CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [222]
FIGURE 8.8 Parties in a certificate-based transaction
If a dispute occurs, these terms will be used to identify all the parties in the transaction. Your certificate policies should clearly outline who the valid subscribers and third parties are in any transactions. These policies provide your organization with a framework to identify parties, and they provide the rules detailing how to conduct transactions using e-commerce, e-mail, and other electronic media.
The practices or policies that an organization adopts for the certificate process are as important as the process that uses them. Your organization needs to develop practices and methods for dealing with certificate validity, expiration, and management. These policies tend to become extremely complicated. Most CAs require a Certificate Practice Statement (CPS), which defines certificate issue processes, record keeping, and subscribers’ legal acceptance of the terms of the CPS.
The CA should also identify certificate expiration and revocation processes. The CA must clearly explain the certificate revocation list (CRL) and CRL dissemination policies.
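The expiration and revocation processes that such a policy has to spell out, worked through as an added example that is not from the study guide: a constructed in-memory PKI built with Go's standard crypto/x509 package. The CA name "Demo Root CA", the subscribers alice, bob and carol, their serial numbers and the one-day CRL refresh interval are hypothetical values chosen for the example. What it demonstrates is the order of checks a relying party applies (issuer signature, validity window, CRL authenticity and freshness, then the revoked-serial lookup), including the caveat that a CRL past its NextUpdate cannot be used to clear a certificate, which is exactly why the CPS must state how often and where CRLs are disseminated.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Status string // outcome of checking one subscriber certificate against the policy

const (
	StatusValid     Status = "valid"
	StatusExpired   Status = "expired"   // outside its NotBefore..NotAfter window
	StatusRevoked   Status = "revoked"   // serial listed on the CA's CRL
	StatusUntrusted Status = "untrusted" // cert or CRL not signed by our CA
	StatusCRLStale  Status = "crl-stale" // CRL past its NextUpdate: refuse to decide
)

// DemoPKI is a constructed in-memory PKI; CA name, subscriber names and serials are hypothetical.
type DemoPKI struct {
	CA     *x509.Certificate
	Certs  map[string]*x509.Certificate // keyed by subject CN
	CRLDER []byte                       // DER-encoded CRL as the CA would publish it
}

func must[T any](v T, err error) T { // panics on error: fine for fixed demo data, not production paths
	if err != nil {
		panic(err)
	}
	return v
}

// BuildDemoPKI creates a self-signed CA, three subscriber certificates and a CRL
// revoking one of them; now anchors every validity window.
func BuildDemoPKI(now time.Time) *DemoPKI {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // may sign both certs and CRLs
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	// issue signs one subscriber certificate with the CA key.
	issue := func(serial int64, cn string, from, to time.Time) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: from, NotAfter: to, KeyUsage: x509.KeyUsageDigitalSignature,
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	certs := map[string]*x509.Certificate{
		"alice": issue(2, "alice", now.Add(-time.Hour), now.Add(30*24*time.Hour)), // in force
		"bob":   issue(3, "bob", now.Add(-time.Hour), now.Add(30*24*time.Hour)),   // in force, revoked below
		"carol": issue(4, "carol", now.Add(-60*24*time.Hour), now.Add(-24*time.Hour)), // expired yesterday
	}
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute),
		NextUpdate: now.Add(24 * time.Hour), // dissemination policy: a fresh CRL at least daily
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: big.NewInt(3), RevocationTime: now.Add(-time.Minute)}, // bob
		},
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return &DemoPKI{CA: ca, Certs: certs, CRLDER: crlDER}
}

// CheckStatus applies the policy in order: signatures chain to the CA, the cert is
// inside its validity window, the CRL is fresh, and only then is the serial looked up.
func CheckStatus(cert, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) Status {
	if cert.CheckSignatureFrom(ca) != nil || crl.CheckSignatureFrom(ca) != nil {
		return StatusUntrusted
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return StatusExpired
	}
	if now.After(crl.NextUpdate) {
		return StatusCRLStale
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked
		}
	}
	return StatusValid
}

func main() {
	now := time.Now()
	pki := BuildDemoPKI(now)
	crl := must(x509.ParseRevocationList(pki.CRLDER))
	for cn, c := range pki.Certs { // second column: 48h later, when the published CRL has gone stale
		fmt.Printf("%-5s now=%-8s later=%s\n", cn, CheckStatus(c, pki.CA, crl, now), CheckStatus(c, pki.CA, crl, now.Add(48*time.Hour)))
	}
}
```

Running it (Go 1.19 or later, for x509.ParseRevocationList and RevocationList.CheckSignatureFrom) prints alice as valid, bob as revoked and carol as expired at the first check; 48 hours later every still-valid certificate reports crl-stale, because a CRL past its NextUpdate may be hiding revocations the CA has since published. A certificate issued by a different CA comes back untrusted regardless of what the CRL says, since the CRL lookup only means anything for certificates that chain to the same issuer.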
Incident-Response Policies
Incident-response policies define how an organization will respond to an incident. These policies may involve third parties, and they need to be comprehensive. The term incident is somewhat nebulous in scope; for our purposes, an incident is any attempt to violate a security policy, a successful penetration, a compromise of a system, or any unauthorized access to information. This includes systems failures and disruption of services in the organization.
It’s important that an incident-response policy establish at least the following items:
■ Outside agencies that should be contacted or notified in case of an incident
■ Resources used to deal with an incident
■ Procedures to gather and secure evidence
■ List of information that should be collected about an incident
■ Outside experts who can be used to address issues if needed
■ Policies and guidelines regarding how to handle an incident
According to CERT, a Computer Security Incident Response Team (CSIRT) can be a formalized or ad hoc team. While you can toss a team together to respond to an incident after it arises, investing time in the development process can make an incident more manageable. Many decisions about dealing with an incident will have been considered in advance. Incidents are high-stress situations; therefore, it’s better to simplify the process by considering important aspects in advance. If civil or criminal actions are part of the process, evidence must be gathered and safeguarded properly.
Let’s say you’ve just discovered a situation where a fraud has been perpetrated internally using a corporate computer. You’re part of the investigating team. Your incident-response policy lists the specialists you need to contact for an investigation. Ideally, you’ve already met the investigator or investigating firm, you’ve developed an understanding of how to protect the scene, and you know how to properly deal with the media (if they become involved).
Your policies must also clearly outline who needs to be informed in the company, what they need to be told, and how to respond to the situation. The definition of an incident should cover not only successful intrusions but also attempted ones.
Enforcing Privilege Management
Privilege management involves making decisions about what information is accessed, how it’s accessed, and who is authorized to access it. Unlike hardware access control, these concerns deal with policy and implementation issues. Additionally, the issue of auditing is a key factor: You should ensure that your organization doesn’t provide more access or privileges than individuals need to do their work.
The following sections cover user and group roles, privilege escalation, single