Tag Archives: standards

Fixing a Security Program

I’m still unsettled by how many security programs are so fundamentally broken. Even those managed and staffed by people with impressive credentials. But when I talk to some of these individuals, I discover the key issue. Many seem to think the root cause is bad tools. This is like believing the only thing keeping you from writing the Next Great American novel is that you don’t have John Steinbeck’s pen or Dorothy Parker’s typewriter.

In reality, most of the problems found in security programs are caused inferior processes, inadequate policies, non-existent documentation  and insufficient standards. If buying the best tools actually fixed security problems, wouldn’t we already be done? The truth is that too many employed in this field are in love with the mystique of security work. They don’t understand the business side, the drudgery, the grunt work necessary to build a successful program.

For those people, here’s my simple guide.  I’ve broken it down to the following essential tasks:

  1. Find your crap. Everything. Inventory and categorize your organization’s physical and digital assets according to risk. If you don’t have classification standards, then you must create them.
  2. Document your crap. Build run books. Make sure you have diagrams of networks and distributed applications. Create procedure documents such as IR plans. Establish SLOs and KPIs. Create policies and procedures governing the management of your digital assets.
  3. Assess your crap. Examine current state, identify any issues with the deployment or limitations with the product(s). Determine the actual requirements and analyze whether or not the tool actually meets the organization’s needs. This step can be interesting or depressing, depending upon whether or not you’re responsible for the next step.
  4. Fix your crap. Make changes to follow “best practices.” Work with vendors to understand the level-of-effort involved in configuring their products to better meet your needs. The temptation will be to replace the broken tools, but these aren’t $5 screwdrivers. Your organization made a significant investment of time and money and if you want to skip this step by replacing a tool, be prepared to provide facts and figures to back up your recommendation. Only after you’ve done this, can you go to step 6.
  5. Monitor your crap. If someone else knows your crap is down or compromised before you do, then you’ve failed. The goal isn’t to be the Oracle of Delphi or some fully omniscient being, but simply more proactive. And you don’t need to have all the logs. Identify the logs that are critical and relevant and start there: Active Directory, firewalls, VPN, IDS/IPS.
  6. Replace the crap that doesn’t work. But don’t make the same mistakes. Identify requirements, design the solution carefully, build out a test environment. Make sure to involve necessary stakeholders. And don’t waste time arguing about frameworks, just use an organized method and document what you do.

Now you have the foundation of any decent information security program. This process isn’t easy and it’s definitely not very sexy. But it will be more effective for your organization than installing new tools every 12 months.

 

Tagged , , , , , , , ,

The Security Policy’s Bad Reputation

I had a disturbing conversation with a colleague last night. He told me that he didn’t believe in compliance-only, checkbox security, so why should he waste time on policies and standards? I almost blew a gasket, but because he’s pretty junior, I thought it best to educate him. The following is a summary of what I told him.

Security policies and standards are a foundational set of requirements for your engineering, development and operations teams. Without these boundaries, the entire IT organization floats aimlessly, buying solutions and implementing controls without rhyme or reason. Generally, only oblivious technologists design solutions without referencing policies and most engineers are begging for this guidance from their security teams.  Engineers aren’t mind readers, they just want us to tell them what we want: in writing.  Without policies and standards, the result is reactive inefficiency, because the security team becomes a chokepoint for every implementation.

Security policies help keep organizations ahead of the risk curve. It means that risk has been evaluated to some degree and a decision made (by someone) regarding the level an organization is willing to accept. Any security organization that wants to achieve some level of maturity will spend the cycles to develop its policies or suffer the consequences.

Developing policies and standards isn’t an easy process. Often the right stakeholders haven’t participated in the discussion, the documents are badly written, outdated or compiled by consultants with no organizational context. Moreover, policy debates often degenerate into arguments over semantics, but the how of getting this done isn’t as important as simply getting it done.

Ultimately, when security professionals don’t create and maintain policies and standards, they have abdicated their responsibility to the organization that employs them.

Tagged , , , , ,
<span>%d</span> bloggers like this: