Security Organization Structure

  • ali@fuzzywireless.com
  • Mar 4, 2022

To implement a security plan for an organization, one key step is to set up a security organizational structure with clearly defined roles and responsibilities for all members (ProServeIT, 2017). Clear roles and responsibilities ensure that owners are accountable. Key elements of a robust security organization structure include proper reporting lines, explicit security roles and responsibilities, a security steering committee, executive-level involvement to demonstrate commitment to enterprise information security, coordination of information security activities across the different departments of the enterprise, and contacts with the appropriate authorities (2017).

Security Metrics

Another important step in implementing an enterprise security plan is to define and monitor the right set of security metrics (ProServeIT, 2017). Security metrics help gauge the effectiveness of security processes and drive further improvement. Ill-conceived security metrics can be deceiving and lead to a false sense of security. Some attributes of good security metrics are:

  1. Accurately capture the security status of the organization

  2. Measure whether existing security levels are sufficient

  3. Provide evidence of support for business goals

  4. Help in making well-informed security decisions (2017)


Information Security Training and Awareness

Awareness and training of all employees across the enterprise helps reduce information security risk (CBRN, 2015). In the initial step, knowledge gaps need to be identified, followed by a training plan to improve the overall information security landscape. Training can be offered online so that employees complete it at their own pace (2015). Security awareness and employee engagement are required for a successful implementation of the enterprise security plan (Michigan Technological University, 2011). Employees are often dubbed the weakest link in an organization's security, which is why it is important to train employees so that they truly understand the security risks, threats and vulnerabilities associated with information and information systems on a day-to-day basis (2011). Resource constraints such as time, budget, training material and the lack of a dedicated security organization usually hamper the success of a security plan, which is why executive-level commitment is needed from day one of the security plan implementation. Training is an important means of educating employees and raising awareness of the security policy, which is why mandatory, time-bound training with a short test or quiz at the end helps reinforce the importance of information security in the minds of all employees. Both in-person and virtual security training will help improve the enterprise information security posture. This training needs to be tracked as part of the employee's annual performance assessment, which ensures full commitment and understanding. In the event of a security plan violation, the employee will be subject to strict action, including possible dismissal (State of Minnesota – Office of Enterprise Technology, 2010).

Besides the mandatory training, an annual cyber security awareness month helps engage employees towards the common business goal of improved security and reduced risk (Michigan Technological University, 2011). Another popular method is to set up annual hackathons in which employees as well as external experts participate to find holes in the security of the enterprise information architecture. A weekly email from the CSO organization to all employees sharing the latest stories, practices, breaches, incidents and so on will help employees understand the enterprise security plan.

External Third-Party Audits

Lastly, periodic (annual) third-party security audits help determine the effectiveness of the security plan and are also pivotal in performing vulnerability assessments (Evans, 2016). An assessment can include automated scanning tools and penetration tests to identify weaknesses in the network, systems and applications. External audits can use the ISO 27001 criteria to gauge the effectiveness of the security plan (2016).

Operations and Monitoring

There can be many types of metrics gauging the performance of an organization's information security posture. For instance, at a very high level a CSO needs to know the time-to-detection and time-to-remediation of a security threat (Kushto, 2018). Time-to-detection measures how much time elapsed between a threat being introduced to the network and its eventual detection. Similarly, time-to-remediation is the time taken by the CSO organization to resolve the issue completely (2018).

Berinato (2005) outlined some metrics which can be used to gauge the day-to-day readiness of a company's IT infrastructure to deter cyber security threats. For instance, a defense coverage metric, which includes antivirus, antispyware, firewall etc., gives a view of the company's protected IT assets. Another metric is patch latency, which is the time between a patch being released and its successful deployment across all machines. Platform compliance covers whether there are machines with unnecessary ports left open and the like. Trend analysis of email traffic also helps gauge whether there is a sudden surge in junk and spam emails, which can increase the risk of a security breach (2005). Other secondary metrics can track the number of systems with known vulnerabilities, the number of incorrectly configured SSL certificates, the corporate volume of daily data transfer, the number of users with administrative or super-user access, and so on.
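As an added illustration (not code from the post or any cited source), the following computes the three headline metrics described above, time-to-detection, time-to-remediation and patch latency, from constructed incident and patch-rollout records. It deliberately handles the edge cases that make these numbers honest: an incident that is still open and a host that has not yet received the patch both keep their clocks running up to the reporting time instead of disappearing from the metric.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample incident records (not data from the post): when each threat
# entered the network, when it was detected and when it was fully resolved.
INCIDENTS = [
    {"id": "INC-1", "introduced": "2022-02-01T08:00", "detected": "2022-02-01T20:00", "resolved": "2022-02-03T08:00"},
    {"id": "INC-2", "introduced": "2022-02-05T09:30", "detected": "2022-02-09T09:30", "resolved": "2022-02-10T09:30"},
    {"id": "INC-3", "introduced": "2022-02-10T00:00", "detected": "2022-02-10T06:00", "resolved": None},  # still open
]

# Constructed patch rollout: release time and per-host install time (None = not yet installed).
PATCH = {
    "released": "2022-02-01T00:00",
    "hosts": {"ws-01": "2022-02-02T10:00", "ws-02": "2022-02-04T10:00", "srv-01": None},
}

def hours_between(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)) / timedelta(hours=1)

def detection_remediation_metrics(incidents, now):
    """Median time-to-detection (introduced -> detected) and time-to-remediation
    (detected -> resolved) in hours. An open incident keeps its remediation clock
    running, so it is measured up to 'now' rather than dropped from the metric."""
    ttd = [hours_between(i["introduced"], i["detected"]) for i in incidents]
    ttr = [hours_between(i["detected"], i["resolved"] or now) for i in incidents]
    return {
        "ttd_median_h": median(ttd),
        "ttr_median_h": median(ttr),
        "open": sum(1 for i in incidents if i["resolved"] is None),
    }

def patch_latency(patch, now):
    """Patch latency: hours from release until the patch is on every host.
    Hosts still missing the patch are charged the full elapsed time up to 'now',
    so a single straggler keeps the latency (and the risk) visible."""
    latencies = [hours_between(patch["released"], t or now) for t in patch["hosts"].values()]
    pending = [h for h, t in patch["hosts"].items() if t is None]
    return {
        "max_latency_h": max(latencies),
        "coverage_pct": 100.0 * (len(latencies) - len(pending)) / len(latencies),
        "pending": pending,
    }
```

Reporting the median rather than the mean keeps one very slow incident from hiding an otherwise healthy trend, while the maximum patch latency and the pending-host list surface exactly the stragglers a CSO needs to chase.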

Security Incidents

From a day-to-day perspective, a couple of key metrics can indicate whether the company's security posture has indeed been compromised. One metric is the trend of security events recorded at an hourly level and later aggregated at daily, weekly and monthly levels (Rhodes-Ousley, 2013). In a business-as-usual situation, this metric sets the baseline of the security situation. If the number of security incidents suddenly increases, immediate attention is required to neutralize the threat as quickly as possible.

Attacks Blocked

Another metric is the number of attacks blocked by already deployed defense mechanisms such as firewalls, antivirus and antimalware. The trend of this metric also helps catch anomalies: if there is a sudden surge in blocked incidents (viruses, malware etc.), this can indicate that the corporate infrastructure is under attack and that security measures may need a review (2013).
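Both the security-event trend and the blocked-attack trend above follow the same pattern: establish a business-as-usual baseline from hourly counts, then flag hours that depart from it and roll the counts up to daily and weekly views. The example below is added here and is not code from the post; the hourly counts are constructed, and the three-sigma threshold and the floor on the standard deviation are illustrative choices.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed business-as-usual hourly counts of blocked attacks (one quiet half-day),
# used to set the baseline; not data from the post.
BASELINE_HOURLY = [4, 5, 6, 5, 4, 6, 5, 5, 4, 6, 5, 5]

# Constructed hourly samples for a later period, including a surge on 2022-03-01.
SAMPLES = [
    ("2022-03-01T09:00", 5),
    ("2022-03-01T10:00", 6),
    ("2022-03-01T11:00", 41),
    ("2022-03-01T12:00", 38),
    ("2022-03-02T09:00", 5),
]

def baseline_stats(hourly_counts):
    """Mean and population standard deviation of the business-as-usual hourly counts."""
    return mean(hourly_counts), pstdev(hourly_counts)

def flag_surges(samples, baseline, k=3.0):
    """Hours whose count exceeds mean + k standard deviations of the baseline.
    A floor of 1.0 on sigma stops a perfectly flat baseline from alerting on +1."""
    mu, sigma = baseline
    threshold = mu + k * max(sigma, 1.0)
    return [(ts, count) for ts, count in samples if count > threshold]

def aggregate(samples, period):
    """Roll hourly samples up to 'day' or ISO 'week' buckets for trend reporting."""
    buckets = defaultdict(int)
    for ts, count in samples:
        d = datetime.fromisoformat(ts)
        if period == "day":
            key = d.date().isoformat()
        else:
            year, week, _ = d.isocalendar()
            key = f"{year}-W{week:02d}"
        buckets[key] += count
    return dict(buckets)
```

The hourly view catches the two surge hours that a daily total would blur together, while the weekly roll-up is the number that belongs on the monthly trend chart.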

Network and Email Traffic

A change in network traffic traversing the ingress and egress points of the corporate network can also highlight a potential security condition requiring attention. In a similar vein, a sudden increase in the number of emails can point to a potential attack using spam and junk emails.

Spam-not-detected

Given the prevalence of junk and spam, some spam and junk emails will still pass through the filters, which is why tracking undetected spam helps in tweaking and updating the filters as the situation changes. A review of spam and junk will also highlight interesting trends, such as whether phishing attacks are occurring most often or some other kind.

Invalid Login Attempts

Tracking invalid login attempts on a regular basis can also help thwart an upcoming potential security breach. Routers and switches using default user names and passwords are low-hanging fruit which the CSO should tackle right away. After a few invalid login attempts, either temporarily blocking the account completely or requiring detailed information before resetting the password can be used as a first line of defense. Storing the IP and MAC addresses of login attempts can help identify a network breach quickly.
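The first line of defense described above, a temporary lockout after a few invalid attempts plus a record of the source IP and MAC of each attempt, can be implemented as a small tracker. This is an added example, not code from the post; the window, failure count and lockout duration are illustrative defaults, and the sliding window keeps a user who mistypes a password once a day from ever being locked out.

```python
from collections import defaultdict, deque

class FailedLoginTracker:
    """Counts invalid login attempts per account inside a sliding window, temporarily
    locks the account once 'max_failures' is reached, and records the source IP and
    MAC of every attempt so a breach can be traced back quickly. Added example,
    not code from the post; thresholds are illustrative."""

    def __init__(self, max_failures=5, window_s=600, lockout_s=900):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lockout expires
        self.attempts = defaultdict(list)   # account -> [(time, ip, mac, ok)]

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record(self, account, ok, ip, mac, now):
        """Record one attempt; returns 'locked', 'ok' or 'failed'."""
        self.attempts[account].append((now, ip, mac, ok))
        if self.is_locked(account, now):
            return "locked"            # even a correct password is refused during lockout
        if ok:
            self.failures[account].clear()
            return "ok"
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()           # drop failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout_s
            recent.clear()
            return "locked"
        return "failed"

    def suspicious_sources(self, account, min_failures=3):
        """Source IPs with at least 'min_failures' failed attempts on this account."""
        counts = defaultdict(int)
        for _, ip, _, ok in self.attempts[account]:
            if not ok:
                counts[ip] += 1
        return {ip: n for ip, n in counts.items() if n >= min_failures}
```

The per-source counts are what make the stored addresses useful: a single IP behind many failures across accounts is the pattern worth escalating, and the lockout itself feeds the invalid-login metric the post recommends tracking.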

OS Patch, Antivirus/Malware/Firewall update Latency

Tracking and monitoring the latency of OS patch, antivirus, antimalware and firewall update deployment can be used to create a high-level risk metric. To improve security posture, forcing updates after an initial attempt or two helps keep the compliance level high and the risk low.

Non-Compliant Assets

In every organization, there are certain assets which are vulnerable due to the age of the equipment, an older version of the operating system, inadequate and non-standard firewall settings, and so on. The count of such machines should ideally be zero or near zero, since they can otherwise cause widespread damage in the event of a well-coordinated cyber-attack.

Administrative or Super-User Rights

Tracking and monitoring super-user and administrative rights is an important exercise, because a high number means that the access control processes and procedures are too lax and are establishing unnecessary high-privilege accounts, which increases the risk of unintentional or intentional insider damage. A quarterly review of access rights for critical applications will ensure that only legitimate users are granted wider access. A good rule of thumb is to limit such users to less than 5% of the employee head count.

New user or login creation

Strong access control processes and procedures will make sure that users do not receive over-provisioned credentials and are not granted super-user or administrative rights unless there is a business need and justification recorded in the system with proper approvals from the chain of command. If an account is not used for a certain period, say thirty days, it should be deleted automatically.

Percentage of Fully-Encrypted IT Assets

Encrypted assets thwart data breaches in the event of a physical break-in as well as a cyber-attack. Loss of a storage drive or laptop can reveal sensitive business information, resulting in long-term financial damage. Tracking encrypted assets across the enterprise will help lower the risk in the event of a data breach.


References

Evans, M. (2016). Roadmap to implementing a successful information security program. Retrieved from https://www.barradvisory.com/roadmap-to-implementing-a-successful-information-security-program/


CBRN (2015). How to implement security controls for an information security program at CBRN facilities. Retrieved from https://www.pnnl.gov/main/publications/external/technical_reports/PNNL-25112.pdf


ProServeIT (2017). 5 Tips to build comprehensive information security plan. Retrieved from http://www.proserveit.com/5-tips-information-security-plan/

State of Minnesota – Office of Enterprise Technology (2010). Enterprise Security Tactical Plan. Retrieved from https://mn.gov/mnit/images/Enterprise_Security_Tactical_Plan.pdf


Michigan Technological University (2011). Information Security Plan. Retrieved from https://www.mtu.edu/it/security/policies-procedures-guidelines/information-security-plan.pdf

Rhodes-Ousley, M. (2013). Information Security: The Complete Reference. New York: McGraw-Hill.


Berinato, S. (2005). A few good information security metrics. Retrieved from https://www.csoonline.com/article/2118152/metrics-budgets/a-few-good-information-security-metrics.html


Kushto (2018). Security metrics you need for the board. Retrieved from https://www.csoonline.com/article/3280966/metrics-budgets/security-metrics-you-need-for-the-board.html
