Have you done a threat analysis with every vendor who provides service? How up to date are your processes and policies? How educated and competent are your employees?
- [Instructor] Here's another thought for you. Even if your own systems are secure, how secure are the systems of your service vendors? Weaknesses on their end could provide backend access for malicious actors to your system. If you don't currently conduct risk evaluations on vendors, you should start. Even if it's self certification on their part, would you even want to do business with a partner who wasn't willing to declare they were following best practices in regards to patches, firewalls, etc? Of course, this implies that you are doing this on your side too, right? How long has it been since your company conducted an internal risk assessment on your systems? Has your company conducted an internal risk assessment on your systems? We've already talked about how fast things are changing, so if it's been more than a couple of years, it's probably time to go back and take another look.
Now, how do you do that? Well, you can reinvent the wheel, but you have easier options. If money is no object, there are a lot of companies out there who will assess you, but you have some resources available to you for free. The most important is probably the National Institute of Standards and Technology, which is part of the US Department of Commerce. They publish a list of criteria and update it fairly regularly. At the time of creation of this course, their most recent update is from February 2018, and it's available online at their website.
I'd also recommend checking out the SANS Institute site. SANS stands for System Admin, Audit, Network, and Security. The organization was founded in 1989 as a place for industry members to collaborate on best practices, and it's grown into probably the most respected source of information worldwide. They've got a big collection of templates and guides that you can use as you're developing your assessment, and they've also got a lot of information on developing robust security policies and training plans overall, which brings me to my next point.
How up-to-date are your security processes and policies? Do you have a set cadence for review? A lot of experts recommend annual reviews. Now, that might be too much of a burden for some organizations, but I have to say, if you're gonna go more than three years, now how do I put this nicely? You're being overly trusting? I think overly optimistic is more like it. And finally, about those users. How are you sharing with them? How quickly are they updated if things change? Is there a place for them to find information and training easily? You're gonna hear me say this a lot during this course, but this is the weakest link in your security chain.
It is imperative that you have an educated and motivated employee base, so you need to pay special attention to developing them. Key takeaway: security awareness is an ongoing program, not an event.
- Identify the group of people to be notified when making a document policy or procedure change.
- Recognize which types of documentation require higher levels of security.
- Name the two rights available at folder level during collaboration.
- Recall the purpose of version control.
- Determine which application allows multiple libraries with custom permissions.
- Identify the term used for add-ins within the SharePoint application.
- Explain the most common cause of data breaches.