Enterprise Security Strategy Plan
- ali@fuzzywireless.com
- Mar 4, 2022
ABC LLC is a fictional company which offers telecommunication products and services across the United States. People subscribe to ABC LLC on a month-to-month basis and access telecommunication network services such as voice calls, text messaging, video calls, data transfer, video streaming and so on. The company also offers storage of personal information in a cloud infrastructure for a nominal monthly fee. A free email account is also offered to all subscribers. To facilitate the use of new smartphones and tablets, ABC LLC also offers equipment through leasing and financing options to well-qualified customers. A limited amount of customer data is shared with the subsidiary businesses of ABC LLC for product marketing and promotional purposes.
Business Goals
The key strategic objectives for securing the business are (State of Minnesota, n.d.):
1. Improvement in situational awareness – continuous monitoring and assessment of controls
2. Proactive risk management – well-grounded security requirements and on-going training
3. Crisis and security incident management – allows critical services to continue to operate uninterrupted in the event of a crisis
4. Data loss prevention (University of Connecticut, 2010)
Overall Security Strategy
Some of the key activities in the security strategy are:
1. Needs analysis and framework establishment
2. Risk assessment and analysis
3. Strategy development
4. Roadmap development
Needs analysis and framework establishment help identify the regulatory and industry frameworks to be adopted in the company’s enterprise security plan (AT&T Cybersecurity Consulting, 2018). Some key standards and frameworks are the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act, the Health Information Technology for Economic and Clinical Health Act (HITECH), the Information Security Standards of Good Practice (SOGP), ISO 27002, the Health Information Trust Alliance (HITRUST) Common Security Framework, etc. Based on the requirements of ABC LLC, a custom framework is formulated to encompass regulatory and industry requirements. Risk assessment and analysis identify the threat landscape and validate the effectiveness of security controls. The key aims of the security strategy are to address security concerns, mitigate risks to reasonable and acceptable levels, limit exposures, etc. The strategic plan secures budget for security initiatives and prioritizes security projects. Custom metrics highlight the effectiveness of security measures and identify areas of concern for mitigation (2018).
Company Assets
The infrastructure of the company involves tower equipment, central switches, a high-speed transport backbone, an operations and management center, data centers, corporate and regional offices, marketing and sales franchise centers, call centers, handheld devices, Internet of Things devices and so on. Network nodes are connected to each other using wireless and wired connections such as optical fiber, coaxial cables, etc.
Hardware Strategy
Networking and telecommunication hardware deployed across the ABC LLC network and at customer premises includes routers, switches, fiber backhaul, smartphones, laptops, data centers, etc. A robust security strategy sets up controls such as badge-controlled access, a guarded perimeter, perimeter fences, PIN-code doors, disaster-controlled locations, man-traps, disaster recovery, personnel safety, a flexible network perimeter, proactive monitoring, encrypted data storage, encrypted network traffic and multiple IS providers (State of Hawaii, n.d.).
Software Strategy
With respect to software, comprehensive security controls are needed network-wide. For instance, audit logging, identity and access management, multi-factor authentication, bring your own device, database access management, secure coding methodology, the software development lifecycle, privileged access monitoring, operating system hardening, separation of duties and compliance management are some of the main security controls under the umbrella of the software strategy (State of Hawaii, n.d.).
Security Requirements
State of Hawaii (n.d.) identified data loss prevention, identity management, security information and event management, network access control, vulnerability assessment, intrusion detection and prevention, patch management, antivirus, application security, firewalls, strong user authentication, server, storage and database encryption, VPN, secure web gateways, email gateways and integrated security appliances as the key areas of concern for any enterprise security program.
Based on the services offered and the network owned by ABC LLC, varying levels of security practice are applied to safeguard customer and network information from malicious users, breaches, etc. Some key examples of data which require different levels of security are:
Customer Security
Subscriber Identity – customers submit their personal identification information to ABC LLC in good faith to subscribe to the offered services. Customer information may include name, home address, date of birth, telephone number, Social Security number, family members and so on.
Subscriber Activity – the customer’s location, usage pattern, access to specific services at a particular time of day, etc. are used by ABC LLC to improve the performance of the network as well as for product marketing and promotion.
Subscriber Account Credentials – customer accounts, which are used to manage, add, modify or remove service subscriptions, are accessed using two-factor authentication.
Subscriber Personal Data – customers store backups of their phones and other personal files in the cloud storage offered by ABC LLC.
Subscriber Financial Information – the customer’s credit card and bank account information are used to pay for the subscribed services.
Subscriber Email Account – customer emails, which are sent and received through the free email service offered by ABC LLC, are stored on servers and cloud infrastructure.
Subscriber Equipment – customer handsets, routers and gateways enable access to telecommunication services anywhere and everywhere.
Network Security
Network Equipment – network access points, routers, gateways, switches, etc. enable a variety of telecommunication services, which include voice, video, text, etc.
Corporate Network & Communications – the company’s internal network enables employees to communicate and network with each other and with the outside world to offer state-of-the-art telecommunication services.
Corporate Web Pages & Social Media Portals – the company’s official web page and social media portals are used to announce new products, services, etc. and to reach customers for troubleshooting and feedback purposes.
Corporate Financial Data – the company’s financial information, which is used to generate monthly and quarterly statements for regulatory filings, shareholders and the board of governors.
Risk Assessment Plan
The risk assessment plan encompasses all the functions, processes and applications in ABC LLC (Metivier, 2017), specifically the information systems consisting of the computing and network components of ABC LLC (Massachusetts Government, 2018). The plan will be broken into multiple sections:
1. System inventory documentation
2. System policy, standards and procedures
3. Threats and vulnerability, with severity level
4. Safety controls to mitigate threats and vulnerability
5. Recommended changes to improve safety
6. Residual risk level after recommended changes are implemented (2018)
System & Data Documentation
This part of the risk assessment plan will identify each and every information system in ABC LLC along with its associated details, which include the system owner, system identification, the operating perimeter of the system, the system purpose and details and the current level of system security (Massachusetts Government, 2018). This will include the network diagram with interconnected computing nodes, highlighting the operating perimeter of each system. Functional and operational details are outlined, including the supported business processes, application processes, interconnected components, software, interfaces, asset identification, physical location, listing of user accounts, etc. (2018).
Data classification and definition is also performed in this phase (Lamar Institute of Technology, 2012). This will include employee and customer identification information, such as Social Security numbers, credit card numbers, addresses, dates of birth and so on. Data custodians and owners are identified for provisioning and access control (2012).
System Risk Determination
In this part of the risk assessment plan, threats and vulnerabilities are identified for each and every information system identified during the system documentation phase (Massachusetts Government, 2018). This will include the potential dangers to the systems. It will also identify the weaknesses of systems that can be exploited, whether human, physical, environmental or technical (2018).
Details of risks are outlined for every information system (Massachusetts Government, 2018). This will include risks due to interconnections, system dependencies, software faults, human errors, malicious intent, incorrect permissions and so on. Existing safety controls that safeguard the system are documented, as are the sources consulted, such as scanning tools, security advisories, audits, system deficiency reports, past risk assessments, the NIST vulnerability database, etc. The likelihood of threat occurrence is discussed along with the severity of impact, rated as negligible, very low, low, medium, high, very high or extreme. Levels of risk are also determined, whether low, moderate or high. The severity of impact for every information system is then tagged as insignificant, minor, significant, damaging, serious or critical (2018).
Safety Controls and Residual Risk Determination
For each and every information system identified in ABC LLC, safety controls and measures are recommended, which include stricter user provisioning, administrative controls, user authentication, infrastructure data protection and physical and environmental data security (Metivier, 2017). Assuming all the recommended measures are implemented, the residual likelihood of threat, severity and risk levels are recomputed. Metivier (2017) formulated a simple risk rating formula: the impact (if exploited) multiplied by the likelihood. NIST presented a risk assessment in their special publication, shown here in Table 1.
Table 1
Risk rating using NIST’s product formula of likelihood and impact

Standards
The special publication from the National Institute of Standards and Technology (NIST) outlining the security and privacy controls for information systems and organizations will be followed and implemented at ABC LLC. The NIST Cybersecurity Framework describes the current security posture, the target security state of information systems, the identification and prioritization of valuable processes, progress assessment towards the goal and communication amongst all stakeholders (NIST, 2018). The three main components of the NIST Cybersecurity Framework are the core, the implementation tiers and the profiles (2017).
ISO 27000 family – the 27000 series of standards developed by the International Organization for Standardization (ISO) to manage information security and the risk associated with people, processes and systems (Theriault, 2017). There are several sub-standards for varying industries; for instance, 27001 has six parts, which include the definition of the security policy, the scope of the policy, risk assessment, management of risk, security controls and the statement of applicability (2017).
Email Security Policy
Purpose
The objective of the corporate email security policy is to outline the principles to be followed across all email-related information systems in order to fulfil regulatory and compliance requirements and contractual obligations and to follow industry best practices, policies and standards in the realm of information security (King County, 2009). The policy will assess security threats and recommend changes to reduce the threats and vulnerabilities (2009).
Policy Statement
The corporate email service and associated mailing lists are privileged services provided by the company to conduct day-to-day business. The use of the corporate email service requires full adherence to company policy and the code of conduct. The policy protects all the information and information systems across the enterprise while ensuring the security and protection of proprietary information.
Risks, Threats and Vulnerabilities Identification & Remedies
Some of the known exposures of the electronic mail service are junk, fraudulent, unsolicited and spam emails, which are usually initiated from outside the organization. Traditional threats associated with the electronic mail service are malware and virus attachments, identity theft, phishing, knowingly or unknowingly sending emails to thousands of recipients, etc. Email access through laptops and webmail increases the risk of unauthorized access several-fold. Email clients on mobile devices like smartphones pose serious risks in the event of device theft, loss or break-in. The corporate email security policy will reevaluate risks, threats and vulnerabilities on a quarterly basis and implement new recommendations to reduce the residual risk.
Responsibilities
The policy is issued and maintained by the CIO office. Domain leads for email are responsible for reliable and uninterrupted service. The CSO office is responsible for safeguarding the physical and logical security of email-related infrastructure, which includes email servers, email clients, end-user devices, etc. Corporate emails are declared company property whether accessed through traditional computers (laptops, desktops, etc.) or modern mobile devices (smartphones), with usage strictly limited to conducting business. Email service users are required to exercise caution while transmitting sensitive information and to safeguard against unauthorized access. Emails containing proprietary and subscriber information are required to be encrypted using the corporate encryption service.
Technology Guidelines and Standards
The guidelines on electronic mail security of the National Institute of Standards and Technology (NIST, 2018), SP 800-45 version 2, will be used to design, implement and maintain the corporate email system. The guideline provides encryption standards, mail server administration, email client security and best practices to secure the mail servers’ operating systems, applications and access.
Procedures
Access to the email service is offered to all employees of the enterprise as well as to departments. Use of the electronic mail service is governed by enterprise policy and the code of conduct. Emails are backed up to enterprise storage per the information retention policy. Email traffic is managed through limits on maximum email size, number of recipients and mailbox size. Domain leads will apply filters to identify spam and phishing emails. The CSO will provide antivirus and malware protection for all email-related corporate assets. Sensitive and proprietary customer and enterprise information, like Social Security numbers, addresses, dates of birth, credit card numbers, bank information, financial information, etc., is secured through encryption (Sophos, 2018). Another important step is to ensure full disk encryption across all information systems (2018).
Enforcement
To educate all employees and users of email, short online training can be helpful in highlighting the do's and don’ts of email. Since email is the formal mode of communication for performing business, enforcement of the business code of conduct will help in setting up the boundary of employee expectations. However, from the company's perspective, some things require strict implementation to maintain order; for instance, filtering suspicious executable attachments, restricting email attachment size, encryption of emails, junk and spam identification, blocking offensive content and so on. If a violation of the business code of conduct happens, then HR can be involved for intermediate and severe cases, while minor violations, which are still documented, can be handled by the reporting manager through counseling and additional training. If multiple violations of the business code of conduct happen, then the employee's employment can be terminated with immediate effect.
Definitions
Threat Analysis Group (2018) defines a threat as anything that can exploit a vulnerability, either intentionally or accidentally, to damage or destroy an asset. A vulnerability is referred to as a weakness or gap in a program related to the electronic mail service that can lead to unauthorized access to an asset. Finally, risk is defined as the potential for loss or damage of an asset as a result of a threat exploiting a vulnerability; thus risk is described as the intersection of assets, threats and vulnerabilities (2018).
Watts (2018) defines a threat as an incident which can harm a system or the overall organization. Threats can be:
1. Natural – floods, tornadoes etc.
2. Unintentional – employee mistake etc.
3. Intentional – spyware, malware etc.
On the other hand, risk is referred to as the potential loss due to a vulnerability being exploited by a threat. For instance, risk can be financial, privacy, business disruption, reputational damage, legal implications, loss of life, etc. (2018).
Internet Use Policy
Purpose
The objective of the internet use policy is to outline the principles to be followed while using the internet on company-provided machines (desktop, laptop, smartphone, etc.), during business hours, while performing work duties (meetings, etc.), while visiting business client locations and within company premises, in order to fulfil regulatory and compliance requirements and contractual obligations and to follow industry best practices, policies and standards in the realm of information security (King County, 2009). The policy will assess security threats and recommend changes to reduce the threats and vulnerabilities (2009).
Policy Statement
Internet use, which means accessing websites outside the corporate intranet, is a privileged service provided by the company to conduct day-to-day business. The use of the internet requires full adherence to company policy and the code of conduct. The policy protects all the information and information systems across the enterprise while ensuring the security and protection of proprietary information.
Risks, Threats and Vulnerabilities Identification & Remedies
Use of insecure websites can pose serious risk in the form of viruses, malware, etc., which can harm the company’s information technology infrastructure by damaging or leaking sensitive proprietary data. Business efficiency can be impacted by the potential downtime associated with malware-infected machines. There are increased threats of ransom demands, where another party holds access to the company’s sensitive information in exchange for money. Downloading illegal software can lead to potential copyright issues. Use of peer-to-peer sharing programs can make machines vulnerable to malicious users. Employee productivity can be impacted by unnecessary browsing during business hours. Valuable network bandwidth and resources are wasted on unnecessary internet traffic.
Responsibilities
The policy is issued and maintained by the CIO office. Leads for web traffic are responsible for reliable and uninterrupted internet service for business reasons. The CSO office is responsible for safeguarding the physical and logical security of the IT infrastructure, which includes browsers, routers, transport backhaul, servers, end-user devices, etc. Internet usage is strictly limited to conducting business. Internet service is provided to gather data and research material related to company business only.
Technology Guidelines and Standards
The Cybersecurity Framework of the National Institute of Standards and Technology (NIST, 2018) will be used to design, implement and maintain the IT infrastructure. The framework offers a complete structure for cybersecurity by assembling guidelines, standards and practices in one place. The framework addresses cybersecurity issues from the people, physical and cyber perspectives.
Procedures
Access to the internet is offered to all employees of the company. Use of the internet is governed by enterprise business policy and the code of conduct. Internet activity is recorded in enterprise storage per the information retention policy. Domain leads will identify high internet traffic users, users accessing prohibited websites, etc. for disciplinary action. Active website filtering will be used to block sites with offensive words, materials, media, etc. The CSO will provide antivirus and malware protection for all devices capable of accessing the internet. Security certificates will be updated regularly by the CIO to protect company assets. Another important step is to ensure full disk encryption across all information systems, which will prevent data leakage in the event of a breach (Sophos, 2018).
Mobile Device Use Policy
Purpose
The objective of the mobile device use policy is to outline the principles to be followed at all times while using mobile devices (laptops, tablets, smartphones, etc.) provided by the company, in order to fulfil regulatory and compliance requirements and contractual obligations and to follow industry best practices, policies and standards in the realm of information security (King County, 2009). The policy will assess security threats and recommend changes to reduce the threats and vulnerabilities (2009).
Policy Statement
Mobile device use, which includes making and receiving phone calls, accessing corporate email, browsing the internet, etc., is a privileged service provided by the company to conduct day-to-day business. The use of mobile devices requires full adherence to company policy and the code of conduct. The policy protects all the mobile devices across the company while ensuring the security and protection of proprietary information.
Risks, Threats and Vulnerabilities Identification & Remedies
Use of mobile devices by employees incurs high costs to the company, which is why the use of voice minutes and data is strictly limited to business use. International calls are blocked on all mobile devices. The text messaging service can be used sparingly by employees, but text service usually incurs high costs to the company in terms of international charges, inter-connect carrier charges, etc. Data usage on mobile devices is charged based on the number of bytes, which is why use of the internet and hotspot is limited to business use only. Spam calls can cause financial loss to the employee, which is why the company-provided number should not be shared on social media or used for personal purposes. Storage and playback of indecent media (audio and video), messages, etc. is strictly prohibited. Browsing illicit internet websites can pose serious risk to the device, which can lead to data loss and breach. Screen passwords are mandated to protect the device from misuse in the event of theft or loss. Installation of applications not related to business is strictly prohibited. Backups of mobile devices should be performed on another company-provided laptop or computing device. Usage of social media applications on mobile devices is prohibited. Full encryption of mobile devices is mandatory for all employees. Keeping the operating system updated is necessary for secure and safe mobile device usage.
Responsibilities
The policy is issued and maintained by the CIO office. Leads for mobile devices are responsible for issuing mobile devices with appropriate voice and data plans for business reasons. The CSO office is responsible for safeguarding the physical and logical security of mobile devices, which includes VPN, secure applications, mobile internet, mobile email, etc. Internet usage on mobile devices is strictly limited to conducting business. Voice and data service on mobile devices is provided to conduct company business only.
Procedures
Mobile devices, which include smartphones, laptops, tablets, etc., are offered to all employees of the company. Use of mobile devices is governed by enterprise business policy and the code of conduct. All activity on mobile devices is recorded in enterprise storage per the information retention policy. Domain leads will identify abusive users, users with outdated operating systems, illicit applications, etc. for disciplinary action. The CSO will provide antivirus and malware protection for all mobile devices. Full disk encryption is mandated across all mobile devices, which will prevent data leakage in the event of a breach (Sophos, 2018).
Applications Use Policy
Purpose
The objective of the applications use policy is to outline the principles to be followed at all times while using applications on desktops, laptops, tablets and smartphones provided by the company, in the realm of information security (King County, 2009). The policy will assess security threats and recommend changes to reduce the threats and vulnerabilities (2009).
Policy Statement
Applications are needed on all computing devices to perform specialized tasks like word processing, image editing, spreadsheets, computation, design, forecasting, presenting and so on. However, the use of applications on any company-provided device is strictly limited to business use only. The use of applications requires full adherence to company policy and the code of conduct. The policy protects all the applications installed on devices across the company while ensuring the security and protection of proprietary information.
Risks, Threats and Vulnerabilities Identification & Remedies
Applications which are developed in-house are available to all employees free of cost. However, third-party applications are frequently used to conduct business on a day-to-day basis. It is therefore mandatory to install applications from the company’s internal software store. Applications hosted on the company software store are license-protected and tracked by the IT department for usage fees. An application which an employee has not used for three months will be automatically deleted from the system. To reduce licensing costs, reporting managers will approve the installation of each application on their direct reports’ devices. Applications requiring periodic updates will be force-pushed and installed across the company to ensure that all fixes are in place. Usage of applications for personal purposes is strictly prohibited and results in disciplinary action. Sharing of applications outside the company can result in termination of employment. Misuse of applications is prohibited to safeguard the company’s IT assets. Illegal and unauthorized applications are not allowed on any device issued by the company.
Responsibilities
The policy is issued and maintained by the CIO office. Leads for applications, software and operating systems are responsible for the availability of applications to conduct business. The CSO office is responsible for safeguarding the physical and logical security of devices with installed applications. Applications incur high licensing costs to the company and thus require tracking of appropriate usage by employees.
Procedures
Applications are installed on all computing devices offered to employees of the company. Use of applications is governed by enterprise business policy and the code of conduct. Installation, usage, update and deletion of applications are tracked by the IT department. Domain leads will identify abusive users, users with outdated operating systems, illicit applications, etc. for disciplinary action. The CSO will provide antivirus and malware protection for all mobile devices.
Implementation
Security Organization Structure
To implement a security plan for an organization, one key step is to set up a security organizational structure with clearly defined roles and responsibilities for all members (ProServeIT, 2017). Clear roles and responsibilities will make sure that owners are accountable. Some of the key elements of a robust security organization structure are proper reporting lines, explicit security roles and responsibilities, a security steering committee, executive-level involvement to demonstrate commitment to enterprise information security, coordination of information security activities across the different departments of the enterprise, and contacts with appropriate authorities (2017).
Security Metrics
Another important step in implementing the enterprise security plan is to define and monitor the right set of security metrics (ProServeIT, 2017). Security metrics will help in gauging the effectiveness of security processes and in improving them further. Ill-conceived security metrics can be deceiving and lead to a false sense of security. Some of the attributes of good security metrics are:
1. Accurately capture the security status of the organization
2. Measure whether existing security levels are sufficient or not
3. Provide evidence of supporting business goals
4. Help in making well-informed security decisions (2017)
Information Security Training and Awareness
Awareness and training of all employees across the enterprise will help in reducing information security risk (CBRN, 2015). In the initial step, knowledge gaps need to be identified, followed by a training plan to improve the overall information security landscape. Training can be offered online to help employees complete it at their own pace (2015). Security awareness and employee engagement are required for a successful implementation of the enterprise security plan (Michigan Technological University, 2011). Employees are often dubbed the weakest link in an organization’s security, which is why it is important to train employees in such a way that they truly understand the security risks, threats and vulnerabilities associated with information and information systems on a day-to-day basis (2011). Usually resource constraints, like time, budget, training material, a dedicated security organization, etc., hamper the success of a security plan, which is why executive-level commitment to the security plan implementation is needed from day one. Training is an important aspect of educating and increasing awareness of the security policy, which is why mandatory and time-bound training with a small test or quiz at the end will be helpful in reinforcing the importance of information security in the minds of all employees. Both in-person and virtual modes of security training will help in improving the posture of enterprise information security. This training needs to be tracked as part of the employee’s annual performance assessment, which will ensure full commitment and understanding. In the event of a security plan violation, the employee will be subjected to strict action, including possible dismissal (State of Minnesota – Office of Enterprise Technology, 2010).
Besides the mandatory training, an annual cyber security awareness month will help in employee engagement towards the common business goal of improved security and reduced risk (Michigan Technological University, 2011). Another popular method is to set up annual hackathons with participation from employees as well as external experts to find holes in the security of the enterprise information architecture. Weekly email communication from the CSO organization to all employees sharing the latest stories, practices, breaches, incidents, etc. will help employees understand the enterprise security plan.
External Third-Party Audits
Lastly, periodic annual third-party security audits can help in determining the effectiveness of the security plan and are also pivotal in performing vulnerability assessments (Evans, 2016). Assessments can include automated scanning tools and penetration tests to identify weaknesses in networks, systems and applications. External audits can use ISO 27001 criteria to gauge the effectiveness of the security plan (2016).
Operations and Monitoring
There can be varying types of metrics gauging the performance of an organization’s information security posture. For instance, at a very high level a CSO needs to know the time-to-detection and time-to-remediation of a security threat (Kushto, 2018). Time-to-detection highlights how much time elapsed between when a threat was introduced to the network and when it was finally detected. Similarly, time-to-remediation defines the time taken by the CSO organization to resolve the issue completely (2018).
Berinato (2005) outlined some metrics which can be used to gauge the day-to-day readiness of the company’s IT infrastructure to deter cyber security threats. For instance, the defense coverage metric, which includes antivirus, antispyware, firewall, etc., gives a view of the company’s protected IT assets. Another metric is patch latency, which is the time between when a patch is released and when it is successfully deployed across all machines. Platform compliance covers whether there are machines with ports left unnecessarily open, etc. Trend analysis of email traffic also helps in gauging whether there is a sudden surge in junk and spam emails, which can increase the risk of a security breach (2005). Other secondary metrics can track the number of systems with known vulnerabilities, the number of SSL certificates configured incorrectly, the corporate volume of daily data transfer, the number of users with administrative or super-user access and so on.
Security Incidents
From the day-to-day perspective, a couple of key metrics can identify whether the security posture of the company has indeed been compromised. One metric is the trend of security events recorded at an hourly level and later aggregated at daily, weekly and monthly levels (Rhodes-Ousley, 2013). In a business-as-usual situation this metric sets the baseline of the security situation. If the number of security incidents suddenly increases, immediate attention is required to neutralize the threat as quickly as possible.
Attacks Blocked
Another metric is the number of attacks blocked by already deployed defense mechanisms like firewalls, antivirus, antimalware and so on. Trending this metric will also help in catching anomalies: if there is a sudden surge in blocked incidents (viruses, malware etc.), this can indicate that the corporate infrastructure is under attack and that security measures might need a review (2013).
Network and Email Traffic
A change in network traffic traversing the ingress and egress points of the corporate network can also highlight a potential security condition requiring attention. In the same context, a sudden increase in the number of emails can also point to a potential attack using spam and junk emails.
Spam-not-detected
Given the prevalence of junk and spam, some spam and junk emails will still pass through the filters, which is why tracking undetected spam will help in tweaking and updating the filters for each new situation. Review of spam and junk will also highlight interesting trends, such as whether phishing attacks or some other kind are occurring the most.
Invalid Login Attempts
Tracking invalid login attempts on a regular basis can also help in thwarting a potential upcoming security breach. Routers and switches using default user names and passwords are low-hanging fruit which the CSO should tackle right away. After a few invalid login attempts, either temporarily blocking the account completely or requiring detailed information before resetting the password can be used as a first line of defense. Storing the IP and MAC addresses of login attempts can help in identifying a network breach quickly.
OS Patch, Antivirus/Malware/Firewall Update Latency
Tracking and monitoring the latency associated with the deployment of OS patches, antivirus/malware/firewall updates and so on can be used to create a high-level risk metric. To improve the security posture, forced updates after an initial attempt or two can help raise the compliance level and lower the risk.
Non-Compliant Assets
In every organization there are certain assets which are vulnerable due to the age of the equipment, an older version of the operating system, inadequate and non-standard firewall settings and so on. The count of such machines should ideally be zero or near zero, since they can otherwise cause widespread damage in the event of a well-coordinated cyber-attack.
Administrative or Super-User Rights
Tracking and monitoring super-user and administrative rights is an important exercise, because a high number means that the access control processes and procedures are too lax and are establishing unnecessarily high-privilege accounts, which will increase the risk of unintentional or intentional insider damage. A quarterly review of access rights for critical applications will ensure that only legitimate users are granted wider access. A good rule of thumb is to limit such users to less than 5% of the employee head count.
New User or Login Creation
Strong access control processes and procedures will make sure that users do not get over-provisioned credentials and are not granted super-user or administrative rights unless there is a business need and justification recorded in the system, with proper approvals from the chain of command. In the event of no usage for a certain period, say thirty days, the account should be deleted automatically.
Percentage of Fully-Encrypted IT Assets
Encrypted assets thwart data breaches in the event of physical break-in as well as cyber-attack. Loss of a storage drive or laptop can reveal sensitive business information, resulting in long-term financial damage. Tracking encrypted assets across the enterprise will help in lowering the risk in the event of a data breach.
Table 2 summarizes all ten key security monitoring items, their optimal operating ranges and the respective action items.
Table 2: Security Monitoring, Thresholds and Actions

| Monitoring Item | Why? | Optimal Range | Actions if not in range |
| --- | --- | --- | --- |
| Security Incidents | A sudden increase in security incidents points to a possible cyber attack | Within 5% of usual (alert if >5%) | Alert CSO organization and incident response team to check all ingress and egress network nodes for anomalies |
| Attacks Blocked | A sudden increase in blocked cyber-attacks points to a possible cyber attack | Within 5% of usual (alert if >5%) | Alert CSO organization and incident response team to check all ingress and egress network nodes for anomalies |
| Network and Email Traffic | A sudden increase in network traffic could be due to a DoS or DDoS attack; increased email can be due to spam/junk | Within 5% of usual internet and email traffic (alert if >5%) | Identify ports where increased network traffic is observed and check for anomalies. Check email spam filters. |
| Spam-not-detected | Undetected spam highlights inefficiency of spam filters | <10% of total spam | Review spam and junk filters to bring undetected spam to <10% |
| Invalid Login Attempts | Invalid attempts could be attempts at illegitimate access | <5% of total accounts; disable account after 3 successive invalid attempts | Monitor patterns of machines where invalid attempts were noticed and disable accounts after 3 invalid attempts |
| OS Patch, Antivirus/Malware/Firewall Update Latency | Delay in updates can increase risk of data breach/loss | <5 working days | Immediately start forced updates on machines |
| Non-Compliant Assets | Non-compliant IT assets increase vulnerability and risk | <1% | Remove the non-compliant IT assets from the network and start compliance procedure |
| Administrative Rights | A high number of high-privilege accounts can lead to abuse and increases the risk of data loss | <1% | Immediately start auditing the users with administrative rights and remove unnecessary ones |
| New User or Login Creation | Requires approval from at least two higher levels of the reporting chain of command | 1 working day; remove account after 30 consecutive inactive days | After necessary approvals, create account within 1 business day. Remove inactive accounts after 30 days of no use |
| Percentage of Fully Encrypted IT Assets | To thwart data leak in case of data breach or loss | >95% | Immediately start campaign to bring non-encrypted IT assets to less than 5% |
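As an added example (not part of ABC LLC’s plan or any of the cited sources), the Python below applies the Table 2 thresholds to one constructed day of figures: the baseline deviation check for security incidents, the lockout after three successive invalid login attempts together with the source addresses the Invalid Login Attempts section says to keep, patch latency counted in working days, the thirty-day inactive-account removal from the New User or Login Creation section, and the administrative-rights and encryption percentages. Host names, user names, IP addresses, dates and counts are all constructed.

```python
"""Checks for the Table 2 monitoring thresholds over constructed sample data.
Added example, not part of ABC LLC's plan: the figures in run_checks() are
constructed; the thresholds (>5% over usual, 3 successive failed logins,
5 working days, 30 idle days, <1% admins, >95% encrypted) are Table 2's."""
from datetime import date, timedelta
from statistics import mean

def deviation_alert(history, today, limit_pct=5.0):
    """Today's count against the business-as-usual baseline (mean of the history
    window). Returns (percent change, alert flag)."""
    baseline = mean(history)
    pct = (today - baseline) / baseline * 100
    return round(pct, 1), pct > limit_pct

def accounts_to_lock(events, max_attempts=3):
    """Accounts whose current run of failed logins has reached max_attempts.
    events: ordered (user, success, source_ip) tuples. Returns {user: [sources]}
    so the pattern of source machines can be reviewed, as the plan asks."""
    streak, sources = {}, {}
    for user, success, source in events:
        if success:
            streak[user] = 0  # a successful login ends the run
            continue
        streak[user] = streak.get(user, 0) + 1
        sources.setdefault(user, set()).add(source)
    return {u: sorted(sources[u]) for u, n in streak.items() if n >= max_attempts}

def working_days_between(start, end):
    """Weekdays in (start, end]; public holidays are ignored."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days

def patch_latency_breaches(released, deployed, as_of, limit_days=5):
    """Hosts whose patch latency exceeds limit_days. deployed maps host to its
    deployment date, or None when the patch is still missing (counted to as_of)."""
    latency = {h: working_days_between(released, d or as_of) for h, d in deployed.items()}
    return {h: n for h, n in latency.items() if n > limit_days}

def inactive_accounts(last_login, as_of, idle_days=30):
    """Accounts unused for idle_days or more, due for automatic removal."""
    return sorted(u for u, d in last_login.items() if (as_of - d).days >= idle_days)

def run_checks():
    """One constructed day of ABC LLC figures; returns the findings per Table 2 item."""
    as_of = date(2022, 3, 4)
    pct, alert = deviation_alert([40, 42, 38, 41, 39], 47)
    locks = accounts_to_lock([
        ("jdoe", False, "10.0.5.17"), ("jdoe", False, "10.0.5.17"), ("jdoe", True, "10.0.5.17"),
        ("asmith", False, "10.0.9.3"), ("asmith", False, "10.0.9.4"), ("asmith", False, "10.0.9.5"),
    ])
    late = patch_latency_breaches(date(2022, 2, 21), {"ws-001": date(2022, 2, 23),
                                                      "ws-002": date(2022, 3, 1), "ws-003": None}, as_of)
    idle = inactive_accounts({"jdoe": date(2022, 3, 1), "contractor7": date(2022, 1, 20)}, as_of)
    return {"incidents": (pct, alert), "lock_accounts": locks, "late_patches": late,
            "remove_accounts": idle,
            "admin_rights_alert": 18 / 1200 * 100 > 1.0,    # 18 admin accounts of 1,200 staff
            "encryption_alert": 1150 / 1200 * 100 < 95.0}   # 1,150 of 1,200 assets encrypted
```

On this sample day the incident count is 17.5% above baseline, one account (asmith) is due for lockout, two hosts (ws-002 and ws-003) exceed the five-working-day patch window, and one account (contractor7) is due for removal; the admin share breaches 1% while encryption coverage stays above 95%.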
Audit and Assessment Plan
Audit Checklist
Yeagley (2015) defines an audit as periodic validation of the IT security implementation of an enterprise by a certification authority. Security audits should be performed to compare the current security posture against the security policy (Rhodes-Ousley, 2013). Audits can be performed by internal departments as well as outside agencies (2013). An audit by an unbiased third-party agency helps in highlighting weaknesses in the security policy and its enforcement. It can be performed at an annual, quarterly, monthly or any other regular interval; however, an annual audit ensures the operational compliance of IT security and policy (2013). Audits are usually performed to comply with federal, state or industry regulations (Yeagley, 2015). Table 3 summarizes some of the items covered during audits with their respective thresholds of optimal operating range.
Table 3: IT Audit Checklist

| Audit Item | Item Description | Source | Audit Criteria |
| --- | --- | --- | --- |
| Security Incidents | Daily count of security incidents | Monitoring control | Optimal: up to 5%; >5% triggers investigation |
| Attacks Blocked | Daily count of attacks blocked by existing measures | Monitoring control | Optimal: up to 5%; >5% triggers investigation |
| Network and Email Traffic | Daily network and email traffic trend | Monitoring control | Optimal: up to 5%; >5% triggers investigation |
| Spam-not-detected | Daily count of undetected spam | Monitoring control | Optimal: up to 10%; >10% review and update spam and junk filters |
| Invalid Login Attempts | Daily count of invalid login attempts | Monitoring control | Optimal: up to 5%; >5% monitor and investigate machines and users |
| Latency | Daily measure of OS patch, antivirus, malware, firewall etc. update latency | Monitoring control | Optimal: up to 5 working days; >5 working days, engage CSO organization to implement forced update |
| Non-compliant Assets | Daily count of non-compliant assets | Monitoring control | Optimal: up to 1%; >1% remove the non-compliant machines from network and start compliance procedures |
| Administrative Rights | Daily count of admin users | Monitoring control | Optimal: up to 1%; >1% review and downgrade user access immediately |
| New Login Creation | Average days taken to create new logins, tracked daily | Monitoring control | Optimal: up to 1 working day; remove inactive users |
| %Encryption | Daily count of IT assets which are fully encrypted | Monitoring control | Optimal: >95%; <95% immediately engage CSO resources to encrypt assets |
| Mobile Applications | Daily count of secure mobile applications | Policy | Optimal: 100%; <100% remove applications from mobile |
| Desktop/Laptop/Tablet Applications | Daily count of secure applications | Policy | Optimal: 100%; <100% remove applications from desktop/laptop/tablet |
| Servers and other IT Nodes | Daily count of secure IT nodes | Policy | Optimal: 100%; <100% remove applications from nodes |
| Mobile Usage (Voice) | Daily count of mobile users with higher voice minutes usage than allotted | Policy | Verify legitimate business use case by engaging reporting manager |
| Mobile Usage (Internet) | Daily count of mobile users with higher data usage than allotted | Policy | Verify legitimate business use case by engaging reporting manager |
| Internet Usage | Daily count of hours spent on internet | Policy | Verify legitimate business use case by engaging reporting manager |
| Corporate Email Volume | Daily email volume | Policy | Verify legitimate business use case by engaging reporting manager |
| Corporate Email Spam | Daily count of spam email | Policy | In case of spam generation by an employee, engage reporting manager and HR for code of conduct violation |
| Corporate Email for Personal Use | Daily count of personal emails (non-corporate email accounts) | Policy | In case of a high number of personal emails generated by an employee, engage reporting manager and HR for code of conduct violation |
| Corporate Mailbox | Maximum mailbox size of employee at server | Policy | Engage with employee to identify reason for high email volume and explore mailbox size increase etc. |
Assessment Plan
Assessment is defined as the evaluation and estimation of IT security against benchmarks and standards to determine an acceptable level of operation (Yeagley, 2015). An assessment can be performed internally or through an external agency. An assessment of IT security is performed to identify gaps and risks, whereas an audit is a detailed and thorough examination of policy and procedures. Assessments can be performed year-round, whereas audits are performed in a specific timeframe (2015).
In order to improve the existing controls, processes and policies, below are some possible actions:
1. Set up monthly employee surveys regarding IT services and identify issues for resolution and efficiency improvements.
2. Update IT security training material on a quarterly basis with new threats.
3. Review security tools for real-time monitoring and action to reduce damage in the event of a network breach.
4. Review disabling external USB and other data transfer ports on desktops, laptops, tablets etc. to reduce the risk of data loss.
5. Analyze updating old, outdated and non-compliant IT assets to prevent a network breach.
6. Review 100% enforcement of encrypted IT assets across the organization to improve the security posture.
7. Review disabling internet and social media access, except to the enterprise intranet, for employees using company-provided desktops, laptops, tablets etc. to limit security risk.
8. Review introducing multi-factor authentication using physical or soft tokens for all enterprise logins to improve the security posture.
9. Implement immediate forced updates of OS patches, antivirus/malware/firewall updates etc. to reduce latency and improve the security posture.
10. Implement a virtual private network (VPN) solution for remote access to enterprise computing resources to enhance enterprise security.
References
Yeagley, G. (2015). IT Auditing and IT Risk Assessment: What’s the difference? Retrieved from https://www.compassitc.com/blog/it-auditing-and-it-risk-assessment-whats-the-difference
University of Connecticut (2010). Information security strategic plan. Retrieved from https://security.uconn.edu/wp-content/uploads/sites/251/2014/05/information-security-master-plan2.pdf
State of Hawaii (n.d.). Information Assurance and cyber security strategic plan. Retrieved from http://ets.hawaii.gov/wp-content/uploads/2012/09/Governance_Info-Assurance_Cyber-Security.pdf
AT&T Cybersecurity Consulting (2018). Align your company security with your business goals. Retrieved from https://www.business.att.com/.../att-consulting-security-strategy-roadmap-service.pdf
State of Minnesota (n.d.). Enterprise security strategic plan. Retrieved from https://mn.gov/oet/images/Enterprise_Security_Strategic_Plan.pdf
Evans, M. (2016). Roadmap to implementing a successful information security program. Retrieved from https://www.barradvisory.com/roadmap-to-implementing-a-successful-information-security-program/
CBRN (2015). How to implement security controls for an information security program at CBRN facilities. Retrieved from https://www.pnnl.gov/main/publications/external/technical_reports/PNNL-25112.pdf
ProserveIT (2017). 5 Tips to build comprehensive information security plan. Retrieved from http://www.proserveit.com/5-tips-information-security-plan/
State of Minnesota – Office of Enterprise Technology (2010). Enterprise Security Tactical Plan. Retrieved from https://mn.gov/mnit/images/Enterprise_Security_Tactical_Plan.pdf
Michigan Technological University (2011). Information Security Plan. Retrieved from https://www.mtu.edu/it/security/policies-procedures-guidelines/information-security-plan.pdf
Rhodes-Ousley, M. (2013). Information Security: The Complete Reference (2nd ed.). New York, NY: McGraw-Hill.
Berinato, S. (2005). A few good information security metrics. Retrieved from https://www.csoonline.com/article/2118152/metrics-budgets/a-few-good-information-security-metrics.html
Kushto (2018). Security metrics you need for the board. Retrieved from https://www.csoonline.com/article/3280966/metrics-budgets/security-metrics-you-need-for-the-board.html
NIST (2018). Guidelines on electronic mail security. Retrieved from https://csrc.nist.gov/publications/detail/sp/800-45/version-2/final
King County (2009). Information Technology Governance policies and standards. Retrieved from https://www.kingcounty.gov/~/media/operations/it/governance/policies/Enterprise_Information_Security_Policy_signed.ashx?la=en
Threat analysis group (2018). Threat, vulnerability, risk – commonly mixed up terms. Retrieved from https://www.threatanalysis.com/2010/05/03/threat-vulnerability-risk-commonly-mixed-up-terms/
Watts, S. (2018). IT Security Vulnerability vs threat vs risk: what’s the difference? Retrieved from http://www.bmc.com/blogs/security-vulnerability-vs-threat-vs-risk-whats-difference/
Theriault, C. (2017). What is an information security framework and why do I need one? Retrieved from https://tbgsecurity.com/what-is-an-information-security-framework-and-why-do-i-need-one/
Sophos (2018). Sample data security policies. Retrieved from https://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-example-data-security-policies-na.pdf?la=en
NIST (2018). NIST Cybersecurity framework. Retrieved from https://www.nist.gov/cyberframework
Massachusetts Government (2018). Information Security Risk Assessment Guidelines. Retrieved from http://www.mass.gov/anf/research-and-tech/cyber-security/security-for-state-employees/risk-assessment/risk-assessment-guideline.html
Lamar Institute of Technology (2012). Information Technology Risk Management Plan. Retrieved from https://www.lit.edu/depts/TechService/Docs/LIT%20Risk%20Management%20Plan%20ver%202.31.pdf
Metivier, B. (2017). Sage Advice – cybersecurity blog. Retrieved from https://www.sagedatasecurity.com/blog/6-steps-to-a-cybersecurity-risk-assessment