How Current Is Your Information Security Policy?
By Dan Williams
You are only as secure as your last audit, and if that audit was almost a year ago it is safe to say your Information Security Policy (ISP) has been dead in the water for some time. Our operational environments, composed of networked information systems, are not static, so an audit conducted a year ago to verify minimum compliance with a standard says nothing about the threats those systems face today. Neglecting regular maintenance of your ISP is the quickest, surest path to failure.
Rear-View Mirror Risk Management
Annual audits and vulnerability assessments should never serve as your defensive strategy. At best an audit is a snapshot of the moment when assets and procedures were scrutinized, and with the threat landscape changing month to month that snapshot ages quickly. Audits and vulnerability assessments establish the minimum baseline for compliance, which is vastly different from proactively defending your organization against the threats it actually faces.
Keeping your ISP aligned with operational reality requires you to answer several preliminary questions:
- Where is your organization’s ISP located? In today’s world three-ring binders stuffed with antiquated loose-leaf pages as the authoritative ISP may be far behind you.
- If these documents are now stored digitally, are they centrally located and are the versions managed by a formal change management process? Are they scattered across several shared directories with no means of determining the legitimate, current draft?
- Is the digital copy of your policy included in your data backup and retention plan?
- Does your ISP include an Information Security Management Plan to provide operational guidance and strategic objectives to continuously keep your policy current?
Don’t Be Afraid to Start from Scratch
How does an ISP stay relevant to the current threat landscape? The very first step is an asset inventory, so that you know what you need to defend; if you don't know you have it, you can't defend it. Based on the results of that inventory, researching the tactics, techniques, and procedures (TTPs) your assets may be susceptible to feeds threat modeling and scenario development exercises. The MITRE ATT&CK framework provides a wealth of information for this task, especially if staying current with known TTPs is not your security team's strong suit. Reasoning about plausible attacks and drawing logical conclusions about which controls to implement is an effective way to reduce risk.
A risk assessment then lets you prioritize and implement proactive countermeasures, each of which will in turn require an update to the ISP. Prioritization is crucial, because the next big data breach could involve your organization: spending remediation effort on low-impact, improbable attacks leaves your greatest weaknesses unmanaged for longer. The debate over which is better, qualitative or quantitative risk analysis, still rages on, but using both when prioritizing risk offers a broader set of advantages, depending on the circumstances and the type of risk being analyzed.
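The two steps above (inventory your assets and map them to ATT&CK techniques, then rank the resulting risks using both qualitative and quantitative analysis) are easier to reason about in working code. The following is an added example written for this article, not a tool from the author; the asset inventory is constructed sample data, the ATT&CK technique IDs are real, and the 5x5 likelihood/impact matrix, the single/annualized loss expectancy (SLE/ALE) formulas, and the 50/50 blending weight are assumptions chosen to illustrate why one metric alone can hide a risk the other surfaces.

```python
"""Rank risks from an asset inventory using both a qualitative 5x5 rating and
quantitative loss expectancy, so the highest-exposure items are remediated
first. Inventory below is constructed for illustration (example, not the
author's own tooling)."""
from dataclasses import dataclass

# Ordinal scales for the qualitative rating (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    asset: str
    technique: str          # ATT&CK technique the asset is exposed to
    likelihood: str         # qualitative likelihood rating
    impact: str             # qualitative impact rating
    asset_value: float      # quantitative: business value in currency units
    exposure_factor: float  # quantitative: fraction of value lost per incident
    aro: float              # quantitative: annualized rate of occurrence

    def qualitative_score(self) -> int:
        """Classic 5x5 matrix: likelihood x impact, range 1..25."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def sle(self) -> float:
        """Single loss expectancy: value lost in one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: SLE scaled by yearly frequency."""
        return self.sle() * self.aro


# Constructed inventory: each entry pairs an asset with one technique it is
# believed to be susceptible to, plus ratings from the assessment workshop.
SAMPLE_RISKS = [
    Risk("vpn-gateway", "T1190 Exploit Public-Facing Application",
         "likely", "major", 50_000, 0.6, 1.0),
    Risk("file-share", "T1486 Data Encrypted for Impact",
         "possible", "severe", 200_000, 0.8, 0.5),
    Risk("dev-workstation", "T1566 Phishing",
         "almost certain", "minor", 4_000, 0.5, 6.0),
    Risk("legacy-printer", "T1046 Network Service Discovery",
         "rare", "negligible", 800, 0.2, 0.1),
]


def prioritise(risks, qual_weight=0.5):
    """Return risks sorted highest-priority first.

    The composite blends the normalized qualitative rating (0..1) with the
    ALE normalized against the largest ALE in the set. qual_weight=1.0 gives
    a purely qualitative ranking, 0.0 a purely quantitative one.
    """
    if not risks:
        return []
    max_ale = max(r.ale() for r in risks) or 1.0

    def composite(r):
        qual = r.qualitative_score() / 25.0
        quant = r.ale() / max_ale
        return qual_weight * qual + (1.0 - qual_weight) * quant

    return sorted(risks, key=composite, reverse=True)


def control_is_cost_justified(risk, annual_control_cost):
    """Quantitative sanity check: a control that costs more per year than the
    ALE it removes is not worth buying (assumes it eliminates the risk)."""
    return annual_control_cost < risk.ale()


if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(f"{r.asset:16} {r.technique:40} qual={r.qualitative_score():2} "
              f"ALE={r.ale():>9,.0f}")
```

With the constructed data the qualitative matrix alone ranks the VPN gateway first (16 versus 15), while the ALE view ranks the ransomware-exposed file share first (80,000 versus 30,000); the blended ranking puts the file share on top without dropping the VPN to the bottom. Adjust the weight, scales, and formulas to your own assessment methodology; the point is to record both views rather than argue about which one wins.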
The Power of Intelligence
As a general rule, we implement safeguards to mitigate risk and then monitor our infrastructure for when (not if) those controls fail. Practices that leverage internal monitoring data provide the situational awareness necessary to keep policy and practice in step. The same capability lets an organization detect security events that may be genuine compromises and that would otherwise have gone unnoticed.
Generating your own intelligence product to inform decision-makers and harden defenses still leaves a large amount of uncertainty. Open Source Intelligence (OSINT) collection on external threats realistically goes only so far, because of the analyst time it consumes. The quality of the intelligence product is proportional to the amount of data collected and to the reliability and timeliness of that data.
This is where most organizations turn to a threat intelligence feed service to receive vetted, up-to-date information on active threats and campaigns. Choosing between an in-house effort and a paid service deserves the same cost-benefit analysis as anything else in your organization. Start by assessing your personnel's experience and aptitude, then determine whether they realistically have time to prioritize threat hunting on top of their day-to-day operations.
A New Mindset
Applying controls or new procedures without accounting for them in your policy creates a brand of shadow IT: decision-makers are left with a source of record that does not reflect actual operational practice. Update your ISP following any change to procedures or controls, and review it at least quarterly to ensure you are staying on track. It is difficult for most of us to be as enthusiastic about ISP maintenance as about computer hacking, especially when the media romanticizes hacking to an almost cartoonish degree. However, in this perceived battle between good and evil in cyberspace, until you align your policy with the threat landscape your organization is operating in a hall of mirrors.
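The two triggers described above (a control or procedure change that the policy has not caught up with, and a section that has gone more than a quarter without review) can be checked mechanically if you keep a register of policy sections with their last review dates and a change log that maps each control change to a section. The script below is an added example written for this article, not the author's tooling; the policy register, change-ticket identifiers, section names, and 90-day cadence are constructed assumptions.

```python
"""Flag ISP sections that have fallen behind operational changes or the
quarterly review cadence. Register and change log are constructed sample
data (example for this article, not a real organization's records)."""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)   # "at least quarterly"
AS_OF = date(2024, 3, 20)              # constructed "today" for the sample run

# Policy register: section -> date it was last reviewed and approved.
POLICY_REGISTER = {
    "ISP-04 Access Control": date(2023, 11, 2),
    "ISP-07 Logging and Monitoring": date(2024, 1, 15),
    "ISP-09 Backup and Retention": date(2024, 3, 1),
    "ISP-12 Remote Access": date(2023, 8, 20),
}

# Change log: control/procedure changes, each mapped to the section that is
# supposed to describe the control. Shape mirrors a minimal ticket export.
CHANGE_LOG = [
    {"id": "CHG-1041", "date": date(2024, 2, 10), "section": "ISP-04 Access Control",
     "summary": "Enforced MFA for all privileged accounts"},
    {"id": "CHG-1055", "date": date(2024, 2, 28), "section": "ISP-07 Logging and Monitoring",
     "summary": "Forwarded EDR telemetry to the SIEM"},
    {"id": "CHG-1063", "date": date(2024, 3, 5), "section": "ISP-12 Remote Access",
     "summary": "Replaced VPN with zero-trust access broker"},
    {"id": "CHG-1070", "date": date(2024, 3, 12), "section": "ISP-15 Cloud Workloads",
     "summary": "Enabled cloud audit logging"},   # no such section in the register
]


def stale_sections(register, change_log, today):
    """Return {section: [reasons]} for every section whose text can no longer
    be trusted to describe current practice. Sections that are both current
    and untouched by the change log are omitted."""
    findings = {}
    for section, last_review in register.items():
        reasons = []
        if today - last_review > REVIEW_INTERVAL:
            reasons.append(f"last reviewed {last_review.isoformat()}, "
                           f"more than {REVIEW_INTERVAL.days} days ago")
        # Any control change dated after the last review is, by definition,
        # something the approved text does not describe.
        for c in change_log:
            if c["section"] == section and c["date"] > last_review:
                reasons.append(f"{c['id']} ({c['date'].isoformat()}) changed controls "
                               f"after last review: {c['summary']}")
        if reasons:
            findings[section] = reasons
    # A change pointing at a section the register does not know is the purest
    # form of shadow IT: a control with no policy home at all.
    orphans = [c for c in change_log if c["section"] not in register]
    if orphans:
        findings["<unmapped>"] = [f"{c['id']} targets unknown section {c['section']!r}"
                                  for c in orphans]
    return findings


if __name__ == "__main__":
    for section, reasons in stale_sections(POLICY_REGISTER, CHANGE_LOG, AS_OF).items():
        print(section)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed data as of 2024-03-20, Access Control and Remote Access are flagged on both counts, Logging and Monitoring only because a change landed after its January review, Backup and Retention is clean, and the cloud-logging change surfaces as unmapped. Wiring this to the real change-ticket export is what turns "quarterly review" from an intention into a check that runs.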
About the Author
Dan Williams is an Information Security consultant, a five-year veteran of the U.S. Marine Corps, with over 15 years in IT Operations. Dan's career has spanned various specializations, including systems analysis, network monitoring and defense, software development, and cloud engineering solutions, all with a central theme of security administration and strategic cyber intelligence.
He has a bachelor’s degree in Information Systems Security, a master’s degree in Cybersecurity Studies, and is a Systems Security Certified Practitioner through the (ISC)2. More recently Dan’s focus as a consultant has been on conducting research regarding DevOps security practices and cloud infrastructure penetration testing and vulnerability assessments to maintain pace with threats towards advancing and quick-adopting technologies. On a volunteer basis, Dan mentors future and junior cybersecurity personnel in both an academic setting and in the workplace to offer guidance to the next generation of Information Security professionals.