We Bought Some Tools…Now What?
A simple guide to starting or refining your Information Security Program
Jim Bowker, CISSP
About Me
• Jim Bowker
• Working in IT over 20 years, information security last 10
• BS Comp. Tech. Purdue, MS IA Northeastern, CISSP
• Director Applications & Security, economic consulting co.
• “The Security Guy” in our office
Agenda
• Creating a framework document & what should be in it
• What to do when your boss gives you a security checklist he read in a magazine
• Strategies for selecting a security framework (SANS Top 20, NIST SP 800-53, ISO 27001, Cyber Essentials, etc.)
• Establishing a security council
• IR plan & template
• Policies
• Change Management process
• Vulnerability Management process
• Housekeeping
Information Security Framework
• Multi-purpose document (sample snippet on next page)
• Doesn’t need to include everything – but it should
• Helps establish organization and better processes
• Serves as a table of contents to the information security program
• Easiest way to answer the question “What does your company do for information security?” (look at the red highlighted words on the next slide)
• Contains a brief description of the different categories of security functions you and your team perform
• Include key policies, security council, IR plan, physical security, etc.
• Add new items as they come online (DLP, NAC, 2FA)
This document presents a high-level summary of xxx’s IT security and confidentiality framework. xxx maintains an up-to-date security program with annual reviews of all policies, logging of all disk access on project servers, and alerting for anomalous behavior. This document outlines key components of our information security program and provides high-level descriptions of each. When practiced by the firm, this assists in securing the company’s and client’s information. Any questions regarding this policy should be directed to PII Stuff@blah.com. The framework is reviewed on an annual basis by the Information Security Council. Most of the controls listed below have their own dedicated policy or document which goes into further detail. This document is just an overall list highlighting some of the main areas, and is not meant to be a comprehensive description of each item.
The components are categorized into three main areas – managerial, operational, and technical. Managerial controls focus mainly on security policies, planning, guidelines, and standards which influence the direction and selection of xxx’s operational and technical controls for information security. The operational controls address the implementation and use of security policies and standards to ensure consistency in xxx’s security operations and to identify any operational deficiencies, focusing mainly on personnel as opposed to systems. The technical controls are implemented for the correct use of hardware and software security capabilities in xxx systems for the purpose of securing critical and sensitive data, information, and IT system functions.
Data Security Policy
The Data Security Policy describes the responsibilities of employees and contractors to secure data. It defines xxx’s data classification framework. It describes how staff should report security incidents. Employees are required to sign off on this policy. The policy is published on the company intranet. Employees are required to reaffirm the policy on an annual basis.
Electronic Resources Policy
The Electronic Resources Policy defines the acceptable use of electronic
Magazine Management
• Step 1: Boss picks up a magazine and starts flipping through the pages, or opens a whitepaper sent to him via email
• Step 2: Article uses FUD to convince your boss the world is ending unless you follow these five simple steps
• Step 3: Boss stops you in the hall to let you know you should drop everything and fix this before the sky starts falling
• Step 4? Entirely up to you!
Mag Mgmt cont’d
• Don’t tell them that list is crap
• Don’t dismiss/avoid the question
• Don’t try to argue technical points
Instead:
• “That list isn’t very far removed from what we are already doing. If you’d like, I’ll compare that list against our current procedures, identify any gaps, and add them to our current list. I’ll email you a summary of the changes.”
Selecting a security framework
• Easier ones:
  – SANS Top 20 (transition to NIST)
  – Cyber Essentials
• Bigger ones:
  – ISO 27001 (specifically Annex A)
  – NIST SP 800-53
• Do I need a SOC?
Establish an Information Security Council
• Again looking for the “complete” security picture
• Comprised of people from IT, HR, Legal, & Business
• Monthly meetings, published agenda, meeting minutes, reminders for action items
• Spend time on changes that will impact the business
Incident Response Plan & Template
• Create an outline
  – Purpose, scope, when to invoke, definition of an incident, roles & responsibilities
  – Council, incident owner, response team, process flow (detect, notify, investigate, assign severity, contain, minimize risk, protect evidence, third-party assistance, security measures, recover systems, post mortem)
• Add some detail to each section
• Create a template
  – Date, time, reporter, documenter, severity (with definitions), observations, unusual occurrences, owner, team, notifications, actions to contain/isolate, security measures, recovery, outstanding items, business impact, recommendations, post mortem
• CRP to test performance
• Continually improve based on observations; track revision history & approvals
Policies! Yay!
• Provide guidance/clarification in key areas
• Forces the organization to think about issues
• Audit item
• Annual review w/ date & owner
• Capital-P Policies vs. guidelines – check with HR & Legal counsel
• Create a central repository & mechanism for review/signoff
Change Management
• Why is it included here?
• Why do clients care?
• The process is more important than the software used
• Clients are looking for a process (communication, fallback, approval, etc.)
Vulnerability Management
• Should be a line item in the main framework doc
• Should also have its own dedicated document
• Vulnerability scanning is not vulnerability management
• A good VM process beats a good tool
• Find vulns, prioritize (based on asset criticality, vuln score, probability of exploit, etc.), remediate, rescan
• There is benefit to changing scanners every few years
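The find / prioritize / remediate / rescan loop above is easy to state and easy to get wrong in practice, so here is an added example (not from the talk, and not any particular scanner's output format) of the two pieces that turn scan results into a process: a prioritization score that blends vuln score, asset criticality and exploit probability, and a rescan reconciliation that only marks a finding remediated once the rescan stops reporting it. The weights, SLA tiers, asset inventory, check ids and findings are all constructed assumptions.

```python
"""Vulnerability management loop: find -> prioritize -> remediate -> rescan.

Added example, not from the talk. The weights, SLA tiers, asset list and
findings below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass

# Constructed asset inventory; criticality 1 (low) .. 5 (business critical)
ASSET_CRITICALITY = {"db-prod-01": 5, "web-prod-01": 4, "jump-host": 3, "dev-box-07": 1}


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str        # scanner check identifier (constructed, not a real plugin id)
    cvss: float          # base score 0.0 - 10.0
    exploit_prob: float  # 0.0 - 1.0, e.g. an EPSS-style estimate; 1.0 if a public exploit exists

    @property
    def key(self):
        return (self.host, self.check_id)


def priority(f: Finding) -> float:
    """Higher means fix sooner. Assumed weighting: CVSS scaled by asset
    criticality (factor 0.5 - 1.0) and by exploit likelihood (factor 0.3 - 1.0),
    so a likely-exploited medium bug on a critical asset outranks a high-CVSS
    bug on a throwaway dev box."""
    crit = ASSET_CRITICALITY.get(f.host, 3) / 5.0   # unknown assets default to medium
    return f.cvss * (0.5 + 0.5 * crit) * (0.3 + 0.7 * f.exploit_prob)


def sla_days(score: float) -> int:
    """Assumed remediation targets per priority tier."""
    if score >= 6.0:
        return 7
    if score >= 3.0:
        return 30
    return 90


def build_queue(findings):
    """Remediation queue ordered by priority, highest first."""
    return sorted(findings, key=priority, reverse=True)


def reconcile_rescan(previous, rescan):
    """Compare the last run with a rescan: what closed, what is still open,
    what is new. A finding counts as remediated only when the rescan no
    longer reports it, not when a ticket was marked done."""
    before = {f.key: f for f in previous}
    after = {f.key: f for f in rescan}
    return {
        "remediated": [before[k] for k in before.keys() - after.keys()],
        "still_open": [after[k] for k in before.keys() & after.keys()],
        "new": [after[k] for k in after.keys() - before.keys()],
    }


# Constructed sample output of the first scan
SCAN_1 = [
    Finding("db-prod-01", "CHK-1001", 7.5, 0.9),
    Finding("dev-box-07", "CHK-2002", 9.8, 0.2),
    Finding("web-prod-01", "CHK-3003", 5.3, 0.1),
    Finding("jump-host", "CHK-4004", 9.0, 1.0),
]

# Constructed rescan after the first remediation cycle
SCAN_2 = [
    Finding("dev-box-07", "CHK-2002", 9.8, 0.2),   # still open, low priority
    Finding("web-prod-01", "CHK-3003", 5.3, 0.1),  # still open
    Finding("web-prod-01", "CHK-5005", 8.1, 0.6),  # newly reported
]

if __name__ == "__main__":
    for f in build_queue(SCAN_1):
        p = priority(f)
        print(f"{p:5.2f}  due in {sla_days(p):2d}d  {f.host:12s} {f.check_id}")
    delta = reconcile_rescan(SCAN_1, SCAN_2)
    print({k: [f.key for f in v] for k, v in delta.items()})
```

Note how the 9.8 on the dev box lands below the 7.5 on the production database: raw scanner severity alone would have sent the team to the wrong host first. The reconciliation step is what makes "remediate" auditable, since the evidence that a fix worked is the rescan, not the ticket.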
Housekeeping
• List out what you need to do monthly, quarterly, and annually
• Provide a mechanism for capturing evidence
• Risk Register
Oh crap I forgot one!
• We left out risk assessments!
• Not to worry, based on what we’ve already built:
  – If we have no assessment in place, add it to the risk register to be prioritized
  – Else: add it to the framework document
  – Add a description
  – Create a document referenced in the framework doc
  – Congratulate yourself on having a mature, well-defined, repeatable process
You made it! Questions?
Twitter: @jobowker13
LinkedIn: Linkedin.com/in/jamesbowker
Thanks!