
Page 1: Enterprise Security Critical Security Functions version 1.0

Enterprise Security - Critical Security Functions version 1.0

There are several elements to consider in order to properly protect an organization. To align security adequately, it is possible to refer to an information security standard such as ISO 27002.

For many organizations, a smaller framework scope can be necessary in order to quickly implement security controls and bring the organization to an acceptable security posture.

In this article, we describe the main areas on which it is possible to focus to quickly increase the security posture of an enterprise.

This guide does not encompass all controls and control objectives; its main focus is to provide guidance on critical aspects that are often forgotten or not properly addressed.

Enterprise Security - Critical Security Functions version 1.0, June 10th 2015

Marc-Andre Heroux, CGEIT, CISA, CRMA, CRMP, ABCP, CISSP, NSA-IAM, NSA-IEM

Page 2: Enterprise Security Critical Security Functions version 1.0

Among the biggest security challenges

One of the biggest challenges for an organization is to establish roles for security.

Undefined roles lead to inappropriate security management and practice. In this circumstance, everyone gives their best effort to maintain overall security in an unstructured way.

This can give positive results for a certain time, but over a long period the security posture of the organization will almost always decrease.

The planning, organization, implementation and verification of security are challenging for every organization.

How to improve?

Page 3: Enterprise Security Critical Security Functions version 1.0

Security Governance

Establish an authoritative role for Information Security, with accountability and responsibility, in a security program.

There must be a management role for Information Security Management, such as CISO, CSO, etc. This person must determine the roles and responsibilities of the Information Security members (incident management, vulnerability management, system change/update, etc.). Formalize operational security roles, responsibilities and processes.

Roles and responsibilities must be officially defined and integrated into the work functions of each member of the security team. Interaction with other teams, such as the system administration group and other departments, must be defined and understood by the security members.

Security members must be adequately trained, and a security awareness and training standard practice must be in place.


Page 4: Enterprise Security Critical Security Functions version 1.0

IT Risk Management

An IT Risk Management standard practice must be in place in order to implement appropriate controls and justify decisions according to the risk and impact on the enterprise of various situations or scenarios (ex.: cyber-attack, natural disaster, human error such as misconfiguration, etc.).

A standard methodology and templates must exist for information classification and risk/impact analysis.

Controls to reduce the capability of a threat/attack and controls to reduce vulnerabilities must be identified, implemented, audited and verified regularly.

When a necessary control cannot be implemented according to the identified risk/impact, a justification must exist together with compensatory measures. Justifications must be reviewed periodically and are valid only for a certain period of time. All efforts must be made to eliminate the justification and implement the control to reduce the risk/impact.


Page 5: Enterprise Security Critical Security Functions version 1.0

Information System Management

Protection equipment, according to the identified risk and impact, must be selected, implemented, audited and verified regularly (ex.: servers, firewall, IPS, etc.).

Appropriate systems and equipment must be available to security members to conduct their tasks, such as a ticketing system for incident management.

Protection systems must be kept up to date, and modifications must follow the change management process in place.

Following an incident, and according to the results of the investigation, protective systems must be updated when applicable (ex.: increase logging, update protective rules, etc.).


Page 6: Enterprise Security Critical Security Functions version 1.0

Threat & Incident Management

Roles regarding incident management must be identified (ex.: security manager, IT Security Leader, IT Security Analyst, other team responsibilities/interactions, etc.).

A plan, a process and a practice must be in place regarding threat and incident management.

Manual threat and incident activities must be in place to identify irregularities (ex.: log review, system audit, etc.).

Automation must exist to automatically detect known threats at the organizational boundaries, or at sub-layer networks if they have passed the main defensive systems.

A threat intelligence mechanism is strongly suggested (ex.: correlation between internal network/system events and external threat feeds).

An incident management system must be available and used to track and manage incidents.

An investigation standard must exist in the organization, specifying the way to investigate incidents, the systems to be used and the procedure to follow.
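The correlation between internal events and an external threat feed suggested on this page, as an added example that is not part of the original deck: a small Python correlator that parses constructed firewall and DNS events, matches them against a constructed feed (including subdomains of a listed domain), and singles out internal hosts that hit more than one indicator type for escalation into the incident management system. The log format, the feed layout and the function names are assumptions made for this example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed threat feed: TEST-NET addresses and example domains, not real indicators.
THREAT_FEED: Dict[str, Set[str]] = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"bad-updates.example", "c2.example.net"},
}
# Constructed internal events (firewall decisions, DNS queries) from sub-layer systems.
SAMPLE_LOGS = [
    "2015-06-10T10:01:02Z fw01 ALLOW src=10.0.0.12 dst=203.0.113.45 dport=443",
    "2015-06-10T10:01:05Z dns01 QUERY client=10.0.0.12 name=cdn.bad-updates.example.",
    "2015-06-10T10:02:10Z fw01 ALLOW src=10.0.0.20 dst=192.0.2.10 dport=80",
    "2015-06-10T10:03:00Z dns01 QUERY client=10.0.0.31 name=intranet.corp",
    "2015-06-10T10:04:30Z fw01 DENY src=10.0.0.31 dst=198.51.100.7 dport=22",
]
FW_RE = re.compile(r"^(?P<ts>\S+) \S+ (?:ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+$")
DNS_RE = re.compile(r"^(?P<ts>\S+) \S+ QUERY client=(?P<client>\S+) name=(?P<name>\S+)$")

def domain_hit(name: str, feed_domains: Set[str]) -> str:
    """Match a queried name against the feed, including subdomains of a listed domain."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in feed_domains:
            return candidate
    return ""

def correlate(lines: List[str], feed: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str]]:
    """Emit (timestamp, internal host, indicator type, indicator) for each feed match.
    A DENY still counts: the host tried to reach a known-bad address and needs a look."""
    alerts = []
    for line in lines:
        m = FW_RE.match(line)
        if m:
            if m.group("dst") in feed["ip"]:
                alerts.append((m.group("ts"), m.group("src"), "ip", m.group("dst")))
            continue
        m = DNS_RE.match(line)
        if m:
            hit = domain_hit(m.group("name"), feed["domain"])
            if hit:
                alerts.append((m.group("ts"), m.group("client"), "domain", hit))
    return alerts

def hosts_to_escalate(alerts) -> List[str]:
    """Internal hosts matching more than one indicator type go to the incident system first."""
    kinds: Dict[str, Set[str]] = {}
    for _, host, kind, _ in alerts:
        kinds.setdefault(host, set()).add(kind)
    return sorted(h for h, k in kinds.items() if len(k) > 1)
```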

Page 7: Enterprise Security Critical Security Functions version 1.0

Vulnerability Management

A process and a practice must be in place regarding vulnerability management.

The roles of security, system administration, asset owners, change management, compliance, etc. must be defined in a process and a RACI chart.

There must be a mechanism to be informed of known vulnerabilities for the systems in scope (ex.: external advisory feeds).

There must be a procedure for emergency or critical updates in order to quickly implement fixes and remain secure.

Every significant change must be logged, verified, confirmed and conducted according to the change management practice in place.


Page 8: Enterprise Security Critical Security Functions version 1.0

Protecting Information Resources

According to the classification scheme defined in the risk management activities, we must classify data according to confidentiality, integrity and availability.

To be able to protect the information, we must create a protection map (ex.: a map of all information and systems of the organization).

There must be roles specifying the management, prevention, detection, response and correction of security issues or disruptions to maintain integrity/availability/confidentiality (daily).

Standards must be in place for encryption (ex.: hashing for integrity, symmetric encryption for confidentiality, asymmetric keys for authenticity, etc.).

Encryption mechanisms must be implemented and used according to the information classification, risk and impact defined in the risk management activities where security controls are defined.


Page 9: Enterprise Security Critical Security Functions version 1.0

BCP Management

Backup systems and data must be available in a timely fashion in order to maintain operations, especially in case of incident.

Backups must be verified regularly to ensure the viability of the information and systems.

It is strongly suggested to use a virtual environment with ready image backups. In case of incident, an image can be restored, updated to the current stable version and brought live to production to continue operations normally.


Page 10: Enterprise Security Critical Security Functions version 1.0

Identity and Access Control Management

Policies must exist regarding internal access and external access to ensure they are managed according to different criteria and needs (ex.: vendor access, employee access, etc.), and different rules must be implemented accordingly.

It is strongly suggested to follow the least privilege principle at all times and to remove rights at the moment someone no longer has the need to know or to use them in order to accomplish their work.

It is also strongly suggested to follow the principle: "all users are considered untrusted until they prove the need to know or use according to criteria (ex.: group, ID, system integrity check)". Even an employee account can be considered untrusted at first and, according to criteria, gain more access.


Page 11: Enterprise Security Critical Security Functions version 1.0

Identity and Access Control Management

A security architecture must define the various zones of the organization (ex.: Intranet, Extranet, shared services, etc.), with control objectives defined for each zone and controls to meet those control objectives. Risk and impact are important elements to consider when defining control objectives (ex.: everyone can access the zone, employees can access the zone, remote users cannot access the zone, etc.).

Two-factor authentication is strongly suggested for access to sensitive or critical systems.

A process must be in place for commissioning and decommissioning accounts. If possible, automation can be used. A practice must be in place defining the management of identities in the organization (ex.: account review, password strength/change).

Privileged account disclosure can lead to greater impact, and such accounts must be managed, monitored and verified closely. In the case of external access, such as for vendors, it can be appropriate that a security analyst monitors the session (remote session opening, monitoring changes, ensuring the remote session is closed).
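The zone model on this page together with the "untrusted until proven" rule from the previous page, as an added example (not the author's code): a default-deny evaluator in Python that records every failed criterion (group membership, remote access, two-factor authentication for sensitive zones and privileged accounts, system integrity check) and grants access only when nothing failed, plus a helper for the account review mentioned above. The zone names come from the deck; the specific rules per zone, the subject attributes and the function names are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed zone model: zone names come from the deck, the rules are assumptions.
@dataclass(frozen=True)
class Zone:
    name: str
    allowed_groups: FrozenSet[str]  # a group must be listed here; nothing is granted by default
    allow_remote: bool              # "remote user cannot access the zone"
    require_2fa: bool               # sensitive or critical systems
    require_integrity: bool         # system integrity check as an access criterion

@dataclass(frozen=True)
class Subject:
    user_id: str
    groups: FrozenSet[str]
    remote: bool
    mfa_passed: bool
    integrity_ok: bool
    privileged: bool = False

ZONES: Dict[str, Zone] = {
    "intranet": Zone("intranet", frozenset({"employee"}), True, False, True),
    "extranet": Zone("extranet", frozenset({"employee", "vendor"}), True, True, False),
    "shared-services": Zone("shared-services", frozenset({"sysadmin"}), False, True, True),
}

def evaluate(subject: Subject, zone: Zone) -> Tuple[bool, List[str]]:
    """Untrusted until proven otherwise: every failed criterion is recorded, and
    access is granted only when the list of failures is empty."""
    failures: List[str] = []
    if not (subject.groups & zone.allowed_groups):
        failures.append("no group of this subject is permitted in zone " + zone.name)
    if subject.remote and not zone.allow_remote:
        failures.append("remote access is not permitted for zone " + zone.name)
    if zone.require_2fa and not subject.mfa_passed:
        failures.append("two-factor authentication required")
    if zone.require_integrity and not subject.integrity_ok:
        failures.append("device failed system integrity check")
    if subject.privileged and not subject.mfa_passed:
        failures.append("privileged account requires two-factor authentication")
    return (not failures, failures)

def reachable_zones(subject: Subject, zones: Dict[str, Zone]) -> List[str]:
    """Zones the subject can enter right now; useful input for an account review."""
    return sorted(name for name, z in zones.items() if evaluate(subject, z)[0])
```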

Page 12: Enterprise Security Critical Security Functions version 1.0

Change Management

We must distinguish "significant change" from "non-significant change" (ex.: a kernel update is significant, a virus definition update is not a significant change).

A policy, a process and the corresponding procedures must be defined, understood and followed for any significant change.

There must be rules defined for emergency/critical changes in order to bring the necessary flexibility to react quickly and properly. These rules must not be pass-through rules; every exception must be justified. Usually, the standard change management steps are just delayed, but followed as usual.

There must be a roll-back process and procedure, with the information and systems ready to go back to a stable state in case of an unsuccessful change.


Page 13: Enterprise Security Critical Security Functions version 1.0

Physical Security

With current tendencies, information is becoming more and more accessible electronically and often online. Many objects now integrate electronic remote access (ex.: cars), and physical security must be rethought to include electronic emissions, radio frequency, mobile and WiFi transmissions, and access to interfaces/protocols.

Biometric mechanisms are becoming standard in many organizations. A false positive is when an individual gains access while he is not supposed to, and those incidents are very critical; tests and evidence must exist to confirm the effectiveness of the device.

Physical security can prevent, detect, deter, etc. (ex.: outside lighting, fences).

Data centers must be chosen carefully (ex.: not close to a river, with multiple road accesses, etc.), and the disaster recovery center must be at an appropriate distance and location to prevent any impact from a geographical disaster.

Any privileged access must be supported by two-factor authentication (ex.: magnetic cards/PIN pad locks and fingerprint).
