Needless to say, for CIOs, security has always been on our radar. But it seems like members of our executive teams are just now joining us in our concern. In response to the increased frequency, impact, and media spectacle of security breaches, the government is taking action. For the first time, some companies are being exposed to this regulatory scrutiny. With each new breach, executives are asking you, ‘could it happen to us?’
"Every decision in an effective security framework extends from this classification of data"
CIOs have a responsibility to prepare our organizations to operate securely. Every company drives revenue heavily from their technology investments, and security is how we protect those investments. Experts will tell you that you need an eight day seminar just to get oriented to the topic of security, in other words, there is a lot to this subject. In this article, to help you get started, we have provided a description of each domain of security, organized the same way as the CISSP certification. For each domain, we explain why you should care, and then give you a nudge in the right direction for what to do.
Security and Risk Management
This is about your overall security posture. What regulations do you need to be in compliance with, and what are the policies to which you adhere?
Why do I care? This is where you will spend most of your efforts. The policies, procedures, and guidelines are the management tools that you use to document your decisions.
What do I do? You need to be prepared by gathering all the knowledge that you can about your controls, policies, and technologies. Know your strengths, and your weaknesses.
Protect the security of your assets, identify the sensitivity level of your data, and classify it. Are you protecting a power grid, or a retail chain?
Why do I care? Every decision in an effective security framework extends from this classification of data. An effective security plan is also efficient: maximize protection around your most important assets.
What do I do? Check out the NIST Guide for Mapping Types of Information and Information Systems to Security Categories (SP800-60), a framework for data classification. If you’re a federal contractor, get comfortable with these NIST publications, you’ll be reading a lot of them.
This delves into the design principles and concepts that are the basis for any security solution. Core concepts include perimeter security, defense in depth strategy, onion architecture, and cryptography.
Why do I care? Without the proper approach, you are guaranteed to have a Swiss-cheese solution. Thin, soft, and full of holes. You want the castle walls, drawbridge, and moat (with optional alligators). This takes a comprehensive design.
What do I do? Ask your staff about how they’ve implemented defense in depth principles. If you get blank stares, it might be time to arrange some training on security. Check out the SANS organization and their security training and certification classes.
Communications and Network Security
This domain is about protecting your network, and network based services.
Why do I care? This is all about how you maintain the confidentiality, integrity, and availability of your services.
What do I do? To impress your networking geeks, ask them about next generation firewalls. Expect a confused response. This is because each vendor has a different definition for what constitutes ‘next generation’, so be wary of marketing hype. Have your team do their own testing, and find the feature set that fits.
Identity and Access Control
This is about controlling who can access what, knowing who is accessing what, and preventing unauthorized access.
Why do I care? During the federal background check process, I was surprised to find that they weren’t interested in parking tickets, or youthful transgressions in college. What they were interested in was identifying external stressors that might cause me to try and commit fraud. Effective access controls remove the potential for fraud to occur.
What do I do? Consider adding some control software that monitors access to, and the use of cloud services. Ask your team if employees are allowed to use cloud storage, and then check the actual usage.
Security Assessment and Testing
This is how you demonstrate ROI. Three big topics here are penetration testing, vulnerability assessments, and application security testing.
Why do I care? This is all about how you identify and remove gaps in your controls, and provide reporting that can be used to show that you are serious about security to partners.
What do I do? Don’t forget to have your team remediate the findings of the assessment. Follow-up with an additional assessment within 30 days to demonstrate your progress.
These are the processes that ensure effective security controls: patch management, backups, logging, and disaster recovery testing – to name a few.
Why do I care? This is where the procedures live that keep your organization secure.
What do I do? Identify and learn from mistakes. Implement a daily operations checklist that includes integrity checks. Findings from these checks are then used to make improvements, and are fed into your incident David Mason handling process.