
Chapter 5 - 03 - Learn to Design and Develop Security Policies - 08_ocred_fax_ocred.pdf


Full Transcript

Certified Cybersecurity Technician
Network Security Controls — Administrative Controls
Exam 212-82

Internet Usage Policy

The Internet usage policy governs the way the organization's Internet connection is used by every device on the network. It informs employees about the rules to be followed while accessing the corporate Internet network. Implementing such a policy helps an organization maintain a secure network: it keeps systems secure and helps users understand the types of risk a network can encounter. The policy should make employees aware that browsing prohibited sites or downloading files from unreliable sources can attract disciplinary action.

Design Considerations
- Internet usage limit for official as well as personal use
- Time frame for personal use
- Method adopted for web usage monitoring
- Levels of privacy for employees
- Restricted content

A small negligence on the part of an employee or administrator can lead to a major vulnerability in the network. The Internet usage policy must be accepted by all employees, and they must sign it to acknowledge their understanding of the policy. Security professionals should (in consultation with top management) ensure the following:

1. Limited Usage: Employees should be aware that the corporate Internet connection is for official use only. Employees should refrain from using it for personal purposes such as downloading movies.

Module 05 Page 591 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

2. Setting a Timeframe for Personal Use: If an organization plans to allow employees to use the Internet for personal purposes, it can set a timeframe for such use.
3. Method for Monitoring Web Use: Security professionals should set monitoring standards to keep track of user activities on the Internet. These monitoring standards should follow the policies drafted in the document.
4. Discuss and Decide What Content Should Never Be Allowed: Security professionals should discuss with top management and decide on a list of sites that should be denied or added to a list of non-trusted sites.

User Access Control Policy

The user access control policy gives an organization the ability to control, restrict, monitor, and protect the availability, integrity, and confidentiality of corporate resources. It provides a way to control the interaction between users, systems, and resources, and helps an organization control, constrain, and defend the availability of its resources.

Design Considerations
- Who can access (people, processes, or machines)?
- What system resources can be accessed?
- What files can be read?
- What programs can be executed?
- How to share data with other entities?

The policy should address typical access control practices such as:
- Logins by undefined users or unknown accounts should be prohibited.
- Powerful accounts such as administrator accounts must be monitored continuously.
- Lock access to accounts after a limited number of unsuccessful login attempts.
- Remove unused accounts.
- Administer strict access criteria.
- Enforce need-to-know and least-privilege practices.
- Disable unrequired system features and unused ports.
- Restrict global access rules.

Privilege Management Policy

A privilege management policy helps organizations decide what users can and cannot do. It further helps in implementing strong credential policies and in identifying and mitigating risks from compromised user accounts. The privilege management policy includes the following elements.

Separation of duties: A component of an organization's internal controls. It involves sharing the responsibility for tasks related to a particular security process among multiple people within the organization. The main goal in developing such a policy is to control fraud, insider attacks, data breaches, abuse, theft, and errors.

Minimal privileges: Ensures that users are granted only the privileges necessary to fulfill their job roles, so that confidential data do not fall into the wrong hands even when a least-privileged account is compromised. Organizations need to perform regular user-account audits, decide which privileges are required for each user, and grant users only those minimal privileges.

Job rotation: Involves rotating employees among different job roles with the intention of improving their skills and ability to work in different roles and departments. Rotating job roles helps organizations minimize risks arising from insiders, such as the abuse of rights and misuse of power.

Offboarding policy: Offboarding entails all the necessary procedures and steps that are performed when an employee exits an organization. Appropriate offboarding ensures a smooth transition for both the organization and the exiting employee. The offboarding process also includes the following security procedures, which require utmost attention:
- Disable the user account and all other credentials related to the exiting employee.
- Ensure the handover of all assets, including software and hardware, that are under the control of the exiting employee.
- Uninstall and delete all applications and data that belong to the organization from the exiting employee's personal devices, such as their smartphone.
- Ensure that the credentials for accessing the network or other critical resources are changed when the exiting employee is from a security or admin team.
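The account-handling practices from the access control policy and the offboarding checklist above (refuse unknown or disabled accounts, lock an account after a limited number of unsuccessful attempts, flag unused accounts for removal, disable a leaver's account and rotate shared credentials when the leaver was on a security or admin team) as one added Python example; this is illustrative code written for this page, not EC-Council's material, and the threshold, inactivity window, group names and day-number clock are assumed values.

```python
from dataclasses import dataclass

# Policy parameters (assumed values; the course text sets no numbers)
LOCKOUT_THRESHOLD = 5      # lock after this many consecutive failed logins
INACTIVITY_DAYS = 90       # accounts unused longer than this are removal candidates
PRIVILEGED_GROUPS = {"admin", "security"}  # leavers from these teams trigger credential rotation

@dataclass
class Account:
    name: str
    groups: set
    last_login_day: int        # day number of last successful login (constructed clock)
    failed_attempts: int = 0
    locked: bool = False
    enabled: bool = True

def record_login_attempt(acct, success, today):
    """Lockout practice: unknown (None), disabled or locked accounts never log in, and
    reaching the threshold of unsuccessful attempts locks the account even for a correct password."""
    if acct is None or not acct.enabled or acct.locked:
        return False
    if success:
        acct.failed_attempts = 0
        acct.last_login_day = today
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked = True
    return False

def unused_accounts(accounts, today):
    """'Remove unused accounts': enabled accounts with no login inside the inactivity window."""
    return sorted(a.name for a in accounts
                  if a.enabled and today - a.last_login_day > INACTIVITY_DAYS)

def offboard(acct, shared_credentials):
    """Offboarding checklist: disable the leaver's account; if they were on a security or
    admin team, every shared credential they could know is flagged for rotation."""
    acct.enabled = False
    actions = [f"disable:{acct.name}"]
    if acct.groups & PRIVILEGED_GROUPS:
        actions += [f"rotate:{c}" for c in shared_credentials]
    return actions
```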
