CSIT302 Week 6: Security Policy


Questions and Answers

According to NIST's special publications, what is one key aspect of a security policy?

  • A wish list of security program objectives.
  • A suggestion for the provision of security services.
  • A loose guideline for information object protection.
  • A set of criteria for the provision of security services. (correct)

What characteristic defines a security policy, ensuring its relevance and effectiveness?

  • It is revised every 5 years.
  • It remains unchanged to provide a stable point of reference.
  • It is only updated when new hardware is installed.
  • It is revised and updated regularly or on-demand. (correct)

What elements should a comprehensive security policy include to effectively support information risk management?

  • Vague aspirations, broad objectives and optional suggestions.
  • Industry standards, procedures, and guidelines. (correct)
  • Generalized statements of intent, unspecific procedures, and industry rumors.
  • Loosely defined scopes, optional guidelines, and management preferences.

How should the scope of a security policy be defined to ensure clarity and applicability?

It must be stated, indicating whether the policy applies to a certain group or everyone. (C)

What is the primary goal of a security policy concerning the security triad?

To protect the security triad (confidentiality, integrity, and availability). (B)

What are users required to do in relation to the security triad, according to security policy requirements?

Protect and ensure the applicability of the security triad in data and systems. (D)

What should users be aware of regarding security policies?

Their responsibilities and the consequences of violating these policies. (A)

How does a 'policy' document differ from a 'procedure' document in the context of security?

A policy sets high-level expectations, while a procedure outlines how something must be done. (D)

What is the key characteristic of a 'standard' document within security policy documentation?

Establishing technical requirements that must be followed. (D)

In the context of security policy, what is the purpose of 'guidelines'?

Optional or recommended guidance that can be defined by each company. (C)

What role do 'best practices' serve in an organization's security policy?

They are practices to be implemented by the entire company or departments within. (C)

Why is upper management sponsorship important for security programs?

To ensure all security documents are synchronized, managed, and supported. (C)

What is the objective of security awareness training for end users?

To educate them as part of the management control. (B)

Why is security awareness training regarded as a critical component of a security program?

Because a user who is uneducated in security practices can cause tremendous damage to the organization. (C)

What should security awareness training include to be effective?

Real-world examples and practice. (C)

How can social media be a risk to security?

Social media plays an important role in social engineering attacks. (C)

What action should a user take following a possible security incident?

Immediately report it to IMTS. (D)

What is a key focus of cybersecurity?

Defending IT facilities and services and stored data from unauthorized access. (B)

What are spam campaigns related to malware?

The top cause of malware infestation. (A)

What is the primary reason many companies fail to enforce security policies effectively?

They only focus on endpoints and servers. (C)

What objects does Active Directory organize?

Network objects including users, computers, and other items. (C)

What is the purpose of using Organizational Units (OUs) in Active Directory?

To create a hierarchy for secure administration. (B)

What is a Domain in Active Directory?

A collection of Objects within the Active Directory network. (C)

Why is it important to monitor security policies?

Monitoring is indispensable. (D)

Why is application whitelisting important?

To only allow licensed software. (D)

What is the purpose of Group Policy in a Windows environment?

To centrally control the working environment of user and computer accounts. (C)

What condition of AppLocker should be used if you want to create a rule that will evaluate an app that is not signed by the software vendor?

File hash (A)

What does the term 'hardening' refer to in the context of security policy deployment?

Changing settings to better protect computers. (C)

In the context of Active Directory, what is the default type of trust relationship between a parent domain and a child domain?

A transitive two-way trust. (A)

What does NIST Special Publication (SP) 800-53 provide?

A catalog of security and privacy controls for federal information systems and organizations. (B)

What is the definition of appropriate business behavior in social media guidelines for employees?

Definition of appropriate acceptable behavior. (A)

According to the provided text, to which services does the Policy not apply when they are procured as 'software as a service'?

This Policy does not apply to services that are procured as 'software as a service'. (B)

What guidelines are important to deal with in the work environment?

There should be guidelines to deal with defamatory posts, as well as pornographic posts, proprietary issues, harassment, or posts that can create a hostile work environment. (D)

What does Common Configuration Enumeration (CCE) provide?

Unique identifiers and lists of security issues. (B)

In a three-tier security governance model, who are the key players in the 'Security Management' tier?

Security Officers, Risk Managers. (D)

What is a potential drawback of the federated governance model, particularly in multinational corporations?

Risk of inconsistent security practices across units. (C)

In which environments is policy enforcement needed?

A holistic approach is needed to tackle every single component that is active in the network, including switches, printers, and IoT devices. (C)

What is the function of security governance?

The system by which an organization's information security activities are directed and controlled. (B)

Flashcards

Security Policy

A high-level document that defines the objectives and constraints for a security program.

Security Policy Elements

Industry standards, procedures, and guidelines necessary to support information risk management.

Well-defined scope

A defined statement within the policy of whether the policy applies to everyone or a specific group including contractors.

Policy

The guiding principles in a security policy that provide a basis that will direct the company's decisions and help achieve desired outcomes.

Procedure

A plan of how the security policy will be carried out, containing procedural steps that outline how something must be done.

Standard

A document that establishes technical requirements that must be followed by everyone.

Guidelines

Optional or additional recommendations that give more specific details with practical examples.

Best Practices

Practices that web servers should leverage from the vendor, prior to being deployed in production.

Security Awareness

A security program that includes user security awareness training.

Real-world Examples

Users easily remember things if a situation is shown such as phishing emails and how to identify them.

Group Policy

A feature of Microsoft Windows that controls the working environment of computer and user accounts.

Group Policy Object

A collection of settings that define what a system will look like and how it will behave for a defined group of users.

Group Policy Object (GPO)

A Microsoft tool leveraged to deploy security policies.

Application whitelisting

A list of all the apps that are authorized to be used in the organization.

Application whitelisting.

Tool through which security policy dictates that only licensed software is allowed to run in the user's computer.

Publisher

A tool that evaluates an app, using a rule, through the software vendor.

Path

A tool that evaluates an application path. (Usually on Windows, the application path is either C:\Program Files (x86) or C:\Program Files).

File hash

A tool that evaluates an app that is not signed by the software vendor.

Common Configuration Enumeration

A list that provides unique identifiers to security-related system configuration issues in order to improve workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and tools.

Cloud Security Posture Management

Tools that provide visibility into new resources, identify deviation from policies, and enforce security best practices.

Security Governance

The system by which an organization's information security activities are directed and controlled.

Security Policy

A core component of security governance, translating governance principles into actionable measures.

Executive Leadership Role

Defines security strategy, allocates budgets, sets risk appetite.

Security Management Role

Develops security policies, manages risk assessments, oversees compliance.

Security Operations Role

Implements controls, monitors threats, and handles incident response.

Compliance & Legal Oversight Role

Ensures regulatory compliance (e.g., GDPR, HIPAA, SOX).

Study Notes

  • Security Policy is covered in Week 6 of the CSIT302 Cybersecurity course

What is Security Policy

  • Several definitions come from NIST special publications
  • It is a set of criteria for the provision of security services
  • It is the formal statement of required protection for information objects
  • It is a set of rules that governs all aspects of security-relevant system behaviour
  • It defines the objectives and constraints for the security program

Outlines

  • Reviewing security policy
  • Educating end users
  • Policy enforcement
  • Monitoring for compliance
  • Enhancing Security Posture through Security Policies
  • Security Governance

Reviewing Security Policy

  • Important questions to address:
    • Do you even have one in place?
    • Do you enforce it?
    • How often do you review it looking for improvements?
  • Security policy is a living document
    • It needs to be revised and updated regularly or on-demand
  • It should include:
    • Industry standards, procedures, and guidelines to support information risk management in daily operations
    • A well-defined scope: the scope section of the policy states whether the policy applies to a certain group of people or to everyone, including contractors
  • It is the foundation of the security policy; it should help protect the security triad (confidentiality, integrity, and availability)
  • Requirements from users:
    • To protect and ensure the applicability of the security triad in the data and systems
    • To be aware of their responsibilities and the consequences of violating these policies
  • Various documents are involved in the overall security policy
    • All users must understand the differences between each document
  • Policy
    • This is the basis of everything; it sets high-level expectations
    • It guides decisions and achieves outcomes
    • It is for all participants, so it is not too technical
    • It must be enforced by a proper authority
  • Procedure
    • A document that has procedural steps outlining how something must be done
  • Standard
    • Establishes technical requirements that must be followed
    • Everyone must comply with the standards that were established
    • Must provide enough technical details with accurate explanations to relevant personnel
    • All requirements must be covered in associated standard documents with technical specifications
  • Guidelines
    • Can be optional, or can be additional recommended guidance
    • Each company can define whether the guidelines are optional or recommended
    • Must be aligned with the policy and standard documents
    • Usually written to give more specific details with practical examples
    • Used to guide someone who has substantial knowledge of IT but not cybersecurity
  • Best practices
    • Implemented by the entire company, or just some departments
    • Can be established per role
    • Can be a part of the guidelines
  • To ensure all documents are synchronized and managed, management sponsorship is needed
    • Organization-wide security program

Security through NIST

  • Example of an organization-wide security program according to NIST SP 800-53
    • Security and Privacy Controls for Information Systems and Organizations
  • What is a NIST Special Publication (SP 800)?
    • Presents information of interest to the computer security community
    • It comprises guidelines, recommendations, technical specifications, and annual reports of NIST's cybersecurity activities
  • NIST SP 800-53
    • FIPS Publication 200 is a mandatory federal standard developed in response to FISMA
    • Organizations apply the appropriately tailored set of baseline security controls in accordance with FIPS Publication 200

UoW Cybersecurity Policy

  • UoW defines its cybersecurity policy in the Cyber Security Policy
  • Contents of the Policy include:
    • Section 1 - Purpose of Policy
    • Section 2 - Application and Scope
    • Section 3 - Policy Principles
    • Section 4 - Roles and Responsibilities
    • Section 5 - Definitions
  • Section 1 - Purpose of Policy
    • This document sets out the University's policy on cyber security
    • Cyber security is about defending IT facilities and services and stored data from unauthorized access
    • It ensures integrity, availability, confidentiality and safety of data and services with proportionate controls
    • This Policy is supported by a cyber security framework which includes:
      • Supplementary policies
      • Guidelines on specific topics
      • Operational practices
      • Action plans
      • Technology controls
      • Education programs
      • Monitoring and assurance activities
  • Section 2 - Application and Scope
    • Applies to all users and devices of IT facilities and services at the University
    • All users should be aware of this Policy, their responsibilities, and legal obligations
    • All users and devices are required to comply with this Policy and are bound by law
  • Section 4 - Roles and Responsibilities include:
    • Chief Information Digital Officer
    • Cyber Security Team
    • Risk, Audit and Compliance Committee
    • Staff with responsibility for managing any IT Facility or Service
    • Users of IT Facilities and Services, who have responsibilities for themselves and their devices:
      • using IT facilities and services according to IT policies at all times;
      • being aware of the security requirements of the IT facilities and services they use;
      • taking every precaution to safeguard their access to these systems against unauthorized use;
      • immediately reporting any known or suspected security incidents and breaches to IMTS
  • Section 5 - Definitions
    • Cybersecurity - Defending computing devices, networks and stored data from unauthorized access
  • Now take a look at the "IT SERVER SECURITY POLICY":
    • https://policies.uow.edu.au/document/view-current.php?id=69
    • This Policy applies to servers that are connected to a University network, to servers that are operated for or on behalf of the University regardless of which network they are connected to, and to infrastructure as a service and platform as a service
    • It does not apply to services that are procured as "software as a service"

Educating the End User

  • Security awareness training is part of the management controls according to NIST SP 800-53
  • This is one of the most important pieces of the security program, because a user who is uneducated can cause tremendous damage to the organization
  • It should be delivered to all employees, and it should be constantly updated
  • Many companies are delivering training online via the company intranet
  • Contents of the security awareness training:
    • Real-world examples: users will remember things if a real scenario is shown
    • Practice: well-written text and rich visual elements, plus computer-based interaction such as a simulated spear phishing or fake social media campaign
  • Training outcomes:
    • All users should acknowledge that they successfully completed the training
    • All users are aware of the security threats and countermeasures covered in the training
    • All users are also aware of the consequences of not following the company's security policy
  • A case study uses the Symantec Internet Security Threat Report Volume 24
    • Spam campaigns are the top cause of malware infestation, and the largest malware spamming operations rely on social engineering techniques
    • In 2016, "invoice" was the most common word used in major malware campaigns
  • The problem of BYOD (Bring Your Own Device)
    • Users access company information using their own devices, becoming targets for hackers
    • Hackers able to compromise the user's system gain access to the company's data
    • BYOD should not be allowed in some environments where maximum confidentiality is required
  • Social media guidelines for users and HR
    • Social media plays an important role in social engineering attacks
    • Guidelines should focus on the definition of appropriate business behaviour, with disciplinary actions for boundary crossing
    • There should be guidelines to deal with defamatory posts, proprietary issues, and harassment
    • This shows the employer promotes a healthy social environment within the company

Policy Enforcement

  • Policy enforcement is based on a network architecture diagram, in order to understand fully:
    • what the endpoints are
    • what servers the organization has
    • how the information flows
    • where the information is stored
    • who has, and who should have, data access
  • Many companies fail because they only enforce at endpoints and servers
  • Policy enforcement on network devices
    • A holistic approach is needed to tackle every component that is active in the network, including switches, printers, and IoT devices

Preliminary: Active Directory

  • Purpose
    • Arrange network objects (users, computers, etc.) into a logical and hierarchical structure
    • Provide authentication and authorization for these objects
  • OUs (Organizational Units)
    • A container for Objects
    • Administrators can create a hierarchy that reflects the structure of the organization
  • Trust relationship
    • The default relationship between the parent domain and the child domain is a transitive two-way trust
    • Other types are possible, such as a one-way trust or a non-transitive two-way trust
  • Group Policy is a feature of the Microsoft Windows NT family of operating systems
    • It centrally controls the working environment of user accounts and computer accounts
    • It was created to overcome the problem with the Windows registry
    • Group Policy makes it easy to reverse any previous configuration made for a user
  • Execution of Group Policy
    • A Group Policy Object (GPO) is a collection of settings that define what a system will look like and how it will behave for a defined group of users

Policy Enforcement Tools

  • Group Policy Objects (GPOs) can be leveraged to deploy security policies
    • If different departments have different needs, group policies can be assigned per OU
  • Application whitelisting means the security policy dictates that only licensed software can run on the user's computer
    • Running unlicensed software is prevented, as IT restricts it
    • Only authorized applications will run
  • NIST guidance on application whitelisting - SP 800-167:
    • Download it from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf
  • After creating a list of all authorized apps, consider:
    • the installation path for each app,
    • the vendor's update policy,
    • which executable files are used by these apps
  • Whitelisting tools:
    • Windows: AppLocker - https://docs.microsoft.com/en-us/windows/device-security/applocker/applocker-overview
    • Apple OS: Gatekeeper
    • Linux OS: SELinux
  • Microsoft AppLocker
    • Three types of conditions to evaluate an app:
      • Publisher - used to create a rule that will evaluate an app that was signed by the software vendor
      • Path - evaluates the application path (usually on Windows, C:\Program Files (x86) or C:\Program Files)
      • File hash - used when an app is not signed by the software vendor
  • Hardening - part of policy deployment: changing settings to better protect computers
    • Computers are "hardened" to reduce the attack surface
    • Common Configuration Enumeration (CCE) identifiers can be applied to the computers; available at https://nvd.nist.gov/config/cce/index
    • Linux hardening security guidance is available for each distribution

Monitoring for Compliance

  • Monitoring security policy compliance is indispensable
  • Policies defined based on CCE guidelines can be monitored with Azure Security Center; CCE should not be confused with CVE
  • Common Vulnerabilities and Exposures (CVE) entries, by contrast, require deploying a patch
  • See more information about CVE at https://cve.mitre.org/

Continuously Enhancing Security Posture through Security Policies

  • Constant environmental changes demand ongoing policy adaptation
  • CSPM (Cloud Security Posture Management) tools provide visibility into new resources
    • They identify deviation from policies and enforce security best practices
    • E.g., Azure Security Center for real-time workload assessment
  • Microsoft Defender for Cloud uses Secure Score as a KPI to measure compliance and security posture
    • A score of 100% reflects optimal security, and the score guides improvements

Security Policy vs. Security Governance

  • Security governance is the system by which an organization's information security activities are directed and controlled (ISO/IEC 27014). It establishes the high-level objectives and risk appetite for the organization
    • A governance framework might dictate that the organization must comply with GDPR regulations, or that the risk tolerance for data breaches is minimal
  • Security policy is a core component of security governance, translating governance principles into actionable measures
    • If governance mandates GDPR compliance, the policy specifies, e.g., data encryption, user access controls, and incident response protocols related to personal data handling

Three-Tier Security Governance Model

  • Tier 1: Executive Leadership
    • Board, CEO, CISO: define security strategy, allocate budgets, set risk appetite
  • Tier 2: Security Management
    • Security Officers, Risk Managers: develop security policies, manage risk assessments, oversee compliance
  • Tier 3: Security Operations
    • Implement controls, monitor threats, handle incident response
  • Use case: large enterprises with a clear hierarchical structure and strong role separation
  • Drawback: can be rigid and slow to react to evolving threats

Four-Tier Security Governance Model

  • Tier 1: Executive Leadership - define security strategy, allocate budgets, set risk appetite
  • Tier 2: Compliance & Legal Oversight - ensure regulatory compliance
  • Tier 3: Security - develop security protocols and manage risk
  • Tier 4: SOC - testing, administration and threat monitoring

Federated Governance Model

  • Central governance (CISO, central teams) sets global compliance requirements
  • Local security teams can adjust for local customs

Matrix Model

  • Security is collaborative
  • Cross-functional teams for security and compliance
  • Security committees give oversight

DevOps Model

  • Unclear ownership
  • Conflicts can arise
