Tackling the Challenges of Cybersecurity

We all hear about hacking, viruses and other threats causing significant monetary, competitive and psychological damage for organizations. There are also other threats like the pace of change in technology, business growth requiring additional hardware or infrastructure, and regulations that require mitigation, effective communication, and plans for resolution. Unfortunately, many organizations are feeling the squeeze to tackle these challenges efficiently and to find and address vulnerabilities without breaking the bank.

Many organizations are realizing that merely installing new hardware or software is not enough to secure their systems and critical data assets. Organizational security isn’t plug and play, and those that continue to treat it that way are likely to leave themselves more open to the impact of security issues.

We recommend that you start with a security review to help ensure that your organization is appropriately managing risk. While this might conjure feelings of dread for some, we take a more optimistic tone mainly because it can help you identify and mitigate possible security vulnerabilities before they become significant issues.

Components of a Security Review

A security review should include:

  • Data Gathering
    • Review of Security Regulations/Requirements

There are regulations and compliance requirements for every industry, and more are established each year. Identify those that apply to your business, then assess your current state and monitor your compliance status. Non-compliance with any regulation requires a risk mitigation action plan.

Here are some examples of existing regulations and the type of organizations that need to comply:

| Regulation | Description | Organization Affected |
|---|---|---|
| Sarbanes-Oxley Act | This act requires companies to maintain financial records for seven years. | U.S. public company boards, management and public accounting firms |
| Federal Information Security Management Act of 2002 (FISMA) | This act recognized information security as a matter of national security and mandates that all federal agencies have a method of protecting their information systems. | All federal agencies |
| Gramm-Leach-Bliley Act (GLBA) | This act mandates that companies secure the private information of clients and customers. | Companies that offer financial products or services to individuals, such as loans, financial or investment advice, or insurance |
| Family Educational Rights and Privacy Act (FERPA) | This act protects student educational records. | Any postsecondary institution, including universities, academies, colleges, seminaries, technical schools, and vocational schools |
| Payment Card Industry Data Security Standard (PCI-DSS) | A set of regulations to reduce fraud and protect customer credit card information. | Companies handling credit card information |
| General Data Protection Regulation (GDPR) | An EU data protection law that protects customer data. | Companies that do business with EU residents |
| SOC II | A regulation to ensure the privacy of customer data. | Technology-based service organizations that store data in the cloud |
| HIPAA (Health Insurance Portability and Accountability Act) | This act protects patients' individually identifiable health data across the spectrum of care and payment. | Any company or office that deals with patient data, including but not limited to doctor's offices, insurance companies, vendors, and employers |

  • Review of Security Policies and Procedures

Review your security policies and procedures to see if they are compliant and/or meet required standards to protect your technology and information assets. 

All organizations should have clear BYOD (Bring Your Own Device) policies and procedures that address key components of issuing corporate devices or using personal devices on the corporate network. Mobile device management protocols are also required to ensure appropriate account access to data.   

Other policies to consider are corporate compliance, network protection, remote access, as well as data use, access, and transmission.  

And, while it is important to have these policies for your organization, it is even more important to have regular reviews, accommodate updates, and ensure appropriate communication and training with your staff.  

  • Security Architecture Review

The architecture review should consist of examining physical assets as well as software solutions and any controls that are in place (or not). Systems and history logs should be reviewed to ensure that patches have been applied to the system modules when vulnerabilities are detected. The review should also validate that required software updates to operating systems, drivers, and software solutions have been completed.

  • Device Identification and Review

While your systems are important, it is equally important to identify the devices that connect to your network as well as which operating systems they use. This is vital to ensure that all endpoints are adequately protected. Too often, vendor devices or third-party integrations are not accounted for, which can leave the network vulnerable.

Typical devices to be reviewed include:

  • Firewalls should be assessed by reviewing rules, permissions, and logs to determine if there are gaps that need to be addressed.
  • Laptops should be examined for encryption software.
  • Wireless networks should be reviewed for security and to ensure access points are secure. 
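As an added illustration of the firewall rule review mentioned above (example code written for this article, not a tool from the original post or from Ninestone), the script below runs a few mechanical checks over a constructed rule set: it flags a catch-all allow, an administrative port reachable from any source, and a rule that can never match because an earlier rule already covers it. The rule format, the port list and the sample rules are assumptions made for the example.

```python
from ipaddress import ip_network

# Constructed sample rule set (not taken from any real firewall).
# Each rule is (action, source CIDR, destination CIDR, port or "any"),
# evaluated first-match in list order.
SAMPLE_RULES = [
    ("allow", "10.0.0.0/8", "10.1.2.3/32", 443),
    ("allow", "0.0.0.0/0", "10.1.2.4/32", 3389),    # admin port open to any source
    ("allow", "0.0.0.0/0", "0.0.0.0/0", "any"),      # catch-all allow
    ("deny", "192.168.0.0/16", "10.1.2.3/32", 443),  # dead: rule 2 above matches first
]

# Ports that should never be reachable from an unrestricted source (assumed list).
ADMIN_PORTS = {22, 3389, 5900, 445}
ANY_NET = ip_network("0.0.0.0/0")


def _covers(outer, inner):
    """True when every address in `inner` also lies inside `outer`."""
    return ip_network(inner).subnet_of(ip_network(outer))


def review_rules(rules):
    """Return (rule_index, finding) pairs for rules that need attention."""
    findings = []
    for i, (action, src, dst, port) in enumerate(rules):
        src_net, dst_net = ip_network(src), ip_network(dst)
        if action == "allow" and src_net == ANY_NET and dst_net == ANY_NET and port == "any":
            findings.append((i, "catch-all allow: permits all traffic"))
        elif action == "allow" and src_net == ANY_NET and port in ADMIN_PORTS:
            findings.append((i, f"admin port {port} reachable from any source"))
        # Shadowing: an earlier rule whose source, destination and port all
        # include this rule's means this rule is never evaluated.
        for j in range(i):
            _, p_src, p_dst, p_port = rules[j]
            if _covers(p_src, src) and _covers(p_dst, dst) and p_port in ("any", port):
                findings.append((i, f"shadowed by earlier rule {j}; never matches"))
                break
    return findings


if __name__ == "__main__":
    for index, finding in review_rules(SAMPLE_RULES):
        print(f"rule {index}: {finding}")
```

The shadowing check only reports full coverage by a single earlier rule; partial overlaps, which also merit a look during a review, are left to the reviewer.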

To ensure that a complete review is being conducted on all your relevant systems, equipment, and software solutions, a recommended practice is to develop a custom checklist for your organization. The article "Your checklist for avoiding IT security breaches" is a comprehensive list to use and adapt to your IT landscape.

  • Assess Security Controls

Take the time to analyze the actual controls and technologies that your organization is using to support security requirements. Pay special attention to all security endpoints whether your organization is running in-house or in the “cloud”.

  • Software Security Testing

Software that handles sensitive information should undergo both static and dynamic testing. Static tests include review of the software code, logs, and reports while the software is not running. Dynamic tests operate while the software is running to detect flaws that are difficult to find in a static test.

  • Vulnerability and Penetration Testing

Vulnerability and penetration testing are additional tests that can be completed during a security review. Think of them as a "stress" test for your entire information technology infrastructure. The difference between the two is that a vulnerability test is automated, whereas a penetration test requires testers with various levels of expertise. Testers simulate an attack or try to "break" your security protocols to find previously undocumented vulnerabilities.

The article "How often should I schedule a penetration test" has good advice on when and how often to schedule this testing.

  • Gap Analysis and Mitigation Plan

Once the details of the security review are available, a report identifying and prioritizing the gaps should be developed. A mitigation plan should be developed from the gap analysis. Mitigation actions are the specific projects that are designed to address one or more gaps. The action plan should include a description of the initiative, its prioritization, estimated timeline and budget, as well as how to measure it.

Prioritization of gaps and mitigation activities can be tricky because you must take into account the level of risk for your organization as well as the level of complexity and investment of potential solutions.

Recommended Frequency of Security Reviews

Security reviews should be scheduled with a frequency that makes sense for your organization based on regulations, the type of data your organization manages, the complexity of your infrastructure and solutions, the maturity of your processes, results of past audits, and budget. They could be scheduled monthly, quarterly, twice a year, annually, or biannually. Different aspects of a security review can also be scheduled at different intervals. For instance, a device audit may need to be completed more frequently, whereas vulnerability/penetration testing may be scheduled far less often.

In summary, a security review will protect mission critical information and provide your organization with a means to prioritize and budget for a mitigation plan to address the identified gaps. Doing a security review based on a predefined schedule will help to ensure that you are consistently addressing potential gaps.

If you are interested in securing our services to help tackle the challenges of maintaining and appropriately securing your technology environment, we're here to help. The Ninestone team will work closely with your organization to conduct a review and provide you with a risk-based report.

Think your organization will benefit from a security review? Give us a call!

Debbie Crooke, Principal Consultant

March 2019
