Welcome back to part 6 of the series. In this one we are going to explore the compliance and operational aspects of security. You will learn what control types there are, what a false positive is, and what kinds of policies are used in real life. Take a deep breath, we are starting in 3..2..1.
Control types define how we are going to enforce security policy in our company. They are defined in NIST Special Publication 800-53. Generally they can be broken down into three categories.
The first one is Technical; it can describe, for example, how we are going to filter web content traffic or how we are going to enforce that only authenticated users can connect to the wireless network.
The second category includes Management control types. An excellent example from this category is the change management process: it describes how we are going to handle firewall change requests, what approvals are needed, and how the change is tracked.
The last category includes Operational control types. This category may state what level of security awareness is required from personnel and how to respond to incidents and security breaches.
False positive
This term describes the situation when an Intrusion Prevention System fires an alert on traffic that was not harmful. This is undesirable because the IPS has effectively killed our production traffic, so when deploying an IPS in production it is a good idea to spend some time fine-tuning the inspection engine.
False negative
This term is also used in the IPS realm; it describes an event where the IPS did not catch the malicious traffic and an attack took place. Again, this event is undesirable, and it may happen when an attacker uses a 0-day (unknown) exploit to take advantage of an unpatched vulnerability.
Importance of policies in reducing risk
A company's policies have a major role in reducing overall risk. They can specify what actions are allowed and disallowed within the company and how to react in certain situations, e.g. fire or floods. This information should be shared with every employee. It is not limited to IT system usage but also covers the general work environment. Some examples of policies include: Acceptable Encryption Policy, Acceptable Use Policy, Clean Desk Policy, Email Policy, Password Protection Policy and many more.
An acceptable use policy may be part of the security policy or a standalone document. As the name implies, its purpose is to define how IT services may be used and how to handle corporate resources and information.
A security policy is another written document that defines the rules that must be followed within an organization. It may describe what behavior is allowed or prohibited; for example, it may define which site categories an employee is allowed to visit on the Internet. Examples of this and other types of policy documents can be found at SANS. They may be used as starting points when defining the security policy for your own organization.
Often found in many companies, mandatory vacations mean that employees are required to take some days off, either to avoid going crazy and clear their heads from work, or to reveal fraud: while the employee is away, someone else covers their duties and any irregularities come to light. A mandatory vacation can be requested by your manager or boss.
Job rotation is a common practice where people from different teams, such as engineering and operations, swap their roles for a certain period of time. This is useful to get a broader picture of how each team works and should help increase the level of cooperation between people.
Separation of duties
With great power comes great responsibility, as Uncle Ben would say. Separation of duties in IT means that tasks are divided between several people. One group may handle change supervision, the next group handles change implementation, and another group is in charge of change approval and review.
The main point here is that no single person holds all the roles. It is always required that more pairs of eyes look at the change before it gets implemented. This approach reduces risk.
In our company we may have multiple teams that handle different parts of IT delivery. We may have a service desk which essentially answers service requests. We may have guys at the Network Operations Center who monitor network health, and we may also have hardcore admins doing heavy-duty troubleshooting.
All these roles have different privilege requirements. For example, Level 1 NOC staff may have only read-only access for basic checks, while the L3 guys may have root access. This approach also increases overall security, and it is often required to comply with security audits.
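As an added example (not code from the original post), here is a small Python model of the change workflow from the separation-of-duties section above: it refuses to let one person fill two roles on the same change, and it only lets an L3 admin perform the implementation step, mirroring the tiered access just described. The staff names, their tiers and the change titles are hypothetical.

```python
# Added example, not from the original post: a minimal change-control workflow
# enforcing separation of duties (nobody fills two roles on one change) and
# tiered access (only an L3 admin may implement). Names and tiers are made up.
from dataclasses import dataclass, field

STEPS = ("requested", "approved", "implemented", "reviewed")

# Hypothetical staff directory: who sits at which support tier.
TIER = {"alice": "L1", "bob": "L3", "carol": "L3", "dave": "L2"}

# Steps that need write access to the device, and the tier that grants it.
WRITE_STEPS = {"implemented"}
WRITE_TIER = "L3"


@dataclass
class ChangeRequest:
    title: str
    actors: dict = field(default_factory=dict)  # step -> person who did it

    def complete(self):
        return len(self.actors) == len(STEPS)

    def advance(self, step, person):
        """Record `person` performing `step`, or raise if policy forbids it."""
        if self.complete():
            raise ValueError(f"{self.title}: change is already closed")
        expected = STEPS[len(self.actors)]
        if step != expected:
            raise ValueError(f"{self.title}: next step is {expected!r}, not {step!r}")
        if person in self.actors.values():
            held = [s for s, p in self.actors.items() if p == person]
            raise PermissionError(
                f"{self.title}: {person} already did {held}; cannot also be {step}")
        if step in WRITE_STEPS and TIER.get(person) != WRITE_TIER:
            raise PermissionError(
                f"{self.title}: {person} ({TIER.get(person)}) lacks {WRITE_TIER} access")
        self.actors[step] = person


def run_change(title, events):
    """Apply (step, person) events in order; return (completed, rejection)."""
    cr = ChangeRequest(title)
    for step, person in events:
        try:
            cr.advance(step, person)
        except (ValueError, PermissionError) as exc:
            return False, str(exc)
    return cr.complete(), None
```

The returned rejection string is what you would log or show to the requester; an audit trail of `actors` per change is what the auditors mentioned above will ask for.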
And with that sentence this article comes to its end. I hope you learned something new today, and see you in the next one, which will revolve around risk calculation.