Focus on IT Operations Basics of Information Security for Value

Scott D. Smith - CISSP, HCISPP, CISA

I am an IT Audit & Security consultant, often operating as an Interim Executive in the Information Security space. In this role, I am involved in frequent conversations related to the business value of security controls. I thought I’d take the time to write this short article to summarize points of those discussions for friends and future clients.

Information Security controls can save you money and result in greater efficiencies in your overall IT operations.

This is a true statement. While not ALL controls will provide such a glaringly high cost to benefit ratio, many of the fundamental ones will. Here is a list of my favorites.

Software Portfolio/Hardware Inventory – It is a generally accepted truth that tracking assets such as cash and inventory leads to greater control, efficiencies and lower cost. IT can benefit from that discipline as well and I’m often surprised by the arguments I get over this issue.

Consider the value of understanding what software you have and how well it is used... or whether it is used at all. How many times have we had a conversation over a software portfolio and someone blurts out, “I didn’t know we still had that application running. We converted to X two years ago.” After the requisite smiles and minor embarrassment all around, there is a note or two written to follow up with the stakeholders to see why it has not been decommissioned. How many times have you seen follow-up actions on that? You’d be amazed. A year, even two years later, those applications, complete with their overhead costs and licensing, continue to operate. Not to mention the inherent risk to the firm of yet another application to secure.

Hardware Inventory controls are even more obvious. How do you know what devices in your environment are potentially “rogue” if you don’t know what you have to begin with? How do you know if you’ve got currently updated firmware and operating systems if you don’t know what you have? How do you know if you may have an undersized component on your network creating a bottleneck if you don’t know what you have?

Configuration Management & File Integrity Management – Well thought through and executed image definition and management for servers and devices will pay huge dividends operationally through a lower volume of help desk issues, easier management AND a stronger fundamental security base.

I added file integrity management as a complement since it’s an oldie but goodie with attackers to disguise files as part of the OS, or simply to increase the size of a common file, in order to hide malware. An ounce of preventive control is worth more than a hundred controls telling you what has already happened. That’s the accountant side of my brain talking, but I’m good with it.
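As an added illustration of the file integrity control described above (example code, not the author's tooling), the script below baselines the SHA-256 and size of every file under a directory and diffs a later snapshot against it; the directory tree and the three tampering patterns are constructed inline, and the hash check is what catches a same-size swap that a size check alone would miss.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical file-integrity check (added example, not the article's own tooling):
# record SHA-256 and size for every file under a root, then diff a later snapshot.

def snapshot(root: str) -> dict:
    """Return {relative_path: {"sha256": ..., "size": ...}} for every file under root."""
    result = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = {"sha256": digest, "size": path.stat().st_size}
    return result

def compare(baseline: dict, current: dict) -> dict:
    """Classify added, removed and modified files between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = []
    for name in sorted(set(baseline) & set(current)):
        b, c = baseline[name], current[name]
        if b["sha256"] != c["sha256"]:
            # A size change alone is a cheap signal; the hash also catches same-size swaps.
            reason = "size changed" if b["size"] != c["size"] else "content changed, size unchanged"
            modified.append((name, reason))
    return {"added": added, "removed": removed, "modified": modified}

def demo() -> dict:
    """Constructed tree: baseline it, apply three tampering patterns, and diff."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "ls").write_bytes(b"legit ls binary")
    (root / "bin" / "cat").write_bytes(b"legit cat binary")
    baseline = snapshot(str(root))
    # 1) payload appended to a common file: size grows
    with open(root / "bin" / "ls", "ab") as fh:
        fh.write(b"\x00appended payload")
    # 2) same-size replacement: only the hash reveals it (16 bytes -> 16 bytes)
    (root / "bin" / "cat").write_bytes(b"LEGIT CAT BINARY")
    # 3) new file dropped where it looks like part of the OS
    (root / "bin" / "ps.bak").write_bytes(b"dropped file")
    return compare(baseline, snapshot(str(root)))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored somewhere the monitored host cannot rewrite it, and the comparison would run on a schedule or from an agent.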

Patch & Vulnerability Management – This one is famous and rightfully so. If you are scanning for vulnerabilities and don’t patch them... well, Experian comes to mind as a poster child. The reality is that these vulnerabilities are out there and the security threat is real. Operationally, many of these patches will also improve, as well as secure, operating systems. Don’t forget to read the patch notes for configuration settings that may need to change as well.

Exception Management (Across the Board) – This is my soapbox issue. I admit it. I’m a bit evangelical about Exception Management as a process. So much could be avoided by proper management of exceptions to our policies and procedures on the whole that a book should be written on the topic. It’s also the most sadly under-addressed issue I run across.

Yes, you will have exceptions for any number of reasons, but mostly around legacy applications and operating systems. How long will you tolerate them if you have no visibility into the scale of the issue(s)?

The same applies to patching and vulnerabilities: some simply can’t be addressed in as timely a manner as we’d like. Application incompatibilities come into play, as well as conflicts between database versions and operating system versions. We need to know what the issues are and why. You also need to have an answer when you are asked what steps you are taking to mitigate the risk until the exception is resolved.

In conclusion, I’ll say that there are many more information security controls and procedures you can implement that will also provide operational value. This is just a first pass, and taking these seriously will move the needle forward in every organization I’ve worked with. Security controls should always provide value; if the risks addressed can’t show a cost/benefit, they shouldn’t be implemented to begin with. As with most things in life, some provide more benefit than others.

Very well put Scott! So many organizations are just now starting to address Security concerns and integrating within their control environment. It will be especially interesting to see where many in financial services and healthcare take this initiative and how the CISO role evolves within the compliance organization.


I agree particularly about the need for a solid exception process. No matter the situation, there will always be circumstances where an exception may be the best option for the business. As security executives, our job is never to say “No, you can't do that,” but to 1) communicate the inherent risks to all decision-makers in business language, 2) provide potential solutions to mitigate the risks as best as possible, and 3) communicate the resulting residual risks again to executives and the Board of Directors. Sometimes exceptions are the proper business decisions, so long as the decisions are risk-informed.


Scott, very solid points for the security controls playbook and, as noted, more to follow -- looking forward to reading more! Now, we just need to determine the best approach to encourage organizations within and across industry sectors to work together to collaborate on lessons learned to create a greater collective of "good guys" trying to minimize impact from the growing number of "bad guys" out there.

Excellent and insightful piece on how security leaders like Scott can work with colleagues in development and operations to reduce the attack surface, strengthen technical controls, and bolster security through best practices. Nice work Scott--this will surely prove to be helpful for security and technology executives!
