --> 03:00.740
Now offboarding is a very complex process and all types of things, but at least for the exam the things I want

03:00.740 --> 03:02.870
you to concentrate on are, number one:

03:02.870 --> 03:07.610
We're almost always going to disable someone's account. We never delete an account because there are

03:07.610 --> 03:09.230
different permissions and such.

03:09.470 --> 03:13.700
We're also going to have them return any credentials they might have; that would be very important from

03:13.700 --> 03:15.010
a security standpoint.

03:15.170 --> 03:19.160
But the other one, and this is a big one, is the exit interview.

03:19.160 --> 03:22.610
We should always have an exit interview during the offboarding process.

03:22.670 --> 03:29.330
For one reason at least, from an I.T. security side, and that is knowledge transfer. This is the opportunity

03:29.330 --> 03:36.020
for us to go to that particular soon-to-be ex-employee and say, talk about where their data is, where their

03:36.020 --> 03:39.330
storage is or anything personal that might be helpful for us.

03:39.410 --> 03:44.480
And this is often a good opportunity to discover that important thumb drive or whatever it might be

03:44.780 --> 03:48.810
that can really help us, especially when the next person comes along.

03:50.030 --> 03:57.060
Now speaking of data, there's a big issue that comes into play, and that is the concept known as personally

03:57.060 --> 04:05.480
identifiable information. PII is a big deal when it comes to security, and we need to be training our

04:05.490 --> 04:10.100
people to be aware of personally identifiable information for a myriad of reasons.

04:10.110 --> 04:13.900
There are a number of legal issues involved with that.

04:13.920 --> 04:20.820
There are problems we run into where we have personal information stolen, and we need to watch

04:20.820 --> 04:21.300
out for that.

04:21.300 --> 04:25.710
Now what's interesting is that we have a lot of resources for this.

04:25.710 --> 04:34.560
So let's start off with the good old NIST. NIST document 800-122 goes into great detail on the concept

04:34.560 --> 04:37.500
of personally identifiable information.

04:37.590 --> 04:43.470
Some of the things we need to be watching out for would be, for example, a full name, a home address, a

04:43.470 --> 04:49.560
personal e-mail address, an identification number, here in the United States that would be a Social Security

04:49.560 --> 04:57.600
number, a passport number, vehicle registration plate numbers, their driver's license number, any face, fingerprint

04:57.630 --> 05:04.410
or handwriting information, credit card numbers, digital identity, and date of birth.

05:04.410 --> 05:10.080
Another big issue when we're talking about personnel is personnel management controls, where we're actually

05:10.110 --> 05:17.340
in this case talking about how we deal with what people do in terms of their work to be able to keep

05:17.340 --> 05:19.860
our infrastructure as secure as possible.

05:19.860 --> 05:25.590
So let's take a quick look at these very common and very well-known personnel management controls.

05:25.650 --> 05:32.520
First are mandatory vacations. A mandatory vacation is a requirement that someone take a vacation, get

05:32.520 --> 05:34.590
away from the office for a while.

05:34.590 --> 05:39.110
In many industries people are required to take two weeks at a time.

05:39.130 --> 05:42.980
Now a mandatory vacation has some powerful tools. Number one:

05:43.020 --> 05:45.210
Others can fill in if needed.

05:45.210 --> 05:51.420
So it shows our infrastructure that if someone's gone for two weeks other people can cover for them.

05:51.420 --> 05:54.000
It also makes fraud much more difficult.

05:54.270 --> 06:00.840
And if more than one person at a time is doing something naughty, it prevents collusion by keeping these

06:00.840 --> 06:02.090
people separated.

06:03.400 --> 06:08.980
Another important personnel management control is job rotation. Job rotation prevents a single person

06:08.980 --> 06:11.970
from being the only set of eyes for a job.

06:11.980 --> 06:18.280
It also makes fraud more difficult, and it allows for cross-training. Job rotation is fantastic for larger

06:18.280 --> 06:25.800
organizations, although it's often difficult to do with smaller ones. Third is separation of duties. Separation

06:25.800 --> 06:32.400
of duties simply means that at least two people are required to do a sensitive function.

06:32.400 --> 06:39.540
Again this makes sure that no single person is always and only doing a particular function.

06:39.630 --> 06:47.120
Everybody who touches your secure data in your infrastructure does this under what we call a role.

06:47.130 --> 06:52.740
Now different people have different roles depending on how and what they do within the infrastructure.

06:52.740 --> 06:59.160
So when we're talking about dealing with data, we often use very specific, well-known, industry-defined

06:59.430 --> 07:05.310
roles that help us decide what different types of people, what different types of roles, are done when

07:05.310 --> 07:06.750
it comes to handling data.

07:06.780 --> 07:10.850
The best way to see how this works is actually just to see these very good examples.

07:10.920 --> 07:15.880
So let's go through different well-known role-based data controls.

07:15.900 --> 07:21.480
First is a system owner. A system owner is a management-level role.

07:21.480 --> 07:25.080
Their job is to maintain the security of a system.

07:25.080 --> 07:30.660
Now when I say a system, I don't necessarily mean a single computer; it could be a network or whatever

07:30.670 --> 07:38.160
you break down as a system. A system owner will also define a system administrator, whom we'll see next.

07:38.340 --> 07:44.640
And a system owner works with data owners, we'll see who data owners are in a minute, to ensure data security.

07:46.170 --> 07:53.160
A system administrator is usually someone who is assigned by the system owner to perform day-to-day

07:53.160 --> 07:55.450
administration of a system.

07:55.470 --> 08:00.710
These are the people who actually implement security controls on that particular system.

08:02.010 --> 08:06.220
A data owner is the person in charge of the data on that system.

08:06.470 --> 08:10.380
They're going to define the sensitivity of the data on that system.

08:10.580 --> 08:15.970
They're also going to define the protection of that data whatever they need to do to protect it.

08:16.040 --> 08:21.100
They're going to work with the system owner to protect that data, and then usually the poor system administrator is

08:21.110 --> 08:27.770
the one who has to actually implement the controls, and it's the data owner who defines access to the

08:27.770 --> 08:28.660
data.

08:28.670 --> 08:33.500
So a data owner is also going to work with a system administrator to see what people can do with that

08:33.500 --> 08:34.180
data.

08:35.690 --> 08:40.670
Next is the user, and the user is the most common person.

08:40.730 --> 08:45.140
These are the folks who access and use the assigned data responsibly.

08:45.140 --> 08:54.270
The other big job for any user is to monitor and report security breaches. A privileged user is a person

08:54.270 --> 09:00.480
who, because of a management position or whatever, will have special access to data beyond the typical

09:00.480 --> 09:01.250
user.

09:01.260 --> 09:06.180
So like the head of accounting is probably going to have more permissions than a regular accounting

09:06.180 --> 09:08.430
user. A privileged user

09:08.430 --> 09:17.610
also works closely with system administrators to ensure data security. Last is the executive user, and an

09:17.610 --> 09:27.200
executive user by definition will have read-only access to pretty much all of the business data on a

09:27.200 --> 09:29.330
particular system.

09:29.330 --> 09:31.630
There's a lot to security training.

09:31.640 --> 09:36.950
Make sure you're comfortable with different types of controls and different types of roles, because this

09:36.950 --> 09:50.310
is the stuff that really keeps our I.T. infrastructure secure.
