1
00:00:00,000 --> 00:00:01,290
In this section of the course,

2
00:00:01,290 --> 00:00:04,200
we're going to discuss Documentation and Processes.

3
00:00:04,200 --> 00:00:06,600
Now, when we discuss documentation and processes,

4
00:00:06,600 --> 00:00:07,740
most of these are going to tie back

5
00:00:07,740 --> 00:00:10,290
to a larger concept known as a policy.

6
00:00:10,290 --> 00:00:11,820
Now, when I talk about a policy,

7
00:00:11,820 --> 00:00:13,110
I'm not specifically talking about

8
00:00:13,110 --> 00:00:14,460
technical controls anymore,

9
00:00:14,460 --> 00:00:15,780
like adding access control lists

10
00:00:15,780 --> 00:00:17,130
to our firewalls and routers,

11
00:00:17,130 --> 00:00:19,320
or enabling MAC filtering, or enforcing encryption,

12
00:00:19,320 --> 00:00:21,900
and things like that to better secure your network.

13
00:00:21,900 --> 00:00:23,400
This is because technical controls

14
00:00:23,400 --> 00:00:25,560
aren't the only way for us to secure our network.

15
00:00:25,560 --> 00:00:27,570
In fact, a lot of our network protections

16
00:00:27,570 --> 00:00:29,940
are going to come in the form of administrative controls,

17
00:00:29,940 --> 00:00:31,080
such as policies,

18
00:00:31,080 --> 00:00:32,910
and these policies are then documented

19
00:00:32,910 --> 00:00:34,530
and translated into processes

20
00:00:34,530 --> 00:00:36,000
that our network administrators will follow

21
00:00:36,000 --> 00:00:37,740
when they conduct their daily work.

22
00:00:37,740 --> 00:00:40,260
Now, policies are one part of a larger concept

23
00:00:40,260 --> 00:00:42,090
known as IT governance.

24
00:00:42,090 --> 00:00:43,470
IT governance is used to provide us

25
00:00:43,470 --> 00:00:45,600
with a comprehensive security management framework

26
00:00:45,600 --> 00:00:47,700
for our organizations to build upon.

27
00:00:47,700 --> 00:00:49,200
This is done using policies,

28
00:00:49,200 --> 00:00:52,500
standards, baselines, guidelines, and procedures.

29
00:00:52,500 --> 00:00:53,670
Now, policies are going to be used

30
00:00:53,670 --> 00:00:56,250
to define the role of security inside the organization

31
00:00:56,250 --> 00:00:57,900
and establish the desired end state

32
00:00:57,900 --> 00:00:59,730
for that security program.

33
00:00:59,730 --> 00:01:01,770
This is usually provided by your senior management,

34
00:01:01,770 --> 00:01:02,910
and it's going to clarify the level

35
00:01:02,910 --> 00:01:05,069
in which the organization will enforce security

36
00:01:05,069 --> 00:01:07,230
and how the organization will categorize the controls

37
00:01:07,230 --> 00:01:08,700
that are being applied.

38
00:01:08,700 --> 00:01:10,290
Policies tend to be very broad,

39
00:01:10,290 --> 00:01:11,640
and they provide the basic foundation

40
00:01:11,640 --> 00:01:12,840
upon which the standards,

41
00:01:12,840 --> 00:01:16,140
baselines, guidelines, and procedures are going to be built.

42
00:01:16,140 --> 00:01:17,100
Now, security policies

43
00:01:17,100 --> 00:01:19,350
are going to be further divided into three levels.

44
00:01:19,350 --> 00:01:20,640
These are organizational,

45
00:01:20,640 --> 00:01:23,040
system-specific, and issue-specific.

46
00:01:23,040 --> 00:01:24,690
Organizational security policies

47
00:01:24,690 --> 00:01:26,580
are going to provide direction and goals.

48
00:01:26,580 --> 00:01:27,690
They're going to give you a framework

49
00:01:27,690 --> 00:01:29,730
to meet the business goals and define the roles,

50
00:01:29,730 --> 00:01:32,250
responsibilities, and terms associated with it.

51
00:01:32,250 --> 00:01:34,740
System-specific policies are going to address the security

52
00:01:34,740 --> 00:01:36,090
of a specific technology,

53
00:01:36,090 --> 00:01:38,550
application, network, or computer system.

54
00:01:38,550 --> 00:01:40,140
These system-specific policies

55
00:01:40,140 --> 00:01:41,580
will tend to be much more technical

56
00:01:41,580 --> 00:01:42,750
and they tend to focus on protecting

57
00:01:42,750 --> 00:01:44,070
a certain piece of the system

58
00:01:44,070 --> 00:01:46,230
or a certain piece of technology.

59
00:01:46,230 --> 00:01:48,150
Issue-specific policies are built to address

60
00:01:48,150 --> 00:01:50,760
a specific security issue, such as email privacy,

61
00:01:50,760 --> 00:01:54,060
employee termination procedures, or other specific issues.

62
00:01:54,060 --> 00:01:55,590
As we move beyond policies,

63
00:01:55,590 --> 00:01:57,360
we're going to enter the world of standards.

64
00:01:57,360 --> 00:01:59,400
Now, standards are going to be used to implement a policy

65
00:01:59,400 --> 00:02:00,990
inside of an organization.

66
00:02:00,990 --> 00:02:02,940
These include things like mandatory actions,

67
00:02:02,940 --> 00:02:05,790
steps, or rules that need to be followed and achieved

68
00:02:05,790 --> 00:02:07,320
to be able to get the desired level of security

69
00:02:07,320 --> 00:02:08,880
that you want in your network.

70
00:02:08,880 --> 00:02:10,949
After standards, we have baselines.

71
00:02:10,949 --> 00:02:11,970
And baselines are going to be used

72
00:02:11,970 --> 00:02:14,970
as a reference point in our network architecture and design.

73
00:02:14,970 --> 00:02:16,740
These baselines are going to be used to document

74
00:02:16,740 --> 00:02:17,820
any kind of system,

75
00:02:17,820 --> 00:02:19,140
and that way we can go back later

76
00:02:19,140 --> 00:02:21,600
and compare it for analysis against the baseline.

77
00:02:21,600 --> 00:02:23,880
For example, we may have a baseline configuration

78
00:02:23,880 --> 00:02:25,050
for our network switches,

79
00:02:25,050 --> 00:02:25,883
and then we can compare

80
00:02:25,883 --> 00:02:27,660
the running configuration on any switch

81
00:02:27,660 --> 00:02:29,520
to our baseline at any given time

82
00:02:29,520 --> 00:02:31,740
to see what changes have been made by our administrators

83
00:02:31,740 --> 00:02:33,450
or a possible attacker.

84
00:02:33,450 --> 00:02:34,950
Next, we have guidelines.

85
00:02:34,950 --> 00:02:36,540
Now, it's important to note that guidelines

86
00:02:36,540 --> 00:02:38,700
are not required or mandatory actions,

87
00:02:38,700 --> 00:02:40,770
but instead they're simply recommended actions

88
00:02:40,770 --> 00:02:42,240
that we should do.

89
00:02:42,240 --> 00:02:44,280
Guidelines tend to be very flexible in nature,

90
00:02:44,280 --> 00:02:46,110
and they allow for exceptions and allowances

91
00:02:46,110 --> 00:02:47,940
when a unique situation occurs.

92
00:02:47,940 --> 00:02:49,860
For example, let's pretend I have a guideline

93
00:02:49,860 --> 00:02:51,900
that every employee gets 1 terabyte of storage

94
00:02:51,900 --> 00:02:53,250
on our cloud servers.

95
00:02:53,250 --> 00:02:55,380
Now, that might be fine for most people who work here

96
00:02:55,380 --> 00:02:58,500
like our salespeople, or our accountants, or folks like that

97
00:02:58,500 --> 00:03:00,000
because they work mostly with text files

98
00:03:00,000 --> 00:03:01,860
and those files are small in size.

99
00:03:01,860 --> 00:03:03,660
Now, these users are going to have plenty of space

100
00:03:03,660 --> 00:03:05,490
with that 1 terabyte of storage limit,

101
00:03:05,490 --> 00:03:07,890
but my video editor might come up and say

102
00:03:07,890 --> 00:03:09,000
they're running out of space

103
00:03:09,000 --> 00:03:11,040
and they need 5 terabytes of storage.

104
00:03:11,040 --> 00:03:12,900
Now, because our storage size limitations

105
00:03:12,900 --> 00:03:14,040
are based on a guideline

106
00:03:14,040 --> 00:03:15,930
and not a standard or a baseline,

107
00:03:15,930 --> 00:03:17,520
we can actually make an exception to it

108
00:03:17,520 --> 00:03:20,100
and allow the video editor to get 5 terabytes of storage

109
00:03:20,100 --> 00:03:21,630
instead of 1 terabyte of storage

110
00:03:21,630 --> 00:03:22,980
because they have the need for that

111
00:03:22,980 --> 00:03:24,840
in their specific job role.

112
00:03:24,840 --> 00:03:26,460
Next, we have procedures.

113
00:03:26,460 --> 00:03:27,900
Now, procedures or processes

114
00:03:27,900 --> 00:03:30,060
are going to be detailed step-by-step instructions

115
00:03:30,060 --> 00:03:31,680
that we create to tell our personnel

116
00:03:31,680 --> 00:03:34,950
how they can perform a given task or a series of actions.

117
00:03:34,950 --> 00:03:37,170
Now, these procedures are where those high-level policies

118
00:03:37,170 --> 00:03:38,550
are transformed all the way down

119
00:03:38,550 --> 00:03:40,110
through the standards and guidelines

120
00:03:40,110 --> 00:03:42,990
into actionable steps that we can take on a daily basis.

121
00:03:42,990 --> 00:03:44,640
For example, your service desk

122
00:03:44,640 --> 00:03:45,570
probably has a procedure

123
00:03:45,570 --> 00:03:47,430
on how to create a new user account.

124
00:03:47,430 --> 00:03:48,690
This procedure will encompass

125
00:03:48,690 --> 00:03:50,250
all the security-related policies,

126
00:03:50,250 --> 00:03:51,600
standards, and guidelines,

127
00:03:51,600 --> 00:03:52,890
so that your frontline employees

128
00:03:52,890 --> 00:03:54,780
will simply follow the step-by-step actions

129
00:03:54,780 --> 00:03:56,310
necessary to create the user account

130
00:03:56,310 --> 00:03:57,750
by following this procedure

131
00:03:57,750 --> 00:03:59,580
and then give the account the proper permissions,

132
00:03:59,580 --> 00:04:00,690
the correct password strength,

133
00:04:00,690 --> 00:04:02,580
and all those other types of things.

134
00:04:02,580 --> 00:04:03,960
For the exam, I want you to remember

135
00:04:03,960 --> 00:04:05,280
the different types of policies

136
00:04:05,280 --> 00:04:06,480
as we work our way down

137
00:04:06,480 --> 00:04:08,670
from the more generic to the more specific.

138
00:04:08,670 --> 00:04:10,380
This includes policies, standards,

139
00:04:10,380 --> 00:04:12,870
baselines, guidelines, and procedures.

140
00:04:12,870 --> 00:04:13,980
Now, as I said before,

141
00:04:13,980 --> 00:04:15,390
in this section we're going to be focused

142
00:04:15,390 --> 00:04:17,370
on documentation and processes,

143
00:04:17,370 --> 00:04:18,450
and we're going to focus solely

144
00:04:18,450 --> 00:04:20,370
on Domain 3: Network Operations

145
00:04:20,370 --> 00:04:22,710
and Objective 3.1 in this section.

146
00:04:22,710 --> 00:04:24,180
Objective 3.1 states

147
00:04:24,180 --> 00:04:25,710
that you must be able to explain the purpose

148
00:04:25,710 --> 00:04:28,470
of organizational processes and procedures.

149
00:04:28,470 --> 00:04:29,550
Now, first, we're going to look

150
00:04:29,550 --> 00:04:30,960
at common types of documentation

151
00:04:30,960 --> 00:04:32,430
that you're going to use in your networks,

152
00:04:32,430 --> 00:04:35,130
including things like physical and logical diagrams.

153
00:04:35,130 --> 00:04:36,990
Then, we'll discuss asset inventories

154
00:04:36,990 --> 00:04:38,130
and how they're used for tracking

155
00:04:38,130 --> 00:04:40,080
our hardware, software, licensing,

156
00:04:40,080 --> 00:04:42,360
and warranty support within our networks.

157
00:04:42,360 --> 00:04:45,030
Next, you're going to learn about IP address management.

158
00:04:45,030 --> 00:04:46,980
IP address management, or IPAM,

159
00:04:46,980 --> 00:04:49,680
is a method used to plan, track, and manage the assignment

160
00:04:49,680 --> 00:04:52,890
and use of IP addresses within our networks over time.

161
00:04:52,890 --> 00:04:55,260
After that, we're going to explore some common agreements,

162
00:04:55,260 --> 00:04:56,730
including a non-disclosure agreement

163
00:04:56,730 --> 00:04:58,440
and a service-level agreement.

164
00:04:58,440 --> 00:05:01,380
Then, we'll cover an overview of the product lifecycle,

165
00:05:01,380 --> 00:05:03,180
including a discussion about end of life

166
00:05:03,180 --> 00:05:05,250
and end of support considerations.

167
00:05:05,250 --> 00:05:06,780
Next, we'll look at changes

168
00:05:06,780 --> 00:05:08,160
and how they're implemented in our networks

169
00:05:08,160 --> 00:05:09,570
using change management.

170
00:05:09,570 --> 00:05:11,670
Now, change management is a systematic approach

171
00:05:11,670 --> 00:05:13,860
to dealing with the transition or transformation

172
00:05:13,860 --> 00:05:16,740
of an organization's goals, processes, or technologies

173
00:05:16,740 --> 00:05:18,450
from one state to another.

174
00:05:18,450 --> 00:05:21,090
After that, we'll explore configuration management.

175
00:05:21,090 --> 00:05:22,230
Configuration management

176
00:05:22,230 --> 00:05:23,280
is the process of maintaining

177
00:05:23,280 --> 00:05:24,870
a consistent and functional state

178
00:05:24,870 --> 00:05:27,390
of an organization's information technology assets

179
00:05:27,390 --> 00:05:28,470
through version control

180
00:05:28,470 --> 00:05:30,900
and the management of your environmental settings.

181
00:05:30,900 --> 00:05:33,060
Then, we'll discuss patch management.

182
00:05:33,060 --> 00:05:34,920
Patch management is a process of distributing

183
00:05:34,920 --> 00:05:36,510
and applying updates to software

184
00:05:36,510 --> 00:05:37,830
to correct security vulnerabilities

185
00:05:37,830 --> 00:05:39,690
and improve their functionality.

186
00:05:39,690 --> 00:05:41,130
Finally, we'll take a short quiz

187
00:05:41,130 --> 00:05:43,110
to see what you learned during this section of the course

188
00:05:43,110 --> 00:05:44,280
and review your answers

189
00:05:44,280 --> 00:05:46,050
to ensure you know why the right answers were right

190
00:05:46,050 --> 00:05:47,640
and the wrong answers were wrong.

191
00:05:47,640 --> 00:05:50,130
So, if you're ready, let's get started with our coverage

192
00:05:50,130 --> 00:05:51,840
of documentation and processes

193
00:05:51,840 --> 00:05:54,340
in this section of the course.