I'm fortunate to coach young baseball players. Each year, we work hard on developing and refining basic fundamental skills in our players. Sure, we work on advanced skills and plays to keep players from getting bored and for skill progression. But nine times out of 10, it's the execution of the fundamentals, or lack thereof, that defines the game's outcome. Especially when we face a more talented team, or we're in a game where each team is battling back and forth until the end.
By now, you've probably looked at this magazine's cover to make sure you haven't picked up the wrong one. There are similarities in how we handle challenges in baseball and in the information security industry. The challenges we face with the ever-changing threatscape — forced budget reductions with IT operational cost savings and business needs driving new technologies — are putting pressure on IT and information security professionals to do more with less.
We sometimes hear that things can't be done due to lack of time, budget or human resources. Should this stop your organization from securely moving forward with its mission and objectives? Absolutely not. Today’s challenges provide security professionals an opportunity to return to basics and review how the fundamentals of their information security program are being executed, and look for areas of improvement with cost-effective strategies.
Let's start with three things that most organizations struggle with or don't know. You need good understanding of:
1) the types of data in your agency;
2) each data type's business value; and
3) which assets process, store or transmit each data type.
Not all data or systems are equal, and having a data classification inventory mapped to an asset inventory will facilitate the types of controls that must be implemented to protect your data. Establishing policies and control sets for each data classification type will benefit an organization with the evaluation and adoption of new technologies like cloud computing and mobile devices, defining clear vendor requirements, and empowering all IT staff responsible for implementing security.
Weak configuration management is one security control problem commonly found in audits, security assessments and penetration tests — and it's often used by attackers to gain unauthorized access to information systems and data. All network equipment, operating systems and applications within an infrastructure have inherent nonconfigured and inconsistent security capabilities. There's no need to re-create your configuration standards from scratch as most vendors have documented security recommendations for their products. There also are many existing standards organizations such as the Center for Internet Security (CIS). Adopting a standard like CIS frees up your technical staff from documenting a standard for each technology, bases your standards on consensus-based and best-practice security configurations, gives you better control of what standards are to be used for audits, and gives you more time to manage exceptions.
The next basic to look at is how we continuously test and evaluate our information security controls to ensure they're being effectively implemented. This is a simple task for small organizations, but how do you prioritize your limited staff resources when you have 500 or more systems? Data classification will help with this prioritization. You should spend most of your staff time on your most mission-critical systems, while still evaluating all of your organization's systems. An example of a scanning schedule would be testing high-rated systems monthly, medium-rated systems bimonthly and low-rated systems every six months. Such a schedule lets your team manage initial findings and gives time to perform validation testing of remediated findings.
A recent survey of state CIOs found that two-thirds expect lower IT budgets in 2011 through 2013. Knowing where our data is, what assets we have, what controls are implemented on each asset, and continuously assessing our environments is a fundamental, cost-effective strategy that our security program and staff should be executing weekly.