Read to learn more about policies, including: firewall rules, system hardening standards, data retention policies, and of course, password policies.
The following information is a part of our free cybersecurity and compliance Academy course.
Having issues accessing the video above? Watch the video here.
A lot of your data security and compliance process should be spent on documenting your policies and procedures. These documents will serve as the foundation for data security at your organization. They’ll be used for compliance, employee training, and most importantly, setting the tone for your security culture.
In our policies and procedures section, we’ll discuss things like:
We’ll also talk about the data security compliance mandates you may be required to follow—like PCI, HIPAA, and GDPR.
You’ll learn what documentation you need to create, and why you need it. We’ll also cover employee policies about passwords, access, and mobile devices.
To get started on your policies and procedures, take a few minutes to read the following sections and note the areas where you’re lacking. And most importantly, make updating your policies and procedures a regular, scheduled event.
First, your security policies and procedures should be written down and easily accessible to all employees.
Security policies may help protect your business from potential liability in the event of a breach, as thorough and accurate documented security policies and procedures help forensic investigators see what security measures your company has in place. However, the main purpose of a documented security policy is to help you avoid a data breach.
Documents you’ll want to include in your security policy:
Regularly updated documentation of all security measures and actions is key.
Your documentation should answer questions, such as:
In order to keep your security documentation up to date, you must constantly revise and add to it.
Just like all your other weekly activities, documentation should be an ongoing part of your entire business-as-usual security strategy. Try to examine and adjust at least one piece of documentation each week, or whenever you make organizational updates. Don’t pile it into one day or one month at the end of the year.
Unknown to many organizations, devices are often installed and used without changing their default passwords.
However, most default passwords and settings are well-known throughout hacker communities and are easily found via a simple Internet search. Leaving defaults unchanged gives attackers an easy gateway into a system. Changing vendor defaults on every system with sensitive data (or in network zones where sensitive data exists) protects against unauthorized users.
In one SecurityMetrics forensic investigation, it was discovered that a third-party IT vendor purposely left default passwords in place to facilitate easier future system maintenance. Default passwords might make it easier for IT vendors to support a system without having to learn a new password each time; but convenience is never a valid reason to forgo security.
Even if default passwords are changed, a username and password that aren’t sufficiently complex make it that much easier for an attacker to gain access to an environment. An attacker may try a brute-force attack against a system by entering multiple passwords (via an automated tool that tries thousands of password options within a matter of seconds) until one works.
Remember, secure passwords should be at least 8 characters long and include an upper-case letter, a lower-case letter, a number, and a special character. Passwords that fall short of these criteria can easily be broken using a password-cracking tool. In practice, the longer a password is and the more character types it uses, the more difficult it will be for an attacker to crack.
An easy way to remember complex passwords is by using passphrases. Passphrases are groups of words with spaces in between (e.g., “We Never Drove Toward Vancouver?”). A passphrase can contain symbols and upper- and lower-case letters, and it doesn’t have to make grammatical sense.
Passphrases are generally easier to remember, but harder to crack than passwords.
In addition to strong passphrases, password management software can help you use different passwords for all your accounts. Some password managers can even work across multiple devices and sync across the Cloud.
You really need different passwords for different services, so if one service gets compromised, it doesn’t bleed into other passwords for other sites. For example, if your email account password is compromised and you use the same password across devices and websites, you have a major security problem on your hands.
Although organizations may have ID credential policies in place (such as requiring each employee to use a unique ID credential and complex password), employees often don’t follow these policies. Employees might have unique ID credentials, but they often share them with other workforce members, thinking that they can share usernames and passwords with individuals who already have access within the system, such as co-workers, IT providers, and receptionists.
You should also establish an account lockout that is set to six consecutive failed login attempts within at least a 30-minute period. Requiring an administrator to manually unlock accounts will prevent attackers from guessing hundreds of passwords consecutively. If an attacker only has six chances to guess the correct password, their attempts will likely fail. Once locked out, they will move on to an easier target.
Convenience is never a valid reason to forego security.
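As an added example (not part of the original course material), the following Python code implements the password rules and the account lockout policy described above: 8+ characters with the four character classes, and a lock after six failed logins within a 30-minute period that only an administrator can clear. The passphrase threshold of three words and 20 characters is my assumption, since the page gives none.

```python
import re
from collections import defaultdict, deque

# Page's policy: 8+ chars with four character classes; lock after 6 failures in 30 min.
MIN_LENGTH, LOCKOUT_THRESHOLD, LOCKOUT_WINDOW_SECONDS = 8, 6, 30 * 60
# Assumption (not on the page): 3+ words totalling 20+ chars pass as a passphrase.
PASSPHRASE_MIN_WORDS, PASSPHRASE_MIN_LENGTH = 3, 20
CHARACTER_CLASSES = {"upper-case letter": r"[A-Z]", "lower-case letter": r"[a-z]",
                     "digit": r"[0-9]", "special character": r"[^A-Za-z0-9\s]"}

def password_problems(candidate):
    """Return the policy rules a candidate fails; an empty list means it complies."""
    if (len(candidate.split()) >= PASSPHRASE_MIN_WORDS
            and len(candidate) >= PASSPHRASE_MIN_LENGTH):
        return []  # accepted as a passphrase (assumption above)
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not re.search(pattern, candidate):
            problems.append(f"missing {name}")
    return problems

class LockoutTracker:
    """Per-user failed-login counter; only admin_unlock() clears a lock."""
    def __init__(self):
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked = set()

    def record_failure(self, user, now):  # `now` in seconds; True if this caused a lock
        if user in self.locked:
            return False
        recent = self.failures[user]
        recent.append(now)
        while now - recent[0] > LOCKOUT_WINDOW_SECONDS:
            recent.popleft()  # forget failures older than the 30-minute window
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked.add(user)
            return True
        return False

    def record_success(self, user):
        if user in self.locked:
            return False  # a correct password does not open a locked account
        self.failures[user].clear()  # the consecutive-failure count resets
        return True

    def admin_unlock(self, user):
        self.locked.discard(user)
        self.failures[user].clear()
```

Feed `record_failure` and `record_success` from your authentication log (with the event timestamp) to see which accounts the policy would lock and when.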
You should have a role-based access control (RBAC) system in place, which grants access to sensitive data and systems to individuals and groups on a need-to-know basis. Configuring administrator and user accounts prevents exposing sensitive data to those who don’t have a need to know.
You should have a defined and up-to-date list of the roles with access to sensitive data. On this list, you should include each role, the definition of each role, access to data resources, current privilege level, and what privilege level is necessary for each person to perform normal responsibilities. Users must fit into one of the roles you outline.
You also need to think about staff members who change roles within your organization and when they no longer work for your organization.
User access isn’t limited to your normal office staff. It applies to anyone who needs access to your systems or the area behind the desk, like that IT guy you hired on the side to update your software. You need to define and document what kind of user permissions they have.
Have a defined and up-to-date list of the roles with access to systems that handle sensitive data.
Electronic systems access: Usernames are a great way to segment users by role. It also gives you a way to track specific user activity. The first question you need to ask yourself is, does each staff member have a unique user ID? If not, that’s a great place to start.
Physical access: Make sure anyone not on your regular staff is escorted around the office by a staff member. Visitors should be ID’ed and logs should be kept that document details such as their name, the reason for being at your organization, what company they’re from, time they entered, and when they left.
Mobile devices require additional security measures to make sure sensitive data is protected. Companies often forget about mobile devices (such as phones or iPads) when writing security policies and procedures. It’s potentially difficult to apply a policy written for workstations and laptops to a mobile device. You need to address their security issues separately.
In addition, when employees use their own personal smartphones or tablets to access data, these devices are vulnerable due to other apps on the device. With each downloaded app, your risk grows.
Think about others accessing that mobile device outside the office. For example, sometimes employees let their kids play with their personal or work smartphone, then someone accidentally downloads a malicious app that can read the keyboard patterns of a user. The next time that employee uses the mobile device in your network, that malware may steal passwords to your systems.
To address these concerns, consider using the National Institute of Standards and Technology (NIST) mobile guidelines for security engineers and providers.
There are some obvious things you should and shouldn’t do with your sensitive data while using your mobile device. For example:
If you don’t secure mobile devices, your organization’s sensitive data is at risk. Even though it can be hard to fit mobile devices into a traditional network or data security model, you need to consider them in your information security planning.
Although most workers aren’t malicious, they often either forget security best practices or don’t know what they’re required to do.
Unfortunately, many hackers will take advantage of human error to gain access to sensitive data, for example when workforce members leave mobile devices in plain sight and unattended. Hackers may access networks because workforce members set up easy-to-guess passwords. And the list goes on.
By holding your employees accountable, you can protect your business and customers more effectively.
To help protect sensitive data, employees need to be given specific rules and regular training. Regular training will remind them of the importance of security and keep them up to date with current security policies and practices. Here are some tips to help employees protect your sensitive data:
Employees may think physical security only applies after hours. However, most data thefts occur in the middle of the day, when staff is too busy with various assignments to notice someone walking out of the office with a server, company laptop, phone, etc.
The best way to control physical threats is through a physical security policy that includes all rules and processes involved in preserving onsite business security. For example, if you keep confidential information, products, or equipment in the workplace, keep these items secured in a locked area. If possible, limit outsider access to one monitored entrance, and (if applicable) require non-employees to wear visitor badges at all times.
Don’t store sensitive information (like payment card data) out in the open. For example, many hotels keep binders full of credit card numbers behind the front desk, or piled on the fax machine, for easy reservation access. Unfortunately, the collection of files not only makes life easier for employees, but it puts criminals within reach of data at front desks or fax machines.
Employee access to sensitive areas should be controlled and must be related to an individual’s job function.
Unfortunately, many organizations don’t worry as much about the physical aspect of their security. While they may address many foundational security issues, they’re likely to overlook details such as:
The majority of physical data thefts take only minutes to plan and execute.
You also need to control employee access to sensitive areas, which should be related to an individual’s job function. You should document:
Access documentation must be kept up to date, especially when individuals are terminated or their job role changes.
Best practice is to not allow mobile devices to leave the office, but if they must, consider attaching external GPS tracking technology, plus installing and enabling remote wipe on all laptops, tablets, and smartphones.
In addition, make sure all workstations and devices have an automated timeout or logout, meaning a password-protected screen saver appears after a set amount of idle time. This helps to discourage thieves from trying to access data from these workstations when employees aren’t there.
App developers will never be perfect, which is why updates to patch security holes are frequently released. Once a hacker knows they can get through a security hole, they pass that knowledge on to the hacker community, which can then exploit this weakness until the patch has been applied.
Quickly implementing security updates is crucial to your security posture. Patch all critical components in the card flow pathway, including:
Older Windows systems can make it difficult for organizations to remain secure, especially when the manufacturer no longer supports a particular operating system or version, for example Windows XP and Windows Server 2003. Operating system updates often contain essential security enhancements specifically intended to correct recently exposed vulnerabilities. When using an unsupported operating system that doesn’t receive these updates and patches, your vulnerability potential increases exponentially.
Be vigilant about consistently updating the software associated with your system. Organizations should set up policies to install critical patches within a month of release. Don’t forget about other critical software like credit card payment applications or other non-OS components. To stay up to date, ask your software vendors to put you on their patch and upgrade notification list.
Keep in mind that the more systems, computers, and apps your company has, the more potential vulnerabilities it may be exposed to.
Another way to stay on top of vulnerabilities is vulnerability scanning, which is arguably the easiest way to discover unpatched software holes that cybercriminals would exploit to gain access to and compromise your organization.
Any system with access to sensitive data needs to be hardened before use; the goal of hardening a system is to remove any unnecessary functionality and to configure the system in a secure manner.
Organizations should address all known security vulnerabilities and be consistent with industry-accepted system hardening standards. Some good examples of hardening guidelines are produced by:
Don’t forget to develop and test applications in accordance with industry accepted standards like the Open Web Application Security Project (OWASP).
Be vigilant about consistently updating the software associated with your system.
In addition to updating and securing applications, you should implement web application firewalls (WAFs) in front of public-facing web applications to monitor, detect, and prevent web-based attacks. They can also be used when performing application security assessments. Remember, these web application firewall solutions typically don’t perform the many functions of an all-purpose network firewall (for example, network segmentation), but they specialize in one specific area: monitoring and blocking web-based traffic.
Question 1:
What is an example of a WEAK password? (Choose only ONE best answer.)
Question 2:
You should train employees on… (Choose only ONE best answer.)
Question 3:
Your organization should review its security policies and procedures… (Choose only ONE best answer.)
Question 4:
Where should sensitive information (like payment card data) be stored? (Choose only ONE best answer.)
Answer Code: Q1: 1, Q2: 3, Q3: 3, Q4: 3