It is not a trivial job to deploy a large-scale, open-source security monitoring infrastructure. Although you can use an easy-to-install open source solution, e.g., Security Onion, planning and knowing what to do is still an essential part of the project.
There are several considerations that need to go into this planning:
With all of these considerations, monitoring efforts should be carefully planned and executed. For example, all traffic will be visible to the security operations center. If background checks of these personnel are not carefully done, this may be a risk for the company. Also, all changes made to the monitoring system should be audited and recorded.
Most of the time, IT and IS security governance practices fail because of poor decision making at and between the different levels of the organization. Research shows that formal structures within the governance of IT and IS do not explicitly support and address the necessity of good decision making. Often, a decision is simply an outcome that happened because the decision-making process was not properly substantiated.
Decision making is an important topic within governance practices. Our recent Journal article describes how knowledge concerning information security can be shared in an effective way and how this knowledge can facilitate the decision-making process. We have performed multiple sessions with the use of group support system (GSS) software technology to facilitate groups in making adequate decisions. Most of the time, these group meetings are held under a time constraint and require a thorough analysis, proper interpretation and a swift decision.
After the experience of creating a security document package for the commercial product installed in our network, I was fortunate enough to have subsequent work assisting with security audits of organizations outside our company.
Only one of the several organizations I worked with was in the process of developing a system security plan based on the US National Institute of Standards and Technology (NIST) 800-53 controls. They were not ready to share that documentation at the time. The other organizations I worked with all had plans that addressed the highlights of NIST 800-53 but did not delve into the individual controls. Having a plan that addresses all of the controls is a great roadmap to help a company make sure that they have adequate data security protections in place and can be a great artifact to hand to auditors when they arrive.
Technology is evolving at an amazing pace and offering a vital benefit for businesses. On the other hand, it has also brought ever-increasing security threats. There is no agreed-upon and well-suited security audit framework for tackling IT security challenges, and there is also no holistic approach for the audit process. Because of this lack of agreement, it is getting more challenging to monitor assets; confidentiality, integrity and availability (CIA); threats; vulnerability; risk; and control.
My recent Journal article proposed 8 audit processes in 1 hierarchical framework to understand and design visualizations on the previously mentioned security concepts.
When I interact with our clients, the vast majority of them are either trying to get a brand-new awareness program off the ground or are looking for ways to improve a program that is pretty limited in scope. I bet this sounds familiar to many readers: IT and information security teams are so busy fighting other battles that they often have little time left for dealing with their human problems in privacy and security. You will pass most audits with a program that is “good enough.” But what if your awareness program could be great?
I got a chance to think more about this the other day when one of our most advanced clients said that his chief information security officer (CISO) wanted to know what it would take for them to take their program from good to great. We had already been working with them on a program that included small units of training interspersed with monthly videos, and I knew that their program was completely voluntary. (Yes, I know!). Here are my ideas for revving up a program that was fun for employees and tightly aligned with known risk factors: