Dig up your high school yearbook photo and you’re likely in for a laugh — the clothes, the hair styles, the glasses are distant memories for most of us. That snapshot of 18-year-old you is unlikely to be confused with who you are today.
And yet when it comes to IT, many organizations find themselves the victim of a kind of snapshot syndrome: the common misconception that our environments exist in the state in which they were last measured or assessed. In reality, most infrastructure, policies, and processes are continually in flux, and, just as with you compared to your high school yearbook photo, only a few undergo little change.
To thrive and adapt to this changing competitive and performance-based landscape, we must continually introduce systems and applications that interact with each other and with the information we are responsible for. As legacy systems are aged out and new ones brought online, organizations must update their policies and processes to reflect realignments, retired requirements, and unique capabilities. By following formalized IT lifecycle management frameworks, such as ITIL or COBIT, or internally developed equivalents, organizations ensure these policies and processes are reviewed and modified on a regular basis.
The challenge lies in getting organizations to mature their IT lifecycle to include regular assessments or measurements of the ecosystem’s security. Many discussions with IT experts have revealed that a combination of the following activities can help an organization transition to a state of continual measurement: change management, vulnerability scanning, and advanced assessments.
Commonly considered a precursor to assessments, a well-developed change management program ensures that appropriate process controls keep an ecosystem’s security controls properly configured and deployed at the right locations. Because a dynamic environment is one of the most significant challenges for security teams, the ability to track the changes occurring within their organizations – a particularly difficult task for those segmented from their IT management team – is critical.
Some organizations rely heavily on change control and management boards to monitor alterations to their environment, but for others the mere existence of these boards may be a pipe dream. In both cases, security best practices assume the creation or refinement of change processes that give the security team a formalized way to interact with, and make recommendations regarding, IT changes. These interactions should include:
- defining the business driver for the change
- assigning responsibilities for the teams who own these systems
- mapping out the scope of the systems and applications to be affected by the change
- identifying critical systems and data which may be involved
- scheduling change windows
- detailing a back out plan
Even with significant efforts to monitor and control changes within a network, inevitably a number of misconfigurations and changes will be introduced without the security team’s knowledge. To this end, the security team should trust, but verify.
Vulnerability scanning provides the means for verification, as well as the ability to identify issues that may exist outside of the change management process. Properly deployed vulnerability scanning enables the classification and assignment of risks to system and application owners.
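As an added illustration, not code from the original post, the following Python applies the "trust, but verify" step: it compares two point-in-time scan snapshots against the change records the board approved between them, flagging newly exposed services that no ticket covers and tickets whose approved change never showed up in the scan. The hosts, ports, ticket numbers, owners and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: a baseline scan, a later scan, and the changes
# approved between the two. Hosts and ports are illustrative only.
BASELINE_SCAN = {  # snapshot taken 2024-03-01: host -> open TCP ports
    "10.0.1.10": {22, 443},
    "10.0.1.11": {22, 3306},
}
LATEST_SCAN = {    # snapshot taken 2024-04-01
    "10.0.1.10": {22, 443, 8080},
    "10.0.1.11": {22, 3306},
    "10.0.1.12": {22, 5432},      # host absent from the baseline
}

@dataclass(frozen=True)
class Change:
    """One approved change record (fields mirror the list in the post)."""
    ticket: str
    owner: str          # team responsible for the affected system
    host: str           # scope of the change
    ports: frozenset    # services the change is expected to expose
    window_end: date    # end of the scheduled change window

APPROVED = [
    Change("CHG-0001", "app-team", "10.0.1.10", frozenset({8080}), date(2024, 3, 15)),
    Change("CHG-0002", "dba-team", "10.0.1.11", frozenset({5432}), date(2024, 3, 20)),
]

def reconcile(baseline, latest, approved):
    """Return (unapproved, unrealized).

    unapproved: (host, port) pairs exposed since the baseline with no ticket
                covering them, i.e. change that bypassed the process.
    unrealized: tickets whose approved exposure is not visible in the latest
                scan, i.e. work that was scheduled but drifted or never happened.
    """
    covered = {(c.host, p): c.ticket for c in approved for p in c.ports}
    unapproved = []
    for host, ports in latest.items():
        for port in sorted(ports - baseline.get(host, set())):
            if (host, port) not in covered:
                unapproved.append((host, port))
    unrealized = [c.ticket for c in approved
                  if not c.ports <= latest.get(c.host, set())]
    return unapproved, unrealized

if __name__ == "__main__":
    print(reconcile(BASELINE_SCAN, LATEST_SCAN, APPROVED))
```

In the sample data the database team's ticket named one host but the new listener appeared on another, so the same drift surfaces twice: as an unapproved exposure on 10.0.1.12 and as an unrealized ticket for 10.0.1.11.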
Although some organizations are driven to deploy vulnerability scanning based on compliance and regulatory requirements, all organizations can benefit from these technologies in securing their critical data. Additionally, even the most resource-challenged organizations can successfully deploy and include a solution within their security lifecycle with minimal impact.
Organizations should evaluate both their external environments and their internal networks, because modern endpoints like laptops, smartphones, and tablets roam between the two. At a minimum, modern vulnerability scanning tools will provide IT with risk ratings, prioritization, and remediation steps.
Advanced assessments should occur throughout your IT operations lifecycle, reproducing the “security wheel” shown in many presentations. Ideally, an organization with significant security concerns should perform some form of advanced assessment as soon as possible in order to identify its requirements and prioritize tasks.
The auditing activities in advanced assessments are designed to examine an organization beyond the typical IT operational concerns, such as classifying data, defining its location, and determining how it’s being used. Some advanced assessments include the following:
- Security Posture Reviews (SPRs) evaluate the strength of external and internal systems, firewall and perimeter security mechanisms, and remote access authentication to uncover flaws and promote a more comprehensive and impenetrable security system.
- HIPAA Security Assessments identify an organization’s existing alignment with HIPAA/HITECH and the Common Security Framework (CSF) with the latest guidance and requirements.
- Penetration Testing builds on scanning for organizations interested in vulnerability identification as well as possible active exploitation of both external and internal hosts.
- Social Engineering evaluates the strength of an existing information assurance training program and internal IT support processes. Testing activities include a range of social engineering practices, including phishing, pretexting, and physical security evaluation.
The results of these assessments typically culminate in two deliverables: an executive summary or report communicating risk and recommendations to executives and management teams, and a technical report that can be used by internal IT teams. Not only do these reports support internal initiatives and begin to frame value such as return on investment, but they also have the side benefit of documenting current processes and controls, as well as their desired future state.
No matter what your organization’s security maturity level, assessments should be included as part of your IT operations program, a commitment to constantly testing and refining an IT ecosystem. By establishing change management protocols, scanning for vulnerabilities, and using advanced assessments to identify deeper needs, organizations can finally move past the snapshot syndrome that leaves ecosystems vulnerable to new threats.
To learn more about security assessment strategies or discuss the challenges your organization is facing, please contact your SHI account executive or email the SHI security team at SecuritySolutions@SHI.com.