Security Policies

Personnel management

Mandatory vacations

• This is where the company make is mandatory for employees to make a vacation.

• This method is used to help an organization to identify any fraud within the environment.

Job rotation

• This method ensure employees keep moving between different responsibilities within the organization.

• Ensures one person does not have or maintains control of a system for a long period of time. 

 Separation of duties

• Organizations implement separation of duties to ensure no one person has all the information of details about a system.

• An employee may be given some details but not all details for a system.

• This leads to Dual Control which ensure 2 persons uses their combination of knowledge to person a critical business function or task. 

Clean desk

• This policy ensures when an employee leaves their desk or workstation for the day, the desk does not have anything left behind.

• This policy limits the exposure of any confidential documents or other pieces of sensitive information laying around.

Background checks

• Many organizations will person a background check to determine the claims of an applicant or any criminal records.

• Background checks are usually a pre-screening phase before an organization hires a potential candidate for the job.

Adverse actions

• This is an action that simply denies or prevent someone from gaining employment based on the background check person by the organization.

Non-disclosure Agreement (NDA)

• Organization may need to prevent employees or contractors from disclosing sensitive information to others.

• An NDA is a legal document which is used to prevent the disclosure of any confidential information.

Onboarding

• The onboarding process is usually done when an organization hires a new employee.

• During this phase, the employee is trained in the business process, tasks and security policies of the organization.

Continuing education

• During the term of employment, companies will offer continuous training to their employees to improve process and security awareness. 

• Training done during the start of a person's employment within a business is not enough to help prevent cyber-attacks.

• Continual training ensures all employees are up-to-date with the latest user-awareness training. 

Acceptable use policy/rules of behavior

• An Acceptable Use Policy (AUP) defines what an employee can and cannot do on the company's systems.

• This is a clearly written document which fines the rules of behavior while the person is employed under the organization.

Exit interviews

• This the done when an employee is leaving an organization.

• This formal process usually includes asking the employee why they are leaving, what they like and dislike about the company, and so on.

Role-based awareness training

• This type of training is provided to a person who has a specific job role.

• This type of training is usually provided to the user before the person is granted access to the resources or data.

General security policies

• Contains the guidelines for ensuring the security of an organization.

• Resources:

  • https://csrc.nist.gov/glossary/term/security_policy

  • https://csrc.nist.gov/glossary/term/information_security_policy

  • https://www.nist.gov/cyberframework

Social media networks/applications

• Companies usually create a policy that defines which type of information can be shared on any social media platform.

• The policy many also outline the code of conduct, the person responsible for making online posts and the expectations.

• This type of policy is important to many organizations are confidential information should not be leaked outside the company.

• Typically, there is a designated person who is responsible for public relations and making comments on the Internet. 

Personal email

• Within many industries, persons are using their corporate email for personal use.

• Personal email policies defines the purpose and the corporate email should use by the employee.

• Such policies are used for compliance and regulatory purposes to prevent data leakage in an organization.

General Concepts

Least privilege

• A user account that is configured with the minimum requirements needed for a user to perform their job.

Onboarding

• Onboarding is hiring a new person to the company or transferring a person.

• Ensuring the new user reads, understands and signs the Acceptable Usage Policy (AUP).

• The IT team is responsible for creating a user account and assigning the necessary privileges to the user to perform their job.

Offboarding

• This is the process when a person is leaving the company.

• The process should ensure any user account is disabled rather than deleted.

• The user is required to return any hardware such as computer equipment to the company.

Permission auditing and review

• This process ensure each user and groups within the organization is assigned the correct permissions.

• This is a continuous process that is done routinely.

Usage auditing and review

• This process help identify how resources are being used.

Time-of-day restrictions

• Provides limits to when a user is able to access a resource on the system or network.

Standard naming convention

• Within organization, there may be a policy for naming user accounts. 

• The policy should define usernames should not conflict with others, usernames should not be used to identify a job role, the username should always be consistent throughout the organization for the duration of the user employment. 

Account maintenance

• The account maintenance usually begins with creating the user account. 

• During a user employment period, permissions may be adjusted and password changed frequently. 

• When the user leaves the organization, the account is de-provision by disabling it.

Group-based access control

• A user group contains multiple user accounts.

• Permissions assigned to a group will be inherited by all the user accounts that belongs to the group.

Location-based policies

• This type of policy uses a the location of a user such as their GPS location or their source IP address.

• An example is restricting traffic on the firewall that is originating from a certain country.

Account policy enforcement

Credential management

• Your user account is used to access the resources you need on a system or network.

• Ensuring your user credentials such as username and password should always be kept safe and secure.

• Whenever you are logging-in to an online web application ensure the connection is encrypted.

• Disablement

• Lockout

• Password history

• Password reuse

• Password length

Group policy

• Within Windows desktop and Windows Server, the Group Policy Management allows an administrator to assign policies to users and groups on the system and network. This is a feature as part of Active Directory (AD) on Windows Server. 

Password complexity

• Defines the requirement a password must met such as the use of numbers, uppercase and lowercase letters, special characters and symbols.

• The policy can be used to prevent a user from re-using older passwords again on the same system.

• The policy can also define the minimum length of a password. 

Expiration

• Passwords should be configured to automatically expire with every 30 or 60 days.

Recovery

• This is a process which allows a user to recover their password or gain access to their user account.