Security Planning (Susan Lincke): Organizing Personnel Security
Security Planning: An Applied Approach | 04/19/23 | 2
Objectives
The students should be able to:
Define and describe security awareness, security training, security education.
Apply segregation of duties to information technology with regard to a business.
Plan allocation of security responsibility, documentation and training.
Describe good practices for hiring and terminating an employee.
Security Issues with Personnel
Personnel are the weak link: social engineering (phishing, pharming, etc.).
Issues to look at include:
Background checks
Skills management
Signed documents
Segregation of duties
Job descriptions
Need-to-know
Contracts
Policies/procedures
Configuration management
Security awareness & training
Job skill training
Fraud reporting
Return of equipment
Disabling of accounts
PERSONNEL-FRAUD ISSUES
Segregation of Duties
Documentation:
Configuration management
Change control
Training
Workbook: Personnel Security
Personnel Threats
Threat | Role | Liability or cost if threat occurs
Divulging private info | Employee | FERPA violation = loss of federal funds
Skim payment cards | Salesperson | PCI DSS and state breach-law violation
Grant abuse | Employee with grant | Loss of funds from US granting agencies
Abuse of student | Employee, student, visitor | Bad press, loss of reputation; may incite lawsuit
Fraud Control Types by Time of Fraud
Before fraud: Preventive Controls (BEST). Preventing fraud includes:
Segregation of duties
Security roles
Ethical culture
Internal controls: physical & data security, need-to-know
Signed documents
Fraud and security awareness training
Employee support programs
Background checks
At the time of fraud: Detective Controls. Finding fraud when it occurs includes:
Anonymous hotline
Surprise audits
Monitoring activities
Logged transactions
Employee badges
Complaint or fraud investigation
Mandatory vacations
Job rotation
After fraud: Corrective Controls:
Punishment
Amend controls
Fidelity insurance
Employee bonding
Security Roles
Chief Information Security Officer
Data Owner, Process Owner: Allocates permissions, defines safe processes.
Information Security Steering Committee: Management with knowledge of business and/or security functions defines security.
Incident Response Management/Team: Decides or performs functions related to incident response.
Security Analyst, Security Administrator: Security staff who design or implement security functions.
Segregation of Duties
The four stages of a transaction, each handled by a different person:
Origination
Authorization: approves
Verification: double-checks
Distribution: acts on
Organizational Segregation of Duties
Roles: Development; System/Network Admin (production); Business; Audit; Security/Compliance; Quality Control.
Relationships shown in the diagram:
Development delivers S/W to System/Network Admin (production).
System/Network Admin serves the Business.
Quality Control tests or ensures quality of S/W or production.
Security/Compliance advises & monitors for security.
Audit ensures procedures are professionally done.
IT Segregation of Duties
Development environment: Application programmer; Systems programmer
Production environment: Computer operator; System administrator; Network administrator; Help desk
Test environment: Quality assurance
Security control group: Security administrator
Requirements/Design: Systems analyst; Database administrator
User: End user; Data entry
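Added example (not from the slides): a small Python check that encodes the environment grouping above and flags any person who holds roles in two environments that must be kept apart. Which environment pairs conflict is an assumed policy written for this illustration, and the sample assignments are constructed; a real organization would take both from its own SoD matrix.

```python
"""Segregation-of-duties check over IT role assignments.

Added example, not taken from the slides. The environments follow the
"IT Segregation of Duties" grouping (Development, Production, Test, Security
control, Requirements/Design, User). Which environments conflict is an
ASSUMED policy written for this illustration; the sample assignments are
constructed.
"""
from itertools import combinations

# Role -> environment, as grouped on the slide.
ROLE_ENVIRONMENT = {
    "application_programmer": "development",
    "systems_programmer": "development",
    "computer_operator": "production",
    "system_administrator": "production",
    "network_administrator": "production",
    "help_desk": "production",
    "quality_assurance": "test",
    "security_administrator": "security_control",
    "systems_analyst": "requirements_design",
    "database_administrator": "requirements_design",
    "end_user": "user",
    "data_entry": "user",
}

# ASSUMED policy: unordered pairs of environments one person must not span.
CONFLICTING_ENVIRONMENTS = {
    frozenset({"development", "production"}),        # writes code and deploys it
    frozenset({"development", "test"}),              # tests own code
    frozenset({"production", "test"}),               # accepts own deployment
    frozenset({"development", "security_control"}),  # grants self access
    frozenset({"production", "security_control"}),
    frozenset({"development", "user"}),              # codes and enters own data
}


def conflicts(role_a, role_b):
    """True if one person must not hold both roles under the assumed policy."""
    try:
        envs = frozenset({ROLE_ENVIRONMENT[role_a], ROLE_ENVIRONMENT[role_b]})
    except KeyError as missing:
        raise ValueError(f"unknown role {missing}") from None
    return len(envs) == 2 and envs in CONFLICTING_ENVIRONMENTS


def sod_violations(assignments):
    """Return [(person, role_a, role_b), ...] for every conflicting pair held by one person."""
    found = []
    for person, roles in assignments.items():
        for role_a, role_b in combinations(sorted(roles), 2):
            if conflicts(role_a, role_b):
                found.append((person, role_a, role_b))
    return found


def can_grant(assignments, person, new_role):
    """Preventive check before the data owner grants a role: roles it would clash with."""
    return [r for r in sorted(assignments.get(person, ())) if conflicts(r, new_role)]


# Constructed sample assignments (not from the slides).
SAMPLE_ASSIGNMENTS = {
    "alice": {"application_programmer", "system_administrator"},  # dev + prod
    "bob": {"systems_analyst", "database_administrator"},         # same environment
    "carol": {"quality_assurance", "help_desk"},                  # test + prod
    "dave": {"end_user"},
}

if __name__ == "__main__":
    for v in sod_violations(SAMPLE_ASSIGNMENTS):
        print("violation:", *v)
    print("granting quality_assurance to alice would clash with:",
          can_grant(SAMPLE_ASSIGNMENTS, "alice", "quality_assurance"))
```

The conflict table is deliberately a set of environment pairs rather than role pairs: when a new role is added it only needs to be mapped to an environment, and can_grant() gives the data owner a preventive check at the moment a permission is allocated, which is where least privilege and SoD are supposed to be enforced.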
Segregation of Duties Controls
Transaction authorization
Asset inventory & custody
Data owner's responsibility is specific and documented: allocates authorization according to least privilege and segregation of duties.
Security administrator implements physical, system & application security:
Authorization forms
User authorization tables: who can view/update/delete data at the transaction or field level
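Added example (not from the slides) tying the four transaction stages of the Segregation of Duties slide to the "logged transactions" detective control: Python that reads an application transaction log and reports transactions where one person performed two stages, or where something was distributed without authorization and verification. The CSV log format and the sample rows are constructed for this example.

```python
"""Detective control: find segregation-of-duties breaches in application
transaction logs.

Added example, not from the slides. Each transaction is expected to pass
through the four stages on the "Segregation of Duties" slide (origination,
authorization, verification, distribution), each performed by a different
person. The log format and the sample log are constructed for this example.
"""
import csv
import io
from collections import defaultdict

REQUIRED_STEPS = ("originate", "authorize", "verify", "distribute")

# Constructed sample application transaction log (CSV).
SAMPLE_LOG = """\
timestamp,txn_id,step,actor
2023-04-19T09:00:01,T100,originate,alice
2023-04-19T09:05:10,T100,authorize,bob
2023-04-19T09:06:00,T100,verify,carol
2023-04-19T09:10:00,T100,distribute,dave
2023-04-19T10:00:00,T101,originate,erin
2023-04-19T10:01:00,T101,authorize,erin
2023-04-19T10:02:00,T101,distribute,erin
2023-04-19T11:00:00,T102,originate,frank
2023-04-19T11:03:00,T102,distribute,gina
"""


def parse_log(text):
    """Group log rows by transaction id, in timestamp order."""
    by_txn = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        by_txn[row["txn_id"]].append(row)
    for events in by_txn.values():
        events.sort(key=lambda e: e["timestamp"])
    return dict(by_txn)


def audit_transactions(by_txn):
    """Return {txn_id: [finding, ...]} for transactions that breach SoD or skip stages."""
    findings = {}
    for txn_id, events in by_txn.items():
        notes = []
        first_actor = {}  # step -> actor who first performed it
        for e in events:
            first_actor.setdefault(e["step"], e["actor"])
        # One person in two stages of the same transaction.
        stage_of = {}
        for step in REQUIRED_STEPS:
            actor = first_actor.get(step)
            if actor is None:
                continue
            if actor in stage_of:
                notes.append(f"{actor} performed both {stage_of[actor]} and {step}")
            else:
                stage_of[actor] = step
        # Distribution without the upstream approval and double-check.
        missing = [s for s in REQUIRED_STEPS[:-1] if s not in first_actor]
        if "distribute" in first_actor and missing:
            notes.append("distributed without " + ", ".join(missing))
        if notes:
            findings[txn_id] = notes
    return findings


def audit_log_text(text):
    return audit_transactions(parse_log(text))


if __name__ == "__main__":
    for txn, notes in audit_log_text(SAMPLE_LOG).items():
        for n in notes:
            print(f"{txn}: {n}")
```

This is why the log has to carry the actor and the stage for every application transaction: session, firewall or operating-system logs record that someone was connected, not who approved what, so they cannot show that erin authorized her own transaction or that T102 was paid out with nobody checking it.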
Tools to Control Documents: Configuration Management
Central repository = electronic library / document management system.
Retains important documents:
Software development teams: requirements, design, test documents, and program code
Project, audit and security plans
Maintains history: holds a snapshot of each version of each document; any version can be retrieved at any time.
Permits users to:
check out a document;
edit, review or approve the document; and
check it in with an increased version number. The reason for the revision and the author are recorded and later available as version history.
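Added example (not from the slides or any real document-management product): a minimal Python repository implementing the mechanics just described, namely checkout that locks a document against a second editor, check-in that requires a reason and records the author, and retrieval of any earlier version. Class and method names are chosen for this illustration; the sample document is constructed.

```python
"""A minimal configuration-management repository for documents: version
history, checkout/check-in, author and reason recorded on every revision.

Added example, not from the slides or any real product. Class and method
names are chosen for this illustration; the sample document is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Version:
    number: int
    author: str
    reason: str
    content: str
    timestamp: str


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class DocumentRepository:
    def __init__(self):
        self._versions = {}     # name -> [Version, ...], oldest first
        self._checked_out = {}  # name -> user holding the checkout

    def add(self, name, author, content, reason="initial version"):
        if name in self._versions:
            raise ValueError(f"{name!r} exists; use checkout/checkin to revise it")
        self._versions[name] = [Version(1, author, reason, content, _now())]

    def checkout(self, name, user):
        """Lock the document for editing; a second user is refused until check-in."""
        holder = self._checked_out.get(name)
        if holder is not None and holder != user:
            raise PermissionError(f"{name!r} is checked out by {holder}")
        self._checked_out[name] = user
        return self._versions[name][-1].content

    def checkin(self, name, user, content, reason):
        """Record a new version; only the user holding the checkout may do so."""
        if self._checked_out.get(name) != user:
            raise PermissionError(f"{user} does not hold the checkout on {name!r}")
        if not reason.strip():
            raise ValueError("a reason for the revision is required")
        number = self._versions[name][-1].number + 1
        self._versions[name].append(Version(number, user, reason, content, _now()))
        del self._checked_out[name]
        return number

    def get(self, name, number=None):
        """Retrieve the latest version, or any earlier one by number."""
        versions = self._versions[name]
        if number is None:
            return versions[-1]
        if not 1 <= number <= len(versions):
            raise KeyError(f"{name!r} has no version {number}")
        return versions[number - 1]  # version numbers are dense and start at 1

    def history(self, name):
        return [(v.number, v.author, v.reason) for v in self._versions[name]]


def demo():
    """Constructed walk-through: two revisions of a security plan."""
    repo = DocumentRepository()
    repo.add("security-plan.txt", "alice", "v1: scope and roles", "initial draft")
    repo.checkout("security-plan.txt", "bob")
    repo.checkin("security-plan.txt", "bob", "v2: added SoD matrix", "audit finding A-3")
    return repo


if __name__ == "__main__":
    for entry in demo().history("security-plan.txt"):
        print(entry)
```

Versions are immutable once stored, so the history cannot be rewritten after the fact; that property, plus the mandatory reason on check-in, is what makes the repository usable as evidence for an auditor rather than just a file share.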
Tools to Control Documents: Change Management
Change management helps to create the different configuration management versions.
Maintains the state of a change proposal:
1. Starts with a change request, which may be
2. analyzed and approved by management for implementation. The change is then
3. implemented (e.g., programmed or acted upon) and then
4. tested and approved, when the change is ready for deployment.
Documentation for each of these stages is maintained in a change management or configuration management repository.
Emails may notify stakeholders of changes of status.
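Added example (not from the slides): the four-stage change workflow above as a Python state machine that refuses out-of-order transitions, requires a documentation reference for every stage, and keeps the status history that stakeholder notifications are sent from. The segregation rules (the requester may not approve, the implementer may not test) and the notification hook are assumed for this illustration; the sample change is constructed.

```python
"""Change-management workflow as a state machine with an audit trail.

Added example, not from the slides. States follow the four stages on the
slide (requested -> approved -> implemented -> tested -> deployed). The
segregation rules (requester may not approve, implementer may not test) and
the notification hook are ASSUMED for this illustration.
"""
from datetime import datetime, timezone

TRANSITIONS = {
    "requested":   {"approved", "rejected"},
    "approved":    {"implemented"},
    "implemented": {"tested"},
    "tested":      {"deployed", "implemented"},  # failed test goes back for rework
    "rejected":    set(),
    "deployed":    set(),
}
# ASSUMED SoD: actor entering the key may not be the last actor of the value.
SOD_RULES = {"approved": "requested", "tested": "implemented"}


class ChangeRequest:
    def __init__(self, change_id, title, requester, notify=None):
        self.change_id = change_id
        self.title = title
        self.state = "requested"
        self.history = []  # one record per transition, oldest first
        self._notify = notify or (lambda message: None)
        self._record("requested", requester, "change request opened")

    def _record(self, state, actor, evidence):
        self.history.append({
            "state": state, "actor": actor, "evidence": evidence,
            "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })
        self._notify(f"{self.change_id} -> {state} by {actor}")

    def last_actor(self, state):
        for rec in reversed(self.history):
            if rec["state"] == state:
                return rec["actor"]
        return None

    def advance(self, new_state, actor, evidence):
        """Move to new_state, enforcing allowed transitions, SoD and documentation."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.change_id}: cannot go from {self.state} to {new_state}")
        if not evidence.strip():
            raise ValueError(f"{self.change_id}: documentation reference required for {new_state}")
        prior = SOD_RULES.get(new_state)
        if prior is not None and actor == self.last_actor(prior):
            raise PermissionError(
                f"{self.change_id}: {actor} performed '{prior}' and may not perform '{new_state}'")
        self.state = new_state
        self._record(new_state, actor, evidence)


def demo():
    """Constructed walk-through of one change through all four stages."""
    notifications = []
    cr = ChangeRequest("CR-42", "Rotate TLS certificates", requester="alice",
                       notify=notifications.append)
    cr.advance("approved", "bob", "steering committee minutes, item 3")
    cr.advance("implemented", "carol", "implementation notes attached to CR-42")
    cr.advance("tested", "dave", "QA test report for CR-42")
    cr.advance("deployed", "carol", "deployment log for CR-42")
    return cr, notifications


if __name__ == "__main__":
    change, sent = demo()
    print(change.state)
    for line in sent:
        print(line)
```

Keeping the allowed transitions in a table rather than in if-statements makes the workflow itself reviewable: an auditor can read TRANSITIONS and SOD_RULES and confirm that no path reaches "deployed" without passing "tested", and that testing cannot be signed off by the implementer.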
Security Awareness & Training
Training covers what is expected of employees:
Why is the policy in place?
How is the policy enforced?
Training may be implemented as:
New employee orientation
Company newsletters
Determine effectiveness by interviewing employees.
Types of Security Training
Awareness: create a security-conscious workforce
Audience: employees, partners & vendors
Methods: newsletters, surveys, quizzes, video training, forums, posters
Training: necessary skills for a particular position
Audience: HR, legal, middle or top management, IT, programmers
Methods: workshops, conferences
Education: high-level skills
Audience: highly skilled professions: audit, security administration/management, risk management, ...
Methods: organized and gradual development: teaching & coaching
Awareness Training
A combination of parallel approaches: signed employment agreements, video, memos, emails, posters, seminars and training classes.
Knowledge areas:
Backing up work-related files
Choosing passwords and avoiding exposure
Avoiding email and web viruses
Recognizing social engineers
Recognizing & reporting security incidents
Securing electronic & paper media against theft & exposure
Spotting malware that could lead to identity theft & desktop spying
Metrics should be established to determine effectiveness: change in behavior and workforce attitude.
Security Certificates & Continuing Education
Continuing education hours (CPE/CEU) required to maintain security certifications:
Certification(s) | Minimum per year | Minimum per 3-year cycle
CISSP, CISA, CISM, CRISC, CEH | 20 | 120
SSCP, CAP, HCISPP | 10 | 60
Security+ | - | 50
Other CompTIA certificates | - | 20-75
Other Personnel Preventive Controls
Training and written policies and procedures
Ethical Culture: Management must live, mentor and insist on ethical behavior.
Employee Support Programs: Addresses personal/financial problems before they are unmanageable.
Background checks: For handlers of PII.
Need to Know/Least Privilege
Detective & Corrective Controls
Detective/deterrence controls:
Fraud reporting or hotline
Logged transactions
Internal audit department and surprise audits
Mandatory vacations or job rotation
Corrective controls:
Employee bonding: insurance that protects against losses due to employee theft, mistakes and neglect.
Fidelity insurance: insurance against fraud or employee misdeeds; useful for rare but expensive risks.
Workbook: Personnel Security
Personnel Controls
Threat | Role | Control
Divulging private info | Employee | FERPA training: annual quiz review, new employee training
Grant abuse | Employee with grant | Financial controls: employee, administrator and financial office check
Workbook: Personnel Security
Responsibility of Security to Roles
Role | Responsibility
Registrar | Establish FERPA training. Data owner: student scholastic and financial information. Oversee FERPA adherence in Registration dept.
Admin. | Attend FERPA training. Retain locked cabinets with student info.
Security Admin | Monitor logs, enable/disable permissions, rebuild computers after malware infection, collect security metrics for incident response, ...
Workbook: Personnel Security
Requirements: Training, Documentation
Role | Requirements: Training, Documentation
Registrar | FERPA experience in hiring. Training every 3-5 years at a national conference or workshop.
Employee handling student data | University FERPA documentation, FERPA web page, annual quizzes, sign acceptable use policy.
PERSONNEL ISSUES
Hiring
Contracts
Termination
Personnel Issues
Background checks can reduce fraud:
More secure position = more checking required
A standard or procedure is useful
Training & signed contracts
Track and document theft:
Minor incidents could add up to a major pattern problem
Email can be monitored for potential problem employees:
Assuming policy is in place and employees are aware
Employee Hiring
Document security responsibilities
Screen candidates for sensitive positions
Have signed agreements regarding:
Job responsibilities, conditions of employment
Security responsibilities (incl. copyright)
Confidentiality agreement
Indicate corrective actions taken if security requirements are not followed
New Employee Orientation
New employee signs a Privacy Policy document, confirming that they:
Have read and agreed to follow security policies
Will conform to laws and regulations
Promise not to divulge logon IDs and passwords
Will create quality passwords
Will lock their terminal when not present
Will report suspected violations of security
Will maintain good physical security (locked doors, private keys)
Will use IT resources only for authorized business purposes
Signed Agreements
Code of Conduct: Describes general ethical behavior requirements.
Acceptable Use Policy: Addresses which company data is accessed, and how.
Privacy Policy: Defines behavior regarding confidential info: password policies, physical security, locked terminals, and reporting security issues.
Service Level Agreement: Contract between a customer and a provider.
Third Party Agreements
Define information security policy
Define procedures to implement policy
Deploy controls to protect against malicious software
Publish restrictions on copying/distributing information
Implement procedures to determine whether assets were compromised
Ensure return or destruction of data at end of job
Service Level Agreement (SLA)
A Service Level Agreement (SLA) is a contract to outsource IT or other sensitive services, which can include networking, business continuity, security or information security.
An SLA ensures levels of quality for performance, security and legal compliance by defining:
Introduction and Scope of Work
Security
Performance, Tracking and Reporting
Termination of Contract
Problem Management
Schedules and General Compensation
Signatures
Customer Duties and Responsibilities
Warranties and Remedies
Intellectual Property Rights and Confidential Information
Legal Compliance and Resolution of Disputes
Employee Termination
Employees about to leave or who have left the organization cause 70% of internal information theft.
Unless a continued relationship is expected:
Disable all corporate accounts and access permissions
Return equipment
Revoke access
Return all access keys, ID cards and badges
Notify all staff and security personnel
Arrange final pay
Perform termination interview
Responsibility of Security to Roles
Role | Responsibility
Chief Info Security Officer: John Doe | Lead Info Sec Steering Committee and incident response teams. Lead efforts to develop security policy and security workbook. Manage security projects, budgets, staff. Lead security training for required staff on FERPA, PCI DSS, HIPAA. Maintain security program: metrics, risk, testing, and policy revisions.
Personnel: Alice Strong | Participate in Information Security Steering Committee. Track and document theft (to determine patterns). Prepare/manage third-party contracts, establishing expectations relative to security. At hiring: perform background check for persons handling confidential info, major assets or interfacing with students; write job descriptions considering segregation of duties and security responsibilities.
Any Employee | Signs Acceptable Use Policy; takes security awareness training, including compliance and policy training. At termination: revoke computer authorization, return badges/keys and equipment, notify appropriate staff.
Question
Which of the following duties can be performed by one person in a well-controlled IS environment?
1. Software Developer and System Administration
2. Database administration and Data Entry
3. System Administrator and Quality Assurance
4. Quality Assurance and Software Developer
Question
Which is MOST important for a successful security awareness program?
1. Technical training for security administrators
2. Aligning the training to organization requirements
3. Training management for security awareness
4. Using metrics to ensure that training is effective
Question
To detect fraud, the BEST type of audit trail to log would be:
1. User session logs
2. Firewall incidents
3. Operating system incidents
4. Application transactions
Summary of Personnel Controls
Personnel Hiring:
Vetting new employees
Signed documents
Job descriptions
Training
Controlled departures
Daily Support & Controls:
Security documentation: policies & procedures
Configuration management and change management
Segregation of duties
Hotline
Other fraud controls
Contracts and service level agreements
HEALTH FIRST CASE STUDY
Designing Personnel Security
Jamie Ramon, MD: Doctor
Chris Ramon, RD: Dietician
Terry: Licensed Practical Nurse
Pat: Software Consultant
Workbook: Personnel Security
Step 1: Define Personnel Threats
Threat | Role | Liability or cost if threat occurs
Malpractice | |
HIPAA violation | |
Medicare fraud | |
Fraud against company | |
Workbook: Personnel Security
Step 2: Define Personnel Controls
Threat | Role | Control
Consider for each: Training? Need to know? Documentation?
Allocate Responsibility of Security to Roles
Look through the other chapters. What requirements do you have for:
Risk? Physical security? Business continuity? Metrics?
Information security? Governing? Network security? Incident response?
Someone has to do the tasks allocated in these chapters. Who will be responsible for each?
How is this documented? How will they be trained?
Step 3: Allocate Responsibility of Security to Roles
Role | Responsibility
Nurse |
Partner |
Security Admin |