· Requirements and Assessments — Security Requirements & Assessments
· Policy and Procedures — Background Checks, HR Policy, Third-Party Relationships
· Training and Awareness — Security Awareness & Training

Requirements & Assessments

Subcategory: Security Requirements
Best Practices: The organization identifies individuals with subject-matter expertise in security to be involved in all security-related discussions and decisions. The organization identifies what it needs to protect based on the value of the asset, as well as the level of security needed to protect it. All threat vectors are included in the analysis. The resulting strategy balances the cost and benefit of the protections, and may include transfer or acceptance of risk as an option. Security requirements, derived from both business and technical representatives, are documented and published for all parties to review and address in future designs. Differences between classes of applications and data may result in different end requirements being identified.

Subcategory: Security Assessments
Best Practices: Third-party assessments should be conducted to gain a valuable and objective view of an organization's security posture. Third-party assessments might also prove beneficial in meeting regulatory, customer, partner, and vendor requirements. Assessments should cover infrastructure, applications, policies, and audit procedures. These assessments should focus not solely on identifying vulnerabilities, but also on auditing for nonsecure configurations and extraneous access privileges. Security policies and procedures should be reviewed and evaluated for gaps.

Policy & Procedures

Subcategory: Background Checks
Best Practices: Background checks should be performed to identify potential issues, reducing the risk exposure to the organization and to other employees. They also help identify gaps or inconsistencies in the candidate's résumé. The hiring process should include a review of the candidate's employment and legal history. A candidate's skills should be evaluated against detailed job descriptions and task requirements to understand strengths and weaknesses.

Subcategory: Human Resources Policy
Best Practices: Formal exit procedures ensure that all the necessary steps are undertaken when an employment contract is terminated. These procedures should exist to handle both friendly and unfriendly employee exits. They should include:
· Notification to all departments—Human Resources, IT, Physical Security, Help Desk, Finance, etc.
· Escorting the employee from the premises
· Termination of all accounts and network access
· Collection of company property—laptop,

Subcategory: Third-Party Relationships
Best Practices: To help reduce the risk of exposure, formal policies and procedures should exist to govern relationships with third parties. These policies and procedures help to identify security issues and the responsibilities of each party in mitigating them. These policies should include:
· Level of connectivity and access
· Data presentation and manipulation
· Roles and responsibilities (including authority) of each party
· Management of the relationship—setup, ongoing, and termination

Training & Awareness

Subcategory: Security Awareness
Best Practices: A security awareness program helps employees contribute to a company's overall security posture by keeping them up to date on security risks. Knowledgeable employees are your best source for reporting security issues. Implement policies that regulate employee usage of company resources. Awareness programs should be part of new employee orientation. Updates and refresher courses should be conducted regularly to ensure all employees are aware of the most current practices and risks. Periodic testing should be implemented to ensure employees have absorbed the material.

Subcategory: Security Training
Best Practices: Work with business owners to determine the acceptable downtime for critical applications. Based on those findings, take appropriate measures to meet or even surpass those requirements. Availability and performance of Web-based applications are improved by deploying load balancers in front of the Web servers. A load balancer distributes requests to different nodes within a server cluster with the goal of optimizing system performance. If one Web server in the cluster fails, the request is directed to another server, providing high availability.

Determine acceptable downtime for critical file shares and databases from business owners. Test the failover mechanisms for the applications, and determine whether the amount of downtime is acceptable. To minimize downtime, a clustering mechanism should be deployed. Each instance of the clustered application participates in the same security domain, i.e., shares a common user and group database. Management operations within the cluster of machines and within the application instances take effect both in the individual instance and across its peers. Applications that rely on special knowledge of the clustering environment, such as through interactions with load balancers, recognize and handle all foreseeable exception conditions. Appropriate responses include alerting operations staff and effecting a smooth failover.

The backup strategy should address worst-case scenarios of a complete system and application restore. For critical applications, the restore process should result in a fully functioning application in minimal time. Perform regular tests of the backup/recovery mechanism to confirm that the application can be restored to a normal operating state.

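The failover behaviour described above (a load balancer routing around a failed Web server, and a failover test measured against the business owners' acceptable-downtime figure) as an added example; this is constructed illustration code, not part of the original document, and the node names, the 10-second run, the probe interval and the downtime budget are arbitrary values chosen for the demonstration.

```python
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    up: bool = True        # actual server state
    healthy: bool = True   # state the load balancer currently believes
    served: int = 0

class LoadBalancer:
    """Constructed model: round-robin dispatcher that only routes to nodes it believes healthy."""
    def __init__(self, nodes):
        self.nodes = list(nodes)
        self._rr = 0

    def probe(self):
        """Health check: refresh the view of every node; return names newly found down."""
        newly_down = [n.name for n in self.nodes if n.healthy and not n.up]
        for n in self.nodes:
            n.healthy = n.up
        return newly_down

    def dispatch(self):
        # Next believed-healthy node in rotation, or None if the whole cluster looks down.
        for _ in range(len(self.nodes)):
            node = self.nodes[self._rr % len(self.nodes)]
            self._rr += 1
            if node.healthy:
                return node
        return None

def simulate(node_names, probe_interval, fail_node, fail_at, duration, acceptable_downtime):
    """Failover test: one request per second; fail_node crashes at t=fail_at. A request routed
    to a crashed node the balancer still trusts is dropped: that is the user-visible outage."""
    nodes = [Node(n) for n in node_names]
    lb = LoadBalancer(nodes)
    dropped, detected_at = 0, None
    for t in range(duration):
        if t == fail_at:
            next(n for n in nodes if n.name == fail_node).up = False
        if t % probe_interval == 0 and lb.probe():
            detected_at = t                      # failover completes at this probe
        node = lb.dispatch()
        if node is None or not node.up:
            dropped += 1
        else:
            node.served += 1
    # Downtime runs from failure to detection; if never detected, lower-bound it at run end.
    downtime = detected_at - fail_at if detected_at is not None else duration - fail_at
    return {"dropped": dropped, "downtime_seconds": downtime,
            "meets_budget": downtime <= acceptable_downtime,
            "served": {n.name: n.served for n in nodes}}
```

The window between a server failure and the next health probe is where requests still reach the dead node, so the probe interval is what the failover test ends up measuring against the acceptable-downtime figure.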
Training & Awareness - Resources

Microsoft Security Certifications
The MCSE: Security for Windows Server 2003 certification provides you the skill set to secure a Windows Server environment.
References: http://www.microsoft.com/learning/mcp/mcse/security/windowsserver2003.mspx

Industry Security Certifications
· (ISC)2 - CISSP, SSCP Certifications
· ISACA - CISM, CISA Certifications
· CompTIA - Security+
References: http://www.isc2.org