Enterprise IT security staff deal with enormous numbers of security-related events, incidents and problems on a daily basis. It is therefore important to build repeatable processes and procedures so that the actions of security personnel are analyzed and planned in advance, to foster an ongoing cycle of institutional learning and ultimately improve systemic information security management throughout the enterprise.
Conducting security practices in a consistent way not only speeds response time and minimizes errors, but also provides a means to measure performance for continual improvement. There are many "good practice" standards and frameworks organizations may use to increase standardization of security practices on their enterprises. Depending on the industry, some security controls and standards are mandated by regulatory bodies.
Security standards and regulatory requirements
Enterprise compliance mandates, including PCI DSS and HIPAA, offer a baseline set of requirements for organizations handling credit cards and patient health information, respectively. Compliance with these requirements has required that enterprises not only perform the mandatory steps, but also document them to make sure they are consistent and repeatable.
PCI DSS outlines 12 security requirements, ranging from not using vendor-supplied security settings, to tracking and monitoring access to all network resources. The institution of these security requirements causes organizations to take a hard look at their security processes to ensure compliance with the standard. For example, the “tracking and monitoring of all access to network resources” requirement forces organizations to develop new processes and procedures around collecting and analyzing logs, and performing log correlation. Developing these processes and procedures requires organizations to think through and document the specific actions their security staff should take when anomalies are identified.
HIPAA’s security requirements include elements such as protecting the confidentiality, integrity and availability of all electronic protected health information (ePHI) and ensuring employees comply with all the prescribed requirements. As with PCI DSS, HIPAA forced many organizations to develop new processes and procedures to ensure compliance with its mandates. For example, HIPAA requires that organizations establish and implement a disaster recovery plan; as a result, organizations develop not only the plans, but also specific descriptions of the roles and responsibilities of those in charge of executing them.
These are just short examples; PCI DSS and HIPAA security requirements are quite broad, and implementation and compliance are much more complex. Because of the complexity and nature of some requirements and compliance guidelines, many organizations are not nearly as compliant (or secure) as they should be. To aid in compliance and increase overall security and network visibility, enterprises often develop a tailored security framework. Such a framework would be based on organizational business goals and enable seamless compliance with regulatory security requirements specific to their industry.
However, the creation of such a framework is also an opportunity to codify key day-to-day security processes and procedures. These may support one or more compliance regulations, or be only tangentially related to compliance. For example, many standards and compliance guidelines overlap, so a mapping of their requirements and controls enables organizations to build processes and procedures that cover several standards at once. This is done through the development of a tailored framework that couples an organization’s business requirements with external standards and regulatory compliance requirements. Regardless, these process and procedure guidelines should leverage industry good practices and include a mechanism for continued improvement.
Leveraging industry good practices
There are several standards and frameworks for organizations seeking to increase network visibility and security controls. These include ISO 27001/27002, COBIT, and ITILv3. ISO 27001/27002 in particular documents the requirements for establishing an overarching information security management system, including control objectives (i.e., security requirements) for enhancing an organization’s security posture. While ISO 27001 focuses on elements of security management, ISO 27002 details control objectives. Like ISO 27001/27002, COBIT includes control objectives, but adds processes and is used to implement IT governance. ITILv3 includes a set of processes and functions used to standardize service management capabilities, including information security management.
Organizations should leverage and blend these industry good practices with their business and security strategies to create “best practices” unique to their enterprise. To provide an example, ITILv3 includes processes for event, incident and problem management. The good practices of these processes are included in the ITILv3 publications. These publications do not detail exactly how to implement each process, but offer basic guidelines that may be adopted within enterprises. Not all practices within standards and frameworks are best for every organization. It is up to each organization to develop its own criteria and thresholds for what an event is, when it becomes an incident, and when it subsequently becomes a problem. Once the criteria are defined and processes and procedures are in place, the practices become standardized and repeatable, and can then be considered “best practice” for that organization.
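The event-to-incident-to-problem criteria the article leaves to each organization, as an added example that is not part of the article or of the ITILv3 publications: a small Python script that applies hypothetical, organization-defined thresholds to a constructed log and escalates events to incidents and recurring incidents to problems. The rule values, event type names and log lines are all assumptions.

```python
from collections import Counter, defaultdict

# Hypothetical organization-defined criteria: how many events of a type,
# seen on one host in one day, are needed before the events become an incident.
INCIDENT_RULES = {
    "auth_failure": (3, "medium"),
    "malware_alert": (1, "high"),
    "config_change": (3, "low"),
}
# Hypothetical criterion: the same incident type recurring this many times
# (on different days or hosts) is treated as a problem needing root-cause work.
PROBLEM_THRESHOLD = 2

# Constructed sample log, one event per line: "<day> <host> <event_type>".
SAMPLE_LOG = """\
d1 web01 auth_failure
d1 web01 auth_failure
d1 web01 auth_failure
d1 db01 config_change
d1 db01 backup_done
d2 web02 malware_alert
d2 web01 auth_failure
d3 web01 auth_failure
d3 web01 auth_failure
d3 web01 auth_failure
"""

def parse(log):
    """Yield (day, host, event_type) tuples from the constructed log format."""
    for line in log.splitlines():
        day, host, etype = line.split()
        yield day, host, etype

def classify(log):
    """Apply the criteria: return (incidents, problems).

    Events with no rule, or below their threshold, stay plain events and are
    only counted. Incidents are sorted by day, host, type for a stable handoff."""
    counts = Counter(parse(log))
    incidents = []
    for (day, host, etype), n in sorted(counts.items()):
        rule = INCIDENT_RULES.get(etype)
        if rule and n >= rule[0]:
            incidents.append({"day": day, "host": host, "type": etype,
                              "count": n, "severity": rule[1]})
    occurrences = defaultdict(set)
    for inc in incidents:
        occurrences[inc["type"]].add((inc["day"], inc["host"]))
    problems = sorted(t for t, occ in occurrences.items()
                      if len(occ) >= PROBLEM_THRESHOLD)
    return incidents, problems
```

Changing a threshold in INCIDENT_RULES is the documented, reviewable act the article calls for: the same log yields a different set of incidents and problems, and the reason is recorded in one place.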
Ensuring continued security improvement
After developing standardized, repeatable security processes and procedures, organizations must ensure a mechanism is in place for continued security improvement. Oftentimes this becomes difficult because of the organizational structure. Some organizations separate security functions into silos, performed by separate teams. Resources are allocated to these teams for instituting new processes or protection mechanisms, but little attention is paid to holistically reviewing and improving security across the silos for the benefit of the organization as a whole. It is important to understand how each team conducts its security process operations, the interfaces between teams, branches or divisions, reporting requirements, reporting thresholds, escalation criteria, and roles and responsibilities.
With a clearly defined set of repeatable information security processes and procedures established, organizations are better equipped for continual improvement. A solid framework ensures that security operations criteria are set in advance for “who does what” operationally and when handoffs occur, and that processes and procedures are defined for each function. This provides the baseline against which an organization may measure its success and improve.
About the author:
Marcos Christodonte II, MBA, CISSP, CISA is a professor and information security consultant. He is the author of Cyber Within: A Security Awareness Story (and guide) for Employees, and former incident handler for NATO. Christodonte can be reached at his website: www.christodonte.com.