Understanding the Fundamentals
IS Centurion understands the importance of getting the basics right before making life more difficult than it ever needs to be. This is why IS Centurion insists that all of our Consultants have earned their knowledge and skills by working through the ranks and now have the experience required to be regarded as highly respected Security Generalists. Much like the rank of General, this status is not easy to achieve: it requires a long and successful career, with demonstrated competence in the strategic decision making that helps businesses design suitable defences for the protection of their assets.
Before a business does anything else, it needs to identify its most critical assets: the systems and data that, if compromised or stolen, would have the biggest impact on the organisation. Having identified these assets, the business can then investigate the types of aggressor who would seek to gain unauthorised access to them, and what each of them is capable of.
Building on the Foundations
Next comes the initial Risk Assessment. This is essential for deciding on the defensive approach that best suits your business operation. For example, if the asset is highly confidential data that needs to be securely retained for 25 years but that no one will need to access, you may decide that the most effective course of action is to lock it in a strong box, encase the strong box in concrete and bury it under the ground.
However, if authorised persons will need access to the asset, your next course of action is to develop the policies that need to be applied and followed. If the assets are located in a building, you will need a policy that articulates how physical access is to be securely controlled. During the development of this policy you will identify the supporting technologies it depends on. For example, a Physical Security policy could help mitigate the risks of Theft, Natural Disaster and Espionage by insisting that physical barriers, environmental systems and visitor control processes are implemented. Of course, having written the policy, you will need to implement the technical measures and ensure that the procedures to operate them are developed.
Having developed and applied suitable policies, technologies and procedures, you will have mitigated a great deal of the risk presented by your identified threats. However, because people are involved in the operation and maintenance of these defensive measures, an inherent risk remains that needs to be assessed and managed through effective Incident Management, Security Education and, where necessary, Disciplinary action.
After a mature InfoSec strategy has been developed and implemented, an organisation will fully understand the assets it is protecting, the appropriateness of the defences being applied and the risks being mitigated. In fact, it is recommended that risks be reassessed during each phase of your policy development, so that you can recognise the value of each protective measure as it is applied.
Once all of this has been successfully implemented as part of your InfoSec Strategy, some residual risk will remain. That residual risk should be one you are comfortable with, within your risk appetite, and formally accepted rather than simply overlooked.
With so many data breaches originating from poor processes, it is highly recommended that businesses recognise the importance of well-tailored, well-written policies and procedures in the defence of your realm. The documentation is far more than 'ticking a box' because a framework states you need one, or because its absence is recognised as an audit failing.
Effective documentation is the skeletal structure of your defences, and failure to adhere to the policies and procedures is a good indicator of an ineffective policy that increases risk rather than reducing it. For example, a business employs a robust-looking password policy (12 characters, mix of uppercase/lowercase/special characters, changed every 30 days, password history of 8), supported by daily checks of the access logs. The daily checks reveal a high number of account lockouts and password reset requests, showing that personnel are forgetting their passwords. From this it is reasonable to infer that other employees are writing down or storing their passwords somewhere, or are reusing the same password across multiple applications/accounts, which increases the risk of their account credentials becoming compromised. The policy is generating the behaviour it was meant to prevent, and the forced 30-day rotation is the usual cause; this is why current guidance such as NIST SP 800-63B recommends against routine periodic rotation in favour of long passwords, breach-list screening and multi-factor authentication.
Ensure that you periodically remind your personnel, through security awareness training, of what must be done (Policies), how it should be done (Procedures/Standards) and why it matters (Risks).
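The daily log check described above, as an added example written for this page rather than any IS Centurion tooling: it parses a constructed day of access-log lines (the syslog-style key=value format, the user names and the 5% baseline are all assumptions), counts the users who were locked out or needed a helpdesk password reset, and flags the day when that share exceeds the baseline, which is the signal that the password policy is driving people towards writing down or reusing passwords.

```python
import re
from collections import defaultdict

# Constructed sample of one day's access log, invented for this example.
# The format (syslog prefix plus key=value fields) is an assumption, not
# the output of any particular product.
SAMPLE_LOG = """\
Mar 03 08:01:12 app01 auth: user=alice result=FAILED reason=bad_password src=10.0.1.15
Mar 03 08:01:20 app01 auth: user=alice result=FAILED reason=bad_password src=10.0.1.15
Mar 03 08:01:31 app01 auth: user=alice result=LOCKED reason=too_many_failures src=10.0.1.15
Mar 03 08:05:02 app01 helpdesk: user=alice action=PASSWORD_RESET ticket=HD-1042
Mar 03 08:07:44 app01 auth: user=bob result=SUCCESS src=10.0.1.22
Mar 03 08:09:10 app01 auth: user=carol result=FAILED reason=bad_password src=10.0.1.30
Mar 03 08:09:15 app01 auth: user=carol result=SUCCESS src=10.0.1.30
Mar 03 08:15:55 app01 helpdesk: user=dave action=PASSWORD_RESET ticket=HD-1043
Mar 03 08:16:30 app01 auth: user=dave result=SUCCESS src=10.0.1.41
Mar 03 08:20:00 app01 auth: user=erin result=FAILED reason=bad_password src=10.0.1.50
Mar 03 08:20:05 app01 auth: user=erin result=FAILED reason=bad_password src=10.0.1.50
Mar 03 08:20:09 app01 auth: user=erin result=LOCKED reason=too_many_failures src=10.0.1.50
Mar 03 08:30:00 app01 auth: user=frank result=SUCCESS src=10.0.1.60
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<source>\w+): (?P<fields>.*)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = {"ts": m["ts"], "host": m["host"], "source": m["source"]}
        for field in m["fields"].split():
            key, _, value = field.partition("=")
            if key:
                event[key] = value
        events.append(event)
    return events


def summarise(events):
    """Per-user view of the day: who was seen, who was locked out, who needed a reset."""
    users, locked, reset = set(), set(), set()
    failures = defaultdict(int)
    for e in events:
        user = e.get("user")
        if not user:
            continue
        users.add(user)
        if e["source"] == "auth":
            if e.get("result") == "FAILED":
                failures[user] += 1          # a single typo is normal; lockouts are not
            elif e.get("result") == "LOCKED":
                locked.add(user)
        elif e["source"] == "helpdesk" and e.get("action") == "PASSWORD_RESET":
            reset.add(user)
    affected = locked | reset
    return {
        "active_users": len(users),
        "lockouts": len(locked),
        "resets": len(reset),
        "affected_users": sorted(affected),
        "affected_ratio": len(affected) / len(users) if users else 0.0,
        "failures": dict(failures),
    }


def assess(summary, threshold=0.05):
    """True when the share of users who lost their password that day exceeds the
    baseline. 5% is an assumed starting point; tune it against your own history."""
    return summary["affected_ratio"] > threshold


if __name__ == "__main__":
    s = summarise(parse_log(SAMPLE_LOG))
    print(f"{s['active_users']} users seen, {s['lockouts']} lockouts, {s['resets']} resets")
    print(f"affected: {s['affected_users']} ({s['affected_ratio']:.0%})")
    if assess(s):
        print("WARNING: forgotten-password rate above baseline; "
              "review rotation policy and check for password reuse")
```

Run it daily over the real log source and trend the affected ratio; a step change after a rotation cycle is the policy, not the people, and is the evidence you need to revisit it.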
You will have noticed that there has been no mention of compliance throughout this page. This is a strategic approach to InfoSec Management, applying the lessons learned from centuries of conflicts, battles and the defence of realms. The same model can, however, be applied to meet and exceed your compliance obligations.
If you would like to know more, or would like assistance in developing or enhancing your defences against ever-present and growing threats, then see what IS Centurion could do for you.