Mature IT Processes are Essential to Effective Enterprise Security
Enterprise information security is a function, not a role. While we hire technical folks and call them our “security team,” the expectations around implementing security are distributed throughout the business, and especially across the IT staff.
The security department is responsible for creating the policies and standards that govern the organization, but we depend on network administrators, system administrators, developers, DBAs, project managers, desktop support and others to ensure that those standards are actually implemented.
As an example, imagine…
Funding finally gets approved for those critical network security enhancements you’ve needed for years. You purchase and implement the latest and greatest firewalls, DLP, IPS, anti-DDoS and WAF systems. Things are good. Of course you realize that no security is perfect, but you feel comfortable that you’re at an acceptable level of risk.
A few months go by. Your security controls have withstood the best that the bad guys have thrown at you. Then one fateful day it happens. A harried network administrator sets up a connection from a new ISP. Within minutes of the link being stood up, the bad guys have discovered the new public IP and found their way into the soft, squishy center of your network.
All it took was one unapproved network change to render all your countermeasures useless. By setting up a new internet gateway without working with the security team, the network admin created a path into the network that none of the new firewalls, IPS or WAF ever saw, a backdoor that gave malicious users no-holds-barred access directly to the corporate treasures.
The reality is that the Information Security team is only as good as the processes of the IT department they work to protect. The most basic tenet of information security governance is that when policies, standards and guidelines are created, they will be followed. Information security governance is only successful when supported by a larger, well-implemented IT governance.
I picked on a network administrator in my story, but they are just the easiest example, certainly not the only one.
- Information security can purchase and implement cutting-edge code-review tools and vulnerability testing systems, but if application developers are making changes to production on-the-fly, those tools can’t keep a web application secure.
- The security team may create standards and baselines for laptop configurations that prevent users from downloading malicious software, but if desktop support gives the user local administrator privileges, all those security tools can easily be disabled.
- The information security organization may have specific requirements for that great new system, but if the Project Management Office (PMO) doesn’t include a security representative in project scoping, the security requirements will never be known, and will not find their way into the final product.
Each member of the IT team is critical to a successful enterprise security program. Information security governance is first and foremost about governance, and governance has to be implemented across the whole IT organization, not just within the security team.
Normally we might look for signs of an organization’s cyber security fitness in metrics like patch levels, web application vulnerabilities, and firewall configurations. But in order to step back and see the real state of our companies’ information security programs, we need to include measures that capture the state of IT governance overall.
Some key questions include:
- Are our IT teams properly staffed? Overloaded IT technicians are much more likely to skip steps. The steps they’re most likely to skip include testing and documenting, both of which are essential to security.
- Do teams know what they’re in charge of? Every process needs one team to own it, and every team needs to know what it’s responsible for. Documentation around who owns each function is critical.
- Do we have reliable, up-to-date inventory lists and network diagrams? We may have the best-intentioned system administrators, and they may be fantastic at keeping their systems up to date with all required security controls. Yet if their documentation does not include every system for which they are responsible, we will almost certainly have systems that are not protected, because nobody knows to protect them.
- How well understood and accepted is the Change Advisory Board (CAB) process? What percentage of implemented changes actually went through the CAB? Are we ensuring that changes to our systems are reviewed by a cross-functional team to minimize change risk? The CAB process is a valuable opportunity for proposed changes to be reviewed for their impact on the overall environment, and it also serves as a tool for keeping disparate teams informed about one another’s projects.
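The two questions above about inventories and CAB coverage can be turned into concrete checks rather than opinions. The script below is an added example, not code from the original post: it reconciles an asset inventory against what is actually observed facing the internet (the way the undocumented ISP link in the story would surface), and it measures what share of implemented changes carry a CAB approval. The inventory, observed addresses, change records and the CSV field names are all constructed for illustration; a real run would feed it an export from the CMDB, an external scan, and the change-management system.

```python
"""Governance checks behind two of the questions in the post:
inventory-versus-reality reconciliation and CAB coverage of changes.
Added example, not from the original post; every record below is constructed
and the field names (change_id, system, implementer, cab_ticket) are hypothetical."""
import csv
import io
from dataclasses import dataclass

# Constructed asset inventory: the internet-facing systems we have documented.
INVENTORY = [
    {"name": "fw-edge-1", "ip": "203.0.113.10", "owner": "network"},
    {"name": "fw-edge-2", "ip": "203.0.113.11", "owner": "network"},
    {"name": "web-app-prod", "ip": "203.0.113.20", "owner": "appdev"},
    {"name": "vpn-1", "ip": "198.51.100.5", "owner": "network"},
]

# Constructed observation of what actually answers from the internet
# (e.g. an external scan). 192.0.2.77 is the undocumented new ISP link.
OBSERVED_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.20", "192.0.2.77"]

# Constructed change records: every implemented change, with the CAB
# ticket it was approved under (empty when the change bypassed the CAB).
CHANGE_LOG = """\
change_id,system,implementer,cab_ticket
CHG-1001,fw-edge-1,alice,CAB-77
CHG-1002,web-app-prod,bob,
CHG-1003,fw-edge-3,carol,
CHG-1004,vpn-1,alice,CAB-79
"""


@dataclass(frozen=True)
class Change:
    change_id: str
    system: str
    implementer: str
    cab_ticket: str


def parse_changes(text: str) -> list:
    """Parse the CSV change log into Change records."""
    reader = csv.DictReader(io.StringIO(text))
    return [Change(r["change_id"], r["system"], r["implementer"], r["cab_ticket"])
            for r in reader]


def unapproved_assets(observed_ips, inventory) -> list:
    """Internet-facing addresses that no inventory entry accounts for.
    Each one is a system the security program does not know it has."""
    documented = {entry["ip"] for entry in inventory}
    return sorted(set(observed_ips) - documented)


def stale_inventory(observed_ips, inventory) -> list:
    """Inventory entries not observed: decommissioned, or documented wrongly.
    Either way the diagram no longer matches reality."""
    seen = set(observed_ips)
    return sorted(entry["name"] for entry in inventory if entry["ip"] not in seen)


def cab_coverage(changes):
    """Fraction of implemented changes that reference a CAB ticket,
    plus the list of changes that bypassed the CAB."""
    bypassed = [c for c in changes if not c.cab_ticket]
    coverage = 1.0 - len(bypassed) / len(changes) if changes else 1.0
    return coverage, bypassed


def changes_to_undocumented_systems(changes, inventory) -> list:
    """Changes whose target system is not in the inventory at all: the
    strongest signal that something was built outside the process."""
    known = {entry["name"] for entry in inventory}
    return [c for c in changes if c.system not in known]


if __name__ == "__main__":
    changes = parse_changes(CHANGE_LOG)
    print("Observed but undocumented:", unapproved_assets(OBSERVED_IPS, INVENTORY))
    print("Documented but not observed:", stale_inventory(OBSERVED_IPS, INVENTORY))
    coverage, bypassed = cab_coverage(changes)
    print(f"CAB coverage: {coverage:.0%}; bypassed: {[c.change_id for c in bypassed]}")
    print("Changes to systems not in inventory:",
          [(c.change_id, c.system, c.implementer)
           for c in changes_to_undocumented_systems(changes, INVENTORY)])
```

On the constructed data the report flags 192.0.2.77 as observed but undocumented, vpn-1 as documented but not observed, a CAB coverage of 50%, and CHG-1003 (fw-edge-3, implemented without a CAB ticket) as a change to a system the inventory has never heard of. That last cross-check is the one worth running routinely: a change record for an unknown system is exactly how the network admin’s new gateway would have shown up before an attacker found it.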
Enterprise Information Security is a complex subject, and it cannot be handled by the security team by itself. Maturing information security processes must occur hand-in-hand with maturing IT governance.
Cross-posted from the Enterprise InfoSec Blog by Robb Reck