When building a Cybersecurity Culture, process plays an integral role. Every process should include learning, improvement, and accountability touch-points, as well as provide end-to-end corroboration of the function it represents.
Let’s review what this looks like in practice.
#1. User & Equipment Provisioning
While these duties may be distributed among different people (i.e., managers or supervisors), the process of user and equipment provisioning must be centrally managed. That means a single role has a view of the function across the organisation, and a standard form documents system access and equipment provisioning.
Appropriate system access should:
- Only be granted by approval following the principle of least-privilege required to perform job duties;
- Be changed if a person’s role changes; and
- Be removed at time of termination.
Additionally, all equipment must be recovered at the time of termination and any user accounts / passcodes changed or deleted.
#2 Change Management
The process of change management is the controlled identification and implementation of any changes. Change-types should be pre-determined according to the risk they present, and the controls around each change-type should be commensurate with that risk. For example, a low-risk change may be updating a virus software definition, but a high-risk change may be updating critical applications on a server or making a rule-change to a firewall.
The procedural and documentation rigor will vary depending on the type of change, hence the level of risk. That means for higher risk changes, the process should require more approvals, more testing, more backout planning, more documentation, etc.
In terms of a process, you want to provide end-to-end corroboration of the function it represents, so tie all changes performed to changes approved. Regular review of performed and planned changes should be scheduled. A Change Advisory Board can provide oversight, foresight, and hindsight to this process. Changes should also be reported to senior management or your Board of Directors.
#3 Cyber Risk Management
Effective cyber risk management starts with an organisational risk criteria or appetite statement to guide you in your risk assessment process. When assessing risks, use a standard methodology that is applied consistently across applications. The process involves:
- Understanding your vulnerabilities and the existing threats that might exploit them;
- The impact to your organisation if a vulnerability were exploited by a threat source; and
- The likelihood of exploitation, given your control environment.
You want a repeatable process to ensure consistency. This will require training and documentation (institutional memory), so it becomes a living part of your organisation that can withstand the loss or change of personnel performing the function.
Schedule risk assessments based on the criticality of applications or processes that you’re reviewing. You will also want to have a programmatic remediation process to deal with elevated and severe risks. The process should be assigned and tracked.
You should also develop a Memorandum of Accepted Risk that documents the risks you accept as an organisation. Then review those each year to determine if there is some new solution – either technological or procedural – that can help you remediate the risk rather than just accept it.
Reporting is also important so that senior management can be involved in determining your risk position.
#4 Account Review
As with user and equipment provisioning, this process should have centralised management with distributed performance. So, somebody owns the task, but performance of the reviews goes to managers who have the custodial responsibility over applications or systems. This is because they will know when they look at a user list, who belongs and who doesn’t.
The goal is to only have active accounts tied to active employees and vendors.
#5 Activity Review
It’s common knowledge that detective controls succeed when preventative controls fail, and there is no such thing as a 100% effective preventative control. That’s why daily log analysis is an important process in organisations with a Cybersecurity Culture. This process involves looking at your network and firewall logs to ensure all the traffic allowed is actually permitted.
What is allowed through defenses will often be more important than what is blocked – your firewall knows how to be a firewall if it’s maintained properly. What’s blocked is great, you want to review it, but malicious content often gets by firewalls and traditional automated systems.
Creating a process, or employing a service (like nDiscovery Managed Threat Detection), where someone reviews your logs to identify anomalous and / or suspicious behavior every day can definitely bolster your ability to detect threats quickly.
#6 Threat Intelligence
The process for gathering and distributing threat intelligence can help organisations more quickly understand and effectively respond to the evolving threat environment. Like many of the processes we’re discussing, this should be centrally managed with tasks distributed as needed.
An effective threat intelligence process includes:
- Identifying sources that define and explain the evolving threat landscape and are relevant to your business;
- Documenting how the sources will be used; and
- Assigning roles and responsibilities for collecting, assessing, and distributing the information.
Actionable intelligence must be tied to the actions taken, and you should have a regular process for reviewing it.
Report out on what sources are working, what sources are not working, and how your organisation is using the information. Again, this should go to senior management or the Board, so they can stay informed.
#7 System Lifecycle Management
Security considerations should be woven into all lifecycle management conversations – from acquisition to destruction. When sourcing a system, involve someone from a security standpoint to perform the right checks and ask the right questions. It’s much easier to involve security from the beginning than try to bolt it on at the end. Not doing it could cost more money, plus once a project is frozen, it is frustrating to have security want to jump in to do some work.
Systems must be built and hardened according to the documented process – before it’s introduced in a production environment. Images should also be updated as patching and new versions are available. Maintaining this at the image level, makes it easier to deploy systems.
Lifecycle management is an end-to-end process – that means you know what you bought, what the serial number is, how it was built, hardened, managed, and destroyed. You even have a certificate of the destruction with the serial number on it.
As we close our discussion on process and Cybersecurity Culture, it’s important to remember that all of the processes we’ve discussed today should be end-to-end with points of accountability built in. Take a look at your current processes and see what components in a cybersecurity culture context you might be missing which could improve your cyber resiliency.