Assignment: write a 2-page paper, in APA style, answering the following question.
Assume you are responsible for developing an email classification system and handling standards for your organization (choose any business or organization you are familiar with).
Describe your classification and handling standards.
Security Program and Policies
Principles and Practices
by Sari Stern Greene
Chapter 6: Human Resources Security
Copyright 2014 Pearson Education, Inc.
Objectives
Define the relationship between information security and personnel practices
Recognize the stages of the employee lifecycle
Describe the purpose of confidentiality and acceptable use agreements
Understand appropriate security education, training, and awareness programs
Create personnel-related security policies and procedures
The Employee Lifecycle
Represents stages in the employee’s career
Lifecycle models can vary but most include the following stages
Recruitment
Onboarding
User provisioning
Orientation
Career development
Termination
What Does Recruitment Have to Do with Security?
Risks and rewards of posting online employment ads:
A company can reach a wider audience
A company can publish an ad that gives too much information:
About the network infrastructure and therefore allow a hacker to footprint the internal network easily and stealthily
About the company itself, inviting social engineering attacks
Job Postings
Job descriptions are supposed to:
Convey the mission of the organization
Describe the position in general terms
Outline the responsibilities attached to said position
Outline the company’s commitment to security via the use of such terms as non-disclosure agreement
Job descriptions are NOT supposed to:
Include information about specific systems, software versions, security configurations, or access controls
It is harder to attack a network when the attacker does not know what hardware and software it runs
If the above information is deemed necessary, two versions of the position can be created. The second, more detailed version should be posted internally and shared with candidates that have made the “first cut”
Candidate Application Data
Companies are responsible for protecting the data and privacy of the job seeker
Non-public personal information (NPPI) should not be collected unless it is actually needed for the hiring decision
The Interview
Job Interview:
The interviewer should be concerned about revealing too much about the company during the interview
Job candidates should never gain access to secured areas
A job interview is a perfect foot-printing opportunity for hackers and social engineers
Screening Prospective Employees
An organization should protect itself by running extensive background checks on potential employees at all levels of the hierarchy
Some higher level positions may require even more in-depth checks
Many U.S. government jobs require prospective employees have the requisite clearance level
Types of Background Checks
The company should have a basic background check level to which all employees are subjected
Information owners may require more in-depth checks for specific roles
Workers also have a right to privacy: Not all information is fair game to gather – only information relevant to the actual work they perform
Companies should seek consent from employees before launching a background check
Types of Background Checks Cont.
Educational records fall under FERPA: a school must have the student's written consent before it can release student-related information
Motor vehicle records fall under the DPPA, which prohibits the DMV and its employees from disclosing personal information from those records except for the permitted purposes the Act lists
The FTC allows the use of credit reports in pre-employment screening as long as the company does so in accordance with the Fair Credit Reporting Act (including notice to, and consent from, the applicant)
Types of Background Checks Cont.
Bankruptcies may not be used as the SOLE reason to refuse employment, under Title 11 of the U.S. Code (the Bankruptcy Code)
Criminal history: how this information may be used varies from state to state
Workers' compensation records: in most states these are public records, but using them in a hiring decision must not violate the Americans with Disabilities Act
What Happens in the Onboarding Phase?
The new hire is added to the organization’s payroll and benefit systems
New employees must provide
Proof of identity
Work authorization
Tax identification
Two forms that must be completed
Form I-9
Form W-4
What Is User Provisioning?
The process of:
Creating user accounts and group memberships
Providing company identification
Assigning access rights and permissions
Assigning access devices such as tokens and/or smartcards
The user should be provided with and acknowledge the terms and conditions of the Acceptable Use Agreement before being granted access
What Should an Employee Learn During Orientation?
Their responsibilities
Information handling standards and privacy protocols
Whom to ask when they have questions
The Importance of Employee Agreements
Confidentiality or non-disclosure agreements
Agreement between employees and organization
Defines what information may not be disclosed by employees
Goal: To protect sensitive information
Especially important in these situations:
When an employee is terminated or leaves
When a third-party contractor is engaged
The Importance of Employee Agreements cont.
Acceptable Use Agreement
A policy contract between the company and information systems user
Components of an Acceptable Use Agreement
Introduction
Data classifications
Applicable policy statement
Handling standards
Contacts
Sanctions for violations
Acknowledgment
The Importance of Security Education and Training
Training employees
According to NIST: “Federal agencies […] cannot protect […] information […] without ensuring that all people involved […]:
Understand their role and responsibilities related to the organization’s mission
Understand the organization’s IT security policy, procedures and practices
Have at least adequate knowledge of the various management, operational and technical controls required and available to protect the IT resources for which they are responsible”
The Importance of Security Education and Training cont.
Hackers adapt: if it is easier to use social engineering (that is, to target users) than to compromise a network device, that is the road they will take
Only securing network devices and neglecting to train users on information security topics is ignoring half of the threats against the company
What Is the SETA Model?
What is SETA?
Security Education Training and Awareness
Awareness is not training: It is focusing the attention of employees on security topics to change their behavior
Security awareness campaigns should be scheduled regularly
Security training “seeks to teach skills” (per NIST)
Security training should NOT be dispensed only to the technical staff but to all employees
Summary
A security policy that does not treat personnel as a standing risk to the data the company owns is incomplete. Social engineering is more prevalent than ever.
Failing to train users on security topics is a serious mistake and may leave the organization out of compliance with some federal mandates.
All users should sign the Acceptable Use Agreement before receiving access to company’s systems and equipment
Security Program and Policies
Principles and Practices
by Sari Stern Greene
Chapter 7: Physical & Environmental Security
Objectives
Define the concept of physical security and how it relates to information security
Evaluate the security requirements of facilities, offices, and equipment
Understand the environmental risks posed to physical structures, areas within those structures, and equipment
Enumerate the vulnerabilities related to reusing and disposing of equipment
Recognize the risk posed by the loss or theft of mobile devices and media
Develop policies designed to ensure the physical environmental security of information, information systems, and information processing and storage facilities
Understanding the Secure Facility Layered Defense Model
If an intruder bypasses one layer of controls, the next layer should provide additional defense and detection capabilities
Layers are both physical and psychological
The visible appearance of security is itself a deterrent
How to Secure the Site
All implemented controls to physically protect information are dictated first by a thorough analysis of the company’s risks and vulnerabilities, along with the value of the information that requires protection
From what are we protecting information assets?
Theft
Malicious destruction
Accidental damage
Damage that results from natural disasters
How to Secure the Site cont.
The design of a secure site starts with the location
Location-based threats
Political stability
Susceptibility to terrorism
Crime rate in the area
Roadways and flight paths
Utility stability
Vulnerability to natural disasters
Critical information processing facilities should be inconspicuous and unremarkable
How to Secure the Site Cont.
The physical perimeter can be protected using:
Berms
Fences
Gates
Bollards
Mantraps (interlocking double-door vestibules that admit one person at a time)
Illuminated entrances, exits, pathways, and parking areas
Staffed reception desk
Cameras, closed-circuit TV, alarms, motion sensors
Security guards
How Is Physical Access Controlled?
Physical entry controls:
Access control rules should be designed for:
Employees
Third-party contractors/partners/vendors
Visitors
Visitors should be required to wear identification that can be evaluated from a distance, such as a badge
Identification should start as soon as a person attempts to gain entry
How Is Physical Access Controlled? Cont.
Physical entry controls:
Users should be identified, authenticated, and authorized prior to gaining access to a protected area
Visitors should be identified, labeled, and authorized prior to gaining access to a protected area
An audit trail of entries and exits should be created and retained
Securing Offices, Rooms, and Facilities
The outer physical perimeter is not the only focus of the physical security policy
Workspaces should be classified based on the level of protection required
Some internal rooms and offices must be protected differently
Parts of individual rooms may also require different levels of protection, such as cabinets and closets
Working in Secure Areas
Goal: Define behavioral and physical controls for the most sensitive workspaces within information processing facilities
Policy controls are in addition to existing physical controls, not a replacement for them, unless the policy explicitly supersedes them
Policy should include devices not allowed on premises, such as cameras, smartphones, tablets, and USB drives
Sensitive documents should be secured from viewing by unauthorized personnel while not in use
Copiers, scanners, and fax machines should be located in nonpublic areas and require use codes
Protecting Equipment
Both company and employee-owned equipment should be protected
Hardware assets must be protected from:
Theft
Power spikes
Power loss
One way to reduce power consumption is to purchase Energy Star certified devices
Protecting Equipment Cont.
Potential power problems include:
Brownout: Period of low voltage
Power surge: Increase in voltage
Blackout: Interruption or loss of power
Power equipment that can be used:
Uninterruptible Power Supply
Back-up power supplies
Power conditioners
Voltage regulators
Isolation transformers
Line filters
Surge protection equipment
How Dangerous Is Fire?
Three elements of fire protection:
Fire prevention controls
Active
Passive
Fire detection
Fire containment and suppression
Involves responding to the fire
The suppression agent must match the class of fire:
Class A: ordinary combustibles (wood, paper, textiles)
Class B: flammable liquids and gases
Class C: energized electrical equipment
Class D: combustible metals
What About Disposal?
Formatting a hard drive or deleting files does not mean that the data located on that drive cannot be retrieved
All computers that are discarded must be sanitized prior to being disposed of
Policy should be crafted to disallow access to information through improper disposal or reuse of equipment
Disk wiping (overwriting every sector; note that on flash/SSD media, wear leveling and remapped blocks can leave copies an overwrite never reaches)
Degaussing (effective on magnetic media only)
Physical destruction
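The point that formatting or deleting does not remove data is easy to show on a constructed disk image. The following is an added example, not code from the book or its author: it builds a small image file with a fake "file table" sector pointing at a data sector that holds a marker string (all of this is constructed for the demonstration), "quick formats" the image by clearing only the file-table sector, and then performs a full overwrite. A scan of the raw medium, the same kind of search a data-carving tool performs, shows the marker survives the format and disappears only after the overwrite.

```python
"""Constructed demonstration: quick format vs. full overwrite of a disk image.

Everything here (the image layout, the sector numbers, the marker string) is
made up for the example; it is not a real filesystem format.
"""
import os
import tempfile

SECTOR = 512
IMAGE_SECTORS = 2048                      # 1 MiB constructed "disk"
DATA_SECTOR = 100                         # where the "file" body lives
MARKER = b"CONFIDENTIAL-PAYROLL-2014"     # constructed sensitive payload
CHUNK = 64 * 1024


def make_image(path: str) -> None:
    """Create the image: fake file table in sector 0, payload at DATA_SECTOR."""
    with open(path, "wb") as f:
        f.truncate(SECTOR * IMAGE_SECTORS)
        f.seek(0)
        f.write(b"FILETABLE:payroll.xlsx@sector%d" % DATA_SECTOR)
        f.seek(DATA_SECTOR * SECTOR)
        f.write(MARKER)


def quick_format(path: str) -> None:
    """Mimic 'format' or 'delete': only the metadata sector is cleared.

    Data sectors are left untouched, which is exactly why the file is
    still recoverable afterwards.
    """
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(b"\x00" * SECTOR)


def overwrite(path: str, random_passes: int = 1) -> None:
    """Sanitize by overwriting every byte: random pass(es), then a zero pass."""
    size = os.path.getsize(path)
    patterns = [None] * random_passes + [b"\x00"]
    for pattern in patterns:
        with open(path, "r+b") as f:
            for off in range(0, size, CHUNK):
                n = min(CHUNK, size - off)
                f.write(os.urandom(n) if pattern is None else pattern * n)
            f.flush()
            os.fsync(f.fileno())


def contains(path: str, needle: bytes) -> bool:
    """Verification pass: scan the whole medium for a known signature.

    Reads in chunks and keeps a tail of len(needle)-1 bytes so a match that
    straddles a chunk boundary is not missed.
    """
    tail = b""
    with open(path, "rb") as f:
        while True:
            buf = f.read(CHUNK)
            if not buf:
                return False
            if needle in tail + buf:
                return True
            tail = buf[-(len(needle) - 1):]


def demo() -> dict:
    """Run the three stages on a temporary image and report what the scan finds."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        make_image(path)
        before = contains(path, MARKER)
        quick_format(path)
        after_format = contains(path, MARKER)
        overwrite(path)
        after_wipe = contains(path, MARKER)
    finally:
        os.remove(path)
    return {
        "before": before,
        "after_quick_format": after_format,
        "after_overwrite": after_wipe,
    }


if __name__ == "__main__":
    print(demo())
```

The verification step is the part worth copying into a real disposal procedure: after wiping a drive, scan it for known signatures from the data it used to hold rather than trusting the wipe tool's exit status. On flash/SSD media an overwrite through the filesystem or block device may still miss remapped or over-provisioned cells, so for those drives the book's other two options, degaussing (magnetic media only) or physical destruction, or the drive's own firmware secure-erase command, are the appropriate controls.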
Summary
The physical perimeter of the company must be secured.
Some internal rooms and offices must be identified as needing more security controls than others. These controls must be deployed.
Environmental threats such as power loss must be taken into account and the proper hardware must be deployed.
A clean screen and desk policy is important to protect the confidentiality of company-owned data.