In these times of online and shared services, it's not enough to secure your own internal services. This video explains how external services also affect internal security.
- [Instructor] Here's another thought for you. Even if your own systems are secure, how secure are the systems of your service vendors? Weaknesses on their end could provide backend access to malicious actors to your system. If you don't currently conduct risk analysis evaluations on vendors, you should start. Even if it's self-certification on their part, would you even want to do business with a partner who wasn't willing to declare that they were following best practices in regards to patches and firewalls, et cetera? Of course, this implies that you are doing this on your side too, right? I mean, how long has it been since your company conducted an internal risk assessment on your systems? Has your company conducted an internal risk assessment on your systems? We've already talked about how fast things are changing. So if it's been more than a couple of years, it's probably time to go back and take another look.

Now, how do you do that? Well, you can reinvent the wheel, but you have easier options. If money is no object, there are a lot of companies out there who will assess you, but you have some resources available to you for free. The most important is probably the National Institute of Standards and Technology, which is part of the US Department of Commerce. They publish a list of criteria and update it fairly regularly. At the time of creation of this course, their most recent update is from February 2020, and it's available online at their website.

I'd also recommend checking out the SANS Institute site. SANS stands for System Admin Audit Network and Security. The organization was founded in 1989 as a place for industry members to collaborate on best practices. And it's grown to probably the most respected source of information worldwide. They've got a big collection of templates and guides that you can use as you're developing your assessment. And they've also got a lot of information on developing robust security policies and training plans overall.
Which brings me to my next point. How up-to-date are your security processes and policies? Do you have a set cadence for review? A lot of experts recommend annual reviews. Now that might be too much of a burden for some organizations, but I have to say, if you're going to go more than three years, how do I put this nicely? You are being very trusting. I think overly optimistic is much more like it. And finally, about those users, how are you sharing information with them? How quickly are they updated if things change? Is there a place for them to find information and training easily? You're going to hear me say this a lot during this course, but this is the weakest link of your security chain. It is imperative that you have an educated and motivated employee base. So you need to pay special attention to developing them. Key takeaway: security awareness is an ongoing program, not an event.
- Identify the group of people to be notified when making a document policy or procedure change.
- Recognize which types of documentation require higher levels of security.
- Name the two rights available at folder level during collaboration.
- Recall the purpose of version control.
- Determine which application allows multiple libraries with custom permissions.
- Identify the term used for add-ins within the SharePoint application.
- Explain the most common cause of data breaches.