Implementing Compliance and Operational Security

• Physical Security
• Legal Compliance
• Security Awareness and Training
• Integrate Systems and Data with Third Parties

Physical Security Controls

Physical Security Control Types
• Locks
• Logging and visitor access
• Identification systems
• Video surveillance
• Security guards
• Signs
• Bonded personnel
• Mantrap doors
• Physical barriers
• Alarms
• Motion detection
• Protected distribution

Environmental Exposures
• Power fluctuations and failures
• Water damage and flooding
• Fires
• Structural damage

Environmental Controls
• HVAC systems
• Hot and cold aisles
• EMI shielding
• Alarm control panel
• Fire prevention
• Fire detection
• Fire suppression

Safety
• Affects both personnel and property.
• Deter intruders with fencing and CCTV.
• Protect employees with locks and proper lighting.
• Formulate an escape plan/route and perform drills.
• Test your controls to verify they are up to standard.

Compliance Laws and Regulations

• Ensuring that the requirements of legislation, regulations, industry codes and standards, and organizational standards are met.
• Identify requirements.
• Review pertinent law and regulatory documentation.
• Review policies and other legal documents.

Legal Requirements
• Consider overall legal obligations.
• Work with civil authorities.
• Comply with other departmental policies.
• Observe legal limitations and civil rights.
• Consider legal issues for different groups.

Types of Legal Requirements
• Employees
• Customers
• Business partners

Forensic Requirements

Forensics - refers to the process of identifying what has occurred on a system by examining the data.

Computer forensics - the process of investigating a computer system to determine the cause of an incident. Part of this process would be gathering evidence.

Chain of custody - ensures that each step taken with evidence is documented and accounted for from the point of collection. Chain of custody is the Who, What, When, Where, and Why of evidence storage.

Security Policy Awareness
• Ensures all users comply with guidelines.
• Should be accessible.
• Training sessions and documentation.

Role-Based Training
• Job roles and organizational responsibilities: Users, managers, and executives
• What information can be shared.
• Incident reporting and response.

Personally identifiable information (PII) - a catchall for any data that can be used to uniquely identify an individual. This data can be anything from the person's name to a fingerprint (think biometrics), credit card number, or patient record.

• Information used to identify, contact, or locate an individual.
• What PII is can vary depending on legal jurisdiction.
• Common examples:
  Full name
  Fingerprints
  License plate number
  Phone number
  Street address
  Driver's license number

Classification of Information
• Depends on type of business and how data is stored.
• Hard or soft classified data:
  Hard: concrete information
  Soft: ideas, thoughts, and views
• Levels of sensitivity:
  High/Medium/Low
  Restricted/Private/Public
  Confidential/Restricted/Public
• Other terms:
  Corporate Confidential
  Personal and Confidential
  Private
  Trade Secret
  Client Confidential

The Employee Education Process
User Security Responsibilities
Validation of Training Effectiveness
• Ensure compliance.
• Increase overall security of the organization.
• Identify which components have the greatest impact.
• Establish metrics:
  Impact, or behavioral change
  Compliance tracking
  Risk assessments

Business Partners
• Suppliers, customers, agents, resellers, vendors, etc.
• Formal or informal partnerships are possible.
• Information needs to be shared.
• On-boarding and off-boarding processes.

Social Media Networks and Applications
• Public nature of social media brings new risks.
• Sensitive information that is posted spreads quickly.
• Social engineering is a big concern.
• Are administrators trained on social media apps?
• Do they have the proper tools?
• What privacy concerns do you have?

Interoperability Agreements
• SLA (Service-Level Agreement) - defines the level of service to be provided
• BPA (Blanket Purchase Agreement) - an agreement between a government agency and a private company for ongoing purchases of goods or services
• MOU (Memorandum of Understanding) - a brief summary of which party is responsible for what portion of the work
• ISA (Interconnection Security Agreement) - an agreement between two organizations that have connected systems

Risk Awareness
• Keep informed about day-to-day partner operations.
• Keep employees on the lookout for risks in their own departments.
• Establish preparation for risk management.