Articles tagged with: Security Frameworks

Risk Centered Security

Implementing security in Information Technology is not about locking down and protecting a system.  After all, the best way to secure a computer is to power it down, unplug it, remove all storage devices, and lock them in a vault.  The second you power that computer on, even in an air-gapped Faraday cage, you begin to assume some level of risk.  The trick to security is knowing your risk and mitigating any unwanted risk.

Risk Analysis

Risk is what a cyber security program is trying to understand and mitigate.  If risk is not calculated consistently within the organization, using the same formula and even the same definitions, different teams will be approaching security from completely different understandings.

With risk analysis, we need to identify the threat and understand what vulnerability that threat would be exploiting.  Then we need to understand the impact that would have on the overall business function and the likelihood of it occurring.  Once we understand those variables, we can have a healthy conversation about what level of security we should be investing in.

Cost Effective Risk Mitigation

Risk. Loss. Impact. Likelihood of threat.  These are all important and, at times, overlooked in a security program.  We need to make sure we are applying the right level of effort and budget to a security program so that it helps the business without hurting the business.

Imagine if you inherited a bag of gold doubloons valued at $500,000.  This would be an extremely valuable and prized possession.  Naturally, you would want a secure place to protect your bag of gold.  In your search for a vault to store the gold in, you come across an extremely advanced, high-tech vault with a small army standing by to react to any alarm.  This, this is the solution, and it is only $5 million.

We cannot spend more on security than the value of the asset, and the same principle applies in Information Security.  Your local, family-owned pizzeria does not need to invest in a next-gen firewall and a robust security information and event management (SIEM) solution.

This is where we start looking into cost-effective solutions to mitigate the risk.  Some of these solutions require some creativity, outsourcing, and perhaps elbow grease to implement.

Risk Acceptance

As we mature our organization and analyze the risk from the threats circling around us, we are going to encounter situations in which it does not make sense to mitigate.  In these cases, it is important to know that there is an option to assume, or accept, the risk.

When reviewing a security framework or a best practice, we may come across a security control that does not make sense to implement.  If you are a medium-sized organization with 200 employees, you likely do not need to hire 6 individuals to build out a 24/7/365 security operations center.

Risk acceptance is another important component of a security program.  There are elements that should be included when assuming risk.  First, make sure the right person is assuming the risk.  The junior systems engineer should not be the one deciding to accept the risk of continuing to run the organization on Windows XP desktops.  Ensure the acceptance is documented and reviewed on a routine basis, or after an event that affects the risk that was assumed.  Also, where possible, implement mitigating controls to limit the residual risk to the organization.

As your organization centers its security program around risk acceptance/risk mitigation, the program will go from holding the organization back to helping it thrive.
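The three sections above (Risk Analysis, Cost Effective Risk Mitigation, and Risk Acceptance) describe one procedure: weigh impact against likelihood, refuse controls that cost more than the asset they protect, and record any accepted risk with an authorised owner and a review date. The Python below is an added example, not code from the original article. It assumes the common quantitative model in which expected annual loss is impact multiplied by annual likelihood (the article names those variables but states no formula), and the role list, the dollar figures, and the two sample risks are constructed for illustration. The doubloons case reproduces the article's $500,000 asset and $5 million vault.

```python
"""Risk decision helper: impact x likelihood, a cost sanity check, and an
acceptance record with an owner and a review date.

Added example, not code from the original article.  Assumes the common
quantitative model (expected annual loss = impact x annual likelihood);
all figures and the role list are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

# Roles permitted to sign off on accepting a risk (assumed policy; a junior
# systems engineer is deliberately not on the list).
ACCEPTANCE_AUTHORITIES = {"ciso", "cio", "business_owner"}


@dataclass
class Risk:
    name: str
    asset_value: float            # what the asset at risk is worth, in dollars
    loss_per_event: float         # impact: loss if the threat exploits the vulnerability
    annual_likelihood: float      # expected occurrences per year (0.25 = once in four years)
    control_annual_cost: float    # yearly cost of the proposed mitigating control
    control_effectiveness: float  # fraction of the loss the control prevents, 0.0 to 1.0

    def expected_annual_loss(self) -> float:
        return self.loss_per_event * self.annual_likelihood

    def residual_annual_loss(self) -> float:
        """Expected loss that remains after the control is in place."""
        return self.expected_annual_loss() * (1.0 - self.control_effectiveness)

    def control_net_benefit(self) -> float:
        """Annual loss avoided by the control minus what the control costs."""
        avoided = self.expected_annual_loss() - self.residual_annual_loss()
        return avoided - self.control_annual_cost


def decide(risk: Risk) -> str:
    """Return 'mitigate' or 'accept' for a single risk."""
    # The doubloons rule: never spend more on protection than the asset is worth.
    if risk.control_annual_cost > risk.asset_value:
        return "accept"
    # Otherwise mitigate only when the control saves more per year than it costs.
    return "mitigate" if risk.control_net_benefit() > 0 else "accept"


def can_accept(role: str) -> bool:
    """Only the roles in the assumed policy may sign off on accepted risk."""
    return role in ACCEPTANCE_AUTHORITIES


@dataclass
class RiskAcceptance:
    risk: Risk
    approver_role: str
    approved_on: date
    mitigating_controls: List[str] = field(default_factory=list)  # partial controls still applied
    review_interval_days: int = 365

    def __post_init__(self) -> None:
        # Enforce "the right person is assuming the risk" at record-creation time.
        if not can_accept(self.approver_role):
            raise PermissionError(f"{self.approver_role!r} is not authorised to accept risk")

    def next_review(self) -> date:
        return self.approved_on + timedelta(days=self.review_interval_days)

    def needs_review(self, today: date, event_affecting_risk: bool = False) -> bool:
        """Review on schedule, or immediately after an event that changes the risk."""
        return event_affecting_risk or today >= self.next_review()


def sample_acceptance() -> RiskAcceptance:
    """Constructed acceptance record for the file-server risk, approved by the CIO."""
    return RiskAcceptance(FILE_SERVER, "cio", date(2024, 1, 1),
                          mitigating_controls=["offline backups", "network segmentation"])


# Constructed sample risks.
DOUBLOONS = Risk("bag of gold doubloons", asset_value=500_000, loss_per_event=500_000,
                 annual_likelihood=0.05, control_annual_cost=5_000_000, control_effectiveness=0.99)
FILE_SERVER = Risk("ransomware on unpatched file server", asset_value=200_000,
                   loss_per_event=150_000, annual_likelihood=0.25,
                   control_annual_cost=8_000, control_effectiveness=0.75)

if __name__ == "__main__":
    for r in (DOUBLOONS, FILE_SERVER):
        print(f"{r.name}: expected loss ${r.expected_annual_loss():,.0f}/yr -> {decide(r)}")
    print("file server acceptance due for review on", sample_acceptance().next_review())
```

The vault fails the first check outright, so no amount of effectiveness can justify it. The file-server control passes because the $28,125 of annual loss it avoids exceeds its $8,000 annual cost, and the acceptance record refuses to be created unless the approver holds one of the listed roles, which is the programmatic form of keeping the Windows XP decision out of the junior engineer's hands.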

Importance of Security Frameworks

If I had to build an IT organization from scratch, I would absolutely make an applicable security framework the backbone. Why? A security framework (such as the NIST Cybersecurity Framework or CIS20) is a methodology featuring security controls that ensure not just a well-balanced security program, but also a well-balanced IT program.

Security is Woven into Every Functional Area of a Company

My understanding of the makeup of an IT department came atypically.  I was in the United States Air Force when Uncle Sam desired that I become a network engineer. At that time, I couldn’t tell you the difference between an IP address and a subnet mask. It took me a couple of months to understand how those in the help desk, desktop team, virtualization engineers, Linux administrators, Windows administrators, network engineers, security engineers, and project managers all contributed to a functioning Information Technology organization. I observed that while all the verticals work together, they only interact at the edges of each particular service. The lone exception was security.  Security is integrated into each and every other discipline, and for good reason. 

In other words, security is the critical common thread. So, while not a conventional thought, and maybe not too surprising either, all teams across the IT department can benefit from a security-oriented tool. Specifically, I’m referring to security frameworks. Typically used to identify gaps, a security framework usually contains more than 100 controls that strengthen the various areas of an IT organization. Implementation is typically driven by compliance, but, sadly, most organizations look for the minimum effort to save on time and investment. However, it’s those organizations that look to increase their security posture, and review a security framework in order to exceed its controls, that separate themselves from the vulnerable.

Not Just Any Security Framework: The Right Framework

It should be noted, not all frameworks are created equal. Some more closely resemble a speed bump than a high jump event. HIPAA/HITRUST is one of these low-bar frameworks. To illustrate, the password requirement for HIPAA is that an organization must have a password policy. That’s it. No details on what that password policy should consist of with regard to complexity, rotation, etc. Other frameworks have a narrow focus, like NIST 800-171 or PCI-DSS. PCI-DSS, well known for protecting credit card data, only pertains to Cardholder Data Environments (CDE), and many organizations ignore security practices in other areas of their network. NIST 800-171 likewise focuses on Controlled Unclassified Information (CUI) and does not apply to the entirety of the network. Choosing the right framework positively impacts the outcomes.

One of my favorite frameworks, because of how it is organized, is CIS20. CIS20 comes from the Center for Internet Security, also known for publishing the CIS Benchmarks used as system hardening standards for various devices and operating systems. CIS20 is broken out into 20 high-level controls supported by a total of 171 sub-controls. This framework further breaks the 20 controls down into three different sections, Basic, Foundational, and Organizational, which illustrate the impact of those controls. Additionally, version 7.1 introduced implementation groups to assist with prioritization of rollout. The net result is that CIS20 presents a pretty self-evident roadmap to ensuring your IT organization is secure.

Security Frameworks Lead to a Better IT Department

What’s not so apparent is that this approach also helps focus on and develop the different areas of IT support that your organization could be expecting from you. Asset Inventory, Administrative Privileges, Monitoring, Email and Web Browsers, Data Recovery, Data Protection, and Incident Response are all addressed by the CIS20 framework. While it also covers more obvious security functions like firewalls, security awareness training, and vulnerability management, focusing on the previous list will help address the services and structure an IT organization should have in place to offer a quality service to your organization.

Why would a security framework hit on some of these elements of IT delivery?  It has a lot to do with a basic security concept called the CIA triad. CIA stands for Confidentiality, Integrity, and Availability. All three of these elements are considered critical to security. Losing one of these elements causes the three-legged chair to fall. Importantly, these goals should sync with the goals of an IT department as a whole. Making sure that services are available and reliable should be weighed equally with protecting information and ensuring its integrity is not lost.

While opportunities don’t come around often to build an IT organization in a greenfield scenario, leveraging a security framework can help provide a quick report card on gaps in your IT services. Based on the relationship between security and IT as a whole, closing these gaps will not only elevate your security posture, but also the level of service your IT department offers your organization.