Some security parameters are administratively managed. In this video, you’ll learn about standards for password policies, access control, physical security, and more.
In the technology industry, we rely on standards to let everyone know what the formal process is for handling different situations. This provides extensive documentation, which, of course, lets everyone know what the requirements are and also reduces the amount of risk we have in our environments. Some organizations will create their own list of security standards, especially when that organization has very unique requirements. But some organizations prefer using standards which have already been written. Two organizations that provide a set of security standards are ISO– that’s the International Organization for Standardization– and NIST, or the National Institute of Standards and Technology.
A set of security standards that everyone has to know about and follow are those associated with passwords, specifically what makes a good password. Every organization has their own opinion on what a good password happens to be, and there’s usually a formal policy that defines what the appropriate password complexity might be for an organization.
This standard might also define the appropriate type of authentication that's used in the organization. For example, an organization may have a standard that says you may not have local accounts on network devices. So a switch, a router, or a firewall must authenticate its administrators against a central authentication database instead, for example by using LDAP or RADIUS to authenticate to Active Directory. That way an account can be disabled in one place and the change applies to every device at once.
This same standard might also define how password resets are handled. You want to be sure that anyone resetting a password or making changes to a password is following a specific set of guidelines to ensure the security of that account. And of course, there are other password policies that need to be standardized, such as the frequency for password changes, how passwords might need to be securely stored, what type of password managers are acceptable, and so on.
Once someone authenticates to a system with their password, we need another set of standards that defines how that person can access data on the system. This is access control. Access control determines what type of information someone can access and at what time they're able to access that information. For example, there might be a standard that says that no system can use a discretionary access control policy, where the owner of a file decides who can read it, and that a mandatory access control policy is required instead, where access is decided by labels and a central policy that the owner of the data cannot override.
There should also be standards defining how you determine what type of access a particular user might have. This might require a sign-off by management or it might require a user to take a course before gaining access to certain types of data. And just as we have standards that define how users get access to data, we also need standards to define how we remove that access. This might be based on a security issue associated with that user. It may be based on the expiration of a particular account. There may be a user that leaves the organization. Or it may be based on the expiration of a contract.
Physical security is also an important consideration when creating standards for the organization, especially if your organization has a lot of people coming in and out of a building and you need to properly secure that property. An organization might have standards for every user that requires them to present an ID badge when they arrive and use that same badge to gain access through an electronic door lock. That standard might also be different for an employee versus a contractor or a guest.
An organization might have standards that define the type of electronic door locks that are in use. It may require a biometric aspect to the door lock. There could be ongoing monitoring that is required and perhaps even motion detection in some areas. The processes and procedures that are standardized will be different between organizations. In some organizations, there may be a standard for physical security that requires an escort for every visitor at all times. There may also be a different set of standards for when someone is offboarded or leaves the organization, such as collecting badges and revoking door access the same day. These standards are designed to keep everyone inside the organization safe and to prevent anyone from the outside from gaining unauthorized access.
Given the complexities associated with encryption technologies, it’s probably a good idea to have some very well documented standards on how encryption should be used in your organization. This might include standards for hashing or encryption algorithms. But it can also set standards for the implementation of those encryption technologies.
A good example of these might be the way that passwords are stored. There might be a requirement to store those passwords as a hash or, better, as a salted hash, where a random value unique to each account is mixed into the hash so that two users with the same password do not end up with the same stored value. And there might be a set of standards that defines the exact hashing algorithm that is required for that password storage. For passwords, that should be a deliberately slow password-hashing function such as bcrypt, scrypt, Argon2, or PBKDF2 rather than a fast general-purpose hash like MD5 or SHA-256, and the standard should also state the cost parameters, since those are what make offline guessing expensive. And in every organization, we have different states of data, for example, data in use, data in transit, and data at rest. And there might be different encryption requirements depending on the state of data at any particular time.
This means that data at rest may have a particular set of encryption standards associated with it, for example full-disk or database encryption with a specific cipher and key length. But data in transit across the network may have a different set of standards, such as a minimum TLS version and an approved list of cipher suites. All of these work together to make sure that all of the information that's being stored or transmitted is protected and remains confidential from anyone on the outside.