ISACA CISM – Domain 04 – Information Security Incident Management Part 6

31. Audits

Now, don’t be afraid of audits. Audits are an important aspect of what we should be doing. And by the way, I look at audits as being proactive. Now, again, we can do internal audits where we have our inhouse experts, people that work for the organization that try to go past the assumptions of security. I told you that there were two problems with the fire, firewall as an example. One is that it allows traffic and that’s really not a problem other than the fact that attacks can occur still through the firewall that way, or it could be a misconfiguration. Now, when we think that we have basically everything set up appropriately, we think that we have the proper policies in place. The question is, how do you make sure, how do you verify that you do that through an audit? You test that security assumption to make sure that it’s working and behaving the way you expect it to.

Again, it’s part of that verification. And we also do audits so that we can also show that we’re in compliance with, again, different types of laws or regulations that are governing the type of company that you are. Now, one of the harder things to do is to try to self certify your own organization as being compliant. And so often we do hire external auditors, some cases at least once a year, which means that we’re using an outsourced third party, hopefully with the same goal as the internal audit. And the goal for that, by saying it, is that you’re having some unbiased point of view doing the same thing for you, having the same goals of making sure that you’ve taken care of the assumptions in your security, that you are in compliance. And that’s an important aspect.

Now sometimes I have seen having been a part of external auditing teams where some of the people that are working internal to an organization sometimes get a little offended and maybe kind of back into that little silo effect. I was talking about that they don’t want to hear that something’s wrong or something’s misconfigured or there was an assumption that we can’t verify. As an external auditor, your goal is to do the same as the internal, as I said, and that’s to make sure your R is secure based on what your organization has said was important through your risk analysis or the business impact analysis, that it’s taken care of. And sometimes it’s nice to have that extra set of eyes, a fresh set of eyes coming in without, as I said, that bias or that assumption being already made. Both types of audits are important for an organization and it’s something that it should be really a big part of the overall management. As we talk about incident management.

32. Lesson 5: Incident Management Objectives

Now, in this lesson we’re going to talk about the incident management objectives. So we’re going to talk about how to define the objectives what we call the desired state strategic alignments risk Management assurance process integration value delivery and resource management.

33. Defining Objectives

So again, one of the things we’re doing here is talking about the incident management objectives and typically the objectives for this are going to know that we have an objective of being able to handle an incident when they occur. And part of that objective is probably to say that we want to limit and contain an exposure that we want to know that we can prevent through this management having any of the previous incidences from occurring. Again, that can be done through the documentation. As I said, learning from our mistakes and learning from the past. And of course we also want to be able to display or deploy, I should say proactive countermeasures to be able to help prevent incidences. So that’s kind of the objectives that we’re looking for.

34. The Desired State

This idea of desired state is sometimes a little bit more difficult to address and we’re going to address them in a number of different areas as you can see here by what we’ve put in here. Again, the idea of incident management as I’ve said before, is you like the fire department, the ambulance service or maybe even the emergency you room for your information assets and so we have to be able to address the unexpected. And as I said before, the unexpected is sometimes not as easy to be able to define but we have to realize that it’s not just electronic but it could also be physical. One of the things that we want to do is have a method of monitoring and through monitoring being again proactive to see where we’re at as we’re trying to decide whether or not we are at the desired state or not.

In fact, we talked a little bit about the idea of a gap analysis, which is where we are versus where we want to be, where we want to be at some, again, desired baseline. Maybe that’s another word I could use for the desired state we’ve brought up before. Just remember that as we’re doing it, we have to look at it through the technical aspect. If you want to get right down to it, it’s all about a bunch of binary values being transmitted, stored somewhere. I mean really that’s what it comes down to. It’s going through your network, it’s stored on a drive, on a server and we’ve already mentioned all of the different technical aspects that we want to be looking for. Technically, the desired state may be to be as antivirus set up as best we can to be as virus free is what I wanted to say, as possible physically.

Again, I’ve talked about all of the external and internal types of things that we look at through power, HVAC, theft, which a lot of that’s internal and external natural disasters, those types of things we also want to be here with the administrative aspect. And a term that I’ve heard used a lot in security is a top down approach. Top down means we have the support from senior management all the way down to the users that are in our network. That’s kind of what we’re trying to address. And remember we can’t make anything 100% secure. We can’t go out there and say that there’s no way anybody’s going to get into this firewall, intrusion prevention or whatever the case may be.

What we want, if you think about it, a desired state is some combination of maximum capability, right? We want the best throughput we can get, we want the best processing power that we can get, we want the best operational continuity and we want to so let’s call that performance. But at the same time we also want to minimize the risks or the chance of an incident occurring. And so we’re looking for that balance here where we’re getting both of these. And I guess in that balance, you could say that would be our desired state.

35. Strategic Alignment

So let’s take a look at this thing. We call this strategic alignment, and it’s something similar to other support functions. Incident management has to be aligned with your organization’s strategic plan. And that’s an important thing, and I think I’ve mentioned it before, that no matter what we’re doing in the world of security, business needs must be first. Like I said, if you’re a company that makes widgets and that’s the only way your company makes money, that’s what we have to look at is what does it take to be able to build, make, sell whatever it is. These widgets that you have, I’ve often talked about as an example of this manufacturing company in the city that I live in. And they are one of the top producers of Ram, and they make a lot of other types of hardware components now as well.

But so they have these large fabrication units, huge facilities that are all over their grounds and that’s how they make money, right? That memory leaves the fabrication unit and it goes for sale on the market. That’s how they make their money. So what do I know about this? Well, one of the things that they looked at is to them, and I realized most of you are thinking, hey, we’re talking about information science here. All right, I realize that, but I’m just trying to get to the point that this was the first priority. Now, as a part of that process, they have a lot of automated machines that are involved in the production of this memory. Those machines are networked and they make reports. So obviously there’s some things that we can look at from the Is standpoint of what is it going to do to help make more Ram.

But just to take it a little bit further to talk about the goals of business needs, as an example, anybody who’s hired for this company, let’s say I just hired me, I just hired Ken, and Ken’s a lawyer. I’m not, but let’s just say I am. Well, before that lawyer goes to work practicing law for this company, that lawyer has to be trained in how to make memory, even if they’re only taught a part of the fabrication process. The goal is that when worse comes to worse and they need somebody to be able to fill up the fabrication plants, they’re willing to go without the lawyer and have Ken wear that nice little white carbon suit and go in there and make memory because that’s the most important aspect to that company. And so we go back to the idea of the information sciences.

Again, obviously the ability to produce memory and the automation of those machines is something that’s a little more important to them than having their email servers up and running. Even though you might want to focus on the email servers. I hope I’m making sense that’s where we’re having the alignment, where we’re working with these business needs that I’m talking about. We’re going to call it again, the IMT. The incident management team has to be aligned, as I’ve said, and I’ve, I guess I’ll get off my soapbox about it. So as we’re talking about this incident management, one of the first things is the constituency. And basically the big thing is, remember, is who does the IMT work for? Well, they work for that organization. Like I said when I talked about Ken the lawyer, even though that was the job I wanted, that’s the job I did.

I’m still working for that company. And so if it came down to it and they put me in the fab, that’s great. But we just have to remember basically, who are we providing services for? That’s an important aspect of what we’re doing because we need to be able to identify the expectation and the needs of that company. So that’s the first important part of thinking about the kind of the team’s goals as well, the mission, all right, the mission defines the purpose of the team and it should also give us the primary goals for this team. And so I look at that as a part of the mission and as an example. Again, you might have a mission that says the IMT is to develop, maintain and deliver incident management capabilities and services to safeguard the organization’s information assets against computer incidences.

So that’s, you know, kind of the mission, I mean, it’s brought out. It should be written down. We do provide services and those services should be clearly defined as far as what our expectations are and what is expected of us. And there should be an organizational structure. As I said, we should be supporting the organizational structure. They should be supporting us as well. As I talked about this top down. Another big thing is we ought to talk about resources. You do want sufficient staffing, but you know, we got to consider also what is the size of that corporation. I mean, you may not have the internal resources that you need and because of that, you may look again at the third party outsourcing, some of the needs that you have. Also, again, funding, especially when we consider that we are responding to events, there may be needs for specialized tools.

As an example, as a part of what we have to do is to gather evidence, let’s say, of potential crimes or theft maybe from internal. And so we get into this whole world of computer forensics. Okay, that sounds cool and it is cool, but in order to capture the evidence, you do need some specialized, basically drive duplication tools because you just can’t use the tools like copy and paste. Just won’t work, won’t ever hold up in court. So again, just trying to give you some other outside the box thinking here about funding, whether or not your company can afford it as well. But in order to get all of that you have to have the management buy in. That means senior management has to be involved and make the decision theirs. Because if it’s their decision, then they’re probably more like to fund that for you. However you want to do that, maybe that takes some special salesmanship on parts of the members of that team.

36. Other Concerns

All right, so there are some other concerns that we’re going to take a look at. One of them, risk management as an example. Remember that the outcome, right? What are we looking for is the outcome of this? The outcome of this is really where the entire incident management, whatever team response, whatever you want to look at it, I guess the incident management team, the incident management or incident response team, all of the plans, that’s where they come from. That’s where our goals come from. As we said, incident management is a part of risk management. We also want to look at assurance, process integration. The type and nature of incidences that the Is manager might deal with, might often require a number of other organizations to work together, like legal HR, people in charge of physical security, as I’ve said before.

And that means that it’s important to ensure that the incident management and recovery plans actively incorporate and integrate these functions together. As I said, it’s not just one part of an organization. Another concern is what we call value delivery. That means that basically your incident management has to be integrated closely with the business functions and often provide the last line of defense for your cost efficient risk management. So that means that we have to work with all of these structures and processes as seamlessly as we can. We should be integrated with the business continuity plan, maybe even the Disaster recovery plan.

And if you think about it, if what we’re doing is good in incident management, then we should be a part of the overall strategy of trying to protect and secure your critical business functions. And of course, there’s the resource management and that’s going to what do we mean by resources? That’s the people, right? Team members, the users, obviously funding or funds, money costs, those types of things that we have to manage, as we talked about before, out time, we have to manage time as well. Funding, some people would call that a part of budgeting, right? But those are all parts of our resources that we also have to be concerned with as we’re moving forward and de dealing with this entire process.

37. Lesson 6: Incident Management Metrics and Indicators

Now, there are some other things we should look at for management. Now, we already know that security encompasses a broad range of activities and responsibilities that are inside of this position. We call the Information Security manager. Now, some of these examples might be the legal and regulatory requirements. Now, your corporation, your organization may already have a legal department, but they might not have a security focus. In fact, one of the last things they might be thinking about is what regulatory requirements you have on maintaining certain levels of security. They may be busy dealing with new land deals, new purchase order agreements for lease requirements. They’re busy doing the other parts of what legal does for an organization, and you might be on the end of that what’s important for them to look at.

So it’s usually something that falls within the security manager’s purview to make sure that you have policies that say that these are your goals, these regulatory requirements, and that your program is designed to get you to be in compliance with those, of course, the physical and environmental factors. And here’s the other kind of thing again, is that because there’s a broad range of activities, as we’ve said before, security managers are going to be busy with many different business units. The first thing I just mentioned about legal has nothing to do with the information technology realm, at least not as an actual something I sit down at with a keyboard and a monitor and do something with. But it does have its overall effect because it is legal requirements. Well, the next business unit would be on the physical and environmental factors.

We have to be concerned with the heating, ventilation and air conditioning, the HVAC systems. There are potential injuries to our equipment if it’s too warm or if there’s too much humidity or not enough humidity. We have to work to see that we have the proper facilities to be able to house the actual hardware that we’re using to support our network. We, of course, have to look at external security. Now, there’s a lot of things that people would look at when it comes to external security, such as placement of a facility in a high crime area into a floodplain. All of these are issues. Now, we’ve talked a lot about vulnerability assessments, and I’m thinking we ought to really be looking at security and right now talking about external security. But even internal security is there’s a lot of things we can do for vulnerability assessments against actual physical security.

I can just give you an example of finding a vulnerability quite by accident. I was in a facility headquarters of a nationwide company and actually kind of a worldwide one, and they had one of these situations where they decided that security through obscurity was a way to go, and that is that they didn’t put a sign on the door for the network operations center. Okay, that’s all right. It makes sense to me because that way it looks like every other door. But unfortunately it was the only door without a sign, so I knew it had to be important. Then when I got there, I was able to look to a little sliding bit of glass and I could see that it was kind of one of those areas, kind of like a man trap. I don’t think it was designed especially that way. But if I got through the first door, I’d have to get to you.

It looks like a combination lock and get into another door. So to make the story pretty quick, as I’m looking through the window, suddenly somebody tapped me on the shoulder, says, can I help you? I just said, oh, I’m here as a contractor. I thought it’d be cool to see the knock and without any further request for me for identification or anything else, you just let me ride in. Those are vulnerabilities that we want to look at. There should have been some other type of setup. Okay, all right, enough with the long stories. Design hazards, right? Do you want to build your server room underneath all the water pipes, media transportation? When you do backups, how do you get that media to the secure storage site? I talked about the bank sending their stuff through a shipping company and the shipping company losing it.

At least they knew they had encrypted it, so they were thinking about that physical environment as well. Now, some of your required job actions can deal with culture and ethics. If I’m in the process of doing some sort of a vulnerability scan or working towards doing a penetration test, I may come into contact with information that I’m not supposed to see, some sensitive information. And so what’s important is that we understand that we have to consider the ethics, especially of those people that are doing this work so that they know when not to divulge information or that we can hold them accountable for information that they may not supposed to have seen.

And that’s something we have to deal with in management. And of course, just the pure logistics, the fact that we’re working with all of these different business units can make the coordination of these efforts in talking with the physical environments, the legal department, human resources, over the back background checks of people that you want to trust and have ethics. And I haven’t even hit many other business units. But those logistics can also be a nightmare that we have to consider and think about as we’re dealing with the security management.

38. Implementation of the Security Program Management

Now in the implementation of the security program management, whether or not it’s a brand new security department or one that’s already established, there are things that you’re going to have to look at and be aware of. And number one is are there any defined responsibilities or how do you deal with no defined responsibilities we talk about a big part of this is that we have to assign roles and responsibilities. If we don’t have those clearly defined then it’s even even harder to determine if they’re being taken care of. If we just said well, nobody’s really in charge of the firewall, we just all go and fix it if something’s wrong. That kind of tells me that we’re probably not in compliance. That means we need to have responsibilities like the technical responsibilities, assignments of roles and responsibilities.

On firewalls, on virus detection we should have an organizational structure. Now in many places the organizational structure is probably of no use. I’ve seen companies where the chain of command just really doesn’t exist, that people just jump over the chain of command and talk to whoever they want to talk to. Now, I’m not going to get into the philosophy of the open door management system. The closed door management system being very militaristic, trying to be easy to approach. That’s not my goal. But we should have a good understanding of what that organizational structure is a part of good compliance is knowing who to report to, especially if we have issues or incidences like security breach that need to be dealt with immediately.

So there should be at least a reporting structure that we can follow for those types of things. And we have to realize that sometimes there’s just been this existing way of doing business. And if you’re coming in there to clean house and bring yourselves into alignment with good security practices and there’s nothing wrong with that, just be aware in management, right? You’re going to hit a lot of roadblocks in trying to get people from the way they’re used to doing things and that’s part of the culture into the way things have to be done. You might not be a very popular person at the next office party but those are some of the things that we have to look at and that you have to address inside of the security program management.

Now the other aspects of things that you have to address so that was what do we just say? Roles and responsibilities, chain of command, reporting structures and understanding that we may have to change culture as far as the way which the company has been operating that might have not had a lot of direction. The other thing we have to deal with in management is the effective documentation. Again, the documentation are the controls themselves, the policies, standards and procedures. Keeping an update to version, control of change control that we’re going to do. That’s another part of that we have to manage. And it very well could be an overall overwhelming amount of documentation that may be coming to you as you’re managing this program.

• Category: Uncategorized