Security baseline - Part III Monitor & Evaluate - ISM4Startups

The last part of this baseline is short in comparison to the last blog post I made about delivery and support.

Monitor and Evaluate

Monitor the processes; assess internal control adequacy
Regularly monitor the performance of information (security).

1. Have key staff periodically:

  • Assess the adequacy of security controls compared to defined requirements and in light of current vulnerabilities.
  • Reassess which security exceptions need to be monitored on an ongoing basis.
  • Evaluate how well the security mechanisms are operating and check for weaknesses through means such as intrusion detection, penetration and stress testing, and testing of contingency plans.
  • Ensure that exceptions are acted upon.
  • Monitor compliance to key controls.

Obtain independent assurance
Gain confidence and trust in security through reliable and independent sources.

2. Obtain, where needed, competent external resources to review the information (security) control mechanisms; assess compliance with laws, regulations and contractual obligations relative to information security. Leverage their knowledge and experience for internal use.  

Here are the 2 previous posts on this subject. If you liked these and thought they were helpful in any shape or form, please let me know, and I will continue with stuff like this. The format can change as the subjects change.

Security baseline - Part I - ISM4Startups (Plan and organize)
Security baseline - Part II - ISM4Startups (Delivery and support)
Security baselines - Part III - ISM4Startups (Monitor and Evaluate) 

Security Baseline - Part II - ISM4Startups

This is a continuing post from last week's - Security Baseline - Part I - ISM4Startups.

So let's continue where we left off!

Just a heads up, it is a long post this time! But remember I only put stuff in that is relevant and will help your business.  

Deliver and Support

Define and manage service levels
Define and manage security aspects of service levels

1. Ensure that management establishes security requirements and regularly reviews compliance of internal service level agreements and contracts with third-party service providers.

Manage third-party services
Manage security aspects of services.  

2. Assess the professional capability of third parties and ensure they provide adequate contact with the authority to act upon enterprise security requirements and concerns.
3. Consider the dependence on third-party suppliers for security requirements, and mitigate continuity, confidentiality and intellectual property risk by, for example, escrow, legal liabilities, penalties and rewards.

Ensure continuous service
Ensure that the enterprise is capable of carrying on its day-to-day automated business activities with minimal interruption from a security incident.  

4. Identify critical business functions and information, and those resources (e.g. applications, third-party services, supplies and data files) that are critical to support them. Provide for availability of these resources in the event of a security incident to maintain continuous service. Ensure that significant incidents are identified and resolved in a timely manner.
5. Establish basic principles for safeguarding and reconstructing IT services, including alternative processing procedures, how to obtain supplies and services in an emergency, how to return to normal processing after the security incident, and how to communicate with customers and suppliers.
6. Together with key employees, define what needs to be backed up and stored offsite to support recovery of the business. Examples are critical data files, documentation and other IT resources. Also secure it appropriately and at regular intervals.

Ensure systems security
Ensure that all aspects of the enterprise’s automated processing are used only by authorized persons/systems for business purposes.

7. Implement rules to control access to services based on the individual’s need to view, add, change or delete information and transactions. Especially consider access rights of service providers, suppliers and customers.
8. Ensure that responsibility is allocated to manage all user accounts and security tokens (e.g. passwords, cards and devices) and to control devices, tokens and media with financial value. Periodically review/confirm the actions and authority of those managing user accounts. Ensure that these responsibilities are not assigned to the same person.
9. Detect and log important security violations (e.g., system and network access, virus, misuse, and illegal software). Ensure that they are reported immediately and acted upon in a timely manner.
10. To ensure that counterparties can be trusted and transactions are authentic when using electronic transaction systems, ensure that the security instructions are adequate and compliant with contractual obligations.
11. Enforce the use of virus protection software throughout the enterprise’s infrastructure and maintain up-to-date virus definitions. Use only legal software.
12. Define a policy for what information can come into and go out of the organization and configure the network security systems, e.g. firewall, accordingly. Consider how to protect physically transportable storage devices. Monitor exceptions and follow up on significant incidents.
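Items 7 and 8 above are easier to reason about when written down as rules that a machine can check. The Python below is an added illustration, not code from the ISM4Startups posts: it grants access only where a role explicitly allows the operation (deny by default), logs every denial so item 9's "detect and log" has something to work with, and checks that the account-administration and token-custody duties from item 8 are never held by the same person. The role names, services and staff list are constructed for the example.

```python
"""Deny-by-default access rules with a separation-of-duties check.

Constructed example for baseline items 7 and 8: access is granted only where a
role explicitly allows the operation, denied attempts are logged, and a reviewer
can list anyone holding two duties the baseline says must be kept apart.
"""
from dataclasses import dataclass, field
import logging

logging.basicConfig(level=logging.WARNING, format="%(levelname)s %(message)s")
log = logging.getLogger("access")

# The four operations item 7 names: view, add, change, delete.
OPERATIONS = {"view", "add", "change", "delete"}

# Constructed role definitions: role -> service -> allowed operations.
# Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "accounts-admin": {"user-accounts": {"view", "add", "change", "delete"}},
    "token-custodian": {"security-tokens": {"view", "add", "delete"}},
    "support": {"tickets": {"view", "add", "change"}, "user-accounts": {"view"}},
    "supplier": {"orders": {"view"}},          # third-party access is read-only
}

# Duty pairs that item 8 says must not be assigned to the same person (constructed).
CONFLICTING_ROLES = [("accounts-admin", "token-custodian")]


@dataclass
class Principal:
    """A person or system account and the roles assigned to it."""
    name: str
    roles: set = field(default_factory=set)


def is_allowed(principal, service, operation):
    """Return True only if one of the principal's roles explicitly grants
    `operation` on `service`; everything else is denied and logged."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation {operation!r}")
    for role in principal.roles:
        # Unknown roles and unknown services fall through to a denial.
        if operation in ROLE_PERMISSIONS.get(role, {}).get(service, set()):
            return True
    log.warning("DENIED %s tried to %s on %s", principal.name, operation, service)
    return False


def separation_of_duties_violations(principals):
    """Return (name, role_a, role_b) for every principal holding both roles
    of a conflicting pair. An empty list means the item 8 check passes."""
    violations = []
    for p in principals:
        for a, b in CONFLICTING_ROLES:
            if a in p.roles and b in p.roles:
                violations.append((p.name, a, b))
    return violations


if __name__ == "__main__":
    # Constructed staff list; "dave" deliberately violates the SoD rule.
    staff = [
        Principal("alice", {"accounts-admin"}),
        Principal("bob", {"token-custodian"}),
        Principal("carol", {"support"}),
        Principal("dave", {"accounts-admin", "token-custodian"}),
        Principal("vendor-x", {"supplier"}),
    ]
    print("carol view user-accounts:", is_allowed(staff[2], "user-accounts", "view"))
    print("carol delete user-accounts:", is_allowed(staff[2], "user-accounts", "delete"))
    print("vendor-x view user-accounts:", is_allowed(staff[4], "user-accounts", "view"))
    for name, a, b in separation_of_duties_violations(staff):
        print(f"SoD violation: {name} holds both {a} and {b}")
```

Running the script prints one allowed check and two denials (each denial also goes to the log as a WARNING line), followed by the single separation-of-duties finding for "dave". Run the SoD check as part of the periodic review item 8 asks for, rather than only at onboarding, since role assignments drift.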

Manage the configuration
Ensure that all assets are appropriately secured and security risks are minimized by maintaining the enterprise’s awareness of its related assets and licenses.

13. Ensure that there is a regularly updated and complete inventory of the (IT) hardware and software configurations. 
14. Regularly review whether all installed software is authorized and licensed properly. 

Manage data
Ensure that all data remain complete, accurate and valid during input, processing, storage and distribution.

15. Subject data to a variety of controls to check for integrity (accuracy, completeness and validity) during input, processing, storage and distribution. Control transactions to ensure their authenticity and that they cannot be repudiated.
16. Distribute sensitive output only to authorized people.
17. Define retention periods, archival requirements and storage terms for input and output documents, data and software. Ensure that they comply with user and legal requirements. While in storage, check continuing integrity and ensure that data cannot be retrieved. 

Manage facilities
Protect all (IT) equipment from damage. 

18. Physically secure (IT) facilities and assets, especially those most at risk from a security threat, and if applicable, obtain expert advice.
19. Protect computer networking and storage equipment (particularly mobile equipment) from damage, theft, accidental loss and interception.

Next week it will be all about monitoring and evaluating. And as always, if you have any questions, suggestions or tips please don’t hesitate and just ask them! 

Security Baseline - Part I - ISM4Startups

As I mentioned in - Scenario, Role Identification & Access - today's post will be about a Security Baseline.

Having a proper security baseline is important. This document will contain your requirements and critical enterprise services.

So let's start straight away!

Plan & Organize

Define a strategic IT plan; define the information architecture.
Identify information and services critical to the enterprise and consider their security requirements.

1. Based on a Business Impact Analysis for critical business processes, identify:

  • Data that must not be misused or lost
  • Services that must be available
  • Transactions that must be trusted (to be authentic and have integrity)

Consider the security requirements:

  • Who may access and modify data?
  • What data retention and backup are needed?
  • What availability is required?
  • What authorization and verification are needed for electronic transactions?

Define the IT organization and relationships
Define and communicate IT security responsibilities

2. Define specific responsibilities for the management of security and

  • Ensure that they are assigned, communicated and properly understood
  • Beware of the dangers of concentrating too many security responsibilities and roles in one person.
  • Provide the resources required to exercise responsibilities effectively

Communicate management aims and directions
Appropriately define and circulate management aims and directions with respect to IT and security.

3. Consistently communicate and regularly discuss the basic rules of implementing security requirements and responding to security incidents. Establish minimum “dos and do nots” and regularly remind people of security risks and their personal responsibilities. 

Manage Human Resources
Ensure functions are staffed properly by the right people who possess the necessary skills to fulfill responsibilities, including security.

4. When hiring, verify candidates with reference checks.
5. Obtain through hiring or training the skills needed to support the enterprise security requirements. Verify annually whether skills and qualifications are still up-to-date, and act accordingly. 
6. Ensure that no key security task is critically dependent upon a single resource. Train the proper people and share knowledge. 

Ensure compliance with external requirements 
Ensure that IT- and security functions comply with applicable laws, regulations and external requirements (such as industry standards).

7. Identify what, if anything, needs to be done with respect to security obligations to comply with privacy, intellectual property rights and other legal, regulatory, contractual and insurance requirements. Encourage staff to understand and be responsive to these security obligations.

Assess Risks
Discover, prioritize and either contain or accept relevant security/IT-security risks.

8. At appropriate times discuss with key staff what can go wrong with enterprise-, IT- or physical security that could significantly impact the business objectives. Consider how best to secure services, data and transactions that are critical to the success of the business. Prepare risk management action plan(s) to address the most significant risks.
9. Establish staff understanding of the need for responsiveness and consider cost-effective means to manage the identified security risks through security practices (e.g. effective backup, basic access control, virus protection, firewalls, network segregation etc.) and insurance coverage. 

Next we will be talking about acquiring and implementing, and about support & delivery. Support & Delivery is a big subject, so that is what most of that post will be about.

Please let me know if you have any tips, suggestions or topics. Leave a comment below.