"Security is a process, not a product."
Bruce Schneier

7Security welcomes a new Qualified Security Assessor

At 7Security, we believe every success should be celebrated – from completing yet another successful project or hearing good news from our clients… to, in this case, having the pleasure of calling one of our colleagues a Qualified Security Assessor for the first time!

Yasen Georgiev, who joined us earlier this year as Information Security Auditor, recently earned the QSA title, and we could not be happier for him. Yasen is now officially part of our QSA team and will be working closely with fintechs, helping them maintain their PCI DSS compliance.

‘PCI DSS is a unique standard’, shared Yasen, ‘it’s not fully technical; there are many controls related to people – the way employees implement and follow their security policies. I find the human factor here very intriguing. What also thrills me is not just assessing a company’s compliance with the standard but seeing various architectures and solutions in the process. I especially enjoy the consulting part of my role – sharing my know-how and providing support where needed. It’s great to offer the client an angle they haven’t thought about that ends up saving them costs and effort in managing their PCI environment. It’s my personal contribution to the fintech industry.’

‘I can’t say becoming a QSA was an easy journey’, added Yasen, ‘It had its challenges, but throughout the whole process, I felt supported by my colleagues at 7Security, and I learned a lot from them and the PCI Council training. At 7Security, we are adept in cloud technologies and the ways they simplify compliance, especially for startups who are going through their first PCI DSS. I feel lucky to be working next to people with such vast experience and interests in modern cloud solutions. Here, I can put my skills to good use, but I am also challenged daily to learn and grow.’

We wish Yasen many exciting projects. We are confident we will have plenty of occasions to share more success stories about him in the future.

The Role and Purpose of Training & Awareness in Information Security

WHERE IS YOUR ORGANIZATION?

Do not be alarmed to find out your organization is somewhere in the first couple of levels on the diagram below. Awareness is the first step, and you have much to gain by simply educating your personnel or just yourself.


WHY IS AWARENESS & TRAINING IMPORTANT?

Enterprises and organizations cannot protect the confidentiality, integrity, and availability of information in today’s highly networked systems environment without ensuring that all people involved in using and managing IT:

  • Understand their roles and responsibilities related to the organizational mission;
  • Understand the organization’s IT security policy, procedures, and practices;
  • Have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible.

As cited in audit reports, periodicals, conference presentations, and various other media, it is generally understood by the IT security professional community that people are one of the weakest links in attempts to secure systems and networks.

The “human factor” – not technology – is key to providing an adequate and appropriate level of security. If people are the key but are also a weak link, more and better attention must be paid to this “asset”.

A robust, enterprise-wide awareness and training program is paramount for ensuring that people understand their IT security responsibilities, organizational policies, and how to properly use and protect the IT resources entrusted to them.

DETERMINING THE NEEDS

A needs assessment is a process that can be used to determine an organization’s awareness and training needs. The results of a needs assessment can convince management to allocate adequate resources to meet the identified awareness and training needs.

In conducting a needs assessment, it is important that key personnel are involved. As a minimum, the following roles should be addressed in terms of any special training needs:

Executive Management – organizational leaders need to fully understand directives and laws that form the basis for the security program. They also need to comprehend their leadership roles in ensuring full compliance by users within their units.

Security Personnel (security program managers and security officers) – these individuals act as expert consultants for their organization and therefore must be well educated on security policy and accepted best practices.

System Owners – owners must have a broad understanding of security policy and a high degree of understanding regarding security controls and requirements applicable to the systems they manage.

System Administrators and IT Support Personnel – entrusted with a high degree of authority over support operations critical to a successful security program, these individuals need a higher degree of technical knowledge in effective security practices and implementation.

Operational Managers and System Users – these individuals need a high degree of security awareness and training on security controls and rules of behavior for systems they use to conduct business operations.

A variety of sources of information in an agency can be used to determine IT security awareness and training needs, and there are different ways to collect that information. Below is a sample list that suggests techniques for gathering information as part of a needs assessment:

  • Interviews with all key groups and organizations identified;
  • Organizational surveys;
  • Review and assessment of available resource material, such as current awareness and training material, training schedules, and lists of attendees;
  • Analysis of metrics related to awareness and training (e.g., percentage of users completing required awareness sessions, percentage of users with significant security responsibilities who have been trained in role-specific material);
  • Review of security plans for general support systems and major applications to identify system and application owners and appointed security representatives;
  • Review of system inventory and application user ID databases to determine all who have access;
  • Review of any findings and/or recommendations from oversight bodies (e.g., Congressional inquiry, inspector general, internal review/audit, and internal controls program) or program reviews regarding the IT security program;
  • Conversations and interviews with management, owners of general support systems and major applications, and other organization staff whose business functions rely on IT;
  • Analysis of events (such as denial of service attacks, website defacements, hijacking of systems used in subsequent attacks, successful virus attacks) that might indicate the need for training (or additional training) of specific groups of people;
  • Review when technical or infrastructure changes are made;
  • The study of trends first identified in industry, academic, or government publications or by training/education organizations. The use of these “early warning systems” can provide insight into an issue within the organization that has yet to be seen as a problem.

THE INFORMATION SECURITY LEARNING CONTINUUM


Learning is a continuum; it starts with awareness, builds to training, and evolves into education. Security awareness efforts are designed to change behavior or reinforce good security practices.

Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.

Training strives to produce relevant and needed security skills and competencies.

Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and strives to produce IT security specialists and professionals capable of vision and response.

Develop Policies for an All-round Approach to Information Security

Taking risks is something we do every single minute, sometimes without even realizing it. A risk may be involved in something as small as talking to somebody, let alone in major or life-defining decisions. Risk is just as present in IT security, and therefore a countermeasure is required: a policy.

Information Security Policies are an important administrative security control designed to avoid, counteract or minimize IT security risks. They are an integral and inseparable part of the multitude of possible security controls, without which one cannot claim an effective implementation of any meaningful security actions. Organizations need Security Policy, Standards, and Procedures to enforce Information Security in a structured way.

Defining corporate security policies, basing them on industry standards, measuring compliance, and making use of outsourced services where appropriate are the keys to successful policy management.

THE RULES OF POLICIES DEVELOPMENT

Security policy and its supporting documents must not only be developed but also implemented; compliance with every document must be enforced.

A clear and understandable procedure should be developed and implemented for applying sanctions to those who fail to comply with the policy, so that staff know not only what is expected of them but also the consequences of non-compliance.

Policy – the Information Security Policy is a comprehensive statement made by the company’s senior management, indicating the role of security in the organization. The Policy is independent of any particular technology or solution. It outlines the purpose and mission of security and achieves tasks such as defining the assets considered valuable, empowering the security group and its activities, serving as a basis for resolving security-related conflicts, capturing the goals and objectives relating to security, outlining the personal responsibility of staff members, helping prevent unexplained events, defining the boundaries and functions of the security group, etc.

Standards – mandatory actions or rules. Standards help, support, and develop policies in certain areas. Standards may be internal or external (e.g. legislation). Standards can, for example, indicate how software and hardware are to be used or how to deal with users. They ensure the uniformity of technologies, applications, settings, and procedures throughout the company.

Procedures – detailed step-by-step descriptions of tasks performed to achieve a certain goal. Steps can be performed by users, IT professionals, security personnel, and other staff members dealing with specific tasks.

Procedures occupy the lowest level in the chain of policies: they relate directly to computers and users, describe concrete steps, and spell out how the policies will actually be implemented in the production environment. Procedures should be detailed enough to be understandable and useful.

Guidelines – describe the recommended actions and operating instructions for users, IT professionals, and other staff members when the appropriate Standards do not apply. Recommendations may relate to technological methods, personnel, or physical security. Recommendations, as opposed to the mandatory enforcement of strict Standards, allow some flexibility in unforeseen circumstances.

Baselines – uniform ways of implementing a given safeguard. The system must meet the baseline described by benchmarks. Baselines are discretionary; it is acceptable to implement a safeguard without following the benchmarks, as long as the implementation provides a level of security at least equal to that achieved by following them.

THE INFORMATION SECURITY POLICY FRAMEWORK

Each document listed above has a different target audience within the business and therefore they should never be combined into one document. Instead, there should be several documents that together form the concept of an Information Security Policy framework.

This framework is illustrated in the diagram above, with each level of the framework supporting the levels above it. Some small organizations tend to define Security Policies from the bottom up, starting with the capabilities of the tools at hand. Medium and large enterprises know that sound Security Policy development begins from the top down.

HOW TO START WITH THE DEVELOPMENT OF POLICIES

Practice shows that without top management’s participation and visionary input, Information Security Policies Development is practically impossible.

Any endeavor in Information Security must, at the very least, be fully supported by top management. Ideally, the company’s senior management will initiate the changes in strategy and be actively involved in the Information Security Policy development process.

No matter how talented and well-prepared the Information Security person you hire is, without that support they will not be able to effect the necessary changes.

Top management must be involved in the entire program development in order to ensure comprehensiveness, full compliance by staff, and sanctions for non-compliance; the program is only effective when supervised and executed under an autocratic approach.

CISO-for-Hire?

The CISO (Chief Information Security Officer) is the one person in an organization who bears the primary responsibility for IT asset security and for the strategy, planning, and implementation of security measures and initiatives. The CISO must always be aware of, and know how to respond to, all possible risks associated with cybersecurity. Furthermore, the CISO takes care of all regulatory and operational compliance requirements so that all relevant standards and regulations are addressed properly and in a timely fashion.

WHY DO YOU NEED ONE?

The CISO is a useful function to have in your organization, especially today, with all the dynamics we see in the cyber threat landscape. With a CISO you will be able to:

  • Achieve an improved overall security posture;
  • Be better prepared for what may come;
  • Reach business KPIs more easily;
  • Have security and compliance addressed properly at all times, for new projects as well as existing ones;
  • Benefit from risk management engagements as well as from any security or operational endeavors;
  • Decrease the impact of risks associated with the nature of your business;
  • Keep your business updated with all relevant regulations and compliance or other requirements.

WHY WOULD YOU RENT YOUR CISO?

Finding, recruiting, and keeping on the payroll your very own, full-time, dedicated, and talented CISO is not always possible for a number of reasons. Sometimes, it works out to be more cost-effective to hire a CISO from an outside organization. How can that be? Let’s look at some scenarios:

  • Your business is small or mid-sized and a cost-effective alternative to hiring is welcome;
  • You may need a security expert only temporarily, say for a specific project, or if you have upcoming audits and compliance engagements;
  • You may be searching already for your own specialist to hire and want to have someone tide you over in the meantime;
  • Your specialist may be on vacation or extended leave and, again, you don’t want to be without an IT security specialist by your side.

WHAT TO EXPECT AND WHAT TO LOOK FOR IN YOUR HIRED CISO

The company you want to rent your CISO from must prove they can deliver experienced practitioners to act as your hired CISO. Ask for company and personal certifications and qualifications. Furthermore, this person must be able to integrate seamlessly into your business and extend it, or at the very least not hinder it. The security presence you need should help you bear the brunt by reducing cyber risks and avoiding IT incidents. The service must provide at least the following:

  • Proactive monitoring, adapting, and forecasting of your own risk management engagements;
  • Management of all security incidents;
  • Information security audit assistance and management;
  • Training and re-training of your staff;
  • Consulting on business and IT process management;
  • Regular on-site hours spent with your team;
  • Availability through email and phone when off-site;
  • Attendance at and assistance with management meetings when needed;
  • Regular reporting to your management, or reporting on a need-to-have basis.

The company you hire your CISO from must form a business partnership with you to drive your IT security strategy forward through one or several consultants who should be:

  • Profoundly and broadly knowledgeable, with certified expertise, experience, and professional qualifications in IT Security that at least match, and ideally surpass, those of any single CISO or security manager;
  • Equipped with a varied set of skills beyond their professional qualifications, including multi-tasking, leadership, swift and clear communication, soft skills, fast reaction, and on-boarding of new security technologies;
  • Passionate about what they do and about your satisfaction;
  • Ready to act and consider themselves as your own employees;
  • Skilled in creative thinking and problem-solving.

HOW DOES IT HAPPEN?

The process of on-boarding and “living” with your newly hired CISO usually looks something like the diagram below. Depending on your specifics, the process can be adjusted to fit your needs closely and be most beneficial to you:

COST-EFFICIENCY

Based on an initial and ongoing risk assessment, the company providing the CISO should offer flexible, tailored pricing, so you can achieve your goals in information security and, at the same time, achieve cost-effectiveness and feasibility. The service ideology should be based on affordability with a maximized value-for-money approach.

Depending on your company’s needs for on- and off-site presence, the complexity of one-time or ongoing projects, and internal and external audit needs and requirements, the provider should devise the most cost-effective plan to make sure your information security projects are adequately staffed.