Many technology industries say they are well protected from security threats due to their strong technical controls, management controls and validation processes, and others say they want to implement processes that give 100% protection. In general, every industry has security policies and many processes in place, and the question is whether these existing policies and processes alone provide security assurance to an enterprise. This article highlights key best practices that would provide security assurance to an enterprise.
Security assurance is the level of confidence an enterprise can provide on its deployed IT technology and business processes. Cyber security frameworks and standards provide only a minimum level of security to an enterprise. However, security assurance practices on each critical process may provide the true level of confidence needed to safeguard its assets.
Can an enterprise provide a 100% assurance level?
The answer is 'No'. An enterprise might have deployed tons of processes and controls to handle security scenarios, but unless these scenarios are tested and reviewed periodically and the identified gaps are mitigated, no industry can provide a better assurance level. The security activities identified in this article are part of an enterprise's operational activities; however, implementing these processes as mandatory, well-structured and seamless processes across the business units certainly provides great assurance to an enterprise.
Possible scenarios that may decrease security assurance level
As every security expert knows, 'people are the weakest link' in information security. Many reputed enterprises have been successfully attacked due to the negligence of a few people who felt that no one could detect them, but sophisticated technological advancement and constantly hunting attackers make use of such negligence to perform a successful attack against an enterprise's assets and damage the reputation of the enterprise.
A major share of security incidents happens due to inadequate information security training for internal employees and negligence by employees. Even though a Non-Disclosure Agreement (NDA) exists between the enterprise and its employees and contractors, the NDA acts only as a deterrent control. Negligence and lack of information security training result in reputational and financial damage to an enterprise. Furthermore, some enterprises do not allow their temporary contract employees to participate in the internal information security orientation program just after onboarding them, and thereafter ignore periodic internal security training.
Some of the security breaches in the recent past were due to negligence on the part of an employee or of the enterprise's own security unit. Once a vulnerability is detected, it is the enterprise's responsibility to address the security issue by means of patch management and to enhance the security controls without further delay. Attackers use this period to attack the enterprise and steal confidential and Personally Identifiable Information.
Best practices to provide IT security assurance to an enterprise
Identify potential insider attackers by monitoring unusual behaviour, increase the controls on their user IDs, and monitor their logs for any dubious activity.
Figure: Security Assurance Practices
Increase the frequency of internal audits of the enterprise's critical assets. Do not allow remote access for privileged users to the enterprise's assets. Deploy an automated migration process from lower environments to higher environments and eliminate manual deployment wherever possible. In many cases, intentional or unintentional human error in manual deployment causes operational failures that result in IT infrastructure downtime.
In general, the Information Security Manager investigates security incidents and submits the investigation report to management so that action can be taken against the violator. The details of the security incidents are known only among senior management, the Information Security Officer, and the violators. As a practice, this kind of information is not shared to educate a bigger audience within the enterprise, in order to protect its value and image. It is recommended that an enterprise share the business impact, the reputational impact, the cost and effort of resolving such security incidents, and the action taken on the employees, without revealing the identity of the violator, during internal meetings; this would create a big impact on employees' minds and may result in additional care in their activities.
Mandatory and periodic information security awareness training would reduce security incidents, as many employees fall into phishing traps without realising that their personal information is about to be stolen. Based on the critical nature of the job, the frequency of such training should be increased.
Senior management should encourage business units to perform periodic self-assessments of the effectiveness of their internal controls and submit the report to management. Create a new business unit to constantly monitor security practices and security incidents and continually strive for the best benchmark to meet the enterprise's security objectives.
Perform a risk assessment on critical business processes or business-critical assets such as IT infrastructure components before their deployment into the operational environment, mitigate the risks, and maintain a risk register to track the risks until closure. Before procuring security products, determine the security evaluation level of the product using Evaluation Assurance Levels (EALs), identify its strong areas, and define appropriate controls to mitigate identified weak areas before deployment into an operational environment.
Performing a vulnerability assessment on the IT infrastructure, both internal and externally exposed systems, and remediating the identified vulnerabilities before deployment into an operational environment will also provide assurance to an enterprise. Providing the least level of access to users and systems also provides confidence in the enterprise's overall operation.
Maximise security measurement practices to maintain a high level of security assurance. These measurements include the number of incident management tickets, vulnerability scan coverage, patch management coverage on critical applications, and the percentage of application scan findings from the scan tool, which indicates the cybersecurity awareness level among developers. We also need to cover adequate security requirements; not many understand the different meanings of use cases, misuse cases and abuse cases in software requirements, and a clear understanding of each scenario will help to develop a highly secure software product.
Proactive security measures provide better security assurance to an enterprise. Stringent and periodic security measurement practices and immediate corrective action act as yet another defence for an enterprise, in addition to security practices such as internal audit, vulnerability assessment, security response and risk assessment processes. As a high priority, increased frequency of information security awareness training for employees, least-privilege access controls, periodic scanning of technical components, well-defined secure software development practices, and secure testing and deployment practices would certainly provide a high level of security assurance to an enterprise. It takes many years to build the reputation of an enterprise and only a few days to damage it and lose business to competitors if the enterprise fails to take proactive measures and apply better security assurance practices to its IT infrastructure.
About the Author
Ananda Narayanan G
Ananda Narayanan G plays multiple roles, such as GRC Consultant, pre-sales consultant and backup ISM, with Tata Consultancy Services (TCS) – Cyber Security Practice. He has been working with TCS for about 20 years and holds several information security certifications, such as CISSP, CISA, CPISI, ITIL V3, COBIT5 and ISO 27001 LA. He has significant experience in application development and maintenance, operational risk, vendor risk management, application security, reverse engineering, end-user computing, data privacy, IT security assessment, security training and more.