CompTIA Security+ SY0-601, 5.3
Standard user account
Standard User - This is the account for everyday use of the system; it has no administrative rights. It is good practice for an admin to use a standard account for anything other than admin duties, so that a mistake or malware in a browser or mail client does not run with elevated privileges.
Data Roles - Privacy Officer
• The Chief Privacy Officer (CPO) is responsible for the privacy of all data held by the organization; a major part of the job is preventing data breaches, which matters most in large organizations that process a great deal of personal data. • Applies business strategies and procedures to the organization's privacy requirements. • Organizes privacy plans and conducts privacy program reviews, checking and analyzing the information to ensure it is correct.
Change Management
• Change management is the process of requesting, determining the attainability of, planning, implementing and evaluating changes to a system. • Before deploying a code change to an application on your production servers, follow the change management procedure. • When changing or updating a system or application, include a roll-back procedure in case the change causes the system to crash or become unstable.
data sensitivity labeling - Confidential
• Confidential • Highly sensitive data intended for limited, specific use by a workgroup, department or group of individuals with a legitimate need to know. • Explicit authorization by the data steward is required for access because of legal, contractual, privacy or other constraints. • Confidential data has a very high level of sensitivity.
Data Roles - Custodian
• Data custodians are responsible for the safe custody, transport and storage of the data, and for implementing the business rules that apply to it. • A data custodian ensures: • Access to the data is authorized and controlled • Technical processes sustain data integrity • Technical controls safeguard the data • Change management practices are applied when the database is maintained • Data content and changes can be audited
File system security
• When managing file systems it is important to set parameters and permissions so that sensitive data is less accessible. • Apply least privilege so that employees can access only what their role requires. • Make sure all relevant data is backed up and the backups are secured, in case of any event that would otherwise result in data loss.
Guest Account
• Guest - The guest account allows temporary access to the system, usually with only limited access to the internet and some programs. Because it is a well-known account name that an attacker can abuse, it should stay disabled; current Windows versions disable it by default, and a baseline check should confirm it remains disabled.
MOU (memorandum of understanding)
An MOU (Memorandum of Understanding) is a loose agreement between two parties to work together towards some common goal. It is one step up from a "gentleman's agreement". • When an MOU is used to share data with another party, be aware that this loose agreement may not specify procedures for how that data is to be kept secure.
Service Level Agreement (SLA)
A Service Level Agreement (SLA) is an end-to-end service performance guarantee made by a service provider to a customer. • An SLA guarantees a certain amount of system uptime to a client, as well as other service details. • It also guarantees the performance levels of the service provided. • It outlines penalties in case the provider is unable to supply the guaranteed service levels.
Agreement Types
A business partnership agreement (BPA) is a contract between partners in a partnership which sets out the terms and conditions of the relationship between the partners, including: Percentages of ownership and distribution of profits and losses, description of management powers and duties of each partner.
Data Roles - Steward
A data steward is a person responsible for the management and fitness of data elements - both the content and metadata. • Data stewards have a specialist role that incorporates processes, policies, guidelines and responsibilities for administering organizations' entire data in compliance with policy and/or regulatory obligations. • The overall objective of a data steward is data quality, in regard to the key/critical data elements existing within a specific enterprise operating structure, of the elements in their respective domains.
ISA (Interconnection Security Agreement)
An ISA (Interconnection Security Agreement) is a detailed document that defines the technical and security details of how two organizations' IT networks will be connected, such as the type of connection, the security controls required on each side, and the data permitted to cross the link.
Data destruction
Data destruction is the process of destroying data stored on tapes, hard disks and other forms of electronic media so that it is completely unreadable and cannot be accessed or used for unauthorized purposes. • Data destruction software overwrites the available space/blocks with random data until the original content is considered irretrievable; on SSDs, wear levelling and over-provisioned blocks mean a file-level overwrite cannot reach every copy, so a whole-device sanitize command (ATA Secure Erase or crypto-erase) or physical destruction is required. • Data can also be destroyed through degaussing, which destroys data on magnetic tapes and disk drives by changing the magnetic field; degaussing has no effect on solid-state media.
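The overwrite step described above, as an added example that is not part of the original card set: it overwrites a file's blocks in place with random data for several passes, forces each pass to the medium with fsync, checks that the original content can no longer be read back through the file, then truncates and unlinks it. The sample file content is constructed here. It demonstrates the overwrite technique only; on SSDs and on journaling or copy-on-write filesystems the old blocks may survive elsewhere, which is why the card's caveat points to device-level sanitization.

```python
"""Overwrite-then-delete for a single file, with a read-back check.

Added example for the 'Data destruction' card; not code from the original
flashcard set. Assumes a POSIX-style filesystem where rewriting a file in
place reuses its blocks (true for ext4 without CoW, not guaranteed on
btrfs/ZFS/SSDs).
"""
import os
import tempfile

CHUNK = 64 * 1024
# Constructed sample content; any recognisable byte pattern works as a marker.
SECRET = b"BEGIN CUSTOMER LIST: alice@example.com, bob@example.com END\n"


def overwrite_in_place(path: str, passes: int = 3) -> int:
    """Overwrite every byte of `path` `passes` times with random data.

    Returns the total number of bytes written (passes * file size)."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:          # r+ keeps the same inode/blocks
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n))   # CSPRNG output, not a fixed pattern
                remaining -= n
                written += n
            fh.flush()
            os.fsync(fh.fileno())         # push this pass past the page cache
    return written


def contains_marker(path: str, marker: bytes) -> bool:
    """True if `marker` is still readable through the file's current content."""
    with open(path, "rb") as fh:
        return marker in fh.read()


def shred(path: str, passes: int = 3) -> int:
    """Overwrite, truncate to zero length, sync, and unlink. Returns bytes written."""
    written = overwrite_in_place(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
        fh.flush()
        os.fsync(fh.fileno())
    os.unlink(path)
    return written


def build_sample_file() -> str:
    """Constructed sample data: ~120 KiB so the overwrite spans several chunks."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SECRET * 2000)
    return path


if __name__ == "__main__":
    sample = build_sample_file()
    print("marker present before wipe:", contains_marker(sample, SECRET))
    size = os.path.getsize(sample)
    print("bytes written:", overwrite_in_place(sample, 3), "for size", size)
    print("marker present after overwrite:", contains_marker(sample, SECRET))
    shred(sample)
    print("file exists after shred:", os.path.exists(sample))
```

The read-back check only proves the file's current blocks hold random data; it cannot see copies left in journal areas, snapshots or remapped flash blocks, which is the limit of any file-level wipe.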
Organizational Security Personnel
Personnel - Acceptable use policy - Job rotation - Mandatory vacation - Separation of duties - Least privilege - Clean desk space - Background checks - Non-disclosure agreement (NDA) - Social media analysis - Onboarding - Offboarding - User training - Gamification - Capture the flag - Phishing campaigns - Phishing simulations - Computer-based training (CBT) - Role-based training
NDA (Non-Disclosure Agreement)
• An NDA (Non-Disclosure Agreement), also known as a confidentiality agreement, is a legal contract between two parties that outlines confidential material, knowledge or information the parties wish to share with one another but wish to restrict from third parties. • Before revealing any secrets to a new party, have them sign an NDA first. • If you need to spell out the consequences of revealing confidential information to outsiders, use an NDA.
Retention Policy
• A retention policy is a set of guidelines a company follows to determine how long it keeps certain records, including e-mail and web pages. • It is important for many reasons, including the legal requirements that apply to some documents. • If you need to make sure that all log files on your secure servers are available for later review, that requirement belongs in the retention policy, together with how long the logs are kept and where.
Personnel Management
• A background check or background investigation is the process of looking up an individual's criminal, commercial, and financial history. This should outline the potential risks associated with hiring this employee. • Background checks are common for many types of professions, but are especially important when a new employee is entering a position of trust.
MOA (Memorandum of Agreement)
• A memorandum of agreement is usually not drafted as an enforceable legal contract; in most cases, by calling a document a memorandum of agreement the signers are showing that they do not intend to enforce its terms in court. • In health and community work, memoranda of agreement are usually used to clarify and/or specify the terms of a cooperative or collaborative arrangement involving two or more organizations.
security policy
• A security policy is a document that outlines the rules and practices for accessing the computer network and its systems. • HR should be trained on the security policy's guidelines and on how it is enforced. • Creating a security policy should be the first step in creating a security baseline.
SOP
• A standard operating procedure, or SOP, is a set of step-by-step instructions compiled by an organization to help workers carry out routine operations. • SOPs aim to achieve efficiency, quality output and uniformity of performance, while reducing miscommunication and failure to comply with industry regulations.
administrator account
• Administrator - The built-in administrator account has full control of a Windows system and can change any setting. It is a good idea to rename this account where you can, so that automated attacks aimed at the default name miss; note that renaming is only a minor obscurity measure, because the account keeps its well-known relative identifier (RID 500) and can still be found by enumerating local accounts, so a strong password and restricted use matter more.
Acceptable Use Policy
• An Acceptable Use Policy is a set of rules applied by the owner/manager of a network, website, or large computer system that restrict the ways in which the network site or system may be used. • Defines how to handle certain types of data. • Employees must sign an Acceptable Use Policy that describes the proper methods and use of the network systems.
private
• Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the owner. • By default, all data that is not explicitly classified as Confidential or Public data should be treated as Private data. • A reasonable level of security controls should be applied to Private data.
public
• Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the company and its affiliates. • Examples of Public data include press releases, course information and research publications. • While little or no control is required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of it.
exit interview
• Exit interviews are interviews conducted with departing employees, just before they leave. • From the employer's perspective, the primary aim of the exit interview is to learn the reasons for the person's departure, on the basis that criticism is a helpful driver for organizational improvement. • The exit interview, and the period before it, is also an opportunity for the organization to transfer knowledge and experience from the departing employee to a successor or replacement, or to brief a team on current projects, issues and contacts.
Proprietary
• Internally generated data or documents that contain technical or other information a firm controls to safeguard its competitive edge. Proprietary data may be protected under copyright, patent or trade secret law. • To stay competitive, organizations take serious measures to protect their sensitive data. Typically an organization requires anyone working with it to sign a contract that includes a non-disclosure agreement.
Rotation of Duty/Job Rotation
• Job rotation is when you have to swap roles with another administrator every few months. • According to industry best practice, you would institute a mandatory rotation of duties policy: • To detect an insider threat, since a second person reviews the work and no one can hide activity indefinitely. • For continuity of operations in the event of absence or accident.
Least Privilege Policy
• Least privilege requires that a user or program can access only the information and resources necessary for its legitimate purpose. • The principle of least privilege falls under confidentiality. • When assigning permissions, follow the least privilege principle. • A least privilege implementation is a technical control.
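A check a practitioner would want for the 'File system security' and 'Least Privilege Policy' cards, as an added example that is not part of the original card set: it walks a directory tree, flags sensitive files whose POSIX mode bits grant more access than a least-privilege policy allows, rates world-writable worse than world-readable, and then tightens the offenders. The policy (owner read/write only on files with these suffixes) and the sample tree are assumptions constructed for the example.

```python
"""Audit a directory tree for files whose mode bits exceed a least-privilege
policy, and restrict the offenders.

Added example for the 'File system security' and 'Least Privilege Policy'
cards; not code from the original flashcard set. Assumes a POSIX filesystem
(mode bits via os.lstat/os.chmod). The policy and the sample tree below are
assumptions made for this example.
"""
import os
import stat
import tempfile

# Policy (assumed for this example): files of these types may be readable and
# writable by their owner only. Any group/other bit is a finding.
SENSITIVE_SUFFIXES = (".key", ".pem", ".env", ".sqlite")
ALLOWED_MODE = 0o600


def excess_permissions(mode: int) -> int:
    """Return the permission bits in `mode` that ALLOWED_MODE does not grant."""
    return (mode & 0o777) & ~ALLOWED_MODE


def audit(root: str) -> list:
    """List sensitive files under `root` with more access than the policy allows."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(SENSITIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # don't follow symlinks that may point outside the tree
            extra = excess_permissions(st.st_mode)
            if extra:
                # world-writable (o+w) lets anyone replace the file's content
                severity = "high" if extra & 0o002 else "medium"
                findings.append({
                    "path": os.path.relpath(path, root),
                    "mode": oct(st.st_mode & 0o777),
                    "excess": oct(extra),
                    "severity": severity,
                })
    return sorted(findings, key=lambda f: f["path"])


def restrict(root: str, findings) -> int:
    """Apply ALLOWED_MODE to every finding; returns the number of files changed."""
    for f in findings:
        os.chmod(os.path.join(root, f["path"]), ALLOWED_MODE)
    return len(findings)


def build_sample_tree() -> str:
    """Constructed sample data: files with deliberately different modes."""
    root = tempfile.mkdtemp(prefix="fsaudit_")
    samples = {
        "app/.env": 0o644,          # world-readable secrets: finding (medium)
        "certs/server.key": 0o666,  # world-writable key: finding (high)
        "db/prod.sqlite": 0o600,    # already least privilege: no finding
        "docs/README.md": 0o644,    # not a sensitive type: ignored
    }
    for rel, mode in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # explicit chmod so the process umask does not matter
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in audit(root):
        print(f"{f['severity']:6} {f['mode']} (excess {f['excess']}) {f['path']}")
    print("fixed:", restrict(root, audit(root)))
    print("remaining findings:", audit(root))
```

In production the suffix list would come from the data classification scheme (the Confidential/Private/Public labels on this page), and the audit would run on a schedule so that permission drift is caught rather than fixed once.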
Mandatory Vacation
• Mandatory vacations are a tool that organizations use to verify if employees have been involved in malicious activities. • Detecting fraud is a security benefit of mandatory vacations.
Personally Identifiable Information (PII)
• Personally Identifiable Information (PII) is any information that can identify an individual and can include: • Mailing address • Credit card number • Bank Account Info • Social Security number • Birth date • PII requires special handling and explicit policies for data retention and data distribution. This is commonly called PII Handling and abides by the Principles of Data Handling.
Privileged Accounts
• Privileged accounts are accounts with elevated access to systems or data on your network. They can be admin, root, SYS or other credentials that give administrative access to your applications. • When a shared or generic account is unavoidable, keep its privileges as low as possible, because a shared login makes it difficult to attribute actions to an individual and so weakens accountability.
Protected Health Information (PHI)
• Protected health information (PHI) is information, including demographic data, that relates to: • the individual's past, present or future physical or mental health or condition, • the provision of health care to the individual, or • the past, present or future payment for the provision of health care to the individual, • and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
role-based training
• Role-based training relates to a function in a company. It includes customized training, task-based training, and collaboration and work flow. • This approach takes into account a number of factors unique to the specific role and organization. It puts the training in the context of the role and what it takes to perform in that role.
Separation of Duties
• Separation of duties is taking a job, breaking it into smaller tasks and assigning more than one person to complete them. • This is done so that error checking can happen between the assigned persons. • It also helps prevent fraud, since no single person can complete a sensitive transaction alone. • An example of separation of duties is someone who can administer file and folder permissions but cannot administer the auditing functions. • Separation of duties can be implemented to ensure that system abuse by administrators does not go undetected in the log files.
Onboarding/Offboarding
• The processes of bringing employees (and their accounts and assets) onto the network and removing them from it, respectively. • As employees are hired, fired, promoted or transferred, make sure the relevant accounts are created, adjusted or removed on each system they touch. • Neglecting this leaves some employees with access they should no longer have.
Secure Disposal of Computers
• The storage and retention policy defines the document destruction requirements. • To securely dispose of computers you should: • Sanitize the computer media. • Use a certified wipe application to erase the data.