In today's lesson, I'll talk about technical policies. This is part two of our policies module, where we are talking about both organizational policies and technical policies. Our organizational policies should map to technical policies. So we'll discuss the differences between technical and organizational policies, explain where they might be configured, and give some examples of technical policies that you may implement.

Technical policies actually show what is allowed and what is denied. We can configure technical policies to enforce things on users. These are mainly in the form of configuration items. Technical versus organizational policies: they are a little different. Organizational policies tell us what we need to do. Technical policies define how we actually enforce those. These are technical controls on systems that map directly, or may map directly, to our organizational policies. These types of policies go hand in hand.

So let's talk about password policy real quick. In your acceptable use policy you may see that passwords should be strong. In a technical policy, that may map to configuring Active Directory to require numbers, characters, and a certain length of password, maybe 12 characters, in your overall password configuration policy. So this is the technical control that implements the organizational policy.

Technical policies allow us to make sure that we are controlling users and protecting them not only from others but from themselves. Think about what happens if we do something accidentally, like deleting some information or passing some information over the Internet that shouldn't be passed. Think about Social Security numbers in the US, for example. Those are highly sensitive, critical information that we don't want leaked. Well, you can configure for that, depending on the system. We use Sophos, for example, for some of our more sensitive systems. It has a module built in that looks at data streams, and if it sees a Social Security number go out of a system in the clear, it actually blocks it. That's an example of a technical policy being implemented. We might also find technical policies in software configuration or hardware configuration, like firewalls, for example.

Let's look at some of the industry standards. Two big industry standards where we see organizational policies map to technical policies are HIPAA in the US and PCI across the world. PCI stands for Payment Card Industry, and there's a data security standard that not only maps organizational policies but also maps technical policies. The PCI DSS has 12 overall requirements for protecting cardholder information and cardholder data environments, which you can call the CDE. The CDE is highly protected, so nearly all 12 of those requirements have organizational policies built in, and requirements 1 through 11 could be transformed into technical policies that you put on systems. For example, one of the requirements is antivirus: have antivirus on systems. Well, you could ensure that antivirus is put on systems through a technical policy. That one is very easy to comply with. But what about making sure that there are no credit card numbers in the clear anywhere, or stored in the clear? That's another way we can have technical policies map to organizational policies.

Some more examples of technical policies could include things like passwords, encryption, anti-malware, user accounts, backups, and disaster recovery controls. All of these can be configuration items implemented across all kinds of different systems that, again, map to organizational policies that do not include specific technology.

In conclusion, technical policies and organizational policies work hand in hand to provide an overall picture of either security or our sense of what people should be doing. Technical policies should be used across all systems to handle not only incidental exposure but also intentional exposure.
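As an added example, not code from the lesson or from any vendor's product, here is a small Python version of the data-stream check described above: a technical policy, expressed as a configuration item, that blocks outbound text containing a US Social Security number in the clear. The sample messages are constructed, and the plausibility rules follow the published SSN format (area 000, 666 and 900 to 999, group 00 and serial 0000 are never issued), which keeps ordinary nine-digit numbers from tripping the block.

```python
import re
from dataclasses import dataclass

# Configuration item for the technical policy (constructed example):
# "Block outbound data that contains a US Social Security number in the clear."
# Matches 123-45-6789, 123 45 6789 and 123456789, bounded so that longer digit
# runs (order numbers, hashes) are not matched.
SSN_PATTERN = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values that can never be a valid SSN, to cut false positives."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[str]:
    """Return every plausible SSN found in a chunk of outbound text."""
    return [m.group(0) for m in SSN_PATTERN.finditer(text)
            if is_plausible_ssn(*m.groups())]


@dataclass
class Verdict:
    allowed: bool
    reason: str


def enforce_outbound(text: str, encrypted: bool = False) -> Verdict:
    """Apply the policy to one outbound message.

    The policy governs data in the clear only; an encrypted stream is opaque
    to this check and is passed through (and should be covered by a separate
    encryption policy, as the lesson lists encryption among technical policies).
    """
    if encrypted:
        return Verdict(True, "encrypted stream; not inspected by this policy")
    hits = find_ssns(text)
    if hits:
        return Verdict(False, f"blocked: {len(hits)} SSN(s) in the clear")
    return Verdict(True, "no SSN detected")


if __name__ == "__main__":
    # Constructed sample messages leaving a system.
    for msg in ["patient record, ssn 219-09-9999", "invoice 12345 paid",
                "ticket 000-12-3456 (not an SSN)"]:
        v = enforce_outbound(msg)
        print(f"{'ALLOW' if v.allowed else 'BLOCK'}: {msg!r} -> {v.reason}")
```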