Security Program Spring Cleaning - Part 3 of 3
Now we’ve dusted the bunnies under the furniture, steam cleaned the carpets, and nearly fallen asleep reviewing documentation and logs. This week — the Febreeze™ final touch to leave your network smelling fresh and ready for Summer.
Tidy Up Your Security Program
Variety may be the spice of life, but it is variety, or rather exceptions, in your security program that leads to breaches. Vendors with Windows XP systems on your network? I’m looking at you. Let’s look at auditing controls and risk assessments for security practitioners.
What are the projects on your comprehensive security strategy roadmap? Do they address the gaps in your security program or increase your capabilities? Most mid-to-large organizations have an audit team responsible for their security risk program. As a technical security practitioner, I recommend self-auditing to evaluate, with your understanding of the environment, how you score your organization versus what the auditors focus on. Start by measuring your security controls against a security standards framework (UCF, NIST, SANS, DISA, etc.). Are your security projects for the year filling the gaps, or are they narrowly focused in an area where you are already strong? Do your own audit before the audit team shows up and you’ll be more productive.
Do you know about ALL the end-points on your network? Are your vendors in compliance with your security policies? How often do they patch? How is your vendor risk management program going? Say what — you don’t have one? Tsk, tsk. The number of third-party breaches due to deviations from your security program serves as a warning sign. Don’t be the next Target, JPMorgan, HomeDepot, Sony, you name it! Make certain you have a thorough understanding of your partners’ security programs and maintain a healthy liability cap (or no cap) with your vendors. Ensure you have the right to audit the partner and validate the controls mandated by your risk program. We have seen companies do everything right only to get breached through a third party playing by a different set of rules.
To-Do To-day
- Measure your security controls against a security standards framework (UCF, NIST, SANS, DISA, etc.)
- Review your security roadmap to make sure your program is focused on closing the gaps
- Identify deviations from configuration standards
- Assess vendor hosts on your network.
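As an added example of the self-audit in the list above (this is not code from the original post), here is a small Python script that compares a host inventory against a configuration baseline and reports deviations: unsupported operating systems such as the Windows XP boxes called out earlier, hosts whose last patch is older than the standard allows, and hosts missing mandated controls. It also pulls out the vendor-owned hosts so they can be assessed separately. The baseline, the inventory and the control names (`edr`, `disk_encryption`, `logging`) are constructed sample data, not from any real environment; in practice you would feed it an export from your asset inventory or CMDB.

```python
"""Self-audit helper: find deviations from a configuration standard.

Added example. BASELINE and INVENTORY are constructed sample data
(assumptions), standing in for a real configuration standard and an
asset-inventory export.
"""
from datetime import date

# Constructed baseline: what the organisation's standard mandates.
BASELINE = {
    "unsupported_os": {"Windows XP", "Windows Server 2003"},
    "max_patch_age_days": 30,
    "required_controls": {"edr", "disk_encryption", "logging"},
}

# Constructed inventory: one compliant host, one vendor-owned XP host,
# and one internal host that is drifting from the standard.
INVENTORY = [
    {"host": "hr-ws-01", "owner": "internal", "os": "Windows 10",
     "last_patched": date(2015, 5, 1),
     "controls": {"edr", "disk_encryption", "logging"}},
    {"host": "hvac-ctl-07", "owner": "vendor:acme-hvac", "os": "Windows XP",
     "last_patched": date(2014, 4, 8),
     "controls": {"logging"}},
    {"host": "db-prod-02", "owner": "internal", "os": "RHEL 7",
     "last_patched": date(2015, 2, 20),
     "controls": {"edr", "logging"}},
]


def audit_host(host, baseline, today):
    """Return a list of (finding_type, detail) tuples for one host."""
    findings = []
    if host["os"] in baseline["unsupported_os"]:
        findings.append(("unsupported_os", host["os"]))
    patch_age = (today - host["last_patched"]).days
    if patch_age > baseline["max_patch_age_days"]:
        findings.append(("stale_patching", f"{patch_age} days since last patch"))
    missing = baseline["required_controls"] - host["controls"]
    if missing:
        findings.append(("missing_controls", ",".join(sorted(missing))))
    return findings


def audit_inventory(inventory, baseline, today):
    """Map each hostname to its findings (empty list means compliant)."""
    return {h["host"]: audit_host(h, baseline, today) for h in inventory}


def vendor_hosts(inventory):
    """Hosts owned by a third party, the ones your vendor risk program covers."""
    return [h["host"] for h in inventory if h["owner"].startswith("vendor:")]


def compliance_rate(report):
    """Fraction of hosts with no findings: a simple score to track over time."""
    if not report:
        return 1.0
    clean = sum(1 for findings in report.values() if not findings)
    return clean / len(report)


def render(report, inventory):
    """Plain-text summary suitable for pasting into an audit note."""
    vendors = set(vendor_hosts(inventory))
    lines = []
    for host, findings in sorted(report.items()):
        tag = " [vendor-owned]" if host in vendors else ""
        if not findings:
            lines.append(f"{host}{tag}: compliant")
        for kind, detail in findings:
            lines.append(f"{host}{tag}: {kind}: {detail}")
    lines.append(f"compliance rate: {compliance_rate(report):.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Fixed audit date so the sample output is reproducible.
    print(render(audit_inventory(INVENTORY, BASELINE, date(2015, 5, 15)), INVENTORY))
```

Run it as-is to see the sample report; the interesting design point is that every deviation is a structured (type, detail) tuple rather than free text, so the same output can feed a ticketing system, be counted per finding type, or be compared against last quarter's run to show whether the roadmap is actually closing gaps.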
As we wrap up all the spring cleaning it’s time to take a little down time and enjoy the beach (the letter 'r' in beach intentionally omitted). Don’t stay way too long; attackers thrive on complacency.
Information Security Leader & Professor of Cyberwarfare
"Vacuum" tubes? I see what you did there.