Managing risk across an organization requires a lot of different things: setting strategy, determining tolerance, defining metrics. These are critical in your overall risk management efforts, and even more so in information security. But where do you begin? There’s no denying it can feel like a daunting task. It’s hard to make sure that information is available when needed while keeping it safe from people who want to steal or destroy it. However, it’s easier if you use a methodical and easy-to-follow system.
1. Select and Implement Controls
First things first: Decide HOW you will secure your information. This means putting certain controls in place to ensure you’re doing what you need to do, and at the appropriate level, to meet security policy and control risk requirements. These controls can be technical – that is, implemented as settings in software, hardware or system tools – or non-technical, such as processes or administrative tasks.
For example, if it’s company policy that all systems have a configuration management program with a process for formally approving changes, this would be a non-technical control. It’s a process that must be implemented and conducted manually. However, if it’s policy that passwords must be at least 15 characters with at least one upper case, one lower case, a number, and a special character, and that this password policy be automatically enforced, this would be a technical control. It is implemented in and enforced by the system without any human input.
The control level should depend on the sensitivity and criticality of the information the system is processing. For instance, a system that stores archived digital marketing brochures would be less critical than a system that stores medical and dental records for a hospital. So, the records system may require 15-character passwords, as well as a smart card token to access it, whereas the content archiving system may only require a simple eight-character password. Understanding your risk tolerance and the importance of the information, together with company policy, will guide your selection of controls and how and where they’re implemented.
2. Test to Verify and Monitor for Effectiveness
Once your controls are selected and in place, the job isn’t done. You need to regularly test them to ensure they are meeting the security objectives as intended. Using the non-technical control example from above, you could review configuration management documentation to confirm the program exists and check that all configuration changes have been approved. To test a technical control, such as password length and enforcement, you could try to change a password to less than the required length and ensure that the system won’t allow the change. Of course, this testing process will need to be repeated to cover the entire scope of your controls program, but I think you can see how this can be done.
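The password policy from step 1 and the test from step 2 can be carried through in code. The following is an added example, not code from the article or from Delta Risk: it enforces the article's stated policy (15 characters, upper case, lower case, digit, special character) inside a simulated password-change path, then runs the verification the author describes, attempting a non-compliant change and confirming the system refuses it. The user store, user names and sample passwords are constructed for the example.

```python
import string

# Policy parameters, taken from the article's technical-control example.
MIN_LENGTH = 15


def check_password_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case letter")
    if not any(c.islower() for c in password):
        violations.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        violations.append("no digit")
    if not any(c in string.punctuation for c in password):
        violations.append("no special character")
    return violations


def set_password(user_store: dict, username: str, new_password: str) -> bool:
    """Simulated password-change path (constructed for the example).

    The control is enforced here, by the system, with no human in the loop:
    a non-compliant password is refused and nothing is changed.
    """
    if check_password_policy(new_password):
        return False
    # A real system would store a salted, slow hash; the example only records
    # that a compliant password was set.
    user_store[username] = True
    return True


def verify_password_control() -> dict:
    """Step 2 test: try to violate the policy and confirm the system won't allow it."""
    store = {}
    return {
        # 10 characters, everything else compliant: must be rejected for length alone
        "rejects_short": not set_password(store, "alice", "Sh0rt!pass"),
        # 16 characters but no digit: must also be rejected
        "rejects_no_digit": not set_password(store, "alice", "NoDigitsInHere!!"),
        # fully compliant: must be accepted
        "accepts_compliant": set_password(store, "alice", "Correct-Horse-Battery9"),
        # nothing was stored for the two rejected attempts
        "store_untouched_by_rejections": len(store) == 1,
    }


if __name__ == "__main__":
    for check, passed in verify_password_control().items():
        print(f"{check}: {'PASS' if passed else 'FAIL'}")
```

Each check in verify_password_control is a control test in the article's sense: the expected outcome is known in advance, and a FAIL means the control, not the test, needs investigation. Re-running it after every change to the password subsystem is the repeatable testing the article calls for.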
Now you need to monitor everything going on in the network to make sure that from a security standpoint, controls are doing what you intended. For example, suppose you have an awareness and training policy that says, “All users will complete annual awareness training at least once every 365 days.” But while monitoring the specific control to enforce this policy, you learn that 10 percent of users haven’t completed the training within 365 days. This tells you that something is wrong with the control and requires investigation and, likely, an adjustment. This is a very over-simplified example of one failed control but illustrates why monitoring is necessary.
While the above example would require a manual control action – the administrator would likely have to track user training and manually check dates for compliance as the monitoring step – much of the monitoring could be done automatically and continuously. Done correctly, this provides a near real-time, simultaneous assessment of controls. If you have vast amounts of data on a large network, it’s easy to see why you would need to automate monitoring, but even on a smaller network, the benefits of automation are evident.
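The training-compliance check above is a good candidate for the automated, continuous monitoring the author describes. The following is an added example, not code from the article or from Delta Risk: it evaluates the article's policy ("at least once every 365 days") against a constructed set of ten training records as of a given date, reports the overdue percentage, and flags the control for investigation when anyone is out of compliance. The record format, user names, dates and threshold are assumptions made for the example.

```python
from datetime import date, timedelta

POLICY_WINDOW_DAYS = 365  # "at least once every 365 days", from the article's example

# Constructed sample: last completion date per user; None means never completed.
# Ten users with one never trained reproduces the article's "10 percent" finding.
TRAINING_RECORDS = {
    "alice": date(2024, 3, 1),
    "bob": date(2023, 7, 1),     # exactly 365 days before the snapshot date below
    "carol": None,               # never completed the training
    "dave": date(2024, 1, 10),
    "erin": date(2023, 11, 5),
    "frank": date(2024, 5, 20),
    "grace": date(2023, 9, 12),
    "heidi": date(2024, 2, 29),
    "ivan": date(2023, 12, 31),
    "judy": date(2024, 6, 1),
}


def overdue_users(records: dict, as_of: date) -> list:
    """Users whose last completion is missing or older than the policy window.

    A completion exactly POLICY_WINDOW_DAYS ago is still within the window.
    """
    cutoff = as_of - timedelta(days=POLICY_WINDOW_DAYS)
    return sorted(user for user, last in records.items()
                  if last is None or last < cutoff)


def compliance_report(records: dict, as_of: date) -> dict:
    """One monitoring snapshot: who is overdue and what share of the population that is."""
    overdue = overdue_users(records, as_of)
    pct = 100.0 * len(overdue) / len(records) if records else 0.0
    return {"as_of": as_of.isoformat(), "total": len(records),
            "overdue": overdue, "overdue_pct": round(pct, 1)}


def control_needs_investigation(report: dict, tolerance_pct: float = 0.0) -> bool:
    """Decision step: any overdue share above the tolerated level means the control
    is not doing what was intended and must be investigated and likely adjusted."""
    return report["overdue_pct"] > tolerance_pct


if __name__ == "__main__":
    # In production this would run on a schedule against the training system's
    # export; here it runs once over the constructed records.
    report = compliance_report(TRAINING_RECORDS, date(2024, 6, 30))
    print(report)
    print("investigate:", control_needs_investigation(report))
```

Running the same snapshot on a later date moves more users past the cutoff, which is the point of scheduling it rather than checking once: bob is compliant on 30 June 2024 and overdue a month later. The tolerance_pct parameter is where an organization's stated risk tolerance for this control enters the check; the article's example treats any shortfall as a failed control, so the default is zero.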
3. Adjust, Update, and Repeat
Now that your controls are in place, and you’re actively testing and monitoring them to ensure they continue to operate as expected, what’s next? What good is all this implementing, testing, and monitoring? Well, for one thing, threats are always changing and, if you’re not reorienting for them, you’re putting your information, business, and mission at risk.
Additionally, all too often when we fix one thing or add another to a network, we expose a new risk. This process of select, implement, test, and monitor, coupled with adjusting in a continuous cycle, will ensure that risk is kept to a minimum.
Conclusion
While not the holy grail of cyber security, selecting the proper controls for your organization is a critical first step for ensuring that your information security program meets your risk tolerance. Once implemented, testing and monitoring these controls will help validate and visualize the status of your overall security. If they aren’t performing as intended, adjusting them until they are – while continuing to test and monitor – will put them back on track. While it seems quite a task, and it certainly can be, following these basic steps can go a long way in setting you down the right path. If you’re looking for direction, there’s a lot of information available from the National Institute for Standards and Technology and the Institute for Standards Organization on best practices for implementing controls. If you need additional guidance, or help setting up policies and procedures, you can also tap into the expertise of a professional security consulting firm like Delta Risk.
John LeBrecht is senior security consultant at Delta Risk LLC.