Before someone has access to a resource on an IT infrastructure, they should go through some form of authentication to prove that they truly have the right to use that resource. IT support specialists set up different types of authentication methods, and not just passwords. Even when passwords are used, different levels of access can be configured for files, folders, and devices.
Whether intended or not, IT support specialists can also come across a variety of information that should be kept secure, such as Personally Identifiable Information (PII) or Protected Health Information (PHI). IT technicians are responsible for establishing a system of permissions that allows only the appropriate people to access secure information, and for determining how that information is kept secure through encryption. They are also responsible for being proactive about establishing procedures and technology solutions for Data Loss Prevention (DLP) and policies for recovering data, when necessary.
How do you know your information is safe? You probably use a password for a lot of the sites you visit as well as those you use for school or work. Do you use the same password over and over? Do you use strong passwords? How do you know?
Passwords are just one way to authenticate someone using technology, but they're not flawless, especially if you don't follow guidelines for creating strong passwords. You'd be surprised how many people never change their password, or use passwords you can guess easily, like a pet's or child's name or a birthday. As an IT support specialist, you can set up policies that require people to keep the information and devices you support more secure.
You can create policies that require people to use strong passwords or other ways to authenticate themselves. You can also set the permissions on files, folders, and other resources on your network. You may also encrypt different kinds of data so unauthorized people can't access it. As an IT support specialist, you need to understand technology and behavioral best practices for keeping data secure, and enforce those best practices among those who use your network's resources.
How can you ensure data is kept secure, so it can only be accessed by those who have permission to, and what do you do if there is an incident in which data may be at risk?
Students configure data protection in Windows and should be able to explain how files, folders, and disks can be made more secure. They can also review or propose policies that enforce security best practices, help keep data secure, and define what to do if an incident occurs that risks the exposure or loss of data.
Implement Security Best Practices
Authentication factor
Radio Frequency Identification (RFID)
Key fob
Biometric information
Two-factor authentication
Three-factor authentication
Software token
Replay attack
RADIUS
TACACS+ (Terminal Access Controller Access Control System Plus)
Access Control List (ACL)
Implement Data Protection Policies
Information Content Management (ICM)
Personally Identifiable Information (PII)
Protected Health Information (PHI)
Payment Card Industry Data Security Standard (PCI DSS)
Permission
Access Control List (ACL)
Encrypting File System
Full Disk Encryption
Data Loss Prevention
End User License Agreement (EULA)
Shareware
Freeware
Open Source
Digital Rights Management (DRM)
Protect Data During Incident Response
Incident response policy
Incident
Computer Security Incident Response Team (CSIRT)
Computer forensics
Chain of Custody
Monday
Introduction to problem: Security Best Practices
Online Pre-assessment (available for student practice, as well)
Review content resources with whole group: Topic 13A: Discussing Security Best Practices Implementation
Tuesday
Review content resources with whole group: 13B: Data Protection Policies
Small group and independent exploration of resources
Activity 13-1: Discussing Security Best Practices Implementation
Activity 13-2: Discussing Data Protection Policies
Wednesday
Hands-on exploration with IT professionals: Activity 13-3: Configuring Data Protection
Progress check with supervisor
Thursday
Hands-on exploration with IT professionals: Activity 13-3: Configuring Data Protection
Small group and independent exploration of resources: Topic 13C: Protect Data During Incident Response
Activity 13-4: Discussing Data Protection During Incident Response, if time allows
Friday
Hands-on exploration with IT professionals: Activity 13-3: Configuring Data Protection & Activity 13-4, if necessary
Team progress check with supervisor or sharing of progress with whole group
Online post-assessment
There are a lot of security practices and terms students must become comfortable with in these topics. Depending on the level of access your students have to devices and a network, they may have limitations applying some of the skills referenced in these topics.
Preferably, students will be able to engage in Activity 13-3: Configuring Data Protection as the primary focus of their hands-on applications during these topics. Students should become aware of how file permissions, folder encryption, and disk encryption may or may not protect data on fixed disks and removable media. This is another activity that relies on virtual machines. If they are not available, consider how students can at least observe the use of security measures, such as the Advanced Security Settings and BitLocker.
The Official CompTIA A+ Core 1 & Core 2 Instructor Guide for Exams 220-1001 and 220-1002
Professor Messer at ProfessorMesser.com and YouTube offers numerous free videos of various lengths for many of the topics for the CompTIA 220-1001 A+ Exam. They are easy-to-understand, narrated videos with visuals. If you are teaching a CompTIA course, the site notes "You're welcome to use them as much as you'd like, provided you embed the videos with the associated YouTube link or link directly to my site. Please click the 'Contact Us' link at the top of our web page and let me know how you're using them."
Entry Level I.T. Training from Technology Gee
Microsoft Support
Other Articles and Resources:
Disk vs File Encryption – Which is Best for Your Organization? from The Purple Guys, an IT support group in Kansas City, KS.
Guidance on the Protection of Personal Identifiable Information from the U.S. Department of Labor
What is Shareware? – How it works and how to protect yourself from Kaspersky, a digital security company (contains advertisements)
Your Guide to Using BitLocker Encryption on Windows 10 by Andre Da Costa for groovypost. Thorough step-by-step tutorial. (contains advertisements)