It amazes me to this day that I can pretty much provide a detailed remediation plan for thousands of companies without even stepping foot in their building. That’s because, candidly, I’ve seen the same issues over and over for the past 20 years.
So without further ado, let me play the role of Fortune Teller Konrad and tell you what I see…
- You do not have a current network diagram. Wait, how did you know?
- You lack documented security policies and operational procedures for managing vendors and other security parameters. We had them at one time.
- At the highest level, your organization does not define an “information security policy” that is approved by management and outlines the organization’s approach to managing its information security objectives. Our IT manager drafted one in 1998.
- Your systems have not been patched in months due to other priorities. When can we patch? We are a 24x7x365 organization. Come on!
Sound familiar? Companies spend roughly three to five percent of their overall IT budget on security, so why is it that it takes, according to various reports, 209 days before a breach is detected?
Over time (and based on my fortune-telling powers), I have developed a top 10 list of things your company can do to start reducing risk today. And don’t worry, this advice is free!
- Maintain an information security policy in accordance with business requirements and relevant laws and regulations.
- Identify risks of third-party access to your critical information.
- Establish a policy and procedure for periodic internal and external vulnerability scanning and penetration testing. This includes re-testing upon significant change or following the correction of identified vulnerabilities. Monitoring third-party sources for vulnerability information and assigning identified vulnerability criticality should additionally be performed.
- Have a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.
- Prevent data leakage through email attachment scanning, USB port restrictions and encrypted mobile devices.
- Develop a formal change control methodology and procedure.
- Security responsibilities should be included in employee job descriptions (please do this).
- Protect secure areas by using the appropriate entry controls to ensure that only authorized personnel are allowed access.
- Audit logs should be reviewed regularly. (Remember that 209 days statistic!)
- Your incident response plan must be reviewed, revised, supplemented as appropriate and it must include requirements for breach notification and disclosure. This plan should be tested at least annually, with lessons-learned documentation generated following completed tests and actual incidents.
To start the journey of accomplishing this list, you should establish a cross-functional steering committee to guide organizational information security efforts and align them with business goals. Then, develop remediation strategies that include short-, medium- and long-term efforts to mitigate risk items identified through assessments, with priority given to high-risk items.
For more security advice, check out my other blog posts.