Category: IT Governance

CISO-for-Hire?

The CISO (Chief Information Security Officer) is the one person in an organization that bears the primary responsibility for IT asset security, for the strategy, planning, and implementation of security measures and initiatives. The main responsibility of the CISO must always be in sync and know what to do with all possible risks associated with cybersecurity. Furthermore, the CISO takes care of all regulatory and operational compliance requirements so that all relevant standards and regulations are addressed properly and in a timely fashion.

WHY DO YOU NEED ONE?

The CISO is a useful function to have in your organization, especially today, with all the dynamics we see in the cyber threat landscape. With a CISO you will be able to:

  • Achieve an improved overall security posture;
  • Be better prepared for what may come;
  • Reach business KPI’s more easily;
  • When you have new projects, or even with existing ones, you will have security and compliance addressed properly at all times;
  • Benefit from all engagements related to risk management as well as in any security or operational endeavors;
  • Decrease the impact of risks associated with the nature of your business;
  • Keep your business updated with all relevant regulations and compliance or other requirements.

WHY WOULD YOU RENT YOUR CISO?

Finding, recruiting, and keeping on the payroll your very own, full-time, dedicated, and talented CISO is not always possible for a number of reasons. Sometimes, it works out to be more cost-effective to hire a CISO from an outside organization. How can that be? Let’s look at some scenarios:

  • Your business is small or mid-sized and a cost-effective alternative to hiring is welcome;
  • You may need a security expert only temporarily, say for a specific project, or if you have upcoming audits and compliance engagements;
  • You may be searching already for your own specialist to hire and want to have someone tide you over in the meantime;
  • Your specialist may be on vacation or extended leave and, again, you don’t want to be without an IT security specialist by your side.

WHAT TO EXPECT AND WHAT TO LOOK FOR IN YOUR HIRED CISO

The company you want to rent your CISO from must prove they can deliver experienced practitioners to act as your hired CISO. Ask for company and personal certifications and qualifications. Furthermore, this person must be able to integrate seamlessly into your business and, well, extend it, least not hinder it. The security presence you need is just to help you bear the brunt by reducing cyber risks and avoiding IT incidents. The service must provide at least the following:

  • Proactive monitoring, adapting, and forecasting of your own risk management engagements;
  • Management of all security incidents;
  • Information security audit assistance and management;
  • Train and re-train your staff;
  • Consult on business and IT process management;
  • Dedicate regular on-site hours to be spend with your team;
  • Be available through email and phone when off-site;
  • Attend and assist management meetings when needed;
  • Regularly report to your management or on a need-to-have basis.

The company you hire your CISO from must form a business partnership with you to drive your IT security strategy forward through one or several consultants who should be:

  • Profoundly and broadly knowledgeable, with certified expertise, experience, and professional qualifications in IT Security that at least matches, and even better if it surpasses those of any single CISO or security manager;
  • Equipped with a varied outside-of-professional-qualification set of skills to include multi-tasking, leadership, swift and legible communication, soft skills, fast reaction, and on-boarding of new security technologies;
  • Passionate about what they do and your satisfaction;
  • Ready to act and consider themselves as your own employees;
  • Skilled in creative thinking and problem-solving.

HOW DOES IT HAPPEN?

The process of on-boarding and “living” with your newly hired CISO usually looks something like the diagram below. Depending on your specifics, the process should be able to be altered to closely adhere and be most beneficial to you as needed:

 

COST-EFFICIENCY

Based on an initial and ongoing risk assessment, the company giving you the CISO should provide flexible, tailored pricing, so you can achieve your goals in information security and, at the same time achieve cost-effectiveness and feasibility. The service ideology should be based on affordability with a maximized value-for-money approach.

Depending on your company’s needs for on and off-site presence, the complexity of one-time or ongoing projects, and internal and external audit needs and requirements, the provider should devise the most cost-effective plan to make sure your information security projects are adequately manned.

Who Needs Strategy Development in IT and Information Security?

As with just about anything, an IT infrastructure also requires a well-thought strategy. The purpose of such strategy is to give the management the information to make informed decisions on security investments. The strategy bridges the security function and the business direction.

The Information Security strategy of an organization is the direction or the approach taken to meet one or more objectives related to the secure behavior of that organization. The strategy is realized through initiatives, where each represents an operational plan that achieves one or more security objectives, with the goal to collectively achieve all of them.

WHY IS STRATEGY DEVELOPMENT NECESSARY?

Just as hackers and criminals never sleep, the Information Security Officer in your organization must regard Information Security not as a product, but as a process. Constantly evolving, adapting, putting up defenses to new and emerging security breach threats. A plan – written, implemented, and then locked away in a drawer – will only do good for a while. Until things change. Again.

Staying flexible, responsive, pro-active, requires a strategy that is deeply rooted in corporate culture and reflects an educated approach to risk assessment, leverage compliance against practicality, and above all – is a perfect fit for you, and your business only.

ALWAYS KEEP IN MIND THE FOLLOWING:

This is a management issue: IT staff can’t and must not decide what’s important, who needs to protect it, what’s acceptable behavior from employees, and what the penalties are for non-compliance. Things to remember:

  • It’s not going to go away: putting up a firewall doesn’t make threats go away – you need a plan that is maintained and evolves.
  • IT budget will not pay for this: find the right angle to “sell” and get funding support.
  • Be ready to show results from what gets spent. Show progress. Show numbers. Tell real stories.

STATUS & FACTORS TO CONSIDER WHEN BUILDING A STRATEGY

An Information Security strategy provides an organization with a road map for information and information infrastructure protection with goals and objectives that ensure capabilities provided are aligned to business goals and the organization’s risk profile.

Information Security requires its own independent strategy to ensure its ability to appropriately support business goals and to mature and evolve effectively. A multi-phased approach to developing a strategy is often most effective and provides recognizable results and value to an organization.

PHASES IN THE STRATEGY DEVELOPMENT

BUSINESS AWARENESS

  • Understand the organization’s current business conditions;
  • Consider the organization’s risk profile and appetite;

STRATEGY DEFINITION

  • Include a prescriptive annual plan followed by a rolling three-year plan;
  • Clearly identify the point of arrival for capabilities based on management guidance and input;
  • Ensure the availability and capability of necessary staff for the strategy execution;
  • Gain an understanding of the organization’s culture to ensure an appropriate plan for adoption;

STRATEGY DEVELOPMENT

  • Define the governance model and functional inventory of capabilities and services;
  • Consider whether the strategy will include operational components or will act as a consultative element within the organization;
  • Determine the reporting structure;
  • Consider the staff and competency requirements necessary to successfully implement and operate the strategy;
  • Consider the risks of sourcing and ensure appropriate oversight by internal staff;

METRIC & BENCHMARKING

  • Ensure alignment with industry standards and guidelines;
  • Use a reliable assessment methodology, such as the Capability Maturity Model (CMM) for example;
  • Use Key Performance Indicators (KPI) to measure the effectiveness of the functions and capabilities developed through the strategy;

IMPLEMENTATION & OPERATION

  • Take global considerations into account;
  • Determine how compliant the organization wants or needs to be;
  • Determine consequences of not conforming to policies and requirements;
  • Utilize an oversight board as part of the operational model for the strategy;
  • Ensure that appropriate communication is occurring between the Information Security group and the supporting business functions;
  • Ensure cultural awareness regarding how information protection activities are viewed within the organization.

tips for choosing the right strategy development team 

Without a defined and developed strategy, an organization’s security capabilities will continue to be viewed negatively and will have limited benefits or negligible positive impact.

Developing a strategy is a critical element in the maturation of Information Security capabilities.

If the goal of the security group is to be business-aligned, then its strategy must be developed with this goal in mind.

When an effective strategy is developed and implemented, security will become a key benefit to the organization, and its value will be easily understood through the reduction of security incidents as well as the effort and costs associated with information protection.

The true measure of success for a well-developed and implemented strategy can be found in the impressions and actions of the constituency that it serves. When they utilize security capabilities during key decision-making activities and consult with the security group on a regular basis, success can be achieved. If they continue to fear and avoid Information Security and its capabilities until it is absolutely necessary to engage, the strategy needs to be changed.

Business Continuity & Disaster Recovery 101

Even when all else fails, there is still hope! Business Continuity Planning and Disaster Recovery Planning are here as the last resort to protect your business.

Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) are an organization’s last corrective control when all other controls have failed! BCP/DRP may prevent or provide a remedy for force majeure circumstances such as injury, loss of life, or failure of an entire organization.

Furthermore, BCP/DRP provide the advantage of being able to view the organization’s critical processes and assets in a different, often clarifying light. Risk analysis conducted during a BCP/DRP plan stage often leads to immediate mitigating actions.

An eventual potentially crippling disaster may have no impact due to prudent risk management steps taken as a result of thorough BCP/DRP plans.

HOW DO you BEGIN?

Developing a Business Continuity Planning and Disaster Recovery Planning are essential for a company’s responsiveness and ability to recover from an interruption in normal business functions or catastrophic events. In order to ensure that all planning has been considered, the BCP/DRP have a specific set of requirements to review and implement. Below are listed the high-level steps to achieving a sound, logical BCP/DRP:

  • Define Project Scope;
  • Business Impact Analysis;
  • Identify Preventive Controls;
  • Recovery Strategy;
  • Plan Design and Development;
  • Implementation, Training, and Testing;
  • BCP/DRP Maintenance.

what is the difference between BUSINESS CONTINUITY and DISASTER RECOVERY?

Business Continuity Planning will ensure the business will continue to operate prior to, during, and after a disaster happens.

The focus is on the business in its entirety and making sure critical services and functions provided by the business will still be performed, both if threatened by disruption as well as after the threat has subsided.

Organizations need to consider common threats to their critical functions as well as any associated vulnerabilities that might facilitate a significant disruption. Business Continuity Planning is a long-term strategy for continued successful operation despite inevitable threats and disasters.

Disaster Recovery Planning– while Business Continuity Planning is responsible for the strategic, long-term, business-oriented plan for uninterrupted operation when faced with a threat or disruption, the Disaster Recovery Planning will provide the tactics. In essence, DRP is a short-term plan for dealing with specific IT-oriented outages.

Mitigating a virus infection with a risk of spreading is an example of a specific IT-oriented disruption that a DRP must address. The focus is on efficiently mitigating the outage impact and the immediate response and recovery of critical IT systems. Disaster Recovery Planning provides a means for immediate response to disasters.

 

The relation between BCP & DRP – the BCP is an all-inclusive plan that includes, amongst multiple specific plans, the DRP – the importance stems from the fact that the focus and process of these overlap critically.

Continual provision of business-critical services facing threats is achieved with the aid of the tactical DRP. The plans, with their different scopes, are organically intertwined.

In order to distinguish between a BCP and a DRP one needs to realize that the BCP is concerned with the business-critical function or service provided by the company, whereas the DRP focuses on the actual systems and their interoperability so the business function is performed.

SOME RELATED PLANS

As mentioned before, the Business Continuity Plan is an umbrella plan that contains other plans, in addition to the Disaster Recovery Plan:

Continuity of Operations Plan (COOP) – describes the procedures required to maintain operations during a disaster. This includes the transfer of personnel to an alternative disaster recovery site and operations of that site.

Continuity of Support Plan – focuses narrowly on the support of specific IT systems and applications. It is also called the IT contingency plan, emphasizing IT over general business support.

Cyber Incident Response Plan (CIRP) – designed to respond to disruptive cyber events, including network-based attacks, worms, computer viruses, Trojan horses, etc.

Business Recovery Plan (BRP) – also known as the business resumption plan, details the steps required to restore normal business operations.

Crisis Communications Plan – used for communicating to staff and the public in the event of a disruptive event. Instructions for notifying the affected members of the organization are an integral part of any BCP/DRP.

Occupant Emergency Plan (OEP) – provides the response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property.

how does the testing work?

IT STARTS WITH THE DISASTER RECOVERY PLAN

The Disaster Recovery Plan must be an actionable prescription for recovery. Writing the plan is not enough, thorough testing is needed. Information systems are in a constant state of flux, with infrastructure, hardware, software, and configuration changes altering the way the DRP needs to be carried out. Testing the details of the DRP will ensure both the initial and continued efficacy of the plan. The tests must be performed on an annual basis as an absolute minimum.

Review – the most basic form of initial DRP testing. It involves simply reading the DRP in its entirety.

Checklist – also referred to as consistency testing, lists all necessary components required for a successful recovery and ensures that they are, or will be, readily available should a disaster occur.

Walkthrough/Tabletop – the goal is to talk through the proposed recovery procedures in a structured manner to determine whether there are any noticeable omissions, gaps, erroneous assumptions, or simply technical missteps that would hinder the recovery process from successfully being carried out.

Simulation (aka Walkthrough Drill) – goes beyond talking about the process and actually has teams carry out the recovery process. The team must respond to a simulated disaster as directed by the DRP.

Parallel Processing – involves the recovery of critical processing components at an alternative computing facility, and then restore data from a previous backup. Regular production systems are not interrupted.

Partial & Complete Interruption – extreme caution should be exercised before attempting an actual interruption test. This test causes the organization to actually stop processing normal business at the primary location and use an alternative computing facility.

What is an Independent Audit Good For?

The audit of Information Security is a comprehensive assessment, which is allowed, in order to assess the current condition of Information Security in the business and to plan timely actions in order to increase the level of security.

The audit of Information Security is conducted when a current necessity of independent assessment of the condition of Information Security is needed.

Why do you need internal audit?

There are a number of reasons to perform internal audits either one-time, ad-hock, or regularly. Some of these may be:

  • If there is a change in the strategy of the company;
  • In case of mergers or acquisitions;
  • When there are significant changes in the organizational structure of the company or change of leadership;
  • When there are new internal or external requirements for Information Security;
  • In the event of significant changes in the business processes and IT infrastructure.

THE RULES OF AUDIT

When performing an internal audit, one needs to take into account and adhere to the following “rules”:

  • Analysis of the organizational and administrative documents of the company;
  • Interviews with employees of the organization: representatives from the business units, the administrators and developers of information systems, professionals in Information Security;
  • Technology for inspection of office space in terms of physical security of the IT infrastructure;
  • Analysis of the configuration settings of hardware and software;
  • Auditing of special hardware (scanners, security analysis, control of the leakage of information, etc.);
  • Penetration testing;
  • Assessment of the knowledge of workers in the field of Information Security.

 

An extra special examination can be made that takes into account the particularities of the audited company. If necessary, in the phase of the study, additional information may be collected, that is needed for the implementation of other projects, which hereinafter will save additional resources for the organization and will help the distribution of its budget.

INDEPENDENT vs. INTERNAL IT AUDIT

Objective – An independent audit is usually performed either due to regulatory requirements or those of third parties wishing to enter in collaborative or supplier relations, an outsourcing partner, for example. Internal audits are usually mandated by management and are more focused on business operations and their continuity.

 

Auditors – An independent audit is carried out by an external team, while internal audits are performed by members of staff. While the independent auditor may provide a more “fair view” of the current state, the internal audit may reflect a business’s proprietary technological and organizational characteristics more closely, with in-depth findings.

 

Reporting – Usually, the independent IT audit will result in the main report being in a format required by auditing standards, with a focus on whether the Information Security claims of the company give a true and fair view and comply with requirements. These reports, whether formal or not, are designed to provide a status snapshot, rather than go into detailed recommendations on how to make things better.

 

Internal audit should produce a tailored report about how the risks and objectives are being managed – with a focus on helping the business move forward. As such, internal audit reports are expected to contain recommendations for improvement of the organization’s Information Security.

Cyber Forensics: Helping You Understand and Recover

Cyber forensics (aka digital forensics) is a branch of forensic science belonging to evidence found in computers, digital storage media, cloud services, and social media. Digital forensics in civil litigation is a growing requirement of courts to ensure evidence is properly preserved, processed, and presented in court. Digital forensic collections, data extraction, and forensic reports are all part of this growing field.

WHY ARE DIGITAL FORENSICS IMPORTANT?

Adding the ability to practice sound computer forensics will:

  • Help you ensure the overall integrity and survivability of your network infrastructure by adding a layer of traceable responsibility and monitor compliance with policies and regulations.
  • Help you capture vital information if your network is compromised and will help you deal with the case internally if the intruder is caught.
  • Help you realize that allocating a greater portion of the information technology budgets for computer and network security will ultimately save your organization money.
  • Help preserve vital evidence or having forensic evidence ruled inadmissible in a court of law.
  • Help your organization comply with new laws that mandate regulatory compliance and assign liability if certain types of data are not adequately protected.

You can help your organization if you consider computer forensics as a new basic element in what is known as a “defense-in-depth”, which is designed on the principle that multiple layers of different types of protection from different vendors provide a substantially better protection approach to network and computer security.

Computer forensics is a relatively new discipline to the courts and many of the existing laws used to prosecute computer-related crimes, legal precedents, and practices related to computer forensics are in a state of flux. Nevertheless, digital forensics can be invaluable in dealing with a rogue or ill-intended employee or ex-employee.

In these cases, having the incriminating information intact and safe from further destruction or obliteration, may prove invaluable in not only dealing with said individual, but in applying recovery measures that could otherwise not be possible at all.

ASPECTS OF THE FORENSIC INVESTIGATION

Technical goal: to identify, collect, preserve, and analyze data in a way that preserves the integrity of the evidence collected so it can be used effectively in a legal case or in internal procedures.

Understanding: those who investigate computers have to understand the kind of potential evidence they are looking for in order to structure their search. Crimes involving a computer can range across the spectrum of criminal activity, from child pornography to theft of personal data to destruction of intellectual property.

Use of tools: the investigator must pick the appropriate tools to use. Files may have been deleted, damaged, or encrypted, and the investigator must be familiar with an array of methods and software to prevent further damage in the recovery process.

Data types: persistent data is the data that is stored on a local hard drive (or another medium) and is preserved when the computer is turned off.

Volatile data: any data that is stored in memory or exists in transit, that will be lost when the computer loses power or is turned off. Volatile data resides in registries, cache, and random access memory (RAM). Since volatile data is ephemeral, it is essential that the investigator knows reliable ways to capture it.

Personnel: System administrators and security personnel must also have a basic understanding of how routine computer and network administrative tasks can affect both the forensic process (the potential admissibility of evidence at court) and the subsequent ability to recover data that may be critical to the identification and analysis of a security incident.

Depending on the needs, a whole range of different investigative actions can be taken to produce relevant forensics data. Below is just an exemplary list of actions and checks that reflects the most common scenarios, and can, of course, be expanded to accommodate other requirements:

  • Active, Archival, and Latent Data;
  • Hashes and Checksums;
  • Conducting Keyword Searches;
  • Creating Understandable and Accurate Reports;
  • Creating Forensically Sound Working Copies or Images of Media;
  • Common File Header Formats;
  • Documentation, Chain of Custody, and Evidence Handling Procedures;
  • Assisting with Motions (i.e., Compel Production of HDD’s, Logs, etc.);
  • Questions to Prepare for/Advising Your Retaining Counsel;
  • FAT 12/16/32 File Systems;
  • File Slack, Ram Slack, Drive Slack, and Unallocated Space;
  • NTFS File Systems;
  • Compact Disc Analysis;
  • Interpretation of Various Log Formats;
  • Interpreting Internet History and HTTP concepts;
  • Manual and Automated Data Recovery;
  • Metadata for Microsoft Office and PDF documents;
  • Overcoming Encryption Mechanisms And Password Protection;
  • PC Hardware Concepts;
  • Privacy Issues;
  • Rules of Evidence;
  • Windows Print Spool Files;
  • Windows Registry;
  • Windows Shortcuts;
  • Windows Swap File;
  • Working as an Expert Technical Witness;
  • Insurance/Liability Issues;
  • Viruses and Malware.