How can you make others in your organization aware of the challenges associated with IT security? In this video, you’ll learn about security policy training, network policies, and the principle of least privilege.
It’s very common for organizations to create comprehensive policies and procedures for the security of your environment. But if nobody knows of those policies and procedures, then you’re no more secure than you were when you started. That’s why it’s very common to have all of your security policies available for anybody to read on your intranet.
It’s very difficult, of course, to get people to actually read this information. That’s why it’s also very common to hold in-person, mandatory security training sessions. These sessions give a very detailed overview of all of your security policies, leave time for Q&A, and let people meet you as the security professional.
This is your opportunity to explain how you deal with these common security problems. If your computer identifies a virus, what’s the next step? If you find that somebody’s inside of your environment, and they don’t have an access card, what’s the proper procedure? This is something you can do throughout all of these security sessions. If you have users that are outside of the building, you may have to set up separate security sessions for your mobile users or break out all of the training by department.
A large organization might also have a network policy. This will govern exactly what types of things are permitted across the network. Each organization has a different philosophy on what type of traffic is allowed and what type of traffic is not acceptable. The network policy is often a subset or is very closely associated with the security policy because everything going across the network is obviously a security concern as well.
These network policies are usually written together and presented as an acceptable use policy. This provides you with all of the rules and everything you’ll need to know about sending information over the network. It’s usually well-documented. And it’s very common for employees to sign a document that says that they have read and that they understand the acceptable use policies.
The rights and permissions that you have to the resources on your network are usually based on who you are and the type of job you’re doing. We call this the principle of least privilege, which means that you should have only the rights and permissions necessary to do your job. Exactly what those rights and permissions are will depend on what your job happens to be. So the management of your company will usually determine what your job role is, and then it’s up to IT to match that job role with the rights and permissions on the network.
This principle of least privilege applies to both physical and digital controls. So you might be limited to a small number of rooms that you can enter with your access card, and you might also be limited in the files and folders that you can access on a particular file server.
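One way IT can check that what it provisioned actually matches the job roles management defined is to audit each person's grants against the role definitions and flag anything above the need. The example below is added here and is not from the video; the roles, rooms, file shares and people are constructed sample data, and the "target:level" encoding is an assumption for illustration.

```python
# Added example, not from the video: auditing provisioned access against
# job-role requirements to find least-privilege violations. Roles, rooms,
# shares and people below are constructed sample data.
from dataclasses import dataclass, field

# Access levels ordered from weakest to strongest. Rooms use "enter";
# file-server shares use read-only or read-write.
LEVEL_RANK = {"enter": 1, "ro": 1, "rw": 2}

# What management says each job role needs: target -> level.
# Physical (room) and digital (share) controls follow the same rule.
ROLE_NEEDS = {
    "accounts-payable": {"room:finance": "enter", "share:finance/invoices": "rw"},
    "help-desk": {"room:it": "enter", "share:it/tickets": "rw",
                  "share:hr/policies": "ro"},
    "auditor": {"share:finance/invoices": "ro"},
}

@dataclass
class Person:
    name: str
    roles: set
    granted: dict = field(default_factory=dict)  # what IT actually provisioned

def required_for(roles):
    """Merge the needs of all assigned roles, keeping the strongest level per target."""
    needed = {}
    for role in roles:
        for target, level in ROLE_NEEDS.get(role, {}).items():
            if LEVEL_RANK[level] > LEVEL_RANK.get(needed.get(target), 0):
                needed[target] = level
    return needed

def audit(person):
    """Return (excess, missing) as sorted lists of "target:level".

    excess: grants above what the roles need (revoke these);
    missing: needs the grants do not meet (the job cannot be done).
    """
    needed = required_for(person.roles)
    excess, missing = [], []
    for target in sorted(set(needed) | set(person.granted)):
        have = LEVEL_RANK.get(person.granted.get(target), 0)
        need = LEVEL_RANK.get(needed.get(target), 0)
        if have > need:
            excess.append(f"{target}:{person.granted[target]}")
        elif have < need:
            missing.append(f"{target}:{needed[target]}")
    return excess, missing
```

A read-write grant where the role only needs read-only is reported as excess, and a room the role never needs is reported the same way as an extra file share.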