Chapter 5 - 03 - Learn to Design and Develop Security Policies - 07_ocred.pdf
EC-Council
Certified Cybersecurity Technician - Network Security Controls: Administrative Controls - Exam 212-82

Software/Application Security Policy

Slide: An application security policy mandates proper measures that enhance the security of in-house and purchased applications.

Design Considerations:
- Data Validation
- User and Session Management
- Authentication
- Authorization
- Encryption
- Logging and Auditing
- Data Protection in Storage and Transit
- Configuration Management
- Error Handling and Exception Management

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Application security involves securing both the in-house and the purchased applications running on a system. The security policy covers each application throughout its complete life cycle. Threats to an application arise from software tampering, parameter manipulation, broken authorization, or weak cryptography. Drafting guidelines for application security mandates the proper functioning of the application and thereby improves how the overall system works.

The key factors in documenting a software/application security policy are:
1. Data Validation
2. User and Session Management
3. Authentication
4. Authorization
5. Encryption
6. Logging and Auditing
7. Data Protection in Storage and Transit
8. Configuration Management
9. Error Handling and Exception Management

A security professional's role in enforcing application policies is:
1. Criteria for Data Validation: Measures must be set to validate data flowing into and out of the application.

Module 05 Page 586

2. Authentication Process: Security professionals should set up an authentication policy for all systems.
For example, if a user attempts to install a third-party application, the system should prompt for an administrator password. This restricts users from installing such applications without administrator rights.
3. Authorization Standards: Security professionals should authorize application use only for those who need it. Authorization can also be limited to specific parts of the application's data.
4. Encryption Policy: Security professionals can encrypt sensitive application data, preventing unauthorized users from gaining access to it.
5. Monitoring: Every employee application session should be monitored.

Data Backup Policy

Slide: The backup policy helps an organization recover and safeguard information in the event of a security incident or network failure.

Design Considerations:
- Location of data backup
- Name and contact of authorized personnel who can access backups
- Backup schedule
- Type of backup method used
- Hardware and software requirements for taking backups

Creating a backup policy is one of the most important things you can do for your data security plan. Optimized backup policies and procedures save an organization time and money. The backup policy helps an organization recover and safeguard information in the event of a security incident or network failure. One important reason for this policy is to bring the backup and recovery process in line with actual requirements. It also ensures a smooth recovery process in the event of a hard drive failure, virus attack, or natural disaster. Backup policies and procedures vary according to the needs of the organization and its industry.
There are certain elements of a data backup and restore process that every company should identify:
- Determine What Files Should Be Backed Up: Before implementing a backup policy on a system, the security professional should identify the files that are important for business activity. Data that help run the business should be backed up. Data that include financial, tax, or personal employee information are important and should be backed up.
- Determine Who Can Access Backups: Administrators should assign privileges to access backups only to those employees who work on the data. It is important to keep track of the backup data and to keep the backup logs updated regularly.
- Determine How Often to Back Up: An organization's backup policy should define the backup schedule employees must use. Informing employees beforehand helps them prioritize their data for this requirement. The schedule should be created by considering the business of the organization and the criticality of the data on the machines. It is not necessary to run a backup on all devices simultaneously; certain files or databases have to be backed up at different times. The backup policy should also state the time at which backups should run. Usually an organization prefers to perform backups after business hours. Based on the backup policy, the backup process can be initiated by administrators.
- What Type of Backup is Required? While drafting the backup policies and procedures, the security professional should also determine the type of backup required. The type of backup depends on the organization's needs. The three basic types of backup are:
  o Full Backups: A backup of all selected data. It is the simplest form of backup, and the simplest to restore from (only the latest full set is needed), but it is the most time- and storage-consuming to run.
  o Incremental Backups: Back up only the data that have changed since the last backup of any type (full or incremental). Each run is fast and small, but a restore requires the last full backup plus every incremental taken since it, applied in order; losing one set in the chain breaks the restore.
  o Differential Backups: Back up all selected files that are new or changed since the last full backup. Each differential grows until the next full backup, but a restore needs only the last full backup plus the most recent differential.
- Where to Back Up Data: The backup policy should state the location of the backed-up data and where they will be stored. Administrators can store the data on a physical external device, in the cloud, or both.

Design Considerations:
- Location of data backup
- Name and contact of authorized personnel who can access backups
- Backup schedule
- Type of backup method used
- Hardware and software requirements for taking backups

It is important to test and evaluate all backup policies, including periodic test restores; a backup that has never been restored is not a proven backup.

Data Retention Policy

Slide: The data retention policy is a set of rules for preserving and maintaining data for operational or regulatory compliance requirements.

Design Considerations:
- Applicable laws, regulations, policies, rules, and acts
- Types of data to be included
- Name and contact of authorized personnel responsible for each data item
- Record retention and deletion schedule
- Hardware and software requirements for data retention

Every organization should develop a data retention policy to ensure that all important data are preserved and maintained satisfactorily. The data retention policy is a set of rules for preserving and maintaining data for operational or regulatory compliance requirements. The policy defines the minimum retention periods for different data types and also sets standards for destroying certain information.

An organization's data retention policy applies to all business units, processes, and systems in all countries where the organization operates. It applies to all directors, officers, employees, contractors, agents, affiliates, consultants, advisors, and service providers who can collect, process, or access the different data types. Moreover, it applies to all documents, such as hard-copy documents, soft-copy documents, emails, audio and video files, etc.
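The following is an added example, not part of the EC-Council course text, illustrating the three backup types from the Data Backup Policy section above. It simulates a small file set over four backup days (the file names, versions and change history are constructed for illustration) and shows, for each scheme, which files every run copies and which backup sets a restore must apply. Deletions are not modelled; the point is the baseline each scheme compares against: an incremental looks back to the previous backup of any kind, a differential to the last full backup.

```python
"""Simulate full, incremental and differential backup schemes.

Added example (not from the course text). HISTORY, the file names and
the version numbers are constructed data; 'version' stands in for a
file's content hash or mtime as a real backup tool would use.
"""
from dataclasses import dataclass


@dataclass
class BackupSet:
    day: int
    kind: str      # "full", "incremental" or "differential"
    files: dict    # file name -> version captured in this set


# Full file-system state at each backup time (day 0 is always a full backup).
HISTORY = [
    {"ledger.db": 1, "payroll.xlsx": 1, "policy.docx": 1},
    {"ledger.db": 2, "payroll.xlsx": 1, "policy.docx": 1},              # ledger edited
    {"ledger.db": 2, "payroll.xlsx": 2, "policy.docx": 1},              # payroll edited
    {"ledger.db": 3, "payroll.xlsx": 2, "policy.docx": 1, "audit.log": 1},  # ledger edited, new file
]


def run_scheme(history, scheme):
    """Return the BackupSets produced by running `scheme` over `history`."""
    sets = []
    last_full_state = None
    for day, state in enumerate(history):
        if day == 0 or scheme == "full":
            sets.append(BackupSet(day, "full", dict(state)))
            last_full_state = state
            continue
        if scheme == "differential":
            baseline = last_full_state       # everything changed since the last full
        elif scheme == "incremental":
            baseline = history[day - 1]      # only what changed since the previous backup
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
        # A file is copied if it is new or its version differs from the baseline.
        changed = {name: ver for name, ver in state.items() if baseline.get(name) != ver}
        sets.append(BackupSet(day, scheme, changed))
    return sets


def sets_needed_for_restore(sets):
    """Backup sets that must be applied, in order, to rebuild the latest state."""
    last_full = max(i for i, s in enumerate(sets) if s.kind == "full")
    tail = sets[last_full:]
    if len(tail) == 1:
        return tail                      # latest backup is itself a full
    if tail[-1].kind == "differential":
        return [tail[0], tail[-1]]       # last full + newest differential only
    return tail                          # last full + every incremental since, in order


def restore(sets):
    """Rebuild the file-system state by layering the required sets."""
    state = {}
    for s in sets_needed_for_restore(sets):
        state.update(s.files)
    return state


def files_copied(sets):
    """Total number of file copies written across all runs of a scheme."""
    return sum(len(s.files) for s in sets)


if __name__ == "__main__":
    for scheme in ("full", "incremental", "differential"):
        sets = run_scheme(HISTORY, scheme)
        needed = [s.day for s in sets_needed_for_restore(sets)]
        print(f"{scheme:13s} per-run copies={[len(s.files) for s in sets]} "
              f"total={files_copied(sets):2d} restore needs days {needed} "
              f"ok={restore(sets) == HISTORY[-1]}")
```

Running the block shows the trade-off the policy must weigh: the full scheme writes the most data but restores from a single set; the incremental scheme writes the least (7 file copies here against 13 for full and 9 for differential) but a restore depends on every set since the last full; the differential scheme sits between them, with restores that always need exactly two sets.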