The following are true in terms of security policy
The following policies is best suited to reduce the risk of employees within an organization colluding to embezzle company funds
Acceptable use policy: Acceptable use policy specifies what employees can do with their systems, and network access. The policy may put limits on personal use of resources, and resource access time. AUP defines the intended uses of the resources in an organization and the consequences for non-compliance. AUP ensures that the resources are utilized in a proper way. For example, you may restrict that no social websites be visited by the employees during working hours.
Some issues that need to be taken care of, while planning security policies are:
1. Due Care
3. Separation of Duties
4. Need to Know
5. Password Management
6. Disposal Management
7. Human Resource Policies, and
8. Incident Management
Separation of duties: Separation of duties prevents any single person from performing multiple job functions that might allow the person to commit fraud. Separation of duties happens when the responsibilities have been split between two or more people, thus reducing the incidence of fraud. Separation of duties ensures that the vital activities are bifurcated among several individuals. This ensures that one or two individuals can not perform a fraud.
Clean desk: Clean desk policy ensures that the personnel keeps the desks clean during and after the work. It ensures that login/password information is not inadvertently left on the desk which may lead to hacking or even loss of data or sensitive information.
Job rotation: Job rotation helps in managing the work with different people, thus reducing any down time when one of the employees has quit or on leave. Further, job rotation gives the employee the opportunity to develop skills in a variety of changing jobs.
NDA: It is important to review the NDA (Short for Non-Disclosure Agreement) that Company B has entered into with Company A. It can only enter into NDA with a third party (Company C) only if the NDA between the first and second party permit it. For example, if the NDA rules out sharing data with a third party, then B can not enter into NDA with C. It is important to verify whether the third party provider has relevant experience. However, it is not the first thing to be considered. An NDA with the third party is subject to NDA entered already between the first two parties. Similarly, having security policies in place for C is not relevant at this point.
Example1: A newly hired employee is asked to review security of the computers within the company premises. What he needs to do first?
Solution: He needs to go through the security policy first. A company's security policy outlines the security measures to be taken. Implementing the security policy is the first thing that needs to be done.
Example 2: A security manager observed that the incoming inspection of material as well as payment is done by the same person. He implemented a policy such that one employee does incoming inspection of material and another employee does the payment processing. This is an example of security enhancement by separation of duties.
SLA (Service Level Agreement): Service Level Agreement is the formal negotiated document between two parties. It is a legal document that binds both the parties during the tenure of the agreement. SLA usually pertains to performance expectations such as up-time, and mean-time-between-failures.
BPA (Business Partners Agreement): It defines the relationship between business partners, including their roles and responsibilities toward the partnership.
MOU (Memorandum of Understanding): A memorandum of understanding (MoU) describes a bilateral or multilateral agreement between two or more parties.
ISA (Interconnection Security Agreement): It specifies requirements for establishing, maintaining, and disconnecting a secure connection between two parties.
In the context of risk management, three types of control classes are defined. These are Management (or Administrative), Technical, Operational (or Physical). For each of these classes, there are four types of controls, namely, Preventive, Detective, Corrective, and Compensating.
Account recertification: Account re-certification refers to several account management principles. First, recertification refers to performing a periodic assessment of a user's responsibilities against their account permissions and rights, confirming the principle of least privilege. Recertification can also verify if a user has the proper level of skill or knowledge to have access to a certain account type. Finally, recertification of an IT system's account management controls can also occur, validating if a system can adhere to proper levels of account security.
Federated identity: A federated identity in information technology is the means of linking a person's electronic identity and attributes, stored across multiple distinct identity management systems.
Account maintenance: Account maintenance is the regular or periodic activity of reviewing and assessing the user accounts of an IT environment. Any accounts that no longer required should be disabled, such as those used by previous employees or related to services that have been uninstalled.
Offboarding: Offboarding refers to the IAM(Identity and Access Management) processes surrounding the removal of an identity for an employee who has left the network.
Roles and responsibilities
Multiple personnel in an organization are associated with the control and administration of data. These data roles include data owners, data controllers, data processors, data custodian/stewards, and users
Data owners: All data elements in an organization should have defined requirements for security, privacy, retention, and other business functions. It is the responsibility of the designated data owner to define these requirements.
Data Controllers:The data controller is the person responsible for managing how and why data is going to be used by the organization.
Data Processors:The data processor is the entity that processes data given to it by the data controller. Data processors do not own the data, nor do they control it. Their role is the manipulation of the data as part of business processes.
Data custodian/steward: A data custodian or data steward is the role responsible for the day-to-day caretaking of data. The data owner sets the relevant policies, and the steward or custodian ensures they are followed.
Data Protection Officer(DPO): A data protection officer is a role within a company or organization whose responsibility is to ensure that the company or organization is correctly protecting individuals’ personal data according to current legislation.
International Organization for Standardization (ISO) 27001/27002/27701/31000:
ISO 27001 is the international standard defining an information security management system (ISMS).
ISO 27001 is one of many related standards in the 27000 family. ISO 27002 is a document that defines security techniques and a code of practice for information security controls.
ISO 27701 is a privacy extension to the 27000 series and adds the requirements to establish and maintain a privacy information management system.
The ISO 31000 series is a set of guidelines, principles, framework, and process for managing risk. ISO 31000 addresses all forms of risk and management, not just cybersecurity risk
Payment Card Industry Data Security Standard (PCI-DSS) control objectives include:
Build and maintain a secure network and systems
Protect cardholder data
Maintain a vulnerability management program
mplement strong access control measures
Regularly monitor and test networks
Maintain an Information Security Polity
General Data Protection Regulation(GDPR): GDPR is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. And non-compliance could cost companies dearly.
Cyber Security Framework(CSF): The CSF is designed to assist organizations in the early stages of planning their cybersecurity posture.
Center of Internet Security (CIS): CIS is a not-for-profit NGO that develops its own Configuration Policy Benchmarks (CPB).