Your Cybersecurity Audit: The Day After
April 2, 2018 in Blog
You have received your Cybersecurity Audit final report. Vulnerabilities are identified, gaps in processes are revealed, organizational misalignment is exposed. What to do next?
Establish executive sponsorship
The first and most important step is to establish active executive sponsorship and assign overall responsibility to a senior manager.
It is the executive management’s responsibility to establish risk management fundamentals within the organization. This includes a business framework for setting security objectives and aligning strategic risk management with business needs as well as external statutory and regulatory compliance drivers. Without active sponsorship by executive management and a specific role dedicated to ensuring the fulfillment of security goals, instituting security controls is next to impossible.
A senior manager must have clear responsibility and authority to drive planning, enforce compliance with defined policies, and approve all exceptions to the security policy.
Prioritize remediation strategies
The most important part of the risk management process is to triage the severity of the risk according to its impact and likelihood. It is also important to understand how effective your existing security controls were in managing these risks. This should be a quick exercise to determine your first areas of focus and its urgency.
We can think of security risks as belonging to one of three main categories: People/Policy, Process and Technology. We would begin with process since it is likely that weak or missing processes allowed for the security risks in the first place.
Process is where we often see the greatest opportunity for improvement especially within the Configuration and Maintenance processes. Are your basic maintenance activities adequate? Are these processes run often enough? How do you verify that the process was run completely and effectively? Some of these processes may include:
- Ensuring that all ports and services not required for normal and emergency operations are disabled.
- Tracking, evaluating, testing, and installing applicable cyber security patches for all cyber assets.
- Testing after the installation of security patches, cumulative service packs, and version upgrades (which are all considered significant changes).
- Using antivirus and malicious software prevention tools, where technically feasible.
- Defining and enforcing restrictions on who can perform maintenance and repair, emergency procedures, and remote configuration and maintenance.
- System log collection and alerting
- Comprehensive Change Management procedures
- Lifecycle Management
In some cases, a process may not be effective due to lack of resources or the nature of the business. Technology can mitigate these risks. Some examples are: electronic asset management, system log management, network hardening, VPN restrictions or email filtering for SPAM/Phishing. At a higher-level, Intrusion Prevention Systems or Next Generation Firewalls are included.
People and Policy
Taking input from the Process and Technology risk categories, People and Policy risk mitigation and often the slowest and most difficult to implement. Policies must remain dynamic as new risks, technologies and procedures emerge. Included in this risk category are: security awareness training, access privilege and access revocation policies, incident handling, Change Management policies and ongoing management and monitoring policies. Something to keep in mind…your Cybersecurity audit is already out of date on day one.
A cyber security program must be comprehensive—it is only as strong as its weakest link in the cycle of continuous monitoring, detection and response.
To learn more about our cybersecurity services, contact SDI.
About SDI Guest Blogger: Tim Portokalis
Tim Portokalis has over 25 years of experience in Infrastructure solutions, including designing and managing large-scale network implementations, network management, and cloud-based solutions.