Security subjects within this article:
Enterprise Security
Security Governance
IT Risk Management
Information System Management
Threat & Incident Management
Vulnerability Management
Protecting Information Resources
BCP Management
Identity and Access Control Management
Change Management
Physical Security
Enterprise Security Critical Security Functions version 1.0
1. Enterprise Security
- Critical Security Functions
There are several elements to consider in order to properly protect an organization. To
align security adequately, an organization can refer to an information security standard
such as ISO 27002.
For many organizations, a smaller framework scope is necessary in order to
quickly implement security controls and bring the organization to an acceptable
security posture.
In this article, we describe the main areas on which to focus to quickly
improve the security posture of an enterprise.
This guide does not encompass all controls and control objectives; its main focus
is to provide guidance on critical aspects that are often forgotten or not properly addressed.
Enterprise Security
- Critical Security Functions version 1.0
June 10th 2015
Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM
2. Among the biggest security challenges
One of the biggest challenges for an organization is to establish roles for security.
Undefined roles lead to inappropriate security management and practice. In this
circumstance, everyone gives their best effort to maintain the overall security in an
unstructured way.
It can give positive results for a certain time, but over a long period the security posture
of the organization will almost always decrease.
The planning, organization, implementation and verification of security is challenging
for every organization.
How to improve?
3. Security Governance
Establish an authoritative role for Information Security with accountability and
responsibility in a security program.
There must be a management role for Information Security Management such as
CISO, CSO, etc. This person must determine the roles and responsibilities of the
Information Security members (incident management, vulnerability management,
system change/update, etc.). Formalize operational security roles, responsibilities
and processes.
Roles and responsibilities must be officially defined and integrated into the work functions of
each member of the security team. Interaction with other teams such as the system
administration group and other departments must be defined and understood by the
security members.
Security members must be adequately trained, and a security awareness and training
standard practice must be in place.
4. IT Risk Management
An IT Risk Management standard practice must be in place in order to implement
appropriate controls and justify decisions according to the risk and impact on the
enterprise of various situations or scenarios (ex.: cyber-attack, natural disaster, human
error such as misconfiguration, etc.).
A standard methodology and templates must exist for information classification and
risk/impact analysis.
Controls to reduce the capability of a threat/attack and controls to reduce vulnerabilities
must be identified, implemented, audited and verified regularly.
When a necessary control cannot be implemented according to the identified
risk/impact, a justification must exist along with compensatory measures. Justifications must
be reviewed periodically and are valid only for a certain period of time. All effort must
be made to eliminate the justification and implement the control to reduce the
risk/impact.
5. Information System Management
Protection equipment (ex.: servers, firewall, IPS, etc.) must be selected according to the
identified risk and impact, then implemented, audited and verified regularly.
Appropriate systems and equipment must be available to security members to conduct
their tasks, such as a ticketing system for incident management.
Protection systems must be kept up to date, and modifications must follow the change
management process in place.
Following an incident, and according to the result of the investigation, protective systems
must be updated when applicable (ex.: increase logging, update protective rules, etc.).
6. Threat & Incident Management
Roles regarding incident management must be identified (ex.: security manager, IT
Security Leader, IT Security Analyst, other teams' responsibilities/interaction, etc.).
A plan, a process and a practice must be in place regarding threat and incident
management.
Manual threat and incident activities must be in place to identify irregularities (ex.: log
review, system audit, etc.).
Automation must exist to automatically detect known threats at the organizational
boundaries, and at inner network layers in case a threat has passed the main defensive systems.
A threat intelligence mechanism is strongly suggested (ex.: correlation between
internal network/system events and external threat feeds).
An incident management system must be available and used to track and manage
incidents.
An investigation standard must exist in the organization specifying the way to investigate
incidents, the systems to be used and the procedure to follow.
7. Vulnerability Management
A process and a practice must be in place regarding vulnerability management.
The roles of security, system administration, asset owners, change management,
compliance, etc. must be defined in a process and a RACI chart.
There must be a mechanism to be informed of known vulnerabilities for systems in
scope (ex.: external advisory feeds).
There must be a procedure for emergency or critical updates in order to quickly
implement fixes and remain secure.
Every significant change must be logged, verified, confirmed and conducted according
to the change management practice in place.
8. Protecting Information Resources
According to the classification scheme defined in the risk management activities, we
must classify data according to confidentiality, integrity and availability.
To be able to protect the information, we must create a protection map (ex.: a map of
all information and systems of the organization).
There must be roles specifying the management, prevention, detection, response and
correction of security issues or disruptions to maintain integrity/availability/confidentiality
(daily).
Standards must be in place for encryption and related cryptographic mechanisms (ex.: hashing
for integrity, symmetric encryption for confidentiality, asymmetric keys for authenticity, etc.).
Encryption mechanisms must be implemented and used according to the information
classification, risk and impact defined in the risk management activities where security
controls are defined.
9. BCP Management
Backup systems and data must be available in a timely fashion in order to maintain
operations, especially in case of incident.
Backups must be verified regularly to ensure the viability of the information and
systems.
It is strongly suggested to use virtual environments with ready image backups. In case of
incident, an image can be restored, updated to the current stable version and brought live to
production to continue operations normally.
10. Identity and Access Control Management
Policies must exist regarding internal access and external access to ensure they are
managed according to different criteria and needs (ex.: vendor access, employee
access, etc.), and different rules must be implemented accordingly.
It is strongly suggested to follow the least privilege principle at all times and to remove
rights at the moment someone no longer has the need to know or to use them in order to
accomplish their work.
It is also strongly suggested to follow the principle: "all users are considered untrusted until
they prove the need to know or use according to criteria (ex.: group, ID, system
integrity check)". Even an employee account can be considered untrusted at first and,
according to criteria, gain more access.
11. Identity and Access Control Management
A security architecture must define the various zones of the organization (ex.:
Intranet, Extranet, shared services, etc.), with control objectives defined for each zone and
controls to meet those control objectives. Risk and impact are important elements to
consider when defining control objectives (ex.: everyone can access the zone,
employees can access the zone, remote users cannot access the zone, etc.).
Two-factor authentication is strongly suggested for access to sensitive or critical
systems.
A process must be in place for commissioning and decommissioning accounts. If
possible, automation can be used. A practice must be in place defining the
management of identities in the organization (ex.: account review, password
strength/change).
Privileged account disclosure can lead to greater impact and must be managed, monitored
and verified closely. In the case of external access, such as for vendors, it can be
appropriate that a security analyst monitors the session (remote session opening,
monitoring changes, ensuring the remote session is closed).
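The "untrusted until proven" principle from the previous slide and the zone-based control objectives above can be expressed as a default-deny decision function. The following is an added example, not part of the original deck: the zone names, groups and criteria (group membership, remote access, two-factor, system integrity check) are constructed sample policy, and the `evaluate` function is a hypothetical illustration of how each zone's control objectives become explicit checks.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed sample zones for this example: each zone carries its control
# objectives as explicit criteria that a subject must satisfy to gain access.
@dataclass(frozen=True)
class Zone:
    name: str
    allowed_groups: FrozenSet[str]  # empty set means "everyone can access the zone"
    allow_remote: bool              # may remote users reach this zone?
    require_mfa: bool               # two-factor required (sensitive/critical systems)
    require_integrity: bool         # system integrity check required

@dataclass(frozen=True)
class Subject:
    user_id: str
    groups: FrozenSet[str]
    remote: bool           # connecting from outside the organization
    mfa_verified: bool     # second factor completed for this session
    integrity_ok: bool     # device/system integrity check passed

ZONES = {
    "extranet": Zone("extranet", frozenset(), True, False, False),
    "intranet": Zone("intranet", frozenset({"employee"}), True, False, True),
    "shared-services": Zone("shared-services", frozenset({"employee", "vendor"}), False, False, True),
    "critical-systems": Zone("critical-systems", frozenset({"sysadmin"}), False, True, True),
}

def evaluate(subject: Subject, zone_name: str) -> Tuple[bool, str]:
    """Default-deny decision: the subject is untrusted until every criterion
    of the requested zone is satisfied. Returns (allowed, reason)."""
    zone = ZONES.get(zone_name)
    if zone is None:
        return False, "unknown zone"
    if zone.allowed_groups and not (subject.groups & zone.allowed_groups):
        return False, "group not authorized for zone"
    if subject.remote and not zone.allow_remote:
        return False, "remote access not allowed for zone"
    if zone.require_integrity and not subject.integrity_ok:
        return False, "system integrity check failed"
    if zone.require_mfa and not subject.mfa_verified:
        return False, "two-factor authentication required"
    return True, "ok"

if __name__ == "__main__":
    alice = Subject("alice", frozenset({"employee"}), False, False, True)  # constructed sample
    print("alice -> intranet:", evaluate(alice, "intranet"))
```

Every denial carries the failing criterion, which is what an access review or an incident investigation needs to see in the logs.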
12. Change Management
We must distinguish "significant change" vs "non-significant change" (ex.: a kernel
update is significant, a virus definition update is not a significant change).
A policy, a process and the corresponding procedures must be defined, understood and
followed for any significant change.
There must be rules defined for emergency/critical changes in order to bring the
necessary flexibility to react quickly and properly. These rules must not be pass-through
rules; every exception must be justified. Usually, standard change management steps
are just delayed, but followed as usual.
There must be a roll-back process and procedure, with the information and systems ready to
go back to a stable state in case of an unsuccessful change.
13. Physical Security
With current tendencies, information is becoming more and more accessible
electronically and often online. Many objects now integrate electronic remote
access (ex.: cars), and physical security must be rethought to include electronic emissions,
radio frequency, mobile and WiFi transmissions, and access to interfaces/protocols.
Biometric mechanisms are becoming standard in many organizations. A false positive
is when an individual gains access while not supposed to, and such incidents are
very critical; tests and evidence must exist to confirm the effectiveness of the device.
Physical security can prevent, detect, deter, etc. (ex.: outside lighting, fences).
Data centers must be chosen carefully (ex.: not close to a river, with multiple road accesses,
etc.), and the disaster recovery center must be at an appropriate distance and location to prevent
any impact from a geographical disaster.
Any privileged access must be supported by two-factor authentication (ex.: magnetic
cards/PIN pad locks and fingerprint).