Course Introduction and Security Basics
Governance, Compliance and Risk
In the last decade the nature and complexity of security attacks have increased tremendously. From simple attacks that focused on hacking exposed web pages, we have evolved to stealthy attacks in which the attacker stays hidden for years on end inside the victim's network with the sole purpose of stealing data. To make matters worse, more and more companies have started to store their data in the cloud, thereby transferring part of the responsibility for securing that data to the cloud service provider. So these days the cloud service provider is entrusted with the task of providing adequate security for the data and services it delivers to customers. When making the decision to move to the cloud, the two main metrics that enterprises look at tend to be cost and security risk.
This domain has controls around safeguarding assets. Some of the controls that this domain deals with concern the inventory of assets, ownership of assets, acceptable use of assets, and return of assets. It suggests controls around maintaining an inventory of assets and ensuring that the inventory is current and kept up to date. It also suggests that every information asset must have a clearly defined owner who is aware of their responsibilities. It suggests that there be an acceptable use policy in place, and a process by which all employees are made aware of such policies. It also suggests controls around the classification of information and recommends that the organization have a process for deciding the priority of information. This is important because if an organization knows which information is more important, it can focus its resources on securing that first before turning to the less important information.
You will see that a fundamental recurring theme in all security frameworks is the assumption that resources such as time and money are scarce. The domain also suggests that once an information asset is classified, it be appropriately labeled. Once we have classified and labeled our assets, there need to be procedures defining how the different classes of information assets are to be handled. Effectively, more care needs to be given to highly confidential assets than to an asset lower down on the totem pole of importance. Processes for making employees aware of these procedures also need to be put in place. What is the point of writing a procedure if no one knows about it?
This section also talks about removable media and defining processes for handling removable media. It is pointless to secure a server while it is in the data center running a cloud application and collecting data, if we are then going to place it in an insecure work area when we do maintenance. Anybody can then tap in and copy the information present on the hard drive. So a lot of importance has to be given to removable media, such as hard drives and USB drives. Also, if a situation arises in which these drives have to be destroyed, we need to make sure that they are thoroughly wiped clean of any confidential data they may hold before being trashed.
Some of these drives may need to be transported from one data center to another. In such situations we need to make sure that they are transported in a safe and secure manner. For example, you may want to make sure that they are encrypted and transported via FedEx in a lockbox. In the case of assets in the possession of employees who are leaving the organization, we need to make sure that those assets are returned and wiped clean of data before they are reissued to other employees.
About the Author
Vish Chidambaram is an award-winning Enterprise Security Leader with 18+ years of experience, skilled in areas spanning Automation, Security Operation Analytics and Reporting, Threat Management Life Cycle, Agile/DevOps environments, SaaS/Cloud security, Business Development/Consulting, Program Management and more. Most recently Vish was the CISO at Rubicon Project, a SaaS-based ad marketplace, where he was responsible for securing a high-performance SaaS platform handling 40 billion transactions per day. He pioneered the integration of security in DevOps by using automation, orchestration and machine learning tools. He is passionate about teaching security and believes staying current is particularly relevant in the security industry. He also mentors security professionals and advises them through career transitions. Details can be found at datacoreacademy.com or by writing to firstname.lastname@example.org. His LinkedIn page is https://www.linkedin.com/in/vish-chidambaram/