ISACA CISM – Domain 03 – Information Security Program Development part 13

April 25, 2023

98. IS Liaison Responsibilities Part2

As we continue through the other liaisons you would work with, there is obviously one in the training world. Besides the initial orientation, we should be working with training to make sure everybody understands security to some degree. Not that they are going to become firewall experts, but they should have an awareness of what a security issue is and know where to go when they see one, such as the incident response team, if they notice a security violation or something strange going on. Quality assurance is another liaison: their job is to check that we are operating at acceptable levels, and that includes acceptable levels of security.

They may even be the ones working with the auditors. As far as insurance goes, most organizations carry different types of policies, such as business interruption insurance, and that is one way of transferring some of the risk. As an example, back in the days of Hurricane Katrina, a lot of the casinos over in Biloxi got washed away or washed out. From the stories I read, most of them had business interruption insurance, so the employees were still able to draw a paycheck while the casinos were rebuilt, and the casinos still made money. You may have similar types of insurance, maybe not to that extent, but we want to work with whoever manages it. Third-party management covers any of your outsourced functions.

That includes something like your Internet service provider, because they control traffic coming in and out of your network, and it is worth working with them to understand what traffic they allow and what they can do for us under our security program. The same goes for the project management office. Projects have their own set of risks that we have to work with, so it is important that we are aware of all the projects across the organization, especially the IT projects, and that we are working with somebody who is part of project management or of the project itself. That way we can think about future risks, especially new risks being added into our network.

99. Cross-Organizational Responsibilities

When we look at cross-organizational responsibilities, remember that as the information security manager, directly responsible for the critical aspects of your information security program, you may be working with a variety of different businesses. When I say businesses, I should say organizational units within your company. If the program cuts across these multiple areas, one thing we should do is assign separate responsibilities to the senior managers of those areas, because we want to avoid a conflict of interest. Think about it: I have a manager of HR, a manager of IT over here, maybe a liaison in legal, and here I am.

I am the IS manager, and I have to work with all of these. Rather than putting my fingers into each of these organizations, I should apply what we call separation of duties and assign responsibilities and roles to those senior managers. That way they can do their work independently, without any conflict of interest, and without information security (or anybody else) interfering with another department. As a strategy, it is a good one for incorporating the ideas and support of the organization you want to influence, by assigning the activities or responsibilities to those senior managers.

100. Security Reviews and Audits Part1

Another important aspect of information security program development and management is having security reviews and audits. If you are thinking that a security review and an audit sound the same, well, they do share some activities. But when we do a security review, what we are really trying to do is apply a consistent, standardized approach to assessing and evaluating the state of various aspects of the program. It is not ad hoc. Ad hoc means you wake up one day and say, I am going to look and see how the firewall is working. Say no to ad hoc. So when we do a security review, number one, you have to have a target: a goal and objective of what we are trying to do. We also have to keep it within a scope.

That is one of the hardest things. When you have independent people come in and do security reviews, some people call it white-hat hacking, and maybe the scope says, I want you to look at the web server. While they are doing that work, they come across a database server somewhere. Here is the thing: just because you see it does not mean you have permission or the objective to go and test it as well. We have to stay within the scope of what we are doing; you could almost call that a constraint. And remember, if it is an outside party you are hiring to do this, the scope is going to be part of a statement of work. I call it the get-out-of-jail-free card, because if you have permission to test the security, maybe attempting an intrusion into a machine, and it is part of your statement of work, then you are covered.

You have the contract, you have the scope and the constraints of what you are doing, and you are not going to get in trouble for breaking into the machine if you are successful, because you have the contract. But if you suddenly say, oh, I saw an HR server, let's go test it while I'm here, then you are in some trouble. We also have to have an approach, almost like a checklist: what are you going to do, and why are you doing it? Again, make sure it is part of that statement of work. And of course our goal is to have a result. The result could be as simple as pass or fail, but it should be more than that: good documentation of your findings, and ideally your recommendations on what to do about them.
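To make the scope point concrete, here is an added example (not from the course) of how a testing team can enforce the statement of work in its own tooling. It assumes, hypothetically, that the SOW lists in-scope CIDRs and hostnames plus an exclusion list; the addresses and hostnames below are constructed. Anything discovered that is not in scope goes on a report-only list for the client, and the guard refuses to run an active test against it.

```python
"""Scope enforcement for a security review (added example; not from the course).

Hypothetical statement-of-work format: 'in_scope' and 'excluded' lists whose
items are CIDRs, single IPs or hostnames. Anything not in scope, even if it is
discovered mid-engagement (the HR server), is reported and never tested."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Scope:
    networks: tuple          # in-scope ip_network objects
    hosts: frozenset         # in-scope hostnames, normalised
    excluded_networks: tuple
    excluded_hosts: frozenset


def _norm_host(name: str) -> str:
    return name.strip().lower().rstrip(".")


def parse_scope(sow: dict) -> Scope:
    """Build a Scope from the SOW dict; anything that is not a CIDR/IP is a hostname."""
    nets, hosts, ex_nets, ex_hosts = [], set(), [], set()
    for items, net_out, host_out in ((sow.get("in_scope", []), nets, hosts),
                                     (sow.get("excluded", []), ex_nets, ex_hosts)):
        for item in items:
            try:
                net_out.append(ipaddress.ip_network(item, strict=False))
            except ValueError:
                host_out.add(_norm_host(item))
    return Scope(tuple(nets), frozenset(hosts), tuple(ex_nets), frozenset(ex_hosts))


def in_scope(scope: Scope, target: str) -> bool:
    """Exclusions win over inclusions; unknown targets are out of scope by default."""
    try:
        ip = ipaddress.ip_address(target.strip())
    except ValueError:
        name = _norm_host(target)
        return name in scope.hosts and name not in scope.excluded_hosts
    if any(ip in net for net in scope.excluded_networks):
        return False
    return any(ip in net for net in scope.networks)


def triage(scope: Scope, discovered: list) -> dict:
    """Split discovered hosts into those we may test and those we only report."""
    return {"test": [t for t in discovered if in_scope(scope, t)],
            "report_only": [t for t in discovered if not in_scope(scope, t)]}


def require_in_scope(scope: Scope, target: str) -> str:
    """Call this before every active test; it refuses out-of-scope targets."""
    if not in_scope(scope, target):
        raise PermissionError(f"{target} is outside the statement of work: report it, do not test it")
    return target


# Constructed SOW and discovery results (documentation ranges, not real hosts).
SOW = {"in_scope": ["203.0.113.0/28", "www.example.com"], "excluded": ["203.0.113.5"]}
DISCOVERED = ["203.0.113.4", "203.0.113.5", "203.0.113.40", "www.example.com", "hr-db.example.com"]


def demo() -> dict:
    return triage(parse_scope(SOW), DISCOVERED)


if __name__ == "__main__":
    result = demo()
    print("may test:   ", result["test"])
    print("report only:", result["report_only"])
```

The report-only list is what goes back to the client as an observation (we saw an HR database server adjacent to the web server); whether it becomes a scope change is their decision, documented as an amendment to the statement of work, not the tester's.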

So that is the security review. An audit, as I said, has similar goals with respect to the controls, but one of the things an audit does is establish where we are in terms of compliance. With a security review I am looking to assure that the assumptions we made about our security are in fact being realized. An audit maps a control to a control objective (remember, a control is a countermeasure). It also documents what tests were conducted, and that documentation has to be right: it has to be something that somebody could go back and repeat. Then, based on those tests and their results, we link them to the final assessment.

101. Security Reviews and Audits Part2

Of course somebody has to fill the role of auditor. It is a very important responsibility within the security review and audit process. You do not have to think of it as a single person; it could be a group of people. They are the ones who come up with the test plans and perform the tests. Unfortunately, they are often seen in a negative light by IT staff, mainly because IT staff sometimes worry that their jobs are on the line, or that somebody is going to make fun of their work or call them incompetent. But that is only in the eyes of the IT staff. The auditor's job is to help IT come up with a more secure solution, or to be able to say, hey, you are right on target.

That also means auditors need to be unbiased, including unbiased by vendor. If I worked for Company A, a router vendor, and you asked me to audit your network, I would probably tell you all the Company B equipment is garbage and you need to get rid of it, just to sell more of Company A. Auditors should also work within the appropriate organizational unit, and that means there has to be a schedule. Scheduling is important because some types of testing might crash a server, and noon, when that server is needed, is not a good time for that. And of course auditing can be done internally or externally. There is nothing wrong with an internal audit at all, but if you are trying to get some sort of certification, it is better to have an even more unbiased external audit by somebody outside the organization.

102. Management of Security Technology

When we look at the management of security technology, what typically happens inside a security program is that you have a lot of different vendors; we call this a heterogeneous setup. Trying to stay vendor neutral, what I mean is you might have Cisco routers, HP switches, maybe a Juniper firewall, and the list goes on. There is nothing wrong with that. As long as they all run open standards it is fairly straightforward, but it does mean different types of controls within your organization, and the goal, of course, was that you got the best tool for the purpose you needed. It could also be that you are a single-vendor shop.

But you have some older equipment and some newer equipment, so it can also be a combination of new versus legacy equipment, even from the same vendor. What is important is that through management you are handling each of those controls in an appropriate way, following best practice and everything we have talked about. We also have to remember competencies: we need team members with a mixture of competencies, and sometimes that can be a problem. If somebody is really good with vendor A but just mediocre with vendor B, does that introduce any potential risk for your security program?

103. Due Diligence Part1

Now, the term due diligence refers to what we call a standard of due care. People say, well, I am not exactly sure what you mean. It means we are taking the steps a reasonable person would take to make sure we meet a certain standard of security. Think of it like this. Suppose I have a list of best practices, and somebody steals my customers' credit cards from my network. As the lawsuits begin for the damages done to them and they come after your company, they start studying and realize you were below the best practice level. Were you reasonable? If you were below those standards, could that make you more liable? Could that mean a larger penalty against your company? There is nothing wrong with being better than the best practices.

But again, have you done your due diligence to make sure you are at least at that baseline? That means there are some basic components we look for as examples of a reasonable security program. The first, of course, is senior management support. You have heard me say many times that senior management has to buy in to what is happening. Next, we need comprehensive standards, procedures and policies in place. It is unreasonable to expect them for all situations, because there are some situations we might just not have planned for, like a meteor coming out of the sky and destroying your building. But for the very well known issues and events, risks, threats and vulnerabilities, we should be able to show that we have policies in place to protect our information and tell us what procedures to follow and what standards to adhere to.

We want to show that we have appropriate education and awareness training. That is not just the security awareness training for employees I talked about. If I buy firewall A, did I give the people in my company training on how to use firewall A? Do they have the appropriate education and awareness of the issues to work correctly with it? Have I sent any of my people to the latest SANS conference, or to Black Hat, and so on? Am I giving them training? I realize that is an extra cost. Are you doing periodic risk assessments? In other words, do not treat your controls as fire and forget; they need to be constantly reassessed to make sure we are still at least at that baseline of security.

Have you implemented adequate security controls? That is another issue in today's world, because there is so much going on. People use WiFi throughout the network, and that is an entryway: are we using proper encryption for that control? What are we doing about the person who brings in a smartphone, connects it to the wireless network, and still has a cellular connection to the outside world? Is that another intrusion path? Those are just two examples out of hundreds you could come up with. And of course, can we show that we have tested our business continuity and disaster recovery plan? Even something as basic as testing your backups: can you restore them to make sure they are restorable? If they are not, you fix that right away, so that if a server crashes you can bring it back very quickly.
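An added example (not from the course) of the backup test just described: build a backup together with a checksum manifest, restore it into a scratch directory, and compare every restored file against the manifest, so "are the backups restorable?" gets a checked answer with the specific files that differ. The archive layout, manifest format and sample files are constructed for the example. The restore step also refuses archive entries that would write outside the restore directory, a check real restore tooling needs.

```python
"""Restore test for backups (added example, not from the course).

Constructed scenario: a nightly tar.gz of a data directory plus a manifest of
SHA-256 hashes recorded at backup time. verify_restore() restores the archive
into a scratch directory and reports missing, changed and unexpected files."""
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's relative POSIX path to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> None:
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(src).as_posix())


def restore(archive: Path, dest: Path) -> list:
    """Extract regular files only, refusing any entry that would land outside dest."""
    dest = dest.resolve()
    restored = []
    with tarfile.open(str(archive), "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = (dest / member.name).resolve()
            if dest not in target.parents:       # blocks ../ and absolute names
                raise ValueError(f"refusing to restore {member.name!r} outside {dest}")
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as out:
                shutil.copyfileobj(src, out)
            restored.append(member.name)
    return restored


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore into a scratch directory and diff the result against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        restore(archive, Path(scratch))
        actual = build_manifest(Path(scratch))
    missing = sorted(set(manifest) - set(actual))
    unexpected = sorted(set(actual) - set(manifest))
    mismatched = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {"ok": not (missing or unexpected or mismatched),
            "missing": missing, "unexpected": unexpected, "mismatched": mismatched}


def demo() -> tuple:
    """Constructed data: one good backup and one whose content silently changed."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'alice');\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        manifest = build_manifest(src)            # what the catalog says we backed up

        good = work / "nightly-good.tgz"
        make_backup(src, good)
        good_result = verify_restore(good, manifest)

        # A backup taken after a file changed, still catalogued under the old manifest.
        (src / "config.yaml").write_text("retention_days: 7\n")
        bad = work / "nightly-bad.tgz"
        make_backup(src, bad)
        bad_result = verify_restore(bad, manifest)
    return good_result, bad_result


if __name__ == "__main__":
    for label, result in zip(("good", "bad"), demo()):
        print(label, "restorable" if result["ok"] else "FAILED", result)
```

Run on a schedule against the real backup location, this turns the due-diligence question into evidence you can show an auditor: the date, the archive, and a pass or a list of files that did not come back as recorded.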

104. Due Diligence Part2

As we continue to think about due diligence, it is important that the information security manager is aware of the various standards for managing and controlling access to information resources. Depending on the type of company you are, there may be different standards you want to adhere to: the AICPA, which publishes standards for accounting; the CICA, which is its Canadian counterpart; the International Organization for Standardization (ISO), which has many standards and guidelines we can follow; and ISACA as well. The NFPA covers fire prevention. Many industries have their own standards that you want to be able to say you adhere to.

Staying with due diligence, even the Federal Energy Regulatory Commission (FERC) has standards. As part of your due diligence, if you are the information security manager, or even if you are just involved in security, you should be doing continuing research into the newest security threats. You should be reading the boards and the CVE sites, and looking at Microsoft, Cisco, or whatever vendor publishes updates, security warnings or new vulnerabilities. It is a way of making sure you are on top of current issues, so that you are doing your due diligence to stay secure.

105. Compliance Monitoring and Enforcement Part1

Now let's look at compliance monitoring and enforcement. Compliance enforcement is a process you have to consider during program development. As I wrote here, you can think of it as any activity within the information security program that ensures compliance with your standards, policies and procedures. In other words, if you have written them down and made sure everybody has the training and understands those standards, policies and procedures, what do you do if they are not being followed? What if somebody goes outside of policy? As I said, it is impossible to write a policy for every contingency, but you can certainly write them for most. And if somebody is going outside of a policy, number one, how do you know? Hopefully because you have a system of monitoring in place to verify compliance.

Hopefully you also have a process where, if somebody goes outside of policy, they have to document why they did so; sometimes that leads to an improvement of a policy or to something new. That is why I said that designing these policies and procedures can be complicated. Policy compliance is our basis for accountability, and we do hold people accountable: if they are not staying within policy, they may not be working there any longer, because they are certainly introducing more risk to the corporation. Policies should be comprehensive, covering as many situations as possible, although it is impossible to cover all of them, and we have to make sure there are no orphans. An orphan is a piece of equipment sitting in your network that no policy talks about, nothing that tells us what its minimum standards are or what its desired state is. Why is it there? Orphans are the items that are not being addressed.
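The audit and compliance-monitoring ideas above (a control mapped to its objective, a repeatable test, results linked to an assessment, orphans with no baseline, and documented exceptions that expire) can be expressed as a check you re-run on a schedule. The following is an added example, not from the course or from any ISACA material; the control identifiers, baselines, inventory and exceptions are all constructed.

```python
"""Compliance monitoring over a constructed asset inventory (added example, not
part of the course). Each control maps to the objective it serves and to a
repeatable test, so an auditor can re-run the same check and get the same
result; assets whose class has no baseline are reported as orphans; documented,
time-boxed exceptions are honoured until they expire."""
from datetime import date

# Constructed control catalogue: id -> objective and a deterministic test over config.
CONTROLS = {
    "AC-01": {"objective": "Vendor default credentials are not in use",
              "test": lambda cfg: cfg.get("default_creds_changed") is True},
    "AC-02": {"objective": "Privileged access is individually accountable",
              "test": lambda cfg: cfg.get("shared_admin_accounts", 1) == 0},
    "CM-01": {"objective": "Security fixes are applied within 30 days",
              "test": lambda cfg: cfg.get("patch_age_days", 9999) <= 30},
    "SC-01": {"objective": "Wireless traffic uses a current encryption protocol",
              "test": lambda cfg: cfg.get("encryption") in {"WPA2", "WPA3"}},
}

# Baseline per asset class. A class with no entry is an orphan: nothing states
# its minimum standard or desired state.
BASELINES = {
    "server": {"AC-01", "AC-02", "CM-01"},
    "network": {"AC-01", "CM-01"},
    "wireless": {"AC-01", "SC-01"},
}

# Constructed inventory with the configuration state each asset reported.
INVENTORY = [
    {"id": "srv-01", "class": "server",
     "config": {"default_creds_changed": True, "shared_admin_accounts": 0, "patch_age_days": 12}},
    {"id": "srv-02", "class": "server",
     "config": {"default_creds_changed": True, "shared_admin_accounts": 2, "patch_age_days": 45}},
    {"id": "rtr-01", "class": "network",
     "config": {"default_creds_changed": False, "patch_age_days": 3}},
    {"id": "wap-01", "class": "wireless",
     "config": {"default_creds_changed": True, "encryption": "WEP"}},
    {"id": "prn-01", "class": "printer",
     "config": {"default_creds_changed": False}},
]

# Documented deviations from policy: who, which control, why, and until when.
EXCEPTIONS = [
    {"asset": "srv-02", "control": "CM-01", "expires": date(2030, 1, 31),
     "reason": "vendor patch breaks application; fix scheduled for next release"},
    {"asset": "srv-02", "control": "AC-02", "expires": date(2020, 6, 30),
     "reason": "legacy shared account pending removal"},
]


def evaluate(inventory, controls, baselines, exceptions, as_of: date) -> dict:
    """Run every applicable control test and link each result to its objective."""
    findings, passed, excepted, orphans = [], [], [], []
    active = {(e["asset"], e["control"]): e for e in exceptions if e["expires"] >= as_of}
    for asset in inventory:
        required = baselines.get(asset["class"])
        if required is None:
            orphans.append(asset["id"])
            continue
        for cid in sorted(required):
            ctl = controls[cid]
            ok = bool(ctl["test"](asset["config"]))
            record = {"asset": asset["id"], "control": cid,
                      "objective": ctl["objective"], "result": "pass" if ok else "fail"}
            if ok:
                passed.append(record)
            elif (asset["id"], cid) in active:
                record["exception"] = active[(asset["id"], cid)]["reason"]
                excepted.append(record)
            else:
                findings.append(record)
    return {"as_of": as_of.isoformat(), "findings": findings, "passed": passed,
            "excepted": excepted, "orphans": orphans}


def failing_pairs(report: dict) -> set:
    return {(f["asset"], f["control"]) for f in report["findings"]}


def demo_report() -> dict:
    # Fixed date so the expired exception is handled the same way on every run.
    return evaluate(INVENTORY, CONTROLS, BASELINES, EXCEPTIONS, as_of=date(2024, 1, 15))


if __name__ == "__main__":
    report = demo_report()
    for f in report["findings"]:
        print(f"FAIL {f['asset']} {f['control']}: {f['objective']}")
    for e in report["excepted"]:
        print(f"EXCEPTED {e['asset']} {e['control']}: {e['exception']}")
    print("orphans (no baseline):", report["orphans"])
```

Two things in the output carry the accountability the lecture talks about: the expired exception on srv-02 reverts to a finding instead of quietly staying excused, and the printer shows up as an orphan rather than passing by default because nothing tested it.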
