1
00:00:00,005 --> 00:00:01,009
- [Instructor] Every organization approaches

2
00:00:01,009 --> 00:00:04,005
security policies a little bit differently.

3
00:00:04,005 --> 00:00:07,003
The details of an organization's policy will vary

4
00:00:07,003 --> 00:00:09,004
depending upon several factors,

5
00:00:09,004 --> 00:00:11,007
including the culture of an organization.

6
00:00:11,007 --> 00:00:14,006
For example, an organization with a relaxed,

7
00:00:14,006 --> 00:00:17,005
empowering culture might have very few policies

8
00:00:17,005 --> 00:00:20,003
that don't contain detailed security restrictions.

9
00:00:20,003 --> 00:00:23,000
The details of security policies also depend upon

10
00:00:23,000 --> 00:00:25,002
the industry that the organization is in.

11
00:00:25,002 --> 00:00:27,008
For example, healthcare providers will likely

12
00:00:27,008 --> 00:00:30,003
have greater control around data privacy

13
00:00:30,003 --> 00:00:32,003
than a publishing company would.

14
00:00:32,003 --> 00:00:34,003
Regulations also play a role.

15
00:00:34,003 --> 00:00:37,002
Organizations that process credit cards, for example,

16
00:00:37,002 --> 00:00:39,005
will have a large number of policies dictated

17
00:00:39,005 --> 00:00:42,003
by the Payment Card Industry Data Security Standard,

18
00:00:42,003 --> 00:00:43,009
PCI DSS.

19
00:00:43,009 --> 00:00:46,004
That said, there are several standard policies

20
00:00:46,004 --> 00:00:48,006
that every organization should have

21
00:00:48,006 --> 00:00:50,003
in order to provide the foundation

22
00:00:50,003 --> 00:00:52,004
for its information security program.

23
00:00:52,004 --> 00:00:56,007
These are an information security policy, a privacy policy,

24
00:00:56,007 --> 00:00:58,007
and an acceptable use policy.

25
00:00:58,007 --> 00:01:01,002
The information security policy sets the tone

26
00:01:01,002 --> 00:01:04,005
for the organization's entire information security program.

27
00:01:04,005 --> 00:01:06,007
This policy may be long or short

28
00:01:06,007 --> 00:01:08,008
and the contents will vary from organization

29
00:01:08,008 --> 00:01:09,009
to organization,

30
00:01:09,009 --> 00:01:13,000
but the policy should have several common elements.

31
00:01:13,000 --> 00:01:16,001
First, it should contain a clear designation

32
00:01:16,001 --> 00:01:18,006
of a specific individual who will be responsible

33
00:01:18,006 --> 00:01:20,006
for information security matters.

34
00:01:20,006 --> 00:01:23,002
This doesn't need to include the name of that person.

35
00:01:23,002 --> 00:01:26,007
What you usually do is assign the responsibility to a role,

36
00:01:26,007 --> 00:01:29,003
such as the Chief Information Security Officer,

37
00:01:29,003 --> 00:01:31,003
otherwise known as the CISO.

38
00:01:31,003 --> 00:01:33,009
The information security policy should also include

39
00:01:33,009 --> 00:01:37,004
descriptions of the roles that managers, employees,

40
00:01:37,004 --> 00:01:40,001
and other users play in information security.

41
00:01:40,001 --> 00:01:42,003
You should see a requirement the organization

42
00:01:42,003 --> 00:01:44,002
follow security standards

43
00:01:44,002 --> 00:01:46,001
as well as the delegation of the authority

44
00:01:46,001 --> 00:01:48,006
to create those standards to an IT group

45
00:01:48,006 --> 00:01:49,009
or other entity.

46
00:01:49,009 --> 00:01:52,003
The policy should describe the authority granted

47
00:01:52,003 --> 00:01:55,000
to individuals responding to a security incident,

48
00:01:55,000 --> 00:01:57,006
and it should include a process for handling violations

49
00:01:57,006 --> 00:01:59,009
and exceptions to the policy.

50
00:01:59,009 --> 00:02:03,005
The organization should also have a published privacy policy

51
00:02:03,005 --> 00:02:07,002
that covers the ways that the organization collects, stores,

52
00:02:07,002 --> 00:02:09,007
and shares information about individuals.

53
00:02:09,007 --> 00:02:12,004
If we take a look at the LinkedIn Privacy Policy,

54
00:02:12,004 --> 00:02:14,008
you'll see that it contains several sections,

55
00:02:14,008 --> 00:02:17,006
an introduction that explains the overarching principles

56
00:02:17,006 --> 00:02:19,003
included in the policy,

57
00:02:19,003 --> 00:02:20,009
a section that describes the types

58
00:02:20,009 --> 00:02:25,000
of information collected by the organization,

59
00:02:25,000 --> 00:02:28,002
one that includes how they will use personal information

60
00:02:28,002 --> 00:02:30,006
that they collect,

61
00:02:30,006 --> 00:02:32,006
a section on an individual's choices

62
00:02:32,006 --> 00:02:35,001
and obligations under the policy,

63
00:02:35,001 --> 00:02:37,002
and other important information.

64
00:02:37,002 --> 00:02:39,005
One of the key elements of this policy is

65
00:02:39,005 --> 00:02:41,008
that it's written in very clear language.

66
00:02:41,008 --> 00:02:44,003
On the right side, you see the detailed legalese

67
00:02:44,003 --> 00:02:46,000
that's required by lawyers,

68
00:02:46,000 --> 00:02:48,004
but on the left side, you see a very clear,

69
00:02:48,004 --> 00:02:49,008
plain English explanation

70
00:02:49,008 --> 00:02:52,006
of what this long section actually means.

71
00:02:52,006 --> 00:02:55,004
This is really a great way to do privacy policies

72
00:02:55,004 --> 00:02:57,001
because it provides the legal language

73
00:02:57,001 --> 00:02:58,008
that protects the organization,

74
00:02:58,008 --> 00:03:01,006
while also providing a very clear way

75
00:03:01,006 --> 00:03:03,007
for users to understand what they're agreeing

76
00:03:03,007 --> 00:03:06,003
to when they join this website.

77
00:03:06,003 --> 00:03:08,002
The third policy that should exist in

78
00:03:08,002 --> 00:03:10,007
every organization's policy repository

79
00:03:10,007 --> 00:03:12,008
is an acceptable use policy,

80
00:03:12,008 --> 00:03:16,001
sometimes also called a responsible use policy.

81
00:03:16,001 --> 00:03:18,009
This policy states the organization's expectations

82
00:03:18,009 --> 00:03:22,001
for how employees will use information systems.

83
00:03:22,001 --> 00:03:24,007
For example, an acceptable use policy

84
00:03:24,007 --> 00:03:27,003
should clearly prohibit illegal activity

85
00:03:27,003 --> 00:03:30,006
or activity that would reflect poorly upon the organization.

86
00:03:30,006 --> 00:03:32,009
It should also describe what, if any,

87
00:03:32,009 --> 00:03:36,002
personal use of computing resources is acceptable.

88
00:03:36,002 --> 00:03:38,000
These policies should also explain

89
00:03:38,000 --> 00:03:41,001
how the organization implements several key principles

90
00:03:41,001 --> 00:03:42,007
of information security.

91
00:03:42,007 --> 00:03:45,003
Let's take a look at four of those principles.

92
00:03:45,003 --> 00:03:47,006
The principle of least privilege states

93
00:03:47,006 --> 00:03:50,001
that an individual should have only the minimum set

94
00:03:50,001 --> 00:03:53,009
of permissions necessary to complete his or her job.

95
00:03:53,009 --> 00:03:57,008
Granting excess permissions increases security risk

96
00:03:57,008 --> 00:04:01,002
by creating the possibility of unauthorized activity.

97
00:04:01,002 --> 00:04:03,005
The principle of separation of duties says

98
00:04:03,005 --> 00:04:05,005
that an organization should separate

99
00:04:05,005 --> 00:04:08,008
critical business functions into separate permissions

100
00:04:08,008 --> 00:04:11,006
that are never granted to the same individual.

101
00:04:11,006 --> 00:04:14,007
For example, no single person should have both

102
00:04:14,007 --> 00:04:16,006
the permission to create a new vendor

103
00:04:16,006 --> 00:04:18,002
in the accounting system

104
00:04:18,002 --> 00:04:20,009
and the authority to issue a check to a vendor.

105
00:04:20,009 --> 00:04:23,007
If a single employee had both of these permissions,

106
00:04:23,007 --> 00:04:25,007
it would be easy for him or her

107
00:04:25,007 --> 00:04:27,002
to create a fake vendor

108
00:04:27,002 --> 00:04:30,004
and then issue checks to that fake vendor in an attempt

109
00:04:30,004 --> 00:04:32,007
to steal funds from the organization.

110
00:04:32,007 --> 00:04:35,003
The practice of mandatory vacations requires

111
00:04:35,003 --> 00:04:38,000
that key employees take at least one,

112
00:04:38,000 --> 00:04:42,001
and preferably two, weeks of consecutive vacation each year

113
00:04:42,001 --> 00:04:44,006
during which his or her system access

114
00:04:44,006 --> 00:04:46,005
is temporarily suspended.

115
00:04:46,005 --> 00:04:48,006
The idea behind this principle is

116
00:04:48,006 --> 00:04:51,004
that fraud may come to light when the employee is unable

117
00:04:51,004 --> 00:04:53,005
to continue actions that cover it up

118
00:04:53,005 --> 00:04:55,005
during this extended absence.

119
00:04:55,005 --> 00:04:57,007
Finally, the practice of job rotation

120
00:04:57,007 --> 00:05:00,008
serves a purpose similar to mandatory vacations.

121
00:05:00,008 --> 00:05:04,006
Instead of forcing users to take vacations to detect fraud,

122
00:05:04,006 --> 00:05:06,004
the job rotation principle says

123
00:05:06,004 --> 00:05:08,008
that personnel in sensitive positions

124
00:05:08,008 --> 00:05:10,009
should rotate periodically

125
00:05:10,009 --> 00:05:13,000
so that they would not retain the ability

126
00:05:13,000 --> 00:05:15,006
to continue covering up fraudulent activity.