BreachExchange mailing list archives

Ensuring your security policy works


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 6 Jul 2015 18:20:57 -0600

http://www.scmagazineuk.com/ensuring-your-security-policy-works/article/424832/

Organisations often make the mistake of assuming that implemented security
controls are being applied effectively. While internal policies require
regular review, the majority of businesses still do it only as part of
compliance verification, if at all.

Every company, regardless of its size or industry, is advised to implement
adequate measures to govern data usage, performance and security of IT
systems and to be able to prove that they work properly. This is not only a
key factor in compliance validation, but is also necessary to keep data
safe.

Ensuring security policies perform effectively calls for teamwork across
departments, C-level management and other stakeholders. Departments,
including IT, should define their roles and responsibilities, agree upon
the implementation plan and develop a system of verifications and emergency
measures in case a breach occurs.

Define the scope

The first step in enhancing security policy is defining the scope of
secured data, in order to limit the amount of sensitive information that
could be accessed by violators. The scope needs to be regularly reviewed,
considering changes in both technical and business processes.

The main point here is not to rush; so start with the most important
systems containing the most sensitive data or hosting business-critical
applications, and then gradually work down to the least important. This
helps avoid work overload from the excessive amount of irrelevant reports
people have to look through.

Making the scope smaller will also help cut hardware and software costs and
improve visibility. If you are on a tight budget, start with systems for
access control such as Active Directory including Group Policy and then
extend to monitoring permissions and access to data stored in SharePoint,
Exchange, SQL and file servers.

Use compliance regulations as a guideline

Establishing security controls as part of a compliance framework is a
chance to avoid or significantly minimise damage in the event of a security
incident. Mature compliance requirements such as PCI DSS or ISO 27001 and
many others, give organisations an idea of how to protect sensitive data,
optimise their infrastructure and get rid of outdated processes to improve
system performance.

However, compliance requirements should be considered only as a guideline,
as they are a bare minimum for controls and do not guarantee that the risk
of a data breach will be eliminated. The best action companies can take is
to integrate regulatory compliance standards with other organisational
processes for comprehensive security maintenance.

Monitor user activity

Insider misuse still remains a hard-to-detect security violation, but one
of the most destructive. The 2015 Verizon Data Breach Investigations Report
states that 55 percent of insider misuse comes from privilege abuse. So in
order to minimise the risk of employees 'breaking bad', watch closely for
accounts with extended access rights and keep an eye on any suspicious rise
in activity or unreasonable changes to permissions.

The best practice is to grant permissions adequately to users' business
needs, establish continuous monitoring of user lists and disable the
accounts of former employees as soon as they leave the company.
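The three checks this section describes (a suspicious rise in activity on accounts with extended rights, permission changes nobody approved, and former employees whose accounts are still enabled) can be expressed as a small review script. The following is an added example, not code from the article or from any product it mentions; the audit events, account names, group names and the change-ticket ID are constructed for the example, and the activity baseline (mean of the account's other observed days, flagged at three times that mean) is an assumed threshold, not one the article gives.

```python
"""Review constructed audit events for the insider-misuse signals the
article names. Added example; all data below is invented for illustration."""
from collections import Counter, defaultdict

# Constructed audit events: one dict per event (day, account, action, target).
EVENTS = [
    # admin_bob: a quiet baseline of two events a day...
    {"day": "2015-07-01", "account": "admin_bob", "action": "logon", "target": "dc01"},
    {"day": "2015-07-01", "account": "admin_bob", "action": "file_read", "target": "\\\\fs01\\it\\runbook.docx"},
    {"day": "2015-07-02", "account": "admin_bob", "action": "logon", "target": "dc01"},
    {"day": "2015-07-02", "account": "admin_bob", "action": "group_add", "target": "Domain Admins:jdoe"},
    {"day": "2015-07-03", "account": "admin_bob", "action": "logon", "target": "dc01"},
    {"day": "2015-07-03", "account": "admin_bob", "action": "group_add", "target": "Backup Operators:svc_backup"},
    # ...followed by a burst of reads across a finance share on one day.
    *[{"day": "2015-07-06", "account": "admin_bob", "action": "file_read",
       "target": f"\\\\fs01\\finance\\report{i}.xlsx"} for i in range(9)],
    # jdoe: an ordinary user; not privileged, so not spike-checked.
    {"day": "2015-07-01", "account": "jdoe", "action": "logon", "target": "ws042"},
    {"day": "2015-07-06", "account": "jdoe", "action": "file_read", "target": "\\\\fs01\\hr\\handbook.pdf"},
]

# Reference data the review needs (constructed).
PRIVILEGED = {"admin_bob", "svc_backup"}            # accounts with extended rights
FORMER_EMPLOYEES = {"mlee"}                          # left the company
ENABLED_ACCOUNTS = {"jdoe", "admin_bob", "svc_backup", "mlee"}
# Permission changes with an approved change ticket ("group:member" -> ticket).
APPROVED_CHANGES = {"Backup Operators:svc_backup": "CHG-0042"}  # placeholder ticket ID


def daily_counts(events):
    """Events per account per day: {account: Counter({day: n})}."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e["account"]][e["day"]] += 1
    return counts


def activity_spikes(events, privileged, factor=3.0, min_history=2):
    """Flag days on which a privileged account's event count is at least
    `factor` times the mean of its other observed days. Returns a list of
    (account, day, count, baseline) tuples, sorted by account then day."""
    flagged = []
    for account, per_day in sorted(daily_counts(events).items()):
        if account not in privileged:
            continue
        for day, n in sorted(per_day.items()):
            history = [m for d, m in per_day.items() if d != day]
            if len(history) < min_history:
                continue  # not enough other days to form a baseline
            baseline = sum(history) / len(history)
            if baseline > 0 and n >= factor * baseline:
                flagged.append((account, day, n, baseline))
    return flagged


def unapproved_permission_changes(events, approved):
    """Return group-membership changes with no matching change ticket."""
    return [e for e in events
            if e["action"] == "group_add" and e["target"] not in approved]


def stale_former_accounts(enabled, former):
    """Accounts of former employees that are still enabled, sorted by name."""
    return sorted(enabled & former)


def review(events, privileged, approved, enabled, former):
    """Run all three checks and return the findings in one dict."""
    return {
        "activity_spikes": activity_spikes(events, privileged),
        "unapproved_changes": [e["target"] for e in unapproved_permission_changes(events, approved)],
        "stale_former_accounts": stale_former_accounts(enabled, former),
    }


if __name__ == "__main__":
    for check, findings in review(EVENTS, PRIVILEGED, APPROVED_CHANGES,
                                  ENABLED_ACCOUNTS, FORMER_EMPLOYEES).items():
        print(f"{check}: {findings}")
```

The spike check deliberately compares each day against the account's own history rather than a fixed number, because what counts as "a rise" differs between a backup service account and an interactive administrator; the other two checks are plain set differences, which is usually all that is needed once the approved-change list and the leavers list exist as data rather than as e-mail.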

Have an emergency plan

Unfortunately, there is no silver bullet against a data breach. In such an
event, the best thing you can do is admit you have already been hacked and
plan ahead for how to deal with the consequences.

Since people are always on the first line of defence, make sure your
employees understand how the implemented security policies work and what
they should do in case they spot a security warning or notice malicious
activity. The best practice here is to develop detailed instructions,
delivered during employee training, that explain what to do in case of a
violation.

Post-breach analysis

Being able to stop a data leak due to a successful emergency plan is good;
but proper investigation will ensure that lessons are learnt.

Review all recent events that stand out from normal behaviour, even if they
are not a root cause of the breach. Make sure that you have established
internal audit procedures that provide comprehensive documentation of
changes made across the entire IT infrastructure such as disk images and
detailed reports. This information is very helpful during the investigation
as well as during further revision and adjustment of internal policies.

Be prepared that maintaining security while achieving complete visibility
of an IT infrastructure and ensuring non-stop control over the
performance of every security component is a never-ending process. And once
you have completed all steps, it is time to start all over again.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss