Develop Policies for an All-round Approach to Information Security

Taking risks is something we do every single minute, sometimes without even realizing it. A risk may be something as small as talking to somebody, let alone major decision-making or something life-defining. Taking risks also relates heavily to IT security, and therefore a countermeasure is required – a policy.

Information Security Policies are an important administrative security control designed to avoid, counteract, or minimize IT security risks. They are an integral and inseparable part of the multitude of possible security controls, without which one cannot claim an effective implementation of any meaningful security actions. Organizations need Security Policies, Standards, and Procedures to enforce Information Security in a structured way.

Defining corporate security policies, basing them on industry standards, measuring compliance, and using outsourced services are the keys to successful policy management.

THE RULES OF POLICIES DEVELOPMENT

Security policy and supporting documents must be not only developed but also implemented. The execution of all documents must be ensured.

A clear and understandable procedure should be developed and implemented for applying sanctions to those who fail to comply with the policy, so that staff know not only what is expected of them but also what the consequences of non-compliance are.

Policy – the Information Security Policy is a comprehensive statement made by the company’s senior management, indicating the role of security in the organization. The Policy is independent of technology and solutions. It outlines the purpose and mission of security and achieves tasks such as defining the assets considered valuable, empowering the security group and its activities, serving as a basis in the process of security-related conflict resolution, capturing the goals and objectives relating to safety, outlining the personal responsibility of staff members, helping prevent unexplained events, defining the boundaries and functions of the security group, etc.

Standards – mandatory actions or rules. Standards help, support, and develop policies in certain areas. Standards may be internal or external (e.g. legislation). Standards can, for example, indicate how to use the software and hardware or how to deal with users. They can ensure the uniformity of technologies, applications, settings, and procedures throughout the company.

Procedures – detailed step-by-step descriptions of tasks performed to achieve a certain goal. Steps can be performed by users, IT professionals, security personnel, and other staff members dealing with specific tasks.

Procedures occupy the lowest level in the chain of policies, as they relate to computers and users, describe concrete steps, and thereby determine how the policies will actually be implemented in the production environment. Procedures should be detailed enough to be understandable and useful.


Guidelines – describe the recommended actions and operating instructions for users, IT professionals, and other staff members, when the appropriate Standards do not apply. Recommendations may relate to technological methods, personnel, or physical security. Recommendations, as opposed to mandatory enforcement of strict Standards, show the basic approach of having some flexibility in unforeseen circumstances.

Baselines – uniform ways of implementing a given safeguard. The system must meet the baseline described by benchmarks. Baselines are discretionary; it is acceptable to implement a safeguard without following the benchmarks, as long as the implementation provides a level of security at least as high as if the benchmarks had been used.

THE INFORMATION SECURITY POLICY FRAMEWORK

Each document listed above has a different target audience within the business and therefore they should never be combined into one document. Instead, there should be several documents that together form the concept of an Information Security Policy framework.

This framework is illustrated in the diagram above, with each level of the framework supporting the levels above it. Some small organizations tend to define Security Policies from the bottom up, starting with the capabilities of the tools at hand. Medium and large enterprises know that sound Security Policy development begins from the top down.

HOW TO START WITH THE DEVELOPMENT OF POLICIES

Practice shows that without top management’s participation and visionary input, Information Security Policies Development is practically impossible.

Any endeavor in Information Security must, at the very least, be fully supported by top management. Ideally, the company’s senior management will initiate the changes in strategy and will be actively involved in the Information Security Policy development process.

No matter how talented and prepared the Information Security person you hire is, they will not be able to effect the necessary changes on their own.

Top management must be involved in the entire program development in order to ensure comprehensiveness, full compliance by staff, and sanctioning for non-compliance – it is only effective when supervised and executed under an autocratic approach.

CISO-for-Hire?

The CISO (Chief Information Security Officer) is the one person in an organization who bears the primary responsibility for IT asset security and for the strategy, planning, and implementation of security measures and initiatives. The CISO’s main responsibility is to always stay in sync with, and know how to respond to, all possible risks associated with cybersecurity. Furthermore, the CISO takes care of all regulatory and operational compliance requirements so that all relevant standards and regulations are addressed properly and in a timely fashion.

WHY DO YOU NEED ONE?

The CISO is a useful function to have in your organization, especially today, with all the dynamics we see in the cyber threat landscape. With a CISO you will be able to:

  • Achieve an improved overall security posture;
  • Be better prepared for what may come;
  • Reach business KPIs more easily;
  • Have security and compliance addressed properly at all times, for new projects as well as existing ones;
  • Benefit from all engagements related to risk management, as well as from any security or operational endeavors;
  • Decrease the impact of risks associated with the nature of your business;
  • Keep your business updated with all relevant regulations and compliance or other requirements.

WHY WOULD YOU RENT YOUR CISO?

Finding, recruiting, and keeping on the payroll your very own, full-time, dedicated, and talented CISO is not always possible for a number of reasons. Sometimes, it works out to be more cost-effective to hire a CISO from an outside organization. How can that be? Let’s look at some scenarios:

  • Your business is small or mid-sized and a cost-effective alternative to hiring is welcome;
  • You may need a security expert only temporarily, say for a specific project, or if you have upcoming audits and compliance engagements;
  • You may be searching already for your own specialist to hire and want to have someone tide you over in the meantime;
  • Your specialist may be on vacation or extended leave and, again, you don’t want to be without an IT security specialist by your side.

WHAT TO EXPECT AND WHAT TO LOOK FOR IN YOUR HIRED CISO

The company you want to rent your CISO from must prove they can deliver experienced practitioners to act as your hired CISO. Ask for company and personal certifications and qualifications. Furthermore, this person must be able to integrate seamlessly into your business and, well, extend it, or at least not hinder it. The security presence you need should help you bear the brunt by reducing cyber risks and avoiding IT incidents. The service must provide at least the following:

  • Proactive monitoring, adapting, and forecasting of your own risk management engagements;
  • Management of all security incidents;
  • Information security audit assistance and management;
  • Training and re-training of your staff;
  • Consulting on business and IT process management;
  • Regular on-site hours spent with your team;
  • Availability through email and phone when off-site;
  • Attendance at and assistance in management meetings when needed;
  • Regular reporting to your management, or reporting on a need-to-have basis.

The company you hire your CISO from must form a business partnership with you to drive your IT security strategy forward through one or several consultants who should be:

  • Profoundly and broadly knowledgeable, with certified expertise, experience, and professional qualifications in IT Security that at least match, and ideally surpass, those of any single CISO or security manager;
  • Equipped with a varied set of skills beyond professional qualifications, including multi-tasking, leadership, swift and clear communication, soft skills, fast reaction, and on-boarding of new security technologies;
  • Passionate about what they do and about your satisfaction;
  • Ready to act and consider themselves as your own employees;
  • Skilled in creative thinking and problem-solving.

HOW DOES IT HAPPEN?

The process of on-boarding and “living” with your newly hired CISO usually looks something like the diagram below. Depending on your specifics, the process should be adaptable so that it fits you closely and is as beneficial to you as possible:


COST-EFFICIENCY

Based on an initial and ongoing risk assessment, the company providing the CISO should offer flexible, tailored pricing, so you can achieve your goals in information security and, at the same time, achieve cost-effectiveness and feasibility. The service ideology should be based on affordability with a maximized value-for-money approach.

Depending on your company’s needs for on-site and off-site presence, the complexity of one-time or ongoing projects, and internal and external audit needs and requirements, the provider should devise the most cost-effective plan to make sure your information security projects are adequately staffed.

What is a Corporate Anti-Virus System Good for?

Antivirus or anti-virus software (AV), sometimes also referred to as anti-malware software, is developed to detect, remove, and prevent the proliferation of malicious code.

The consequences of a malware infection in a corporate environment vary widely – from loss of valuable information and theft of confidential information, through sending unsolicited emails and spam, to unauthorized remote access to computers and malicious attacks on servers.

ENDPOINT SECURITY

The most commonly used product for endpoint security is antivirus software. Many of today’s integrated endpoint security offerings have evolved over time from the initial development of antivirus software. Anti-virus products are often ridiculed for their continued inability to stop the spread of malicious software.

Unfortunately, there is no perfect remedy or elixir to stop malware, so antivirus products will still be necessary, though insufficient. Antivirus software is a single layer (of many) for defense-in-depth endpoint protection.

HOW DOES ANTI-VIRUS SOFTWARE WORK?

Although antivirus vendors often employ heuristic or statistical methods for malware detection, the predominant means of detecting malware is still signature-based. Such approaches require that a malware specimen be available to the antivirus vendor for the creation of a signature. This is an example of application blacklisting. For rapidly changing malware, or malware that has not been previously encountered, signature-based detection is much less successful.
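The difference between the two detection styles described above, as an added illustration (not any vendor's engine): a blacklist of a whole-file hash and a byte pattern built from a known specimen, beside a statistical heuristic (byte entropy) that needs no specimen. All samples, signature names, and the 7.0 entropy threshold are constructed assumptions.

```python
"""Signature (blacklist) detection versus a statistical heuristic.
Constructed example: the 'specimen' and 'variants' are harmless byte strings."""
from __future__ import annotations

import hashlib
import math
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Signature:
    name: str
    sha256: Optional[str] = None          # whole-file hash of a known specimen
    pattern: Optional[re.Pattern] = None  # byte pattern; '.' is a wildcard byte


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a specimen the vendor has in hand.
KNOWN_SPECIMEN = (b"MZ" + b"\x00" * 6
                  + b"CONSTRUCTED-TEST-PAYLOAD-\x01\x02\x03\x04"
                  + b"\x00" * 8)

# Constructed signature database derived from that one specimen.
SIGNATURES = [
    Signature("Constructed.A.hash", sha256=sha256_hex(KNOWN_SPECIMEN)),
    Signature("Constructed.A.pattern",
              pattern=re.compile(rb"CONSTRUCTED-TEST-PAYLOAD-\x01\x02.\x04", re.DOTALL)),
]


def signature_scan(data: bytes, sigs=SIGNATURES) -> list[str]:
    """Blacklist check: return the names of all signatures matching the data."""
    digest = sha256_hex(data)
    hits = []
    for sig in sigs:
        if sig.sha256 is not None and sig.sha256 == digest:
            hits.append(sig.name)
        elif sig.pattern is not None and sig.pattern.search(data):
            hits.append(sig.name)
    return hits


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for a uniform byte distribution)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def heuristic_scan(data: bytes, entropy_threshold: float = 7.0) -> list[str]:
    """Statistical heuristic: an executable-looking file whose bytes are almost uniformly
    distributed is probably packed or encrypted, which is worth flagging even when no
    signature exists. The threshold is an assumption for this example."""
    findings = []
    if data.startswith(b"MZ") and shannon_entropy(data) > entropy_threshold:
        findings.append("Heuristic.HighEntropyExecutable")
    return findings


def scan(data: bytes) -> dict:
    sig_hits = signature_scan(data)
    heur_hits = heuristic_scan(data)
    return {"signature_hits": sig_hits, "heuristic_hits": heur_hits,
            "malicious": bool(sig_hits or heur_hits)}


# Constructed variants: one byte changed at the wildcard position (hash no longer
# matches, pattern still does) and a never-seen 'packed' sample (4 KiB of
# deterministic pseudo-random bytes after the header) that only the heuristic catches.
VARIANT_ONE_BYTE = KNOWN_SPECIMEN.replace(b"\x01\x02\x03\x04", b"\x01\x02\xff\x04")
UNKNOWN_PACKED = b"MZ" + b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

if __name__ == "__main__":
    for label, sample in [("specimen", KNOWN_SPECIMEN), ("variant", VARIANT_ONE_BYTE),
                          ("unknown packed", UNKNOWN_PACKED)]:
        print(label, scan(sample))
```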

MALWARE AND ITS MANY FACES


To start with, antivirus software was designed to primarily detect and remove computer viruses, and that’s where it got its name. With the invention and proliferation of many other types of malware, antivirus products have begun providing protection from other computer threats. Modern antivirus software can protect from malicious Browser Helper Objects, browser hijackers, ransomware, keyloggers, backdoors, rootkits, Trojans, worms, dialers, adware, and spyware.

IMPLEMENTATION OF ANTIVIRUS

Integrating comprehensive antivirus protection provides:

  • Control of all possible intrusion channels for viruses – email, HTTP, FTP, external storage media (floppy, CD, DVD, flash cards, etc.), file servers;
  • Protection against various types of threats – viruses, network and email “worms”, “Trojan horses”, unwanted programs (spyware, adware, etc.);
  • Scanning at the Internet gateway, in addition to endpoint devices (servers, workstations), so traffic is scanned before reaching the network;
  • Continuous monitoring and periodic anti-virus scans of all servers and workstations;
  • Automatic notification when an “infection” or “treatment” of viruses has occurred;
  • Protection of mobile devices, etc.;
  • Centralized management and software update distribution, through a corporate antivirus system.

TIPS WHEN LOOKING FOR A VENDOR

Today’s organizations require a comprehensive, multi-layer, defense-in-depth security strategy to successfully address malware-related issues. A successful antivirus installation will help protect assets and endpoint devices against targeted attacks, prevent data loss and theft, address security policies, and protect vital company information.

Deploying the best antivirus is usually not enough. It must go hand in hand with other controls that ensure the organization is comprehensively protected. As part of building corporate anti-virus protection, look for vendors that offer a range of services, whose scope varies with the needs of the client and may include:

  • Preparation of proposals for the selection decision, so the customer is protected against risks related to compatibility, system scalability, additional hardware capacity, etc.;
  • Deployment of the solution on a limited segment as a “pilot”, thus reducing the risks of the full customer implementation by using the pilot’s results;
  • Preparation of instructions and guidelines for further roll-out on the basis of the results of the limited-segment deployment;
  • Installation and configuration of a complete solution;
  • Standardization of requirements for the anti-virus protection system with respect to installation, configuration, and operation of its components;
  • Development of instructional (operating) system documents for administrators and users;
  • Development of custom policies;
  • Conducting internal workshops in order to educate all participants.

Who Needs Strategy Development in IT and Information Security?

As with just about anything, an IT infrastructure also requires a well-thought-out strategy. The purpose of such a strategy is to give management the information to make informed decisions on security investments. The strategy bridges the security function and the business direction.

The Information Security strategy of an organization is the direction or the approach taken to meet one or more objectives related to the secure behavior of that organization. The strategy is realized through initiatives, where each represents an operational plan that achieves one or more security objectives, with the goal to collectively achieve all of them.

WHY IS STRATEGY DEVELOPMENT NECESSARY?

Just as hackers and criminals never sleep, the Information Security Officer in your organization must regard Information Security not as a product, but as a process: constantly evolving, adapting, and putting up defenses against new and emerging threats of security breaches. A plan – written, implemented, and then locked away in a drawer – will only do good for a while. Until things change. Again.

Staying flexible, responsive, and pro-active requires a strategy that is deeply rooted in corporate culture, reflects an educated approach to risk assessment, balances compliance against practicality, and above all is a perfect fit for you and your business only.

ALWAYS KEEP IN MIND THE FOLLOWING:

This is a management issue: IT staff can’t and must not decide what’s important, who needs to protect it, what’s acceptable behavior from employees, and what the penalties are for non-compliance. Things to remember:

  • It’s not going to go away: putting up a firewall doesn’t make threats go away – you need a plan that is maintained and evolves.
  • IT budget will not pay for this: find the right angle to “sell” and get funding support.
  • Be ready to show results from what gets spent. Show progress. Show numbers. Tell real stories.

STATUS & FACTORS TO CONSIDER WHEN BUILDING A STRATEGY

An Information Security strategy provides an organization with a road map for information and information infrastructure protection with goals and objectives that ensure capabilities provided are aligned to business goals and the organization’s risk profile.

Information Security requires its own independent strategy to ensure its ability to appropriately support business goals and to mature and evolve effectively. A multi-phased approach to developing a strategy is often most effective and provides recognizable results and value to an organization.

PHASES IN THE STRATEGY DEVELOPMENT

BUSINESS AWARENESS

  • Understand the organization’s current business conditions;
  • Consider the organization’s risk profile and appetite;

STRATEGY DEFINITION

  • Include a prescriptive annual plan followed by a rolling three-year plan;
  • Clearly identify the point of arrival for capabilities based on management guidance and input;
  • Ensure the availability and capability of necessary staff for the strategy execution;
  • Gain an understanding of the organization’s culture to ensure an appropriate plan for adoption;

STRATEGY DEVELOPMENT

  • Define the governance model and functional inventory of capabilities and services;
  • Consider whether the strategy will include operational components or will act as a consultative element within the organization;
  • Determine the reporting structure;
  • Consider the staff and competency requirements necessary to successfully implement and operate the strategy;
  • Consider the risks of sourcing and ensure appropriate oversight by internal staff;

METRIC & BENCHMARKING

  • Ensure alignment with industry standards and guidelines;
  • Use a reliable assessment methodology, such as the Capability Maturity Model (CMM);
  • Use Key Performance Indicators (KPI) to measure the effectiveness of the functions and capabilities developed through the strategy;

IMPLEMENTATION & OPERATION

  • Take global considerations into account;
  • Determine how compliant the organization wants or needs to be;
  • Determine consequences of not conforming to policies and requirements;
  • Utilize an oversight board as part of the operational model for the strategy;
  • Ensure that appropriate communication is occurring between the Information Security group and the supporting business functions;
  • Ensure cultural awareness regarding how information protection activities are viewed within the organization.

TIPS FOR CHOOSING THE RIGHT STRATEGY DEVELOPMENT TEAM

Without a defined and developed strategy, an organization’s security capabilities will continue to be viewed negatively and will have limited benefits or negligible positive impact.

Developing a strategy is a critical element in the maturation of Information Security capabilities.

If the goal of the security group is to be business-aligned, then its strategy must be developed with this goal in mind.

When an effective strategy is developed and implemented, security will become a key benefit to the organization, and its value will be easily understood through the reduction of security incidents as well as the effort and costs associated with information protection.

The true measure of success for a well-developed and implemented strategy can be found in the impressions and actions of the constituency that it serves. When they utilize security capabilities during key decision-making activities and consult with the security group on a regular basis, success can be achieved. If they continue to fear and avoid Information Security and its capabilities until it is absolutely necessary to engage, the strategy needs to be changed.

Can DLP Solve Leakage Problems?

Information security has many faces and comes with a lot of bells and whistles. We have the SIEMs, the IDSs and IPSs, and of course the DLPs.

As some of you may know, DLP (Data Loss Prevention) is an information traffic control mechanism in the information system of an enterprise. The main objective of DLP systems is to prevent the transmission of confidential information outside of the information system. Such transfers, often called leakages, can be both intentional and unintentional.

Practice shows that most known leaks (about 3/4) are caused not by malicious intent but by errors, carelessness, or negligence on the part of employees. The rest of the leaks are associated with malicious actors and users of the information systems. Understandably, insiders usually try to circumvent DLP systems. The outcome of this effort depends on many factors and it is impossible to guarantee success, but the risks can be greatly minimized. DLP is necessary because there is a lot of data whose unauthorized diversion could cause significant damage to the organization.

The size of the damage is not always directly measurable or fully foreseeable in advance. However, in most cases, considering even the basic consequences is sufficient to realize the danger posed by leaks.

For example: the release of top-secret information or copies of original documents to the press or other “inconvenient” bodies, the cost of PR and of the subsequent decisions needed to fix problems caused by the leakage, reduced trust and the outflow of partners and customers, problems with competitors, leakage of schemes, technology, know-how, and more.

HOW TO SCOPE A DLP INTEGRATION?

This is a complex task with numerous things to take into consideration. Beyond being a technical system for protecting information from leaks, the DLP system has a scope that goes beyond just monitoring and blocking users’ actions with protected information. The modern DLP system is also a tool that allows you to control the exchange of information, the use of information in the company’s electronic files, and other “useful” areas, such as:

  • Control over the sharing not only of confidential information but also of other information of interest (libel, spam, excessive amounts of data, etc.), control over the level of business ethics, etc.;
  • Tracking the loyalty of employees, their political attitudes and beliefs, gathering compromising information, tracking any single interest or suspicious object;
  • Early identification of brain drain: timely identification of actions aimed at finding a job or changing career, such as the exchange of electronic messages containing employee information (resumes) with external employers, or visiting job-search sites. Thus you can monitor employee satisfaction and employer and labor conditions more efficiently and in a shorter time, in order to take corrective action;
  • Monitoring the misuse of corporate resources and employee time – regular monitoring of the storage and use of non-work files (audio, video, photos, etc.) and of the use of communication channels (e-mail, Internet, instant messaging) for improper information exchange.

HOW IS IT DONE?

Integrating a DLP, as some of you may already know, is a complicated matter. The main tasks of a DLP are the monitoring and prevention of a number of data transmission events, such as:

  • Transmission of protected information by email (SMTP, including SSL);
  • Transmission of unencrypted data on the Internet (FTP, HTTP, web-mail, chat);
  • Transmission of encryption-protected information on the Internet (HTTPS, SFTP, SCP (SSH), etc.);
  • Transmission of protected information using instant messengers (ICQ, Jabber, Skype, WebEx Connect, QIP, etc.);
  • Copying of protected information to removable media (USB drives, CD/DVD, flash media, etc.) and mobile devices (smartphones, iPhone, iPad);
  • Printing of documents that contain protected information (monitoring and/or blocking printing on local, network, and virtual printers) and copying of such data;
  • Control over user access to documents containing protected information (logging);
  • Archiving of all transmitted information;
  • Monitoring of user search activities;
  • Controlled data transfers between servers and workstations;
  • Monitoring of all storage on network shares (shared folders, workflow systems, databases, e-mail archives, etc.).

DLP IS NOT JUST FOR THE BIG FISH


It is believed that the introduction of a DLP system is justified only when the organization has reached a very high level of maturity in its workflows. In particular, it has developed and implemented policies for handling confidential information, has compiled a matrix of its constituent data, has defined role-based access to different kinds of information, etc.

Of course, the presence of all these mechanisms makes the use of the DLP system more efficient, but the full implementation of the policy for handling confidential information involves substantial elaboration.

However, for starters, a simpler and very useful approach is to highlight the most critical areas.

In this case, we are not trying to build an overall picture of handling all types of sensitive data; instead, we designate several repositories of documents intended solely for use within the organization. The system scans all documents held within these repositories (with some regularity) and then flags any attempt to move the protected information outside the organization.
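The repository-based approach just described, as an added illustration written for this page (not a DLP product's code): every 4-word shingle of each internal-only document is fingerprinted during a periodic rescan, and an outbound message is blocked when enough of its shingles match one document, so that a stray common phrase does not trigger a false positive. The documents, messages, shingle length, and threshold are all constructed assumptions.

```python
"""Simplified repository-scanning DLP check with constructed sample data."""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict

SHINGLE_WORDS = 4          # assumed shingle length, in words
MIN_MATCHING_SHINGLES = 3  # assumed per-document threshold for blocking


def normalize(text: str) -> list[str]:
    """Lower-case alphanumeric tokens, so case and punctuation changes do not matter."""
    return re.findall(r"[a-z0-9]+", text.lower())


def shingles(words: list[str], k: int = SHINGLE_WORDS):
    """Yield every run of k consecutive words."""
    for i in range(len(words) - k + 1):
        yield " ".join(words[i:i + k])


def fingerprint(shingle: str) -> str:
    # Truncated SHA-256: the index holds fingerprints, not the protected text itself.
    return hashlib.sha256(shingle.encode("utf-8")).hexdigest()[:16]


class ProtectedRepository:
    """Fingerprint index built from the internal-only document repositories."""

    def __init__(self) -> None:
        self.index: dict[str, set[str]] = defaultdict(set)

    def rescan(self, documents: dict[str, str]) -> int:
        """Rebuild the index from the current repository contents; run periodically."""
        self.index.clear()
        for doc_id, text in documents.items():
            for s in shingles(normalize(text)):
                self.index[fingerprint(s)].add(doc_id)
        return len(self.index)

    def check_outbound(self, text: str, threshold: int = MIN_MATCHING_SHINGLES) -> dict:
        """Count matching shingles per protected document and decide whether to block."""
        counts: dict[str, int] = defaultdict(int)
        for s in shingles(normalize(text)):
            for doc_id in self.index.get(fingerprint(s), ()):
                counts[doc_id] += 1
        flagged = {d: c for d, c in counts.items() if c >= threshold}
        return {"block": bool(flagged), "flagged": flagged, "matches": dict(counts)}


# Constructed internal-only documents.
PROTECTED_DOCS = {
    "q3-pricing": ("The board approved a confidential discount of twenty percent for the "
                   "northern region partners, effective from the first of October, pending "
                   "legal review of the revised framework agreement."),
    "outage-report": ("After the March outage the backup server was found to use an expired "
                      "service account password; the account was rotated and the monitoring "
                      "alerts were tuned accordingly."),
}

# Constructed outbound messages: a pasted excerpt, and an ordinary mail that shares
# only the phrase "the first of October" with a protected document.
LEAK_MESSAGE = ("Hi Tom, FYI: the board approved a confidential discount of twenty percent "
                "for the northern region partners, effective from the first of October. "
                "Don't share this further.")
BENIGN_MESSAGE = ("Hi all, the board meeting is moved to the first of October. "
                  "Please review the agenda.")

REPO = ProtectedRepository()
REPO.rescan(PROTECTED_DOCS)

if __name__ == "__main__":
    for label, msg in [("leak", LEAK_MESSAGE), ("benign", BENIGN_MESSAGE)]:
        print(label, REPO.check_outbound(msg))
```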

THE 2 WAYS TO SOLVE THE PROBLEM

As with almost anything, there are multiple ways to tackle an issue. With DLPs, we have two basic approaches.

THE RIGHT WAY…

Through an integrated approach. There are companies that have specialized in these technical solutions for years. Costs are about $200-500 per workstation for implementation, and in the order of $20-50 per year per license.

This approach, of course, solves the problem more efficiently, enables integration, or future integration, with other systems such as SIEM, RMS, ERP, etc., and guarantees compliance with international information security standards.

THE WRONG WAY…

Trying to use free or low-priced products from multiple vendors that do not solve the problem comprehensively but only close certain communication channels.

As a result, we obtain a limited solution that works in principle over some channels and sometimes even solves the problem. However, the data is neither structured nor consolidated, efficiency is very seriously affected, and there may be serious problems with scalability. Companies using this approach are eventually forced into an integrated approach.

DLPs are sometimes required in certain certification engagements. You may find yourself looking for a DLP when becoming compliant with the GDPR or under ISO 27001.