Education




Educating all employees, contractors, and other third parties about an organization's security practices, policies, and procedures should be a priority. It is the responsibility of management and human resources to see that all communication, training, documentation, and practices are brought to the attention of employees on a need-to-know basis. All the physical and logical security implementations as well as documented policies are going to do you little good if your general work population is not educated on the fundamental rules and regulations that exist within your organization.

Most businesses today invest in specialized third-party security training for authorized personnel. They also require Human Resource departments to provide mandatory educational meetings on company policy, handbooks, general security, and safety topics. Educating employees and partners in up-to-date security practices can be very beneficial to the overall health of your organization.

Security education and training should be paid for and provided at all levels of an organization. Managers should receive security management training; technicians should be required to take CISSP and Security+ training courses as well as become certified.

If your company is unable to send you for training, CBT (Computer Based Training) courses can be made available, or interactive security training can be sought over the Web.

Some of the benefits of security education are an overall increase in productivity and a decrease in theft, fraud, vandalism, and unauthorized access. Recent world events tell us that emergency planning, disaster recovery, and security training and education should be among our top priorities.

Communication

Communication is the key to educating users and employees about updated security policies and general security awareness. If you don't educate fellow employees and communicate new policies and procedures to them, they obviously might not know what to do in the event of a disaster or security-related incident. Regularly scheduled meetings should take place to keep users informed of updates, newly introduced policy, and general company handbook updates. Documents should also be distributed outlining any policy changes or updates. Communication tools such as reminders, posters, and intranet Web sites can also be used to update or educate employees on current practices.

Documentation

Documenting important company data, procedures, policies, and other vital information is critical to the life cycle of any healthy business. It is important that company data and information be prepared, classified, handled, stored, retained, and, when necessary, disposed of with great care and instruction. It is likely that you will see many questions on the exam that focus on the proper methods of handling, retaining, and destroying data and important information. Place your study focus on those subtopics in your final exam preparation on documentation.

Standards, Policies, and Guidelines

Standards are approved, accepted, and defined mandates or rules that apply to activities and functions. An example of a standard is that all people are required to sign in with a security guard, or all employees must be drug tested before being hired. Standards are implemented to support organization or company policy. Many technical and security related organizations provide standards for compliance and acceptance. In other words, in order to receive their services, you must follow their rules or standards.

Policies, which are supported by standards, are typically the collaborative ideas and viewpoints of management, owners, and partners. These policies are intended by management to be used as a road map for employees to follow. In other words, management creates the policy and employees are expected to adhere to these policies, or management viewpoints. In order for the policy to be effective, it must be followed and enforced with punishment if necessary. Policy must also be kept up-to-date and communicated to all employees who it affects.

Guidelines are general courses of action that can be taken or followed based on standards and policy. For example, a company might have a policy that states, 'Smoking in designated areas only.' The guideline for this policy might include the actual designated areas and other information.

Systems Architecture

Documenting a system's or network's components and software architecture is a critical part of overall security, as well as of the implementation of new code or other components. The need for better-documented system architecture and better communication between manufacturers, programmers, developers, network engineers, and security analysts has become very apparent as technology has progressed. If a system's architecture is not well known and properly documented, the result of a project will typically be failure.

The proper documentation of system architecture should include a 'how-what-why' approach: how the documentation serves its intended audience; what the actual architecture of the system is; and why the architecture has been designed the way it exists.

Documenting a system's architecture provides a set of guidelines or views that can be followed and addressed when new implementations are considered. These views provide a framework that can be used to manage the effectiveness of a project. They can also serve as a signal light that determines whether the project should continue or not.

Change Documentation

Change documentation is needed to preserve the integrity of a program, network, system, or business when changes are needed and made to configurations, policies, or documentation in general. For example, a change control document might exist to provide a structured approach to the procedures for moving test data and programs into a production or live environment.

Change control procedures are a means of tracking, auditing, and controlling all changes that are made to a particular system or program. The following five accepted procedures are considered the general guidelines that should be followed when implementing a change control process:

  1. Applying for the introduction of a change.

  2. Cataloging the intended change.

  3. Scheduling the change.

  4. Implementing the change.

  5. Reporting the change to all parties involved.

These additional items should be considered concerning the implementation of a change to a production environment:

  • Before the change is moved to production, it is imperative that it has been tested in an orderly and acceptable fashion.

  • Users and affected parties must be informed of the change.

  • The effects of the change must be analyzed after the change has occurred.

In very simple terms, a change control process and sign-off are needed to reduce the risks associated with introducing new applications and products into a production environment. In real life, new code and application integration typically goes through the following four processes or phases:

  • Development

  • Testing

  • Implementation

  • Review

Data Classification

Classifying data into separate distinct categories is used as a method to comply with company, state, local, and federal regulations. Financial and other accounting businesses as well as many other companies that provide products and services are most often required by law to classify data.

A data classification plan or scheme is important because it helps identify a company's important assets, identifies how data is protected, and provides a means of demonstrating an organization's commitment to security.

Data should be classified by certain criteria. The following criteria are accepted practices for classifying data:

  • Data value: How valuable is the data to the company, partner, or client?

  • Data age: How old is the data? The data value might decrease as the data gets older.

  • Useful life of data: The useful life of the data might change over time. If the data is no longer needed, it might be reclassified or declassified.

  • Personal or job association: Data might be identified with a specific person or job function.

There are two main categories of data classification: commercial and government.

Note 

Know the data classifications for the Security+ exam. It is very likely that you will see questions that relate to them.

Commercial Data Classification

This category consists of the following:

  • Public: This data should not be readily available to the public. However, if the general public views this data, it will not cause damage.

  • Sensitive: This data needs a high level of protection and should remain confidential at all times.

  • Private: This data is personal and intended for business or company use only. Disclosure will generally not result in loss or damage.

  • Confidential: This is the highest commercial classification. This is data that is highly sensitive and meant for internal business or company use. The disclosure of this type of data will result in extreme damage or loss.

Government Data Classification

This category consists of the following:

  • Unclassified: This data is not sensitive in nature. It has no classification. This information is viewable by the public.

  • Sensitive but Unclassified: This data is considered secret. However, if it is released to or viewed by the public it will not cause damage, harm, or loss.

  • Confidential: Information that is considered Confidential should not be made public. Moderate to serious damage could result.

  • Secret: Unauthorized disclosure of Secret information or data is likely to cause serious damage.

  • Top Secret: This is the most classified of the classifications. Grave or extreme damage and/or circumstances can result from the disclosure of this information.

Notification

As documented policies, standards, security procedures, technical information, and other important company information changes, it is important that the proper employees are notified. As mentioned earlier in the chapter, lack of communication can result in disastrous consequences. Some of the negative results that can occur by lack of due care concerning notification and communication are as follows:

  • System failure

  • Application failure

  • Fraud

  • Theft

  • Disgruntled employees

  • Lack of productivity

  • Legal issues

Anything negative (within reason) that could possibly happen in an environment should be considered when documenting and providing notification. If company policy changes, the proper employees should be notified. If a disgruntled network administrator or security analyst leaves or threatens the integrity of the company, immediate notification to the proper personnel should occur. If system software discovers malicious code, an immediate alert in the form of an e-mail or a page should be sent directly to the system or network administrator. If the building maintenance crew needs to mop or clean a stairwell, signs or notification should be posted to avoid accidental injury.

Proper notification documentation should include emergency contact information for all company managers, security personnel, Human Resource personnel, network and disaster recovery teams (both local site and enterprise-wide if necessary), and building maintenance. It should include phone numbers for local fire, police, and hospitals. This document should also state whom to contact for what: the person reading it should have no question about whom to call. Emergency notification requires quick thinking and response. It is likely that this document will include personal information that should only be used by authorized personnel. It should be available on a need-to-know basis only.

Inventories and Logs

All company assets should be inventoried in a control document. This inventory list should include such assets as licensed hardware, software, applications, products, office equipment, and all other company assets. Every department within an organization should be responsible for keeping its section of the company inventory list up-to-date and accurate. A specific person within each department should be assigned this responsibility. Serial numbers, proof of purchase, and asset numbers should be associated with the various company assets. The inventory list should be audited on a regular basis to account for all assets and verify the inventory list's accuracy and integrity. A duplicate inventory list should be stored off site in the event of an emergency that destroys the original list.

For ease of administration and collaboration on the company inventory, an inventory database software package should be purchased or created. Just be sure that certain files or fields within the database are accessible only to those who need access.

System and security logs also require careful consideration and handling. Audit logs are often used to prove that illegal activity such as unauthorized access to confidential information has occurred. Security cameras and magnetic badge systems record and store pictures and logs that can be used as evidence in a court of law or be provided to insurance companies for reimbursement if something negative occurs.

The proper logging of certain system events and firewall activity is critical to the security welfare of a network. If logging is set up properly, hackers and malicious activity can be recorded and tracked. It is important to note that many hackers are skilled at erasing their tracks. They will often delete or remove log files that are stored in default locations after they are done doing whatever it is they do. Good security practice suggests that you should rename and move your log files on a regular basis to counter this activity.

When creating a logging plan, the following items should be considered:

  • What events should be logged.

  • The storage location of the log files and an estimated file size of the logs.

  • Who will require access to the log files.

  • Whether the log file should be encrypted.

  • Frequency at which the log files should be backed up and stored.

Storage/Retention

Log files and company inventory lists should be stored and retained according to company policy and any applicable regulations. It is important to note that certain operating system log files are by default limited to certain sizes and retention periods. For example, by default, the Windows NT operating system limits the size of the system, security, and application event logs to 512KB each and has a default retention period of seven days. With these settings, the oldest audited events will be removed from the system when the 512KB limit is met or when seven days pass. This is important to consider. You need to coordinate the backups of your audit trails and logs with the settings you have specified in the particular operating system you are using. Auditing and backing up everything all of the time costs money and hampers system resources and response times. Make an organized plan. You might need log files from six months ago in order to prove wrongdoing.
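The logging-plan items and the retention guidance above (move logs out of their default location on a schedule, know where they went, keep them for the policy's retention period) carried out in code. This is an added example, not from the book: the sample log lines, the 180-day retention period and the `security.log` file name are constructed for the demonstration.

```python
"""Archive live audit logs before the OS overwrites them, record an integrity hash,
and prune archives that have aged past the retention policy (added example)."""
from __future__ import annotations
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed sample of what an audit log might contain; not real events.
SAMPLE_LOG = (
    "2003-04-01 09:12:03 LOGON user=alice src=10.0.0.5 result=success\n"
    "2003-04-01 09:15:47 LOGON user=bob src=10.0.0.9 result=failure\n"
    "2003-04-01 09:16:02 FILE_READ user=bob path=/finance/q1.xls result=denied\n"
)
STAMP = "%Y%m%dT%H%M%SZ"  # timestamp embedded in every archived file name

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def archive_log(log_path: Path, archive_dir: Path, when: datetime) -> tuple[Path, str]:
    """Move the live log to the archive under a timestamped name and record its hash,
    so later tampering with the archived copy (or the manifest) can be detected."""
    archive_dir.mkdir(parents=True, exist_ok=True)
    stamp = when.strftime(STAMP)
    dest = archive_dir / f"{log_path.stem}-{stamp}{log_path.suffix}"
    digest = sha256_bytes(log_path.read_bytes())
    shutil.move(str(log_path), str(dest))
    # The manifest is what you store with the off-site copy.
    with (archive_dir / "MANIFEST").open("a") as m:
        m.write(f"{dest.name} sha256={digest} archived={stamp}\n")
    log_path.touch()  # start a fresh, empty live log in the default location
    return dest, digest

def prune_archives(archive_dir: Path, retention: timedelta, now: datetime) -> list[str]:
    """Delete archives older than the retention policy; return the names removed."""
    removed = []
    for p in archive_dir.glob("*-*Z.*"):  # MANIFEST has no timestamp and is skipped
        archived = datetime.strptime(p.stem.rsplit("-", 1)[1], STAMP).replace(tzinfo=timezone.utc)
        if now - archived > retention:
            p.unlink()
            removed.append(p.name)
    return removed

def demo() -> dict:
    """Two rotations 200 days apart against a constructed log; 180-day retention."""
    root = Path(tempfile.mkdtemp())
    live, archive = root / "security.log", root / "archive"
    t0 = datetime(2003, 4, 1, 9, 16, tzinfo=timezone.utc)
    live.write_text(SAMPLE_LOG)
    first, digest = archive_log(live, archive, t0)
    live.write_text(SAMPLE_LOG)  # the live log fills up again
    archive_log(live, archive, t0 + timedelta(days=200))
    removed = prune_archives(archive, timedelta(days=180), t0 + timedelta(days=200))
    return {"first": first.name, "hash": digest, "removed": removed,
            "remaining": sorted(p.name for p in archive.glob("*.log")),
            "live_empty": live.exists() and live.stat().st_size == 0}
```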

Important information (such as that contained in documents and backup media) that is considered valuable to a company should be stored at an off-site, professional, registered storage company. Access to the stored information should require proper identification and signatures where necessary. If your information is stored off site, you should make sure that you can readily gain access to it 24 hours a day, seven days a week.

Destruction

Every business should have a document prevention/destruction plan and policy, with associated guidelines to support the policy, regarding the destruction of both physical and logical documents. Implementing such a plan and carrying out proper document disposal methods and techniques may save your company or organization from fraud, theft, espionage, and possible legal issues.

There are many certified third-party businesses that offer document destruction and the recycling of important and confidential information. Typically, these services provide on-site secure storage containers that confidential information can be placed in and sealed for further destruction and possible recycling. Do not ever place confidential company information in a physical public recycle bin. At the very least, your company should have a two-way shredder that enables documents to be destroyed on site.

As far as logical document destruction goes, do not ever assume that the top-secret document you just placed in the Windows Recycle Bin has been deleted. Even if you empty the Recycle Bin, the document can still be recovered through the system's FAT (file allocation table). If you need to keep and store the top-secret information, encrypt it.

In order to completely remove information from most electronic media, the media needs to be electronically or magnetically erased. For most organizations, encryption is the way to go. The military usually burns all confidential information that is no longer needed. For the exam, multiple reformats of the media are acceptable for most company reuse policies.






The Security+ Exam Guide (TestTaker's Guide Series)
Security + Exam Guide (Charles River Media Networking/Security)
ISBN: 1584502517
Year: 2003
Pages: 136
