Security+ All-In-One Edition Chapter 2 – Organizational Security. Brian E. Brzezicki. no security that is not designed. An organization cannot expect to be secure, unless security is directed from the top-down. Management must realize the need for security
An organization cannot expect to be secure unless security is directed from the top down.
A security program needs to be implemented with procedures, standards and guidelines. These are all part of an organization's security plan. We will talk about each of these in a few slides.
Corporate policies, standards and guidelines help show and implement Due Diligence and Due Care.
Due Diligence – The idea that a company researches and attempts to understand the risk it faces. Risk analysis is a form of Due Diligence.
Due Care – shows that a company makes reasonable efforts to minimize risk and protect the company's assets. Having policies, procedures and guidelines shows a company is exercising Due Care.
Policies – a high-level, non-specific, broad statement explaining the company's need for and commitment to security. Very much like a mission statement.
The corporate policy will be very non-specific; there will also be system- and issue-specific security policies that attempt to lay the security foundation for the organization.
Standards – mandatory elements regarding the implementation of a policy.
Example: All users will wear an ID badge when on the premises. All employees will report any people who are not displaying an ID badge.
Guidelines – recommendations relating to or supporting a policy, when no specific standard or rule exists.
Procedures – specific step-by-step actions for implementing part of a policy.
The policies, standards, guidelines and procedures will change as the company changes; it is a lifecycle.
These are just some examples of specific policies that give legs to a corporate security policy.
Humans are the weakest link in computer security. What's more, we are the most prevalent part of an organization. There must be policies specific to HR practices. A few of these are very important.
Once hired, you should have an orientation, and all policies should be reviewed and signed.
An organization must take careful steps when an employee is leaving, either on their own or through firing/layoffs. Each situation may be different and may have to evaluate
If an employee is being terminated they should
Either way, there should be written policies describing what procedures to take with terminations. There should also always be an exit interview.
HR should enact
These are discussed on the next slides.
Individuals rotate through various job responsibilities, such that no one person is solely responsible for something.
All employees are REQUIRED to take their vacation.
Attacks that can be defended against well by policies and education
What is social engineering?
An attacker attempts to obtain sensitive information from a user by masquerading as a trusted entity via email, or instant messaging.
Signs of phishing
A gentleman in one of my classes pointed out an old attack that I had forgotten about. One of the predecessors to modern phishing… 5-10 years ago people used to put up fake ATMs that would read and store your ATM numbers and PINs. After you swiped the card and put in your PIN you'd get a "system down" message… most people never would realize that they had their info stolen… this is a predecessor to modern phishing.
Phishing, but with the phone system (voice communications)
What is this?
Anyone heard of Kevin Mitnick?
Q. What is the best countermeasure against phishing attacks?
Q. Why is a hoax still a security concern?
Q. Installing a camera to read credit card numbers at gas pumps is what type of attack?
Q. Does an Organization Security Policy Statement detail specifics such as how to properly encrypt data?
Q. What is the difference between Due Diligence and Due Care?
Q. What is the term for a set of "required steps to be taken" when doing some action?