There are many processes and procedures associated with a common security policy. In this video, you’ll learn about password policies, acceptable use policies, BYOD, DLP, and more.
One significant barrier that keeps the attackers out of our systems is the set of credentials we present when we log in. Our usernames and passwords are some of the most common security controls that we use to keep out the attackers. This means that if we're deciding on a password, we want to be sure that password is strong and is resistant to any type of brute force attack.
We need our passwords to be unpredictable. This means that they will have increased password entropy. Entropy is a measurement of unpredictability, and our passwords need to be very unpredictable so that we can be assured that a brute force attack would be as difficult as possible to gain access to our systems.
So this means we need to avoid obvious passwords, or single words that could easily be found in a dictionary. You don't want to use the name of a pet or a friend. Instead, you want a mixture of uppercase letters, lowercase letters, numbers, and special characters. You also gain very little by replacing letters with look-alike characters.
For example, replacing the letter O with a zero, or the letter T with a 7. These are very common tactics. They add almost no unpredictability, because the attackers already know that people use these substitutions, and their brute force and dictionary attacks take them into account.
Today, we generally think of a strong password as being at least eight characters, and longer is better. It would be common to create a password that's multiple words or a phrase in order to get this extended length and unpredictability. Another important technique is to prevent someone from reusing a password. Most systems will remember a user's password history, and if someone tries to reuse a password, the system will recognize the reuse and prompt them to choose a different password instead.
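As an added example, not code from the video, here is a small Python password checker that puts numbers on the points above: it computes the naive brute force entropy of a password (log2 of the alphabet size times the length), then estimates how much smaller the search really is when the password is a dictionary word disguised with look-alike substitutions and a trailing suffix, and it keeps a salted-hash password history so reuse can be rejected without storing old passwords in plaintext. The substitution table, the ten-word dictionary, the 40-bit acceptance threshold and the sample passwords are all constructed for illustration; real cracking wordlists and rule sets are far larger, so the "effective" figure is an optimistic estimate.

```python
import hashlib
import hmac
import math
import os
import re

# Look-alike substitutions that cracking wordlists already try.
# Constructed for this example; real rule sets are much larger.
LEET_MAP = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
            "7": "t", "@": "a", "$": "s", "!": "i"}

# Tiny stand-in for a cracking dictionary (constructed; real lists hold millions).
DICTIONARY = {"password", "letmein", "welcome", "summer", "fluffy",
              "correct", "horse", "battery", "staple", "dragon"}


def charset_size(pw):
    """Size of the alphabet a blind brute force must assume for this password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33          # printable ASCII punctuation and space
    return size


def brute_force_entropy_bits(pw):
    """Upper bound: log2(charset ** length), what a blind brute force has to search."""
    return len(pw) * math.log2(charset_size(pw))


def normalize_leet(text):
    """Undo look-alike substitutions (P@55w0rd -> password)."""
    return "".join(LEET_MAP.get(c, c) for c in text)


def dictionary_hit(pw):
    """True when the password is one dictionary word dressed up with
    look-alike substitutions and/or a trailing run of digits and symbols."""
    lowered = pw.lower()
    candidates = {
        normalize_leet(lowered),
        normalize_leet(re.sub(r"[^a-z]+$", "", lowered)),  # drop a "2019!" style suffix first
    }
    return any(c in DICTIONARY for c in candidates)


def effective_entropy_bits(pw):
    """Rough estimate of what an informed attacker actually searches.
    For a disguised dictionary word: pick the word, toggle each substitutable
    letter on or off, then guess the suffix one character at a time."""
    if not dictionary_hit(pw):
        return brute_force_entropy_bits(pw)
    lowered = pw.lower()
    suffix = re.search(r"[^a-z]*$", lowered).group()
    stem = lowered[:len(lowered) - len(suffix)]
    toggles = sum(1 for c in stem if c in LEET_MAP or c in LEET_MAP.values())
    return math.log2(len(DICTIONARY)) + toggles + len(suffix) * math.log2(43)


class PasswordHistory:
    """Remembers the last `depth` passwords as salted PBKDF2 hashes, never in
    plaintext, so a proposed password can be checked for reuse."""

    def __init__(self, depth=5):
        self.depth = depth
        self._entries = []   # list of (salt, digest)

    @staticmethod
    def _digest(pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)

    def is_reuse(self, pw):
        return any(hmac.compare_digest(self._digest(pw, salt), digest)
                   for salt, digest in self._entries)

    def record(self, pw):
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(pw, salt)))
        self._entries = self._entries[-self.depth:]   # keep only the newest `depth`


def evaluate_password(pw, history, min_len=8, min_effective_bits=40):
    """Return the list of policy violations; an empty list means the password is accepted.
    The 40-bit threshold is an assumed policy value for this example."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if dictionary_hit(pw):
        problems.append("a single dictionary word with look-alike substitutions")
    if effective_entropy_bits(pw) < min_effective_bits:
        problems.append(f"estimated search space below {min_effective_bits} bits")
    if history.is_reuse(pw):
        problems.append("matches a previously used password")
    return problems


if __name__ == "__main__":
    history = PasswordHistory()
    history.record("Autumn-leaves-fall-twice")   # constructed previous password
    for pw in ("P@55w0rd!", "Fluffy2019!", "Autumn-leaves-fall-twice",
               "correct horse battery staple"):
        print(f"{pw!r}: brute force {brute_force_entropy_bits(pw):.0f} bits, "
              f"effective {effective_entropy_bits(pw):.0f} bits, "
              f"problems: {evaluate_password(pw, history) or 'none'}")
```

Running it shows the gap the video is describing: `P@55w0rd!` looks like roughly 59 bits to a blind brute force but only about 13 bits once the attacker assumes a dictionary word with leet substitutions, while a four-word passphrase with no dictionary hit keeps its full length-based entropy. The history class stores only salt and digest, so rejecting reuse does not require keeping old passwords recoverable.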
Organizations also have to be sure that their end users are not misusing the technology that's been assigned to them. To avoid this, most organizations will create a formal document called an acceptable use policy, or AUP. This is something that is probably in your employee handbook, or it may be documented in a Rules of Behavior document. It covers a very large range of technologies, including our desktop and laptop computers, our telephones and mobile phones, and our connections to the internet.
Having a documented AUP avoids any confusion about what is acceptable and unacceptable when using these technologies on the network. This is especially useful to the organization if it has to dismiss someone for misusing these technologies, because the prohibited behavior was clearly documented in the acceptable use policy beforehand.
Before everyone had their own mobile phone that they took with them everywhere, organizations would purchase phones for their employees. Now that we all have a phone that we carry with us 24 hours a day, most organizations will use BYOD, or Bring Your Own Device. You may see this also referenced as Bring Your Own Technology.
This means that, as long as the employee's phone meets the company's requirements, they can use their own device for work purposes. Instead of carrying two separate phones everywhere you go, you can simply carry the phone you would normally use.
This does create some obvious security challenges, of course. We now have a personal device that has company data on it, and we want to be sure that both the personal information and the company information are secure. Not only do we have to keep this information separated on the mobile device, we also have to control what happens to the company data if the device is traded in or exchanged for a different device. Many organizations have formal policies on this, and may use a Mobile Device Manager, or MDM, to enforce them.
As we found in recent years, more people have been working away from our offices than inside of our buildings. When users are in the building, we know exactly where that data is, and we can manage exactly where the data is going. But when someone leaves the building, we have a security concern about who may have access to that data as it’s traversing the network.
Most organizations will create a remote access policy that documents exactly what security methods should be in place when you’re accessing the network from outside the building. Not only do these remote access policies commonly apply to your employees, but they can also apply to your third party vendors and partners as well.
These policies can be very detailed. They can specify exactly the type of encryption that should be used over the connection, the type of credentials that should be in place, how the network should be used, and what hardware and software is required to have this remote connection.
When a new person starts with the organization, or they’re transferred from one area to another, they go through a process called on-boarding. This ensures that the user will have the proper resources and security in place to be able to do their job.
This is where the user signs agreements from IT, such as the employee handbook or the acceptable use policy. All of their accounts are created with the proper permissions and rights to access the files and documents they need, and the process for providing the user with a laptop, mobile device, or tablet is started. This is usually a well-documented and well-established process, because you want to be sure that new hires get exactly the resources they need to do their jobs.
Of course, we also need policies and procedures when someone leaves the organization. This is called off-boarding. With off-boarding, there's a set of documented processes and procedures, so you know exactly what to do when someone leaves. For example, there needs to be a process for the user to turn in their laptops or mobile devices. We need to know what happens to the data on those devices and make sure it remains secure. And we not only need to make sure that the user's accounts are deactivated, we also want to be sure that the organization still has access to their data.
Just as the on-boarding process is well-documented and detailed, the off-boarding process should be just as well-documented and detailed, so that when someone leaves the organization, everyone knows where their hardware and data are and what the status of their accounts is.
You often see reports in the news where someone has transferred files that contain sensitive information outside of the organization, and now that information is in the hands of a third party. A data loss prevention solution, or DLP, is designed to stop exactly this kind of transfer.
DLP is designed to look for sensitive data and block it before it’s transferred across the network. So it can look for Social Security numbers, credit card numbers, medical records, and anything else that might be sensitive data. Most DLP solutions will allow you to set policies that will allow sensitive data if it’s properly protected. So you may be able to send sensitive data if it’s being encrypted across the network, but block that data if it’s being sent in the clear.
Many implementations of DLP involve more than one type of technology. You might have a DLP agent on a server or endpoint that's watching all of the files, and a separate DLP implementation on your firewall that's examining all of the data going in and out of your network. By having DLP in these key locations, you improve your chances of catching the sensitive data before it gets into the hands of a third party.
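To show what the detection and policy steps from the last two paragraphs look like in code, here is an added Python example (not from the video or any DLP product). It scans message bodies for Social Security numbers and payment card numbers, uses the Luhn checksum to avoid flagging every 16-digit order number, and applies the policy described above: sensitive data is allowed through only if the channel is encrypted, and blocked if it would go out in the clear. The message format, the `encrypted` flag and all identifiers in the sample traffic are constructed for illustration.

```python
import re

# 3-2-4 SSN shape, excluding area numbers that are never issued (000, 666, 900-999)
# and all-zero groups. Constructed rule for this example.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum; rejects most random digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (kind, match) pairs for every SSN and Luhn-valid card number in text."""
    findings = [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card", m.group()))
    return findings


def dlp_decision(message):
    """Policy from the text: sensitive data may leave only over an encrypted channel.
    `message` is a dict with a 'body' and a boolean 'encrypted' (assumed shape)."""
    findings = find_sensitive(message["body"])
    if not findings:
        return "allow", findings
    if message.get("encrypted"):
        return "allow", findings     # protected in transit; a real product would log this
    return "block", findings


# Constructed sample traffic; none of these identifiers are real.
MESSAGES = [
    {"id": 1, "channel": "smtp", "encrypted": False,
     "body": "Hi, the patient's SSN is 123-45-6789, please update the chart."},
    {"id": 2, "channel": "smtps", "encrypted": True,
     "body": "Hi, the patient's SSN is 123-45-6789, please update the chart."},
    {"id": 3, "channel": "http", "encrypted": False,
     "body": "Card on file: 4111 1111 1111 1111 exp 12/27"},
    {"id": 4, "channel": "http", "encrypted": False,
     "body": "Order 4111 1111 1111 1112 shipped; call 555-123-4567 with questions."},
]


def scan_all(messages=MESSAGES):
    """Map each message id to the DLP action taken."""
    return {m["id"]: dlp_decision(m)[0] for m in messages}


if __name__ == "__main__":
    for m in MESSAGES:
        action, findings = dlp_decision(m)
        print(f"msg {m['id']} over {m['channel']}: {action} {findings}")
```

Messages 1 and 2 carry the same SSN, but only the plaintext SMTP copy is blocked. Message 4 contains a 16-digit number that fails the Luhn check and a phone number that does not fit the SSN shape, so it passes; that kind of filtering is what keeps a network DLP sensor from drowning in false positives.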
Of course, every organization should have a document that details all of the processes and procedures associated with IT security. This is the security policy for the organization, and it includes everything we’ve talked about in this video, and so much more. If you want to know about the on-boarding process, or the policy for remote access, it will be contained within this security policy.
And as you can imagine, this is not a document that is created once and then simply referenced as time goes on. Security requirements change constantly, and any change to your IT security practices should be reflected in an updated security policy document.