WEBVTT 00:00.940 --> 00:05.830 The fun part about security controls is that well a lot of them are. 00:05.920 --> 00:07.120 How should I describe. 00:07.120 --> 00:08.580 Interesting. 00:08.590 --> 00:16.180 You see the thing is for a nerd like me if you tell me that installing a firewall is a security control 00:16.180 --> 00:17.590 and like OK I can buy that. 00:17.710 --> 00:23.890 Or if you tell me that we have to provide training for users as a security control and like OK I could 00:23.890 --> 00:25.090 buy that too. 00:25.540 --> 00:29.850 Fortunately the world of I.T. Security can make things a bit more challenging. 00:29.860 --> 00:36.520 So what I want to do now is go through some examples of rather interesting security controls. 00:36.520 --> 00:42.520 Now before we get into this I also want to warn you that other people may not call the security controls 00:42.550 --> 00:47.730 but in general if you look at these in terms of security controls you'll do fine on the security plus. 00:47.740 --> 00:51.560 So let's dive into the world of interesting security controls. 00:52.490 --> 00:57.280 The first type of interesting security control I'd like to discuss is mandatory vacations. 00:57.280 --> 01:03.350 Yep that's a security control mandatory vacation simply requires individuals to take vacations usually 01:03.350 --> 01:04.960 at different times of the year. 01:05.330 --> 01:10.580 The whole idea behind of mandatory vacation is that it's used to detect fraud and unauthorized activity 01:10.580 --> 01:14.810 so if something bad is happening and then it quits happening when Bob's on vacation. 01:14.840 --> 01:16.040 That could be a clue. 01:16.040 --> 01:21.050 Second is job rotation job rotation means periodically switching people around to work in different 01:21.050 --> 01:22.220 positions. 01:22.220 --> 01:27.080 Now this is handy in that it will enable rapid replacement of somebody who's mission critical suddenly 01:27.080 --> 01:28.710 becomes sick or quits. 01:28.760 --> 01:31.520 But it also avoids contempt of position. 01:31.520 --> 01:35.230 Everybody gets jealous of Bob because he gets to work in that first position. 01:35.330 --> 01:39.260 And in that way it keeps people happy and doing their job. 01:39.260 --> 01:44.810 Third is multi-person control and that simply means that more than one person is required to accomplish 01:44.840 --> 01:46.220 a task or function. 01:46.340 --> 01:52.570 So it prevents one person from initiating an action that could be bad like launching missiles or formatting 01:52.580 --> 01:53.690 hard drives. 01:53.690 --> 02:00.380 But it also allows multiple people to make sure that something is done in a right way so for example 02:00.410 --> 02:03.980 entering secure areas accessing sensitive documents. 02:04.040 --> 02:10.760 There's lots of places where a multi-person control comes into play next separation of duties is by 02:10.760 --> 02:16.490 the way security plus wants to make sure you know this is an administrative control means that single 02:16.490 --> 02:20.990 individuals should not perform all critical or privileged duties across the board. 02:20.990 --> 02:26.900 So for example the auditing department should do auditing and the security folks should do security 02:26.900 --> 02:28.640 and the salespeople should do sales. 02:28.700 --> 02:34.010 We shouldn't have them intermixing last as principle of least privilege. 02:34.010 --> 02:38.840 This simply means that users are granted only the level of privilege necessary for them to perform their 02:38.840 --> 02:39.230 job. 02:39.230 --> 02:46.400 So when we hear the term privilege we usually use the word need to know and then that way people don't 02:46.490 --> 02:49.100 get into privileges that they shouldn't have. 02:49.100 --> 02:54.410 I always love exposing people who are new to security on these terms because they're not ones that we 02:54.410 --> 03:15.910 really think about as we first enter the world of I.T. security but boy are they important.