An organization starts with a security plan, and then policies are created to help execute and enforce the security objectives. Join Lisa Bock as she explores creating the security plan, the key players involved, data classification systems, and the control families that are used when enforcing policies.
- [Voiceover] In order to take steps to reduce the risk to information assets, an organization starts with a security plan, and then policies are created to help execute and enforce the organization's security objectives. If an organization does not have a well-defined security plan, steps should be taken to create one. A guideline for developing a security plan can be found at NIST. This website shows Special Publication 800-18, a guide for developing security plans for federal information systems.
Now, you might not be a federal information system, but you could modify this to meet your own needs. Creating the plan is a multidisciplinary approach, as it is in everyone's best interest to improve the protection of information systems and their resources. It is an overview of what security controls are required and a cost-effective plan for meeting the requirements that protect the confidentiality, integrity and availability of the information systems.
The plan should outline responsibilities and appropriate behavior for anyone who interacts with the system, and should be reassessed on a regular basis, at least every three years. Key players include the chief information officer, who oversees all activity related to an organization-wide security program, and the information system owner, who is responsible for the life cycle of the information system and is a key contributor in outlining design specifications, testing and implementation of the system.
The information owner ensures that the information is classified appropriately and assigns the appropriate level of protection. And the senior agency information security officer. This is essentially where the plan is passed on to become the policies, procedures, controls and guidelines for expected behavior. When creating security policies, rules of proper conduct define how the system is to be used, by whom, and what is expected of the users.
Appropriate limits on interconnections, along with clear system boundaries, are defined. And most importantly, the consequences of any violations of the policies should be listed and enforceable. The following policies are generally covered but could be expanded if required by regulations: remote access, internet use, copyrighted works, passwords and backup. All data is not treated equally. Data should be classified, whereby the level of sensitivity is assessed as to what effect a breach would have on the organization.
The security team identifies individuals and their level of access to information according to the principle of least privilege. A formal data ownership and classification system could be devised internally or by following a template. An example of a classification system is the one used in government and the military, where disruption to a security objective is classified according to the damage that might occur. With top secret, this is where disclosure could be expected to cause exceptionally grave damage to national security.
Secret is where the unauthorized disclosure could be expected to cause serious damage to national security. Confidential is where the unauthorized disclosure is expected to cause damage to national security. It's worth noting that unclassified is not a classification. This is simply information that can be released to anyone. In a business environment, the model security level classifications can be represented in the following manner: confidential, private, sensitive, and public.
In order to protect data, there are control families such as technical, operational and management, which oversee policy adherence and are commonly grouped into classes. There may be some overlap in protection. For example, management might deal with planning, security assessments and program management. Operational might include physical and environmental protection, awareness and training. And technical might deal with access control, audit and accountability, or configuration management.
So the life cycle starts with a plan, then a policy, then a control family manager that will oversee policy adherence. Remember to reassess policies on a regular basis, at least every three years.
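The classification levels and the least-privilege rule described in the transcript can be turned into an access decision that a technical control (access control with audit and accountability) would enforce. The following Python is an added example, not code from the course or from NIST; it assumes a strict ordering of the four government levels in the order the transcript gives them, assumes the business levels are ordered public < sensitive < private < confidential, and uses constructed sample users, records and requests. It goes slightly beyond the transcript by adding a need-to-know compartment check, which is how least privilege is usually applied on top of a clearance level.

```python
from dataclasses import dataclass

# Levels ordered from least to most sensitive. The government ordering is the
# one given in the course; the business ordering is an assumption for this
# example (public < sensitive < private < confidential).
SCHEMES = {
    "government": ["unclassified", "confidential", "secret", "top secret"],
    "business": ["public", "sensitive", "private", "confidential"],
}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str            # highest level this person may read
    need_to_know: frozenset   # compartments explicitly granted (least privilege)


@dataclass(frozen=True)
class Record:
    record_id: str
    classification: str
    compartment: str


def rank(level, scheme):
    """Position of a level in its scheme; unknown levels are rejected outright."""
    levels = SCHEMES[scheme]
    if level not in levels:
        raise ValueError(f"unknown {scheme} level: {level!r}")
    return levels.index(level)


def dominates(clearance, classification, scheme):
    """True when the clearance is at or above the record's classification."""
    return rank(clearance, scheme) >= rank(classification, scheme)


def authorize(subject, record, scheme):
    """Return (allowed, reason). Both checks must pass: the clearance must
    dominate the classification, and the record's compartment must be one the
    subject was explicitly granted. Denials carry a reason for the audit trail."""
    if not dominates(subject.clearance, record.classification, scheme):
        return False, "clearance below classification"
    if record.compartment not in subject.need_to_know:
        return False, "no need-to-know for compartment"
    return True, "ok"


def audit_log(subjects, records, requests, scheme):
    """Evaluate (subject_name, record_id) requests and return one audit entry
    per request, so every decision (allowed or denied) is accountable."""
    entries = []
    for subject_name, record_id in requests:
        allowed, reason = authorize(subjects[subject_name], records[record_id], scheme)
        entries.append({"subject": subject_name, "record": record_id,
                        "allowed": allowed, "reason": reason})
    return entries


# Constructed sample data (hypothetical names and records, not from the course).
SAMPLE_SUBJECTS = {
    "alice": Subject("alice", "secret", frozenset({"payroll"})),
    "bob": Subject("bob", "top secret", frozenset({"payroll", "research"})),
    "carol": Subject("carol", "unclassified", frozenset()),
}
SAMPLE_RECORDS = {
    "R1": Record("R1", "confidential", "payroll"),
    "R2": Record("R2", "top secret", "research"),
    "R3": Record("R3", "unclassified", "research"),
    "R4": Record("R4", "secret", "payroll"),
}
SAMPLE_REQUESTS = [
    ("alice", "R1"),  # secret clearance, payroll granted -> allowed
    ("alice", "R2"),  # top secret record -> denied on clearance
    ("bob", "R2"),    # top secret clearance, research granted -> allowed
    ("carol", "R3"),  # unclassified record, but no compartment granted -> denied
    ("alice", "R3"),  # clearance fine, research not granted -> denied
    ("bob", "R4"),    # allowed
]


def run_sample():
    return audit_log(SAMPLE_SUBJECTS, SAMPLE_RECORDS, SAMPLE_REQUESTS, "government")


if __name__ == "__main__":
    for entry in run_sample():
        verdict = "ALLOW" if entry["allowed"] else "DENY "
        print(f'{verdict} {entry["subject"]:6} {entry["record"]}  ({entry["reason"]})')
```

The two denial reasons show the two halves of the model: the level ordering answers "is this person cleared high enough?", and the compartment set answers "does this person actually need this data?". Granting the empty compartment set by default, as with `carol`, is what least privilege looks like in practice: access is added explicitly, never assumed from the clearance alone.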
Security expert Lisa Bock starts with an overview of ethical hacking and the role of the ethical hacker. She reviews the kinds of threats networks face and introduces the five phases of ethical hacking, from reconnaissance to covering your tracks. She also covers penetration-testing techniques and tools. The materials map directly to the "Introduction to Ethical Hacking" competency from the CEH Body of Knowledge and provide an excellent jumping-off point for the next courses in this series.
Note: Our Ethical Hacking series will map to the 18 parts of the EC-Council's certification exam. Find more courses in the series on Lisa's author page.
- Ethical hacking principles
- Managing incidents
- Creating security policies
- Protecting data
- Conducting penetration testing
- Hacking in phases