Fundamental Security Processes
IT security has always been a top priority at my organization given the number of remote individuals we employ and the vast amount of government contracts and research projects we support. From my perspective, employees across my organization have always had great confidence in our IT security measures. That is until we recently experienced two substantial cyber-attacks that ultimately compromised a minimal amount of confidential data. Both cyber-attacks were handled effectively and the experience proved to be instrumental in my organization comprehensively updating our IT security policies and procedures.
The experience of the cyber-attacks made me reflect on fundamental IT security processes and the most significant concerns that I have with my organization’s IT security policies and procedures.
In the article "The Security Processes You Must Get Right", Rob McMillan discusses the catalog of core security processes integral to keeping pace with the industrialization of IT. McMillan focuses on six core security processes and five supplementary security processes that all organizations must define, document, and execute to ensure effective IT security processes are established, maintained, and consistently reviewed. The six core security processes include:
- Security governance
- Policy management
- Awareness and education
- Identity and access management (IAM)
- Vulnerability management
- Incident response
The five supplemental security processes include:
- Change management
- Business continuity management (BCM)
- Disaster recovery management
- Project life cycle management
- Vendor management
In all, I think my organization takes these security processes very seriously and expends the appropriate amount of resources on each to ensure they are upheld. I do feel that our awareness and education should be more transparent for employees to better understand our standards and practices of IT security. This is particularly important given our continued interest in cloud computing and the security concerns associated with cloud solutions. Also, my organization offers optional training and classes on essential IT security measures and best practices that I feel should be mandatory given how large our organization is and the sheer amount of classified and personally identifiable information (PII) we maintain.
References
McMillan, R. (2013, January 23). Gartner. The Security Processes You Must Get Right.
Formalizing Security Processes
Once an organization establishes its IT security processes based on the fundamental security contexts proposed by McMillan, a formalization plan should be implemented to serve as an organization-wide standard approach to document, assess, and modify (if deemed necessary) each process. Due to limited resources, immediately formalizing newly established or existing security processes isn't realistic for most, if any, organizations. Instead, it is recommended that an organization prioritize individual security processes based on the following criteria:
- Essential processes that help the organization meet the minimum standard of due care (this includes both newly established and existing security processes)
- Existing processes identified as needing to be updated and improved
- New and existing processes that address critical risks
After an organization has effectively prioritized its security processes, a comprehensive formalization plan should be followed that includes all of the following components:
- An assignment (or verification) of process ownership
- A process description that outlines the scope and objectives of the primary process and its sub-processes
- A process flowchart that provides a visual representation of the flows between the primary process and its sub-processes
- An integration matrix table that indicates the integration points of the process with other security, operations, and service management processes
- Staffing and education/skill requirements for managing and carrying out the process
- A RACI matrix identifying the roles and responsibilities of the process functions
- Any metrics used to measure and track process performance
- Any current or future automation opportunities that may be feasible for the process
A formalization plan should also include an established time frame for revisiting each process to avoid any processes falling into disuse and/or disrepair.
Including these components in the formalization plan ensures a unified security process portfolio that can serve as a critical reference point for an organization. This can prove to be particularly important during a crisis when resources may be strained and efficient, critical decisions need to be made.
References
Scholtz, T. (2013, January 21). Gartner. Formalizing Security Processes.
Risks of Cloud Services
The primary obstacle that my organization encounters when exploring the implementation of cloud services is finding the balance between the benefits of such services and the acceptable level of risk associated with them. What complicates matters more is the fact that every service provider manages security a bit differently, in ways that may or may not be based on industry best practices. These concerns have significantly inhibited our adoption of cloud services and will continue to do so until we truly understand the risks associated with them.
The difficulty in conducting an accurate risk assessment of cloud computing lies in the continuously evolving control standards and the unique technology solutions incorporated into these services. These highly complex, distributed, and often virtualized infrastructures create risk assessment challenges that are difficult to evaluate. To help address these concerns, Gartner has conducted extensive research and in turn developed a set of evaluation factors capable of dissecting complex computing models so they can be more thoroughly understood and better assessed.
To analyze a cloud service, it is best to begin by examining complexity and location models. Complexity models are capable of estimating the virtualized and non-virtualized operating systems on a network to determine the cloud topography. Location models are able to locate systems in unknown locations administered by unknown individuals. This can help identify the degree to which an application and its data are exposed outside of the organization. Both complexity models and location models are instrumental in pinpointing inherent security risks within complex systems.
Evaluating the Software Development Life Cycle (SDLC) is another important step in determining whether a cloud service will provide the expected levels of confidentiality, integrity, and availability. Typically, it is not common practice to allow potential customers to view the SDLC themselves; instead, they should seek assurance that an appropriate evaluation of the code, design, architecture, and features has been carried out.
Determining which security controls are the responsibility of the provider, as well as identifying the provider's primary vendors, are also key steps in the risk assessment process. Understanding who has control of the data and processing clarifies responsibility and allows potential customers to evaluate the risk-related processes and the security and control measures implemented to protect those processes.
Finally, it is important to understand the user-type and use-duration risks with regard to cloud services. Determining the users of the service, the length of projects, and the duration of sensitive data processing helps to calculate the overall risk (in terms of individuals and time) associated with using cloud services.
References
Heiser, J. (2013, March 15). Gartner. Analyze the Risk Dimensions of Cloud and SaaS Computing.