Governance and InfoSec - Balancing CIA Triad and Change | Week 3

"The only thing that is constant is change." (Heraclitus). As anyone who works in IT will tell you, this statement is especially true of technology. In a discipline where technology, processes, procedures, standards, and best practices change so frequently, it is important that organizations can adapt and evolve. However, only organizations with proper change governance controls are equipped to adapt, and only those who can identify the correct stakeholders for such governance can adapt successfully.

Every week I sit on a change control governance meeting. The purpose of these meetings is to suggest needed changes within the technical infrastructure that may be business critical. To ensure no unintended issues arise from such changes, we gather subject matter experts (SMEs) from various departments together to review the request and raise potential concerns. The criteria for changes are a relatively low threshold:

  • Can the need for it be mapped to a business need/benefit? 
  • Can controls and policy be implemented to comply with governmental regulations and industry best practices? 
  • What is the risk analysis and would benefits outweigh potential risks? 

The last bullet point is what seems to drive the most conversation, and it relates back to the CIA triad of information security. The conversation normally starts with "if this particular change is made, what risks does it pose to the confidentiality, availability, and/or integrity of data throughout other departments?" It is up to the SMEs to figure this out and approve or deny a change accordingly.

One example discussion that comes to mind is a firewall rule change suggested by our networking team to block a certain port on our edge server. The suggested benefit was that it mitigated the risk of vulnerabilities within our network. The purpose behind the change was that they were seeing increased packets of data coming through on that port, and blocking it outright would save on monitoring resources.

Our network operations team, however, needed the port open, as it served a function in their real-time monitoring of the uptime of our SaaS platform. If the port had been blocked outright without such a governance process in place, it could have spelled disaster for our NOC. Many of our clients are promised SLAs that include uptime, and losing the ability to monitor this would breach our contracts with our clients. This all goes to show just how important a change control process is.

