Domain 2D: Disclosure Controls: Data Leakage Prevention

Hi-Tech Keys

"Intelligent keys" are keys with a built-in microprocessor, which is unique to the individual key holder and identifies the key holder specifically (Figure 2.16). The lock also contains a minicomputer and the key exchange data, allowing the lock to make valid access decisions based on the parameters established for the key holder. For example, the key will know if the employee is allowed access into the facility after normal business hours; if not, the key will not work. Also, it will keep track of whose key is being used to access specific locked doors and when the attempts are taking place. When an employee resigns from the organization, the relevant key is disabled.

Passive Infrared (PIR) Sensors

A PIR sensor is one of the most common interior volumetric intrusion detection sensors. It is called passive because there is no beam. A PIR picks up heat signatures (infrared emissions) from intruders by comparing infrared receptions to typical background infrared levels. Infrared radiation exists in the electromagnetic spectrum at a wavelength that is longer than visible light. It cannot be seen, but it can be detected. Objects that generate heat also generate infrared radiation, and those objects include animals and the human body. The PIR is set to determine a change in temperature, whether warmer or colder, and distinguish an object that is different from the environment that it is set in. Typically, activation differentials are three degrees Fahrenheit. These devices work best in a stable, environmentally controlled space.

Backbone Distribution System

A backbone distribution system provides connection between entrance facilities, equipment rooms, and telecommunication rooms. In a multi-floor building, the backbone distribution system is composed of the cabling and pathways between floors and between multiple telecommunication rooms. In a campus environment, the backbone distribution system is composed of the cabling and pathways between buildings.

Turnstiles and Mantraps

A common and frustrating loophole in an otherwise secure ACS can be the ability of an unauthorized person to follow through a checkpoint behind an authorized person, called "piggybacking" or "tailgating." The traditional solution is an airlock-style arrangement called a "mantrap," in which a person opens one door and waits for it to close before the next door will open (Figure 2.9). A footstep-detecting floor can be added to confirm there is only one person passing through. A correctly constructed mantrap or portal will provide for tailgate detection while it allows roller luggage, briefcases, and other large packages to pass without causing nuisance alarms. People attempting to enter side-by-side are detected by an optional overhead sensing array. The mantrap controller prevents entry into secured areas if unauthorized access is attempted.

Monitoring System Integrity

A comprehensive configuration and change management program should include a mechanism to monitor or periodically validate changes to system configuration. Sophisticated integrity monitors such as Tripwire integrate with the organization's CMDB to produce a detailed history of system changes. Integrity checkers work by taking a "snapshot" of the approved system configuration, including UNIX object properties and Windows registry keys, access control lists, and contents of system configuration files. This snapshot is then hashed and cryptographically signed to protect against modification. Periodically, the snapshot is compared to a hash of the current configuration, and any changes are reported back to the administrator or noted directly in the CMDB, if an automated interface exists.

Motion-Activated Cameras

A fixed camera with a video motion feature can be used as an interior intrusion point sensor. In this application, the camera can be directed at an entry door and will send an alarm signal when an intruder enters the field of view. This device has the added advantage of providing a video image of the event, which can alert the security officer monitoring the camera and he can make a determination of the need to dispatch a security force. Typically, one camera can be associated with several doors along a hallway. If a door is forced open, the alarm will trigger the camera to begin recording and can give the monitoring officer a video view starting one minute before the alarm was tripped, so as to allow the operator all the possible information before dispatching a security response. This system uses technology to supplement the guard force. It can activate upon motion and can give a control center operator a detailed video of actual events during alarm activation.

Protection from Lightning

A lightning strike to a grounding system produces an elevated ground or ground potential rise (GPR). Any equipment bonded to this grounding system and also connected to wire-line communications will most likely be damaged from outgoing currents seeking remote ground. Personnel working at this equipment are susceptible to harm because they will be in the current path of this outgoing current. The equipment damage from a lightning strike may not be immediate. Sometimes the equipment is weakened by stress and primed for failure at some future time. This is called latent damage and leads to premature mean time before failure (MTBF) of the equipment. The best engineering design, for open-ended budgets, is the use of dielectric fiber optic cable for all communications. Obviously, a fiber-optic cable is non-conductive, provided that it is an all dielectric cable with no metallic strength members or shield, making isolation no longer a requirement. This is because physical isolation is inherent in the fiber-optic product itself. This dielectric fiber-optic cable must be placed in a PVC conduit to protect it from rodents.

Safes

A safe is defined as a fireproof and burglarproof iron or steel chest used for the storage of currency, negotiable securities, and similar valuables.

Server Rooms

A server room needs a higher level of security than the rest of the facility. This should encompass a protected room with no windows and only one controlled entry into the area. Remember that once servers are compromised, the entire network is at risk. While some server attacks are merely annoying, others can cause serious damage. In order to protect the organization, it is paramount to protect your servers. Physical access to a system is almost a guaranteed compromise if performed by a motivated attacker. Therefore, server room security must be comprehensive and constantly under review.

patch management process includes the following steps:

Acquisition—Patches are most often supplied via download from the vendor's website. Some patch distribution and management systems may automatically scan these sites for available patches and initiate downloads to a centralized, internal site. Testing—Patches must be tested to ensure that they can be correctly distributed and installed and that they do not interfere with normal system or application functioning. Despite a vendor's best efforts, patches are often created under pressure to fix critical vulnerabilities and may not be thoroughly regression tested. Furthermore, each organization's operating environment is unique, and it is impossible to test these myriad variations, so impacts on dependent services and applications and compatibility with all possible configurations are not always identified during vendor testing. Patches should initially be tested in a laboratory environment that contains replicas of standard target machine configurations. A limited pilot deployment may then be used for further testing in the production environment. Approval—Not all patches will be immediately approved for deployment. Noncritical patches and patches that are not applicable to the platforms and services used in the organization may be deferred to a later date, or to a time when they are included in a more comprehensive vendor update. Patches that cannot be deployed via standard means or those that cause issues on test machines may require further planning and testing before they are approved. The approval process should include provisions for emergency deployments of critical security patches. Packaging—Patches must be packaged or configured for distribution and installation on target systems. Depending on how patches are deployed, packaging can take several forms. Some platforms such as Windows provide installation software or scripts that are bundled with the patch and automatically invoked when distributed. Custom scripts can also be written to execute a series of installation actions. Patch management software typically includes facilities to package as well as deploy patches. Deployment—Having an accurate inventory of machines and their current patch levels is critical to successful deployment of patches. Automated patch management and software deployment tools may maintain an independent inventory or CMDB or may integrate with third-party configuration and asset management software. Deployment features include scheduling, user notification of patch and reboot (with or without a "snooze" option), and ordering options for multiple-patch deployments. Verification—Automated patch management tools should be able to verify correct application of patches and report all successful and unsuccessful deployments back to a centralized console or reporting engine.

gas suppression systems

Aero-K—Uses an aerosol of microscopic potassium compounds in a carrier gas released from small canisters mounted on walls near the ceiling. The Aero-K generators are not pressurized until fire is detected. The Aero-K system uses multiple fire detectors and will not release until a fire is "confirmed" by two or more detectors (limiting accidental discharge). The gas is non-corrosive, so it does not damage metals or other materials. It does not harm electronic devices or media such as tape or discs. More important, Aero-K is nontoxic and does not injure personnel. FM-200—Is a colorless, liquefied compressed gas. It is stored as a liquid and dispensed into the hazard as a colorless, electrically non-conductive vapor that is clear and does not obscure vision. It leaves no residue and has acceptable toxicity for use in occupied spaces at design concentration. FM-200 does not displace oxygen and, therefore, is safe for use in occupied spaces without fear of oxygen deprivation.

Escort and Visitor Control

All visitors entering the facility should sign in and sign out on a visitor's log to maintain accountability of who is in the facility, the timeframe of the visit, who they visited, and in the case of an emergency, have accountability of everyone for safety purposes. All visitors should be greeted by a knowledgeable receptionist who in turn will promptly contact the employee that they are there to visit or meet with. There should be some type of controlled waiting area within the lobby so the receptionist can keep track of the visitor and can direct the employee to them, in the event they have never met previously.

Dual-Technology Sensors

These provide a commonsense approach for the reduction of false alarm rates. For example, this technology uses a combination of microwave and PIR sensor circuitry within one housing. An alarm condition is generated only if both the microwave and the PIR sensor detect an intruder. Since two independent means of detection are involved, false alarm rates are reduced when configured into this setting. Integrated, redundant devices must react at the same time to cause an alarm. More and more devices are coming with dual-technology that will reduce the need for multiple devices and will significantly reduce the false alarm rates.

A configuration management system consisting of a set of automated tools, documentation, and procedures is typically used to implement CM in an organization. The system should identify and maintain:

Baseline hardware, software, and firmware configurations Design, installation, and operational documentation Changes to the system since the last baseline Software test plans and results

Common Major roles in Change Management

Change Manager—Individual in charge of CM policies and procedures, including mechanisms for requesting, approving, controlling, and testing changes. Change Control Board—Responsible for approving system changes. Project Manager—Manages budgets, timelines, resources, tasks, and risk for systems development, implementation, and maintenance. Architects—Develop and maintain the functional and security context and technical systems design. Engineers and Analysts—Develop, build, and test system changes, and document the rationale for and details of the change. Customer—Requests changes and approves functional changes in the design and execution of a system. System Security Officer—Ensures planned changes do not have adverse security impacts by performing security impact assessments for each change. The system security officer is also responsible for assisting the system's owner with updating relevant security documentation.

Policy Creation

Content monitoring and usage policies specify which data is sensitive and define rules for copying or transmitting that data, typically using a combination of predefined labels, keywords, and regular expressions (e.g., nnn-nn-nnnn to identify a social security number) to identify unique data elements.

Content Detection/Monitoring

Data communications over local and wide area networks, data traversing perimeter gateway devices, and data leaving host computers via USB or serial connections are monitored by inspecting the contents of the communication at the file, document, and packet levels. At the network layer, packet-level monitoring can be used to identify and intercept transmission of sensitive data through FTP, SSL, and posting to blogs and chat rooms among other things. Documents transferred as attachments to e-mail and instant messages can also be monitored and blocked at gateways if they contain sensitive content. To identify data transferred to removable storage, software agents are typically employed on target machines to monitor traffic over USB, wireless, and FireWire ports.

Doors, Locks, and Keys

Door assemblies include the door, its frame, and anchorage to the building. As part of a balanced design approach, exterior doors should be designed to fit snugly in the doorframe, preventing crevices and gaps, which also helps prevent many simple methods of gaining illegal entry. The doorframe and locks must be as secure as the door in order to provide good protection. Perimeter doors should consist of hollow steel doors or steel-clad doors with steel frames. Ensure the strength of the latch and frame anchor equals that of the door and frame. Permit normal egress through a limited number of doors, if possible, while accommodating emergency egress. Ensure that exterior doors into inhabited areas open outward. Locate hinges on the interior of restricted areas. Use exterior security hinges on doors opening outward to reduce their vulnerability. If perimeter doors are made of glass, make sure that the material is constructed of a laminate material or stronger. Ensure that glass doors only allow access into a public or lobby area of the facility. High security doors will then need to be established within the lobby area where access will be controlled. All doors that are installed for sensitive areas such as telephone closets, network rooms, or any area that has access control will require the door to have an automatic door closing device

Subject-specific security policies typically address a limited area of risk related to a particular class of assets, type of technology, or business function. Examples of specific security policies include

E-Mail and Internet Usage Policies Antivirus Policy Remote Access Policy Information Classification Policy Encryption Policies

Generator

Generator power should be activated automatically in the event of a utility failure by the transfer switch. The data center load is maintained by the UPS units; however, often this is a short time as the generator should be active and up to speed within 10 seconds of a power failure. A generator (Figure 2.22) is typically run on diesel fuel and can be located outside of the facility or inside a parking garage. The generator room needs to be protected from unauthorized access by either access control devices or key-locked doors. The generator will operate as long as fuel is supplied. Some generators have a 300-gallon capacity, and a facilities manager will have a contract with a local distributor to supply fuel. Most operation centers have more than one generator and test them once a month. If it is located outside, it needs protective barriers placed around it to protect it from a vehicle running into it.

Air Contamination

Harmful agents introduced into the HVAC systems can rapidly spread throughout the structure and infect all persons exposed to the circulated air. To avoid air contamination, place intakes at the highest practical level in the facility. For protection against malicious acts, the intakes should also be covered by screens so that objects cannot be tossed into the intakes or into air wells from the ground. Such screens should be sloped to allow thrown objects to roll or slide off the screen, away from the intake. Many existing buildings have air intakes that are located at or below ground level. For those that have wall-mounted or below-grade intakes close to the building, the intakes can be elevated by constructing a plenum or external shaft over the intake. The following is a list of guidelines necessary to enhance security in this critical aspect of facility operations: Restrict access to main air intake points to persons who have a work-related reason to be there. Maintain access rosters of pre-approved maintenance personnel authorized to work on the system. Escort all contractors with access to the system while on site. Ensure that all air intake points are adequately secured with locking devices.

HVAC

Heat can cause extensive damage to computer equipment by causing processors to slow down and stop execution or even cause solder connections to loosen and fail. Excessive heat degrades network performance and causes downtime. Data centers and server rooms need an uninterrupted cooling system. Generally, there are two types of cooling: latent and sensible. Latent cooling is the ability of the air-conditioning system to remove moisture. This is important in typical comfort-cooling applications, such as office buildings, retail stores, and other facilities with high human occupancy and use. The focus of latent cooling is to maintain a comfortable balance of temperature and humidity for people working in and visiting such a facility. These facilities often have doors leading directly to the outside and a considerable amount of entrance and exit by occupants. Sensible cooling is the ability of the air-conditioning system to remove heat that can be measured by a thermometer. Data centers generate much higher heat per square foot than typical comfort-cooling building environments, and they are typically not occupied by large numbers of people. In most cases, they have limited access and no direct means of egress to the outside of the building except for seldom used emergency exits. Data centers have a minimal need for latent cooling and require minimal moisture removal. Sensible cooling systems are engineered with a focus on heat removal rather than moisture removal and have a higher sensible heat ratio; they are the most useful and appropriate choice for the data center. Cooling systems are dove tailed into the power supply overhead. If there is a power interruption, this will affect the cooling system. For the computers to continue operation, they need to be cooled. Portable air-conditioning units can be used as a backup in case of HVAC failure, but good design should ensure cooling systems are accounted for as backup devices.

Logical Access Controls include

How access rights and privileges are granted Temporal restrictions used to prevent system access outside of allowable work periods Mechanisms used to detect unauthorized transaction attempts by authorized and/or unauthorized users Inactivity timeout periods for system lockout Whether or not encryption is used to prevent access to sensitive files How separation of duties is enforced How often ACLs are reviewed Controls that regulate how users may delegate access permissions or make copies of files or information accessible to other users

Public Access Controls

If the general public accesses the system, the following should be described or detailed: Information classification schemes. What form(s) of identification and authentication will be acceptable? Controls to be used to limit what the user can read, write, modify, or delete. Will copies of information for public access be made available on a separate system? How will audit trails and user confidentiality be managed? What are the requirements for system and data availability?

Anti-passback

In high security areas, a card reader is utilized on both entry and exit sides of the door. This keeps a record of who went in and out. Anti-passback is a strategy where a person must present a credential to enter an area or facility and then again use the credential to "badge out." This makes it possible to know how long a person is in an area and to know who is in the area at any given time. This requirement also has the advantage of instant personnel accountability during an emergency or hazardous event. Anti-passback programming prevents users from giving their cards or PIN number to someone else to gain access to the restricted area. In a rigid anti-passback configuration, a credential or badge is used to enter an area and that same credential must be used to exit. If a credential holder fails to properly badge-out, entrance into the secured area can be denied.

Standards must often be modified in response to:

Introduction of new technology Addition of configurable features to a system Change in business operations Need for additional controls in response to new threats or vulnerabilities

Rack Security

It would be unusual for everyone in a room full of racks to have the need to access every rack; rack locks can ensure that only the correct people have access to servers and only telecommunications people have access to telecommunications gear. "Manageable" rack locks that can be remotely configured to allow access only when needed—to specific people at specific times—reduce the risk of an accident, sabotage, or unauthorized installation of additional equipment that could cause a potentially damaging rise in power consumption and rack temperature.

Key Control

Key control, or more accurately the lack of key control, is one of the biggest risks that businesses and property owners face. Strong locks and stronger key control are the two essentials in a high-security locking system. In most cases, master and sub-master keys are required for most building systems so that janitorial and other maintenance personnel may have access. Thus, the control of all keys becomes a critical element of the key lock system: All keys need to be tightly controlled from the day of purchase by designated personnel responsible for the lock system. Without a key control system, an organization cannot be sure who has keys or how many keys may have been produced for a given property. Not having a patent-controlled key system leads to unauthorized key duplication, which can lead to unauthorized access or employee theft. Most key control systems utilize patented keys and cylinders. These lock cylinders employ very precise locking systems that can be operated only by the unique keys to that system. Because the cylinders and the keys are patented, the duplication of keys can be done only by factory-authorized professional locksmiths.

configuration documentation should include in the hardware list the following information about each device and system:

Make Model MAC addresses Serial number Operating system or firmware version Location BIOS and other hardware-related passwords Assigned IP address if applicable Organizational property management label or bar code

Managerial Controls

Management controls address security topics that can be characterized as managerial. They are techniques and concerns that are normally addressed by management in the organization's computer security program. In general, they focus on the management of the computer security program and the management of risk within the organization.

Infrared Linear Beam Sensors

Many think of this device from spy movies, where the enduring image of secret agents and bank robbers donning their special goggles to avoid triggering an active infrared beam is recalled. This is the device found in many homes on garage doors. A focused infrared (IR) light beam is projected from an emitter and bounced off of a reflector that is placed at the other side of the detection area. A retroreflective photoelectric beam sensor built into the emitter detects when the infrared beam is broken by the passing of a person or the presence of an object in the path of the infrared beam. If the beam is broken, the door will stop or the light will come on. This device can also be used to notify security of individuals in hallways late at night, when security is typically at its reduced coverage.

Automated Configuration Management Tools

Most development platforms include features such as source code comparators, comment generators, and version checkers. When linked to a central repository, these tools use check in/check out functions to copy code from the repository into a development library or desktop environment, make and test modifications, and place the modified code back into the repository. Branching and merging tools help resolve concurrency conflicts when two or more individuals modify the same component. Standalone or add-on tools are available commercially or as open source and typically contain more robust functionality suited to teams of developers. Tool vendors do not always distinguish between features that manage the CM process and those that manage actual configurations. Datacenter CM tools, for example, range from standalone CMDBs to full suites that include workflow engines, access control, policy enforcement, and reporting capabilities.

Typical Information Security Document contains

Objective—This statement provides the policy's context. It gives background information and states the purpose for writing the policy, including the risk or threat the policy addresses and the benefits to be achieved by policy adherence. Policy Statement—A succinct statement of management's expectations for what must be done to meet policy objectives. Applicability—This lists the people to whom the policy applies, the situations in which it applies, and any specific conditions under which the policy is to be in effect. Enforcement—How compliance with the policy will be enforced using technical and administrative means. This includes consequences for noncompliance. Roles and Responsibilities—States who is responsible for reviewing and approving, monitoring compliance, enforcing, and adhering to the policy. Review—Specifies a frequency of review, or the next review date on which the policy will be assessed for currency and updated if needed.

Operational Controls

Operational control policies address process-based security controls that are implemented and executed by people. Examples of operational controls may include the following: Change management processes Configuration management processes Authorization processes

Typical components of a procedure are

Purpose—The reason for performing the procedure, usually the desired outcome. Applicability—Who is responsible for following the procedure, and in what circumstances the procedure is followed. Steps—The detailed steps taken to perform the procedure. Figures—Illustrations, diagrams, or tables used to depict a workflow, values to enter in specific fields, or display screen shots to show formats and to enhance ease of use. Decision Points—Yes/no questions whose answers result in branching to different steps in the procedure. These may be written as steps in the procedure or included in a workflow diagram or decision tree.

Audit Trails

Regardless of who is able to access the system, the SSCP should be able to describe the additional security controls used to protect the system's integrity: What is the process to review audit trails? How often are they reviewed? By whom? Under what conditions? Does the audit trail support accountability by providing a trace of user actions? Are there mechanisms in place to safeguard individual user privacy and confidentiality of user information (PII) captured as part of the audit trail? Are audit trails designed and implemented to record appropriate information that can assist in intrusion detection and remediation? Is separation of duties between those who administer the access control function and those who administer the audit trail used and enforced?

The change control policy document covers the following aspects

Request Submission—A request for change is submitted to the Change Control Board for review, prioritization, and approval. Included in the request should be a description of the change and rationale or objectives for the request, a change implementation plan, an impact assessment, and a backout plan to be exercised in the event of a change failure or unanticipated outcome. Recording—Details of the request are recorded for review, communication, and tracking purposes. Analysis/Impact Assessment—Changes are typically subject to peer review for accuracy and completeness and to identify any impacts on other systems or processes that may arise as a result of the change. Decision Making and Prioritization—The team reviews the request, implementation and backout plans, and impacts and determines whether the change should be approved, denied, or put on hold. Changes are scheduled and prioritized, and any communication plans are put in place. Approval—Formal approval for the change is granted and recorded. Status Tracking—The change is tracked through completion. A post-implementation review may be performed.

a recommended structure for a change management process.

Requests—Proposed changes should be formally presented to the committee in writing. The request should include a detailed justification in the form of a business case argument for the change, focusing on the benefits of implementation and costs of not implementing. Impact Assessment—Members of the committee should determine the impacts to operations regarding the decision to implement or reject the change. Approval/Disapproval—Requests should be answered officially regarding their acceptance or rejection. Build and Test—Subsequent approvals are provided to operations support for test and integration development. The necessary software and hardware should be tested in a nonproduction environment. All configuration changes associated with a deployment must be fully tested and documented. The security team should be invited to perform a final review of the proposed change within the test environment to ensure that no vulnerabilities are introduced into the production system. Change requests involving the removal of a software or a system component require a similar approach. The item should be removed from the test environment and have a determination made regarding any negative impacts. Security Impact Assessment—A security impact assessment is performed to determine the impact of the proposed change to confidentiality, integrity, or availability. Should the change introduce risk, the security impact assessment should qualify and quantify the risk as much as possible and provide mitigation strategies. Notification—System users are notified of the proposed change and the schedule of deployment. Implementation—The change is deployed incrementally, when possible, and monitored for issues during the process. Validation—The change is validated by the operations staff to ensure that the intended machines received the deployment package. The security staff performs a security scan or review of the affected machines to ensure that new vulnerabilities are not introduced. Changes should be included in the problem tracking system until operations has ensured that no problems have been introduced. Documentation—The outcome of the system change, to include system modifications and lessons learned, should be recorded in the appropriate records. This is the way that change management typically interfaces with configuration management.

Critical success factors for any security awareness program are:

Senior Management Support—Security success stories happen when individuals begin to treat security as part of their job function. Too many security programs fail because senior management does not buy in to the security team's mission and message. To get this buy-in, start your awareness program at the top. Involve senior management in the design and oversight of the program, and tie awareness program goals to business goals. Cultural Awareness—There is no such thing as a "one size fits all" awareness program. Is your organization a large, established, hierarchical institution or an agile, high-tech, entrepreneurial firm? Are workers unionized or independent professionals? Does your organization value customer service, operational efficiency, or personal achievement? These and other questions help define your target audience and deliver a message whose content, style, and format are designed to have impact on your specific audience. Communication Goals—Set communication goals and build a strategy to meet these goals. Perform a needs assessment to identify gaps in security awareness and develop objectives to close these gaps. Be as specific as you can when stating your goals. Do you intend to alert users to social engineering threats? Communicate policy? Teach people how to spot and report incidents? Your objectives will dictate how your awareness program is delivered. Taking a Change Management Approach—The end goal of awareness programs is to produce changes in behavior in your target audience. Understanding barriers to change and methods that successfully stimulate people to change will help you reach this goal. People change because they are motivated to change. Motivators include small prizes and awards, financial incentives, time off, peer recognition, feelings of personal pride and accomplishment, feelings of job competency, and just plain fun. Organizations that tie security awareness to their formal system of salary and performance management are the most likely to foster interest in security issues and compliance with expectations. Promoting awareness that "hits home" by spotlighting issues such as identity theft, spyware and malicious code, online shopping safety, and protection of children on the Internet and tying these to workplace issues is an effective way to capture employee interest. Measurement—Measuring success against stated objectives not only helps justify the awareness program to senior management, but will allow you to identify gaps and continuously improve on your delivery.

software inventory should minimally include

Software name Software vendor (and reseller if appropriate) Keys or activation codes (note if there are hardware keys) Type of license and for what version Number of licenses License expiration License portability Organizational software librarian or asset manager Organizational contact for installed software Upgrade, full, or limited license

Information Security Policy Life Cycle

State the Objective—A clear statement of policy objectives answers the question, "Why are we developing this policy?" The statement of objective will guide development of the specific points in the policy statement and will help keep team discussions in scope and focused. Draft the Policy Specifics—The policy statement should be drafted in simple, clear language that will be easily understood by those who must comply with the policy. Avoid vague statements that could be open to multiple interpretations, and be sure to define all technical terms used in the policy document. Identify Methods for Measurement and Enforcement—Policy enforcement mechanisms may include technical controls such as access management systems, content blocking, and other preventive measures as well as administrative controls such as management oversight and supervision. Compliance with policy expectations can be measured through audit trails, automated monitoring systems, random or routine audits, or management supervision. The means of monitoring or measuring compliance should be clearly understood, as well as the logistics of enforcement. The logistics of taking and documenting disciplinary action should be established at this time to ensure that the organization is willing and able to enforce policy and prepared to apply corrective action quickly and consistently. Communication—The timing, frequency, and mechanism by which the policy will be communicated to employees and others should be established before final policy approval. Expectations must be clearly communicated and regularly enforced so that everyone remains apprised of what the appropriate conduct is considered to be. Whenever disciplinary action may be taken in response to policy violations, it is especially important that management make every effort to ensure that employees are made aware of the policy and what they must do to comply. Some organizations require employees to sign a form acknowledging their receipt and understanding of key policies and agreeing to comply with expectations. Periodic Review—Policies should be reviewed at least annually to ensure that they continue to reflect management's expectations, current legal and regulatory obligations, and any changes to the organization's operations. Policy violations that have occurred since the last review should be analyzed to determine whether adjustments to policy or associated procedures or enhancements to communication and enforcement mechanisms may be needed.

Technical Controls

Technical controls are security controls that the computer system executes. The controls can provide automated protection from unauthorized access or misuse, facilitate detection of security violations, and support security requirements for applications and data. The implementation of technical controls, however, always requires significant operational considerations and should be consistent with the management of security within the organization.

Patch Management

The application of software and firmware patches to correct vulnerabilities is a critical component of vulnerability and configuration management practices. Most security breaches that have occurred over the past decade are not the result of the so-called zero-day attacks but rather were perpetrated by attackers exploiting known vulnerabilities. patching, and patching distributed desktop and laptop systems in particular, is not a straightforward process. Vulnerabilities can target a number of systems, including desktop and server operating systems; database management systems; client software such as browsers and office productivity software; and network devices such as routers, switches, and firewalls. The sheer volume of vendor patches to be deployed across these disparate systems necessitates an automated solution that accommodates an organization's core platforms. The patches themselves must be acquired, tested, distributed, and verified in a coordinated and controlled manner, which means processes must be designed and followed religiously to ensure effectiveness. Application of patches can be disruptive to operations, slowing down systems or making them unavailable during the installation window and often requiring reboot or restart after installation, and some can be "bad," meaning that they introduce new vulnerabilities, create downstream impacts, or do not deploy correctly on all target systems. Not all patches are of equal criticality to an organization, meaning that someone must make a decision regarding when and why to deploy patches as they are made available. This is typically done through the organization's change control system.

Electric Strikes

The difference between an electric strike and an electric lock is in the mechanism that is activated at the door. In an electric-lock door, the bolt is moved. In an electric-strike door, the bolt remains stationary and the strike is retracted. As in electric locks, electric strikes can be configured for fail-safe or fail-secure operation. The logic is the same. In fail-safe configuration, the strike retracts when de-energized on loss of power. This allows the door to be opened from the public side. In fail-secure configuration, the strike remains in place, causing the door to be locked from the public side requiring manual key entry to unlock the door from the public side. Again, as with electric locks, unimpeded access is allowed for in the direction of exit by manual activation of the door handle or lever when exiting from the secure side. For retrofit situations, electric strikes rarely require door replacement and can often be done without replacing the doorframe.

Electric Locks

The electric lock is a secure method to control a door. An electric lock actuates the door bolt. For secure applications, dual locks can be used. In some cases, power is applied to engage the handle, so the user can retract the bolt instead of the electric lock door operator actually retracting the bolt. Most electric locks can have built-in position switches and request-to-exit hardware. Although offering a high security level, electric locks are expensive. A special door hinge that can accommodate a wiring harness and internal hardware to the door is required. For retrofit applications, electric locks usually require the purchase of a new door.

Equipment Room

The equipment room serves the entire building and contains the network interfaces, uninterruptible power supplies, computing equipment (e.g., servers, shared peripheral devices, and storage devices), and telecommunication equipment (e.g., PBX). It may be combined with the entrance facility.

Horizontal Distribution System

The horizontal distribution system distributes the signals from the telecommunication room to the work areas. The horizontal distribution system consists of Cables Cross-connecting blocks Patch panels Jumpers Connecting hardware Pathways (supporting structures such as cable trays, conduits, and hangers that support the cables from the telecommunication room to the work areas)

Magnetic Locks

The magnetic lock is popular because it can be easily retrofitted to existing doors. The magnetic lock is surface-mounted to the door and doorframe. Power is applied to magnets continuously to hold the door closed. Magnetic locks are normally fail-safe but do have a security disadvantage. In requirements for the U.S. Life Safety Codes, doors equipped with magnetic locks are required to have one manual device (emergency manual override button) and an automatic sensor (typically a passive infrared sensor [PIR] or request to exit [REX] device) to override the door lock signal when someone approaches the door in the exit direction.[22] All locks are controlled by a card reader that, when activated, will release the secured side portion of the door and allow entry into the facility. While enhancing overall building safety, the addition of these extra devices allows possible compromise of the door lock. In the scenario, where a REX is used with magnetic locks, it not only turns off the alarm when the individual exits but also deactivates the locking device. This can be a problem if an adversary can get something through or under the door to cause the REX to release the magnetic lock.

Locking Cylinders

The pin tumbler cylinder is a locking cylinder that is composed of circular pin tumblers that fit into matching circular holes on two internal parts of the lock. The pin tumbler functions on the principle that the pin tumblers need to be placed into a position that is entirely contained with the plug. Each pin is of a different height, thus accounting for the varying ridge sizes of the key. When the pins are properly aligned, the plug can be turned to unlock the bolt.

Data Discovery

The process of "crawling" distributed files and databases to locate sensitive data is the first step in implementing data leakage prevention tools. The discovery process has intrinsic value, even without implementing loss prevention tools, in that organizations can use it to pinpoint exactly where their sensitive data are stored and design additional safeguards, such as policies and access control mechanisms, to protect the data. One may uncover, for example, cases where users run queries over sensitive data that are stored in a secured database and then save the results to their desktops or to an unsecured public file, where access control safeguards may be weaker. Note—This violates the "*" property of the Bell-LaPadula model!

Entrance Facility

The service entrance is the point at which the network service cables enter or leave a building. It includes the penetration through the building wall and continues to the entrance facility. The entrance facility can house both public and private network service cables. The entrance facility provides the means for terminating the backbone cable. The entrance facility generally includes electrical protection, ground, and demarcation point.

Telecommunication Room

The telecommunication room (TR) typically serves the needs of a floor. The TR provides space for network equipment and cable terminations (e.g., cross-connect blocks and patch panels). It serves as the main cross-connect between the backbone cabling and the horizontal distribution system.

Balanced Magnetic Switch (BMS)

This device uses a magnetic field or mechanical contact to determine if an alarm signal is initiated. One magnet will be attached to the door and the other to the frame; when the door is opened, the field is broken. A BMS differs from standard magnetic status switches in that a BMS incorporates two aligned magnets with an associated reed switch. If an external magnet is applied to the switch area, it upsets the balanced magnetic field such that an alarm signal is received. Standard magnetic switches can be defeated by holding a magnet near the switch. Mechanical contacts can be defeated by holding the contacts in the closed position with a piece of metal or taping them closed. Balanced magnetic switches are not susceptible to external magnetic fields and will generate an alarm if tampering occurs. These switches are used on doors and windows

Acoustic Sensors

This device uses passive listening devices to monitor building spaces. An application is an administrative building that is normally occupied only in daylight working hours. Typically, the acoustic sensing system is tied into a password-protected building entry control system, which is monitored by a central security monitoring station. When someone has logged into the building with a proper password, the acoustic sensors are disabled. When the building is secured and unoccupied, the acoustic sensors are activated. After hours intruders make noise, which is picked up by the acoustic array and an alarm signal is generated. The downside is the false alarm rate from picking up noises such as air conditioning and telephone ringers. This product must be deployed in an area that will not have any noise. Acoustic sensors act as a detection means for stay-behind covert intruders. One way to use the system is as a monitoring device: when it goes into alarm, the system will open up an intercom and the monitoring officer can listen to the area. If no intruder is heard, then the alarm is cancelled.

Uninterruptible Power Supply (UPS)

This is a battery backup system, which maintains a continuous supply of electric power to connected equipment by supplying power from a separate source when utility power is not available. A UPS has internal batteries to guarantee that continuous power is provided to the equipment even if the power source stops providing power. Of course, the UPS can provide power only for a while, typically a few minutes, but that is often enough to ride out power company glitches or short outages. Even if the outage is longer than the battery lifetime of the UPS, this provides the opportunity to execute an orderly shutdown of the equipment.

Some specific vehicles for delivering general security awareness include:

Threat alerts distributed by e-mail Security-specific newsletters or articles in your company's newsletter Security awareness intranet sites Screen savers and computer wallpaper Posters and notices in prominent locations Brochures or pamphlets

Security Staff Training

Training should cover the basics of the seven SSCP domains and offer continuing advancement in each of these specialized areas: Access controls Analysis and monitoring Cryptography Malicious code Networks and telecommunications Risk, response, and recovery Security operations and administration

Rim Lock

a lock or latch typically mounted on the surface of a door. It is typically associated with a dead bolt type of lock.

Reporting

Violations of data disclosure policies are reported, typically showing the policy that was violated, the source IP address, and the login account under which the violation occurred.

Fire Suppression

Wet Systems—Have a constant supply of water in them at all times; once activated, these sprinklers will not shut off until the water source is shut off. Dry Systems— Do not have water in them. The valve will not release until the electric valve is stimulated by excess heat. Pre-Action Systems—Incorporate a detection system, which can eliminate concerns of water damage due to false activations. Water is held back until detectors in the area are activated. Deluge Systems—Operate in the same function as the pre-action system except all sprinkler heads are in the open position.

Prevention or Blocking

When policy violations are detected, user actions may be prevented or network traffic may be dropped, depending on the location of the violation. Alternatively, encryption may be enforced before a write operation to CD, USB, or other removable media.

Interior Intrusion Detection Systems

Within the facility, it is still necessary to maintain levels of security. The layered approach provides for additional security measures while inside the perimeter of the facility. Specifically, not all employees need access to the sensitive areas, such as the phone closets, or need access into the data center. It is not practical or economical to have guards stationed at every security point within the facility; however, an access control system can provide the necessary security controls throughout the building. A card reader can control access into a specific room. This can be controlled through the access control software, which will be maintained within the security control center. If the individual has access to the room, the employee will place his badge up to the reader and it will release the electric lock and allow entry.

Baseline

a detailed configuration standard that includes specific security settings. Baselines can be used as a checklist for configuring security parameters and for measurement and comparison of current systems to a standard configuration set.

Configuration management (CM)

a discipline that seeks to manage configuration changes so that they are appropriately approved and documented, so that the integrity of the security state is maintained, and so that disruptions to performance and availability are minimized. Unlike change control, which refers to the formal processes used to ensure that all software changes are managed, configuration management refers to the technical and administrative processes that maintain integrity of hardware and system software components across versions or releases.

Standard

a formal, documented requirement that sets uniform criteria for a specific technology, configuration, nomenclature, or method. Standards that are followed as common practice but are not formally documented or enforced are so-called de facto standards; such standards often become formalized as an organization matures. Some examples of security standards include account naming conventions, desktop and server antivirus settings, encryption key lengths, and router ACL (access control list) configurations. Standards provide a basis for measuring technical and operational safeguards for accuracy and consistency.

Mortise Lock

a lock or latch that is recessed into the edge of a door rather than being mounted to its surface. This configuration has a handle and locking device all in one package.

Configuration Auditing

a process of logging, reviewing, and validating the state of CIs in the CMDB, ensuring that all changes are appropriately documented and that a clear history of changes is retained in such a way that they can be traced back to the person making the change and provide detail on the delta (difference) between the baseline and the current state of the system. Auditing also compares the information in the CMDB to the actual system configuration to ensure that the representation of the system is complete and accurate, and association between components is maintained.

Containers

a reinforced filling cabinet that can be used to store proprietary and sensitive information. The standards for classified containers are typically from a government. For example, the U.S. government lists a class 6 container as approved for the storage of secret, top secret, and confidential information. The container must meet the protection requirements for 30 man-minutes against covert entry and 20 hours against surreptitious entry with no forced entry.

Release management

a software engineering discipline that controls the release of applications, updates, and patches to the production environment. The goal of release management is to provide assurance that only tested and approved application code is promoted to production or distributed for use. Release management also seeks to meet timeliness goals, minimize disruption to users during releases, and ensure that all associated communication and documentation is issued with new releases of software. The most important role is that of the release manager. The release manager is responsible for planning, coordination, implementation, and communication of all application releases. This function may be situated within a unit of a quality assurance or operational group or may be part of a separate organization responsible for overall change and configuration management. The decision of where to locate release management functions should be based on the need to achieve separation of duties and rigorous process oversight during application installation or distribution and ongoing maintenance. This is essential to mitigate risks and impacts of unplanned and malicious changes, which could introduce new vulnerabilities into the production environment or user community. Release management policy specifies the conditions that must be met for an application or component to be released to production, roles and responsibilities for packaging, approving, moving, and testing code releases, and approval and documentation requirements.

Labeling

ata may be labeled or "tagged" with an identifier that can be used to subsequently monitor movement of that data across the network. This is particularly useful in identifying documents and files containing sensitive information. Labels used may correspond to the sensitivity levels defined in the organization's information classification policy or may identify specific types of data such as PHI (Private Health Information).

Identification

captures and maintains information about the structure of the system, usually in a configuration management database (CMDB). Each component of the system configuration should be separately identified and maintained as a configuration item (CI) within the CMDB using a unique identifier (name), number (such as a software or hardware serial number), and version identifier. The CMDB may be a series of spreadsheets or documents or may be maintained within a structured database management system (DBMS). Use of structured databases is preferred to enforce consistency and maintain the integrity of information (such as preventing duplicate entries and preserving associations between CIs) and to safeguard against unauthorized modifications and deletions. Within the CMDB, changes are tracked by comparing the differences between a CI before and after the change in a change set or delta. The CMDB thus is capable of storing the baseline configuration plus a sequence of deltas showing a history of changes. In addition, the system must maintain a consistent mapping among components so that changes are appropriately propagated through the system. Dependencies between components are identified so that the impacts of logical changes to any one component are known.

Configuration Accounting

captures, tracks, and reports on the status of CIs, change requests, configurations, and change history.

Logical Access Controls

controls authorize or restrict the activities of users. includes hardware and software features that permit only authorized access to the system, restrict users to authorized functions and actions, and detect unauthorized activities.

Vaults

defined as a room or compartment designed for the storage and safekeeping of valuables and has a size and shape that permits entrance and movement within by one or more persons. Vaults generally are constructed to withstand the best efforts of man and nature to penetrate them.

System Architecture/Interoperability of Systems

describes the extent to which systems and devices can exchange data and interpret that shared data. For two systems to be interoperable, they must be able to exchange data and subsequently present that data such that it can be understood by a user. If two or more systems are capable of communicating and exchanging data, they are exhibiting syntactic interoperability. Specified data formats, communication protocols, and the like are fundamental. XML or SQL standards are among the tools of syntactic interoperability. Syntactical interoperability is a necessary condition for further interoperability. Beyond the ability of two or more computer systems to exchange information, semantic interoperability is the ability to automatically interpret the information exchanged meaningfully and accurately in order to produce useful results as defined by the end users of both systems. To achieve semantic interoperability, both sides must refer to a common information exchange reference model. The content of the information exchange requests are unambiguously defined: what is sent is the same as what is understood. With respect to software, the term interoperability is used to describe the capability of different programs to exchange data via a common set of exchange formats, to read and write the same file formats, and to use the same protocols. (The ability to execute the same binary code on different processor platforms is not contemplated by the definition of interoperability.) The lack of interoperability can be a consequence of a lack of attention to standardization during the design of a program. Indeed, interoperability is not taken for granted in the non-standards-based portion of the computing world.

Security Impact Assessment

he analysis conducted by qualified staff within an organization to determine the extent to which changes to the information system affect the security posture of the system. Because information systems are typically in a constant state of change, it is important to understand the impact of changes on the functionality of existing security controls and in the context of organizational risk tolerance. Security impact analysis is incorporated into the documented configuration change control process. The analysis of the security impact of a change occurs when changes are analyzed and evaluated for adverse impact on security, preferably before they are approved and implemented but also in the case of emergency/unscheduled changes. Once the changes are implemented and tested, a security impact analysis (and/or assessment) is performed to ensure that the changes have been implemented as approved and to determine if there are any unanticipated effects of the change on existing security controls. Security impact analysis supports the implementation of NIST SP 800-53r4 control CM-4 Security Impact Analysis.

effective data leakage prevention strategy

includes use of both host- and network-based components that perform the following functions:

Cipher Lock

is controlled by a mechanical key pad, typically 5 to 10 digits. When it is pushed in the right combination, the lock will release and allow entry. The drawback is someone looking over a shoulder can see the combination. However, an electric version of the cipher lock is in production in which a display screen will automatically move the numbers around, so if someone is trying to watch the movement on the screen, they will not be able to identify the number indicated unless they are standing directly behind the victim.

Configuration changes and release control

must be controlled through the life cycle. Control mechanisms are implemented to govern change requests, approvals, change propagation, impact analysis, bug tracking, and propagation of changes. Control begins early in systems design and continues throughout the system life cycle. Before changes are implemented, they should be carefully planned and subjected to peer review. Implementation and rollback plans (in case of change failure) should accompany the change request. Technical controls to enforce this aspect of CM include access control for development, test, and production environments, as well as to the CMDB itself.

the term standards is used in two special contexts:

ndustry standards and open standards. Industry standards are generally accepted formats, protocols, or practices developed within the framework of a specific industrial segment, such as engineering, computer programming, or telecommunications. Industry standards may be developed by leading manufacturers, such as IBM's ISA (Industry Standard Architecture) PC bus standard, for use in its equipment and compatible equipment developed by other vendors. They may also be developed by special-interest groups such as the Institute of Electrical and Electronic Engineers (IEEE), American National Standards Institute (ANSI), or International Telecommunications Union (ITU). Industry standards are not always formally developed and accepted but may be so widely adopted by organizations across industries that they become necessary for the industry to incorporate them in products and services in order to serve their customers' needs. Examples of these de facto industry standards include the PCL print control language developed by Hewlett-Packard and the Postscript laser printer page description language developed by Adobe. In contrast to industry standards, open standards are specifications that are developed by standards bodies or consortia and made available for public use without restrictions. They are designed to promote free competition, portability, and interoperability among different implementations. The standards themselves are platform independent and are published as source code or as a set of detailed specification documents that can be used to develop new products and services that can be integrated into existing, standards-based products.

Guidelines

recommended practices to be followed to achieve a desired result. They are not mandatory and provide room for flexibility in how they are interpreted and implemented; therefore, they are rarely enforced except through an organization's culture and norms. Guidelines are often instructional in nature. They are useful for cases where an organization wishes to provide enough structure to achieve an acceptable level of performance while allowing room for innovation and individual discretion. Some examples of security guidelines include methods for selecting a strong password, criteria for evaluating new security technology, and suggested training curricula for security staff.

Change Control and Management

refers to the formal procedures adopted by an organization to ensure that all changes to system and application software are subject to the appropriate level of management control. Change control seeks to eliminate unauthorized changes and reduce defects and problems related to poor planning and communication of changes. Change control is often enforced through use of a Change Control Board, which reviews changes for impact, ensures that the appropriate implementation and backout plans have been prepared, and follows changes through approval and post-implementation review.

Security Awareness

seeks to reduce the risk related to human error, misjudgment, and ignorance by educating people about the risks and threats to confidentiality, integrity, and availability, and how they can help the organization be more resistant to threats in the performance of their daily job functions.

less common DLP systems

solutions that tackle confidentiality of data at rest in files, databases, and mass storage facilities.

Procedures

step-by-step instructions for performing a specific task or set of tasks. Like standards, procedures are often implemented to enforce policies or meet quality goals. Despite the fact that writing documentation can be one of a technical person's least favorite activities, the importance of documenting security procedures cannot be overemphasized. When followed as written, procedures ensure consistent and repeatable results, provide instruction to those who are unfamiliar with how to perform a specific process, and provide assurance for management and auditors that policies are being enforced in practice. In addition, clear procedures often allow organizations to delegate routine functions to entry-level staff, or develop programs to automate these functions, freeing up more experienced practitioners to perform higher-level work. For example, account provisioning software has been implemented in many organizations to automate procedures that contain multiple steps such as establishing login credentials, home directories, assigning users to groups and roles, and the like. This software can be used by junior staff who lack the depth of knowledge and understanding of the systems configuration behind these procedures. Organizations justify the cost based on savings in salaries, an ability to free up senior staff to perform more complex activities, improvements in consistency and quality by reducing human error, and eliminating the manual effort needed to create an audit trail of account management activity.

Identification and Authentication

the SSCP should discuss the identification and authentication security controls that are used to protect the system. These include the following: The system's user authentication control mechanisms along with the processes used to control changes to those mechanisms should be detailed. If passwords are to be used as a control element in a system, the minimum and maximum values for password length should be provided. If passwords are to be used as a control element in a system, the character sets to be used for password creation should be provided. If passwords are to be used as a control element in a system, the procedures for password changes of a voluntary nature should be provided. If passwords are to be used as a control element in a system, the procedures for password resets due to compromise should be provided. The mechanisms used to create accountability, audit trails, and the protection of the authentication process should be described. All policies that allow for the bypassing of the authentication system along with the controls used should be detailed. The number of invalid access attempts to be allowed and the actions taken when that limit is exceeded should be described. The procedures for key generation, distribution, storage, entry, use, archiving, and disposal should be detailed. How biometric and token controls are to be used and implemented should be described.

Cable Plant Management

the design, documentation, and management of the lowest layer of the OSI network model—the physical layer. The physical layer is the foundation of any network, whether it is data, voice, video, or alarms, and it defines the physical media upon which signals or data is transmitted through the network. Approximately 70% of your network is composed of passive devices such as cables, cross-connect blocks, and patch panels. Documenting these network components is critical to keeping a network finely tuned. The physical medium can be copper cable (e.g., cat 6), coaxial cable, optical fiber (e.g., single or multimode), wireless, or satellite. The physical layer defines the specifics of implementing a particular transmission medium. It defines the type of cable, frequency, terminations, etc. The physical layer is relatively static. Most change in the network occurs at the higher levels in the OSI model. Key components of the cable plant include the entrance facility, equipment room, backbone cable, backbone pathway, telecommunication room, and horizontal distribution system.

Systems Assurance and Controls Validation

the process of validating that existing security controls are configured and functioning as expected, both during initial implementation and on an ongoing basis. Security controls should never be assumed to be functioning as intended. Human error, design issues, component failures, and unknown dependencies and vulnerabilities can impact the initial configuration of security controls. Even once properly implemented, controls can lose effectiveness over time. Changes in the control environment itself, in the infrastructure that supports the control, in the systems that the control was designed to protect, or in the nature of threats that seek to bypass controls all contribute to reduced control effectiveness. Even in the absence of known changes, a "set it and forget it" mentality can expose an organization to risk. Therefore, controls should be tested on a periodic basis against a set of security requirements.

Standards differ from policies in that

they are typically more technical in nature, are more limited in scope and impact, do not require approval from executive management, and are more likely than policies to change over time. Standards are often developed to implement the details of a particular policy. Because of their more detailed technical nature, security practitioners responsible for administering security systems, applications, and network components typically play a more active role in the development of standards than in policy development, which largely occurs at management levels in an organization. Many organizations have formal standards and procedures review committees composed of IT practitioners, whose role is to assist in the development of standards documents; review documents for clarity, accuracy, and completeness; identify impacts; and often implement approved standards.

two most common DLP systems

those that protect transfer of sensitive data to mobile storage devices such as USB keys and smartphones and those that prevent data leakage via web and e-mail at an organization's Internet gateway.

DLP systems should be supplemented with

traditional safeguards such as physical and logical access controls, encryption, and auditing. It must also be kept current to accommodate changes in applications, business processes and relationships, and infrastructure.

Awareness training

typically more formal in nature and produces more directly measurable results. It is a good idea to make security awareness training a mandatory annual or semiannual event by partnering with Human Resources or training areas. Some organizations require specific training on security policies and procedures and appropriate use of information systems, and may maintain a record of attendance and formal, signed acknowledgment that training has been received. Training can be general or it can focus on specific areas such as: Labeling and handling of sensitive information Appropriate use policies for e-mail, Internet, and other services Customer privacy laws, policies, and procedures Detecting and reporting security incidents Protecting intellectual property and copyright