5.3 Policies for Organizational Security

Personnel Security

Acceptable use policy (AUP) = covers how all the different technologies in an environment may be used: internet use, telephone use, computer and mobile device use

Business policies:
- job rotation = keep people moving between responsibilities so that no one person maintains control for long periods of time
- mandatory vacations = rotate others through the job; the longer the vacation, the better the chance to identify fraud
- separation of duties = the concept of having more than one person required to complete a task
  - split knowledge = no one person has all the details; each person holds separate data items
  - dual control = two people must be present to perform the business function

Least privilege = set user privileges to the bare minimum, allowing only the tasks that are required and nothing more


Third-Party Risk Management

Supply chain = the whole system of vendors, processes and components involved in creating a product

Business partners = much closer to your data than a vendor, and still a significant risk if they are compromised

Common agreements:
- SLA (service level agreement)
- MOU (memorandum of understanding)
- MSA (measurement system analysis)

End of life (EOL) = manufacturer stops selling a product
- may continue to support the product
- important for security patches and updates

End of service life (EOSL) = manufacturer stops selling a product
- support is no longer available for the product
- no security patches or updates


Managing Data

Data governance = the rules, processes and accountability associated with an organization's data
- data steward = manages the governance process; responsible for data accuracy, privacy and security

Data retention = the practice of storing data for a specific period of time
- keep copies of files that change frequently so that earlier versions can be recovered (version control)


Credential Policies

Personnel accounts = an account on a computer associated with a specific person
- no privileged access to the operating system

Add additional layers of security to all accounts, such as MFA (multi-factor authentication), audit the security posture regularly, and do not allow accounts to be shared among users


Organizational Policies

Change management / change control
- determine the scope of the change
- analyze the risk associated with the change

Asset management
- track licenses
- verify that devices are up to date
- respond faster to security problems
