Every organization uses numerous processes and procedures during the normal course of business. In this video, you’ll learn about user agreements, on-boarding, licensing, export controls, and many other policies.
If you’re responsible for servers, network, security, or almost anything else in information technology, then you probably have access to all of the data associated with your organization, but just because you could have access to the data, doesn’t mean that you should access that data. There are expectations on you as a technology professional to use the highest ethics when it comes to protecting this data. This means if you’re managing a server or a database, that you will normally use the non-privileged methods to be able to perform whatever functions are required.
There will obviously be times when you do need to use privileged access to get into that data, but this also means that you will only be doing this for job related functions. Because your access to this data is so different than anyone else’s in the organization, you may be asked to sign a privileged user agreement. This means that you will maintain the highest levels of professionalism and maintain the confidentiality of the company’s data.
We all know that it’s important to make sure that our passwords are constantly being updated, and many organizations have a formal password policy. This formal policy will require that users update their passwords after a certain amount of time, for example, every 30 days or 60 days or 90 days. In organizations where there is a high level of security associated with this data, you may see password policies that require a change even more frequently.
This change process for updating the password should be relatively straightforward for the end user, but if someone finds themselves locked out and they need to recover an account, there should be a formal process, and that process should require an absolute identification of that user before that account is reset for access. This is a great opportunity for someone to use social engineering to gain access to someone’s account, so you want to be sure the entire process is well documented and secure.
There are a number of important processes that have to be followed during the onboarding process. This is when you’re hiring someone new from outside the organization, or it might be somebody that’s transferring from one part of the organization to another. From an IT perspective, you may require that someone understands the policies that are outlined in the employee handbook, or there may be a completely separate acceptable use policy that you want to be sure that everyone signs during the onboarding process.
There will also be a number of processes that happen behind the scenes during the onboarding process. You need to create user account information, you need to associate that user with particular groups or departments, and you need to make sure they have email access and create all of the other accounts necessary for that user. And of course, we need to make sure someone has all the hardware required to do their job. We need to provide them with a desktop or laptop computer they’ll be using, and we’ll provide them with a mobile device, or we’ll add their mobile device to our mobile device manager.
Just as we have processes during the onboarding process when someone joins the organization, we also need formal processes and procedures when someone is offboarded as they’re leaving the organization. These should be processes that have already been laid out and are very well documented, so you know exactly what to do when someone leaves the company. For example, there needs to be a process when someone turns in their hardware. You need some type of documentation to show that you’ve received the hardware and that you’re able to process that hardware for the next person, and of course, what happens to this user’s data?
We don’t want to simply delete everything associated with their account. There may be important company data that we want to be sure that we keep. That’s why it’s very common to deactivate a user’s account and not delete everything associated with a user’s account. There may be important encryption keys associated with that user, and by maintaining that account, we’ll still have access to all of those important encryption keys.
If you’re someone who has ever had to maintain a set of licenses in your organization, you know this can be a challenge. There may be separate licensing for operating systems that you use, for applications that are in use, or even for individual pieces of hardware that are in use, and of course, each one of these different types of services has a completely different method of performing licensing.
One reason we want to have all of these licenses up to date is we could run into problems with availability if this license was to expire. For example, some applications will work perfectly normally until the date the license expires and at that point, the application won’t work at all. Some devices may work after a licensing period expires, but perhaps with a subset of functionality. So if you want all of your systems running exactly the way they are today, you want to be sure to document and have a process available for updating those licenses.
Sometimes a license expiration means that certain important features of an application are suddenly no longer available. For example, if the license expires for your malware scanning gateway, it may still allow traffic to pass through that gateway, but of course, there are no checks at that point for any malicious software.
When you’re working with equipment or software inside of your own country, it may be relatively straightforward to understand how all of that information is maintained. But if you ever need to send any of that information to another country, there may be specific rules and regulations in place on what happens with all of that hardware and software.
These days these international export controls not only apply to the hardware that we might send to another country, they also are associated with the data that we might send to another country. Many countries have created significant regulations associated with personally identifiable information and what information may leave the country and what information must stay in the country.
You may also find the components that could be used for both civilian and military use may have a different set of international export controls associated with them. For example, there may be a completely different set of export controls for something like a firewall, an intrusion prevention system, or a hacking tool. If you don’t follow these international export controls, sometimes the penalties can be quite severe, so it’s important to check with your local legal team to make sure that the hardware and software you’re sending to another country is complying with all of these regulations.
Every organization needs to have a formal set of policies and procedures related to DLP, or data loss prevention. These will be policies that dictate how your organization will be handling social security numbers, credit card numbers, or any other type of personally identifiable information. For example, if you’re in an organization that works with medical data, you need to understand exactly how that sensitive information may be transferred across your network. Do you use encryption to make sure that information is secure, and how is that encryption enabled for that data?
Many organizations will also deploy data loss prevention technologies on their servers and their networks to watch for this data going across the network. That’s another way to validate that your policies and procedures are being followed, and if someone goes outside the scope of your policies and procedures, you can block that information before it gets into the hands of someone else.
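As an added illustration (not code from the video), this is the kind of content-inspection check a DLP system performs for the social security numbers and credit card numbers mentioned above. The sample messages are constructed, and the card numbers are standard test values, not real accounts.

```python
import re

# Constructed sample messages (not real data) to run the scanner against.
SAMPLE_MESSAGES = [
    "Patient record: SSN 123-45-6789, please fax to billing.",
    "Order 4111 1111 1111 1111 shipped today.",           # Luhn-valid test number
    "Ticket 4111-1111-1111-1112 is a typo, not a card.",  # fails the Luhn check
    "Meeting at 10:30, bring the 2023-11-08 report.",      # digits, but not PII
]

# SSN format AAA-GG-SSSS; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (type, matched_text) for each SSN or Luhn-valid card number found."""
    hits = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(("card", m.group()))
    return hits


def redact(text: str) -> str:
    """What a DLP gateway does before letting a flagged message continue."""
    for _, match in find_sensitive(text):
        text = text.replace(match, "[REDACTED]")
    return text


def scan(messages: list[str]) -> list[tuple[str, list[tuple[str, str]]]]:
    """Pair each message with its findings so a policy decision can be logged."""
    return [(msg, find_sensitive(msg)) for msg in messages]
```

A real deployment pairs pattern checks like these with context (which user, which destination, whether the channel is encrypted) before deciding to block rather than just alert.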
When people are sitting at desks inside of the building, it’s relatively easy to control the flow of data from one side of the network to the other, but of course, not everybody is inside of the building. Many people will be working remotely, so there need to be a series of policies that define how you manage this data and this process of communication when people are outside of the building. Of course, this policy is not only something that applies to your employees, but it also applies to third parties that may be connecting to a VPN to gain access to resources that are on the inside of your network.
These policies usually have very specific technical requirements. For example, it may require that you’re using an encrypted connection, and it may specify the type of encryption that you have to use. It may specify the type of credentials that you need to supply when you log in, and it may dictate exactly how the network, the hardware, and the software should be used over this remote communication.
It’s also important that your organization have a set of policies and procedures for when a particular security incident occurs. For example, if someone receives an email with an attachment and clicks on that attachment and installs malware, there needs to be policies on how to handle that. But what if it’s something more broad, like a distributed denial of service attack?
There needs to be a set of policies for that type of security incident, as well. Sometimes confidential information is stolen or is made public, and sometimes the thieves of that information would like money to be able to keep that information secret, or it may be that someone on the inside has installed peer to peer software, and now someone who is external to your organization can easily gain access to your internal resources.
The security policies that are looking for these incidents should first start with how you would identify one of those incidents in your organization. For example, there should be an automated monitoring system that is constantly looking for these types of security issues. You want to be able to alarm if an issue is discovered and alert all of the appropriate people that need to react to that particular security incident. Each type of attack will obviously need a different type of response.
Your processes and procedures should already know how to handle different categories of attacks. An email issue, for example, may be handled very differently from a brute force attack. You should also have a set of policies that determines who gets contacted for these types of attacks. If it’s something relating to email, it may be a very small group of people that are contacted, but if this is a distributed denial of service attack, there may be a much larger group of people in your organization who need to respond. All of these procedures need to be created well before an incident occurs, everyone needs to understand what these processes and procedures are, and there needs to be training and exercises so that everyone knows exactly what to do when a security incident happens.
The use of our mobile devices is blending together these days between our personal life and our professional life, and an organization needs to have a set of policies and procedures on how to handle BYOD, which is bring your own device. You may also see this referred to as bring your own technology. With BYOD, the company doesn’t own the mobile device. Since the end user owns this device, there will certainly be personal email messages and personal pictures and other data on that device, but since it’s also used for business, there may be company information on this device, as well. That’s why it’s important to establish a policy early on about exactly how this data is managed.
For example, you may require that the user has a lock screen that locks this device and has a certain type of password to protect both their data and the company’s information. And of course, there needs to be a change process in place if this particular device is traded in, if it’s upgraded, or if it’s sold to someone else. All of your end users should be aware of these processes and know exactly what to do if any one of these situations occurs.
Can your end users send personal email messages from your corporate email account? What types of websites are appropriate for someone to visit when they’re using a corporate laptop? This type of information should be well documented in your AUP, or your acceptable use policies. The AUP doesn’t just cover a laptop or desktop computer, but it covers every type of device a user may have access to. This might be the telephones that you have in your organization, computers, laptops, mobile devices, tablets, and anything else that is touching the network.
Every organization has a different philosophy when it comes to what is acceptable on the network, which is why it’s important that all of this information is documented. If this ever comes up in a third party environment, like a court system, you’ll be able to document that this user knew that this particular thing that they were doing was inappropriate on this network. And if someone happens to be dismissed from the organization by violating these acceptable use policies, you have documentation that proves that the user knew exactly what they were doing was unacceptable to the organization.
In your technology career, at some point you may be asked to sign an NDA. This is a nondisclosure agreement. It’s a confidentiality agreement between two parties that says that you’re not going to tell anyone else about this confidential information. This may be an NDA that you’re signing with the company that you’re employed by to make sure that all of the information that you’re learning as an employee is not going to be provided to anyone outside the organization, or this might be an NDA that you sign with a third party that you’re working with. Perhaps you’re setting up a partnership with an external organization and you want to be sure that anything learned as part of that partnership is not made public to anyone else.
What happens to all of your technical assets when they reach the end of their usable life? There needs to be a set of policies and procedures that helps you understand how to manage the disposal of these assets. This may not only be technical procedures, but there may also be legal procedures, as well. Your type of business may have certain requirements on how data is stored, so you may find that certain devices may have to be stored for a certain amount of time before you would ever consider disposing of them. And on the technical side, you need to make sure that anything that is disposed or provided to a third party has all of its important confidential company information deleted from that device before it ever leaves your building.
This is why it’s common for many organizations to physically destroy these devices instead of having that data somehow find its way outside the building. You might have a shredder or a pulverizer that destroys the equipment. Some people will simply drill through storage devices or use a hammer to make sure that they can never be used again, and some types of storage media, like magnetic tapes, can have everything deleted by using a degausser. And of course, some components and documentation can be permanently destroyed through the use of incineration.
There should also be well-established safety procedures and policies at your organization. The server, the printers, and the other pieces of hardware that we’re using will use a lot of electricity, so we need to make sure that we have safety policies in place for all of this electrical equipment. We also need to think about the safety of our employees. If they’re working around manufacturing equipment, we may have a very specific jewelry policy. If they’re working with cables, there may be cable management policies, and of course, it’s important that everyone use proper lifting techniques and have fire safety procedures in place.
IT professionals also handle a lot of toxic waste. There’s acid inside of batteries, and printer toner can be dangerous if it’s not disposed of properly. All of the different components in your organization have a material safety data sheet, or what’s now called a safety data sheet. The SDS will tell you exactly how these components should be handled, how they should be disposed of, and it will provide first aid information if that’s required.
There are also undoubtedly local government regulations associated with safety procedures and policies in your organization, so make sure you understand what your local safety laws are, what building codes are required for your organization, and of course, all of the environmental regulations associated with the products and the equipment that you use.