What Is Risk Management
One of the things I love about the Network+ is that it's such a practical exam, and it really challenges you on how to do certain things about networking.
It's great, but there's one place where we kind of have to close the lid and talk a little bit, and that's when we get into the idea of what we call I.T. risk management.
No one would argue that point, and in fact I'm pretty good at security.
I can configure a router, I can set up firewalls, I can lock down your wireless networks.
But for me, I don't think about security as an overall thing, so I tend to react to problems. So some threat comes in, I'm like, oh gosh, I've got to do something here, or if something comes over there with all the smoke, we've got to do it over there. So that's fine for a small operation like me.
But when you're talking about enterprise-level security, people can't afford to go down that way.
Small networks like mine can, and that's why the world of I.T. risk management exists. I.T. risk management is a school of thought.
I mean, you can get college degrees in I.T. risk management.
And luckily we're not going to go that deep here. For the Network+ we're just going to touch on it a little bit.
So I want to take a moment; we've got a number of videos after this when you get into it.
But I want to give you a couple of overview ideas, so that I get you to thinking not about, oh, what can I do in terms of security, but instead to think about how do we plan security.
So when we talk about I.T. risk management, we use the word infrastructure.
So we're talking about all of our networking, whatever that might be.
Our goal is to mitigate, to make it as small as possible, or to stop dead threats that are coming into my infrastructure.
Now what's tricky here is that because you and I are techs, you know, we want to talk about, you know, how do we lock down routers and how do we lock down our wireless networks, and these are important things.
But when you're talking about I.T. risk management, these are people who sit in boardrooms and wear ties, and they set up overview statements that define for little guys like me what we're supposed to do to set this up. And they have some terms, and I want to make sure we know them first of all, in order to set up your security infrastructure.
And so what we start with are things like laws. Here in the United States we have HIPAA for health care.
We have standards organizations, like, here again in the United States, the National Institute of Standards and Technology, NIST.
They set up rule sets and say these are the things one should do to secure your network.
Here are some things we do to provide security. So you take all the stuff from all over the world, and even things like common sense, all kinds of stuff comes into play, and you pay really smart people a lot of money to generate what we call security policies. Security policies are documents, and they're documents that define how you will go about doing the security to your infrastructure for your organization.
We'll go into this in a little bit more detail in later videos.
But for right now I want you to understand that we have these pieces of paper that say all kinds of stuff: acceptable use policy, ownership of equipment policy, password policies, and these are documents.
There, a password policy would say something, an overview statement; it would say we will always use complex passwords.
So once you generate that policy, then what you generate are what we call security controls, and security controls are the cornerstone of everything that is I.T. risk management.
Now a security control will be something that will say, oh, we will have all of our passwords on our Windows systems, we'll use complex password rule sets on our Linux systems.
Now once you have a security control in place, then you go down to actual, what we call, procedures.
So we've got three big pieces here I need you to be comfortable with.
Number one are policies, which are going to be printed documents, or at least electronic documents, that define overview statements; these generate security controls.
Now a security control can usually end up just living in, like, an Excel spreadsheet or something like that.
But the security controls define more clearly exactly how we're going to handle a particular policy, and then a procedure is exactly how we do that security control.
So these three pieces are important for understanding I.T. risk management.
Now if you want to get into more I.T. risk management, and you should, I strongly recommend CompTIA Security+; it takes it a lot farther down from here.
Security Policies
A security policy is a statement that an organization makes that defines the goals and motivations of that organization in terms of some aspect of security. Security policies are usually written documents.
And for one organization, you could have a hundred different types of security policies.
However, for the exam there are only four that we need to cover, so I'm going to go ahead and cover them right now.
Let's start with probably the most famous of all, an acceptable use policy. Now an acceptable use policy is a document that usually individuals have to sign that defines what somebody can do on company equipment.
For example, it's going to define ownership. It's going to say that smartphone that I've loaned you is mine, and therefore that's something you need to consider underneath the acceptable use policy.
It will also define things like, for example, websites: which websites we want you to go to and which ones we have a problem with you going to.
So if we don't want you going to Facebook during the business day, that might be something that we would actually place into an acceptable use policy.
The third one would be, oh, say, time of day. We would say, well, we don't want you on company equipment going to Facebook unless it's after five. If you're still at the office after five, go ahead.
Next is going to be a remote access policy. A remote access policy defines how you can connect to an internal network from somewhere outside the infrastructure.
So one great example of this is that all connections to our internal network will be through a virtual private network.
You must use a VPN, and maybe they might even define things like: you must have an IPsec VPN.
So it's very, very specific in terms of how you make that connection.
It says if you're going to connect remotely, you must use a RADIUS server, so that when people log in we can keep track of what they're doing and have good accounting.
Now we've covered password policy in other episodes in the series, but things like, for example, complexity: we require a certain level of complexity.
If you get the password wrong more than five times, you're locked out for 15 minutes.
So these are the things that actually fit within a password policy.
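As an added example, not part of the original video or its transcript, here is one way the password policy statements above could be implemented as a security control in Python: the lockout threshold (more than five wrong attempts) and the 15-minute lockout come from the transcript, while the specific complexity rule set and the `LockoutTracker` name are assumptions.

```python
# Added example (not from the Network+ transcript): turning the password policy
# "we will always use complex passwords" and "more than five wrong attempts locks
# you out for 15 minutes" into enforceable controls. The complexity rule set
# (12+ chars, upper, lower, digit, symbol) is an assumed example, not the video's.
import re
import time

LOCKOUT_THRESHOLD = 5        # more than five failures -> locked out
LOCKOUT_SECONDS = 15 * 60    # 15-minute lockout from the transcript


def meets_complexity(password: str) -> bool:
    """Control for the 'complex passwords' policy statement (assumed rule set)."""
    return (len(password) >= 12
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


class LockoutTracker:
    """Counts failed logins per account and enforces the 15-minute lockout."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock for deterministic tests
        self._failures = {}          # account -> consecutive failure count
        self._locked_until = {}      # account -> unix time when the lock expires

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self._clock() >= until:   # lock expired: clear it and reset the count
            del self._locked_until[account]
            self._failures[account] = 0
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Records a wrong password; returns True if the account is now locked."""
        if self.is_locked(account):
            return True
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count > LOCKOUT_THRESHOLD:
            self._locked_until[account] = self._clock() + LOCKOUT_SECONDS
            return True
        return False

    def record_success(self, account: str) -> None:
        """A correct password resets the consecutive failure count."""
        self._failures[account] = 0
```

The procedure layer from the transcript would then be the documented steps an administrator follows when a user reports being locked out, which this control does not decide on its own.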
Now the last policy I want to mention is something called a safety policy.
We always forget in the world of I.T. that safety really does come into play.
And as an I.T. person, I'm lifting up switches and I'm dealing with all kinds of stuff that has to do with the actual safety of the people and the equipment themselves.
So lifting, for example: I rarely have run into an organization that doesn't have very specific safety policies. You will use the hand truck for anything over 30 pounds.
You will use safety glasses when you're working with something that has glass in it, or whatever it might be.
When we talk about these different types of policies, if you're going to be working on a particular system, you're going to need an anti-static wrist bracelet, for example.
So that's where the safety policies come into play, but safety policies even go past equipment. For example, something as simple as if you run into a spill.
Then there can be very specific goals in terms of what we do with something as simple as a spill.
You might say, well, if you tip over a cup of coffee, we'll mop it up with a paper towel.
But if you dump over a drum of, I don't know anything about chemistry, hydroxide methyl, er, something that sounds really scary, maybe you might want to call Building Services to take care of that problem.
Speaking of what you do, when we talk about policies, policies only define a goal, but it's actually the procedures which define how we go about it.
So this is a perfect example when we're talking about policies: if you spill something small, whereas if you spill something scary, well, you're going to have to call somebody.
But procedures are actually the step-by-step process by which we make policies happen.
Look, Mike, you did a great job with the security policy stuff, but there are a few other terms that have popped up on the exam and I don't know where else to put them.
Listen.
Would you mind terribly if we went ahead and covered three more terms that really aren't security policy per se, but they're sort of related and they fit here?
Is that OK with you?
OK, why not.
There are three terms that really do not have a great home within this series, but they are on the exam, so let's go ahead and cover them.
So if you work for me at Total Seminars and you're getting all this great inside information about what Mike Meyers is doing, well, you've got to sign a non-disclosure agreement, so that not only now but any time in the future you're not going to be giving away company secrets.
What we call licensing restrictions, I know it's not a policy, but let's go ahead and cover it anyway.
A licensing restriction is any type of rule set that controls how you handle the licensing for some particular product.
For example, simultaneous usage: if you have a particular license, does that mean more than one person can use it at the same time, and if so, how do they use it, that type of thing.
In this particular situation, can you transfer this product to another entity?
But in some cases it's definitely a yes, with very specific rules. And another one would be license renewal: if you are using some licensed product and you want to renew it, how is it handled?
Okay.
When we talk about international export controls, now this is a very U.S.-centric kind of thing in my opinion.
The United States is very strict about certain types of information that are sent outside the U.S. borders.
One great example would be military information. If I have something I'm working on with the U.S. military, working on some new door for a submarine or something like that, well, they might be really, really restrictive about what type of information I send outside of the United States.
The United States is extremely strict about the type of information that's being sent out there.
Last would be something like, for example, license keys. A lot of times if I make a product, the United States has a very robust license key on it.
If I want to export that outside the United States, I usually have to use a reduced key size, so that Big Brother government, I guess, can keep an eye on something if it goes overseas.
And also remember we've got a few other terms that have snuck into the exam.
Security policies document to users how to access system resources and what is allowable and acceptable.