@ISACA Volume 14  12 July 2017

Five Key Components of Information Security Hygiene


John P. Pironti

Information security hygiene includes the fundamental capabilities and concepts that every organization should actively be engaged in as part of its business-as-usual approach to information risk management and security. Studies suggest that a majority of publicly known data breaches and security incidents could have been either prevented or dramatically reduced in their impact if the affected organizations had practiced good information security hygiene in advance of these incidents. Unfortunately, the majority of the activities associated with information security hygiene are not intellectually challenging or interesting, and they may not be easily solved through the use of tools or technologies. Instead, they require integration within operational practices, processes and procedures, which can then often be supported by technology for acceleration or automation.

Information security hygiene is not difficult, but if it is not diligently maintained, it can easily become a significant challenge to organizations. The benefits of effective information security hygiene far outweigh the level of effort it takes, and most organizations find that effort far smaller than the cost of catching up after a materially impacting security incident. There are many aspects of information security hygiene that can be considered, but five key components in particular are most often cited as materially increasing an organization’s security posture and defensive capabilities:

  1. Access control/privileged user management—Access control is a daunting but important task for any organization. It has long been understood that a least-privilege approach to access control is a leading practice, but it is often difficult to implement and sustain in many organizations. Role-based access control, where an individual or system is granted a default set of privileges based on their job function or business need, is typically the simplest way to approach access control defaults. If a user needs access privileges beyond their basic role, there should be a structured access request process that ensures appropriate approvals are in place prior to access being granted, and governance and oversight that revisits the access rights on a scheduled basis (annually, at a minimum) to ensure the individual or system still needs these additional rights. Also, an access review of all user and system accounts and associated permissions should be performed at least annually, and on a biannual or quarterly basis for privileged accounts.
    With the understanding that access control can be a significant challenge for many organizations, it may be easier to focus on privileged access control as a minimal starting point. If exploited, captured or leveraged, privileged accounts can have an immediate and material impact on an organization. Privileged access management (PAM) and privileged user monitoring (PUM) focus on the monitoring and maintenance of these accounts and their usage. It is recommended that these capabilities be put in place prior to the implementation of broader access control capabilities.
  2. Configuration management and hardening—Configuration management and hardening refers to the identification, understanding and rationalization of configuration settings on devices, systems and applications. For configuration management, each available setting and configuration option should be investigated and catalogued to understand what capability or service it provides, the potential threats and weaknesses it can introduce, and its impact on system and user performance and experience.
    In many cases, a manufacturer will, by default, enable a fairly open configuration profile to ensure their solution and its capabilities are able to provide the intended service without restriction or limitation. It is the responsibility of the user to enable the appropriate security settings that will allow for successful operation within their environment. Hardening refers to removing all unneeded files, disabling or limiting applications and services to their minimum capabilities, limiting access control and network access, and enabling all business-appropriate security settings and capabilities on devices, systems and applications. Hardening guidelines and standards for a variety of devices, systems and applications have been developed and are publicly available, including the Center for Internet Security (CIS) Benchmarks and the Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs).
    While not all the settings and suggestions listed in these guidelines may be possible or applicable, it is often useful to map the configurations and settings an organization has in place against the applicable guidance to develop a benchmark. In cases where settings differ from the guidance, a rationalization or business justification should be documented, along with an approval for the difference by the business process and/or system owner. These settings should then be reviewed annually to see if they should be updated or if exceptions can be removed. Once these settings are implemented, system scanners can be put in place to ensure the settings are implemented and consistently present on a regular basis.
  3. Encryption and encryption key management—Encryption and encryption key management focus on the use of encryption capabilities to support the confidentiality of sensitive data and information at rest and in transit. Encryption of data should use viable and secure encryption algorithms and techniques, such as those referenced in Annex A of US Federal Information Processing Standard (FIPS) 140-2.
    The enhanced use of encryption has exponentially increased the number of encryption keys that are in use in many environments. Encryption key management is as important as the use of encryption itself. Encryption key management processes, procedures and capabilities should be in place to ensure the confidentiality, integrity and availability of encryption keys and the operational process to support their effective use. The US National Institute of Standards and Technology (NIST) has produced useful guidance for encryption key management in its Special Publication (SP) 800-57.
  4. Logging and log monitoring—Logging is core to enhancing visibility of the technical information infrastructure, and it is essential for the identification of events and incidents and for forensic investigations. Security-focused logging should be enabled for both positive and negative behaviors at the device, system and application layers. Often, the best approach to deciding what events to log is to perform a threat and vulnerability analysis of a business process or operating environment to highlight high-impact and likely scenarios that will negatively affect the environment. Once these have been identified, indicators that will be useful for the identification of these scenarios can be developed, and these can be translated into activities and actions that should be logged.
    Logs are only useful as passive investigative tools unless they are effectively monitored with appropriate thresholds of alert and corresponding actions. Log monitoring should identify both actionable and informational log events that system owners and/or administrators should be notified about as they occur. To minimize the impact of log monitoring activities on operations, establish thresholds of alert that represent a material concern before an alert is generated. These thresholds should be rationalized to individual operational tolerances for activities, and the alerts that are generated should include notations as to whether they are informational or actionable. Informational alerts will highlight notable insights, while actionable alerts should include details on suggested and/or prescribed follow-up activities for the individuals who are being notified.
  5. Patch and change management—Patching and change management are core foundational IT security hygiene functions that can materially impact the security posture of devices, systems and applications. Once a security-related patch is released by a vendor, a race begins between the adversary and the affected organization to see if the adversary can leverage the identified deficiency faster than the affected organization can apply the patch. Patching and patch management should follow a rationalization process that identifies the applicability and severity level of a suggested patch for an organization compared to the guidance that is produced by the vendor who published the patch.
    Once this rationalization has been defined, structured timelines should be followed for the application of patches based on the defined severity level. It is important to track threat and vulnerability intelligence sources related to patches to identify if severity levels need to be adjusted due to the availability of attack tools or increased frequency and proliferation of attacks, especially if these deficiencies can be corrected by implementing applicable patches.
    Effective change management will ensure that an organization has a clear and definitive understanding of what is present on a device, system or application from its time of implementation until its removal from an environment. If this history exists, then scanning and file integrity management tools and capabilities can be put in place to identify any foreign applications, code or files that are not supposed to be in place in the environment.
    Security reviews of changes should also be part of the change management process to evaluate the security impact of proposed changes. If a change will affect the security posture of the environment, it should be identified, documented and reported to business process and/or system owners so they are aware of the potential impacts of the change prior to implementation.
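The benchmark mapping described under component 2 (configuration management and hardening) is illustrated below with an added example; it is not code from the article or from any published benchmark. It compares a constructed baseline fragment (hypothetical setting names and values in the style of a CIS Benchmark or STIG) against a constructed scanner snapshot and an exception register, and separates deviations with no approval from deviations that are approved, flagging approved exceptions whose annual review date has passed. The setting names, hosts, approvers and dates are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed benchmark fragment in the style of a CIS Benchmark or DISA STIG
# (hypothetical setting names and values, not taken from any published guide).
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.MaxAuthTries": "4",
    "ssh.Protocol": "2",
    "fs.tmp.noexec": "yes",
    "pw.maxage_days": "90",
    "audit.enabled": "yes",
}

# Constructed snapshot of what a configuration scanner reported on one host.
OBSERVED = {
    "ssh.PermitRootLogin": "no",
    "ssh.MaxAuthTries": "6",      # deviates, no exception on file -> finding
    "ssh.Protocol": "2",
    "fs.tmp.noexec": "no",        # deviates, covered by an approved exception
    "pw.maxage_days": "365",      # deviates, exception is past its review date
    # "audit.enabled" is absent: the scanner could not read it
}


@dataclass
class ApprovedException:
    """One documented, approved deviation from the benchmark."""
    setting: str
    justification: str
    approver: str          # business process and/or system owner
    approved_on: date
    review_by: date        # the annual review the article calls for


# Constructed exception register (hypothetical approvers and dates).
EXCEPTIONS = [
    ApprovedException("fs.tmp.noexec", "build agents compile in /tmp",
                      "system owner (hypothetical)", date(2017, 3, 1), date(2018, 3, 1)),
    ApprovedException("pw.maxage_days", "service account rotated by a vault",
                      "process owner (hypothetical)", date(2016, 5, 15), date(2017, 5, 15)),
]


def assess(baseline, observed, exceptions, today):
    """Compare observed settings with the benchmark and the exception register.

    Returns a dict with five lists:
      compliant      - setting matches the benchmark
      findings       - (setting, expected, actual) deviations with no exception
      accepted       - deviations covered by an approved exception
      review_overdue - accepted deviations whose review date has passed
      missing        - benchmark settings the scanner did not report
    """
    by_setting = {e.setting: e for e in exceptions}
    report = {"compliant": [], "findings": [], "accepted": [],
              "review_overdue": [], "missing": []}
    for setting, expected in baseline.items():
        if setting not in observed:
            report["missing"].append(setting)
            continue
        actual = observed[setting]
        if actual == expected:
            report["compliant"].append(setting)
            continue
        exc = by_setting.get(setting)
        if exc is None:
            report["findings"].append((setting, expected, actual))
        else:
            report["accepted"].append(setting)
            if today > exc.review_by:
                report["review_overdue"].append(setting)
    return report


def run_example():
    """Assess the constructed host as of the newsletter's date."""
    return assess(BASELINE, OBSERVED, EXCEPTIONS, date(2017, 7, 12))


if __name__ == "__main__":
    for bucket, items in run_example().items():
        print(f"{bucket:15s} {items}")
```

Settings the scanner cannot read are reported separately from deviations, since a blind spot in the scanner is a different problem from a misconfigured host; an overdue exception is still reported as accepted so that the host is not treated as non-compliant before the owner has had a chance to renew or withdraw the approval.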
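Component 4 describes thresholds of alert and the distinction between informational and actionable alerts. The added example below (not code from the article) runs that logic over a handful of constructed sshd-style log lines: repeated failed logins from one source within a short window cross a threshold and produce an actionable alert with prescribed follow-up, a privileged login outside business hours produces an informational alert, and isolated failures stay below the threshold and generate nothing. The log format, hosts, addresses, thresholds and business hours are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines (hypothetical host and addresses).
SAMPLE_LOG = """\
2017-07-12T08:59:01 host1 sshd: Failed password for admin from 10.0.0.7
2017-07-12T08:59:09 host1 sshd: Failed password for admin from 10.0.0.7
2017-07-12T08:59:15 host1 sshd: Failed password for root from 10.0.0.7
2017-07-12T08:59:22 host1 sshd: Failed password for admin from 10.0.0.7
2017-07-12T08:59:30 host1 sshd: Failed password for admin from 10.0.0.7
2017-07-12T08:59:44 host1 sshd: Failed password for admin from 10.0.0.7
2017-07-12T09:00:02 host1 sshd: Accepted password for alice from 10.0.0.21
2017-07-12T09:05:10 host1 sshd: Failed password for bob from 10.0.0.9
2017-07-12T09:12:40 host1 sshd: Failed password for bob from 10.0.0.9
2017-07-12T22:15:00 host1 sshd: Accepted password for root from 10.0.0.5
this line is not in the expected format and is skipped
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<event>Failed password|Accepted password)"
    r" for (?P<user>\S+) from (?P<src>\S+)$"
)

# Thresholds of alert (constructed values; tune to operational tolerance).
FAIL_THRESHOLD = 5                     # failures from one source ...
FAIL_WINDOW = timedelta(seconds=60)    # ... within this window -> actionable
BUSINESS_HOURS = range(7, 19)          # 07:00-18:59 local time
PRIVILEGED_USERS = {"root", "admin"}


def parse(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def monitor(lines):
    """Apply the alert thresholds to a sequence of log lines."""
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    fired = set()                 # sources already alerted on, to avoid repeats
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["event"] == "Failed password":
            window = recent[ev["src"]]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > FAIL_WINDOW:   # drop stale failures
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ev["src"] not in fired:
                fired.add(ev["src"])
                alerts.append({
                    "kind": "actionable",
                    "host": ev["host"],
                    "summary": f"{len(window)} failed logins from {ev['src']} "
                               f"within {int(FAIL_WINDOW.total_seconds())}s",
                    "follow_up": "verify account lockout state, block the source "
                                 "at the perimeter, open an incident ticket",
                })
        elif ev["user"] in PRIVILEGED_USERS and ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append({
                "kind": "informational",
                "host": ev["host"],
                "summary": f"privileged login for {ev['user']} from {ev['src']} "
                           f"at {ev['ts'].time()} (outside business hours)",
                "follow_up": "none required; include in the next privileged-access review",
            })
    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOG):
        print(f"[{alert['kind']}] {alert['host']}: {alert['summary']} -> {alert['follow_up']}")
```

The `fired` set keeps one burst of failures from producing an alert on every subsequent line, which is the operational-impact concern the article raises; a production monitor would also expire that suppression after the window passes.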
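Component 5 describes a rationalization step that maps the vendor's severity onto the organization's own scale, adjusts it using threat intelligence, and then applies structured timelines. The added example below (not the article's own method, and not based on any real advisory) implements one such policy: each threat-intelligence signal raises the severity one step, each severity carries a deployment deadline, and each patch is reported as applied, open, overdue or not applicable. The patch identifiers, severities, dates and deadline values are constructed.

```python
from datetime import date, timedelta

# Constructed organizational policy: days allowed to deploy a patch once the
# organization's own severity has been assigned (hypothetical values).
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed vendor advisories (hypothetical identifiers, not real patches).
PATCHES = [
    {"id": "VENDOR-2017-001", "vendor_severity": "high", "applicable": True,
     "exploit_public": True, "active_attacks": False,
     "released": date(2017, 6, 20), "applied": False},
    {"id": "VENDOR-2017-002", "vendor_severity": "medium", "applicable": True,
     "exploit_public": False, "active_attacks": False,
     "released": date(2017, 6, 1), "applied": False},
    {"id": "VENDOR-2017-003", "vendor_severity": "critical", "applicable": False,
     "exploit_public": True, "active_attacks": True,
     "released": date(2017, 7, 5), "applied": False},
    {"id": "VENDOR-2017-004", "vendor_severity": "low", "applicable": True,
     "exploit_public": True, "active_attacks": True,
     "released": date(2017, 7, 1), "applied": True},
]


def rationalize(vendor_severity, applicable, exploit_public, active_attacks):
    """Map the vendor's severity onto the organization's scale.

    Returns None when the patch does not apply to the environment; otherwise
    raises the severity one step for each threat-intelligence signal,
    capped at the top of the scale.
    """
    if not applicable:
        return None
    idx = SEVERITY_ORDER.index(vendor_severity)
    if exploit_public:
        idx += 1
    if active_attacks:
        idx += 1
    return SEVERITY_ORDER[min(idx, len(SEVERITY_ORDER) - 1)]


def triage(patches, today):
    """Assign each patch an organizational severity, a deadline and a status."""
    rows = []
    for p in patches:
        sev = rationalize(p["vendor_severity"], p["applicable"],
                          p["exploit_public"], p["active_attacks"])
        if sev is None:
            rows.append({"id": p["id"], "severity": None, "due": None,
                         "status": "not applicable"})
            continue
        due = p["released"] + timedelta(days=PATCH_SLA_DAYS[sev])
        if p["applied"]:
            status = "applied"
        elif today > due:
            status = "overdue"
        else:
            status = "open"
        rows.append({"id": p["id"], "severity": sev, "due": due, "status": status})
    return rows


def run_example():
    """Triage the constructed advisories as of the newsletter's date."""
    return triage(PATCHES, date(2017, 7, 12))


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

Because the adjustment is re-evaluated on every run, a patch whose severity was medium when released moves to a shorter deadline as soon as the intelligence feed reports a public exploit, which is the re-rating the article recommends tracking.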

John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP, is the president of IP Architects LLC.


Implement Successful Data Safeguards With Data Privacy Audit Program


Storing, collecting and purging data have become commonplace as corporations, governments and nonprofits use new technologies to innovate data use. As data use rises, the risk for data breaches also rises. Many recent highly publicized data breaches have highlighted the necessity for data privacy audits.

Through a data privacy audit, IT auditors can assess their organizations’ data privacy policies and practices and provide management with assurance of the effectiveness of its data privacy program. By performing these services and a data privacy audit, the IT auditor can help the organization achieve its objectives and reinforce IT audit value.

IT auditors must cover data governance and classification, data security, and third-party contracts in the IT audit program. Data governance and classification confirm that the organization has identified and classified its data. Gaining insight into the effectiveness of current controls allows management to decide if they can reduce costs or gain efficiency by defining roles for data governance for privacy, confidentiality and compliance more clearly. Auditing data security helps verify data loss prevention controls and authentication and credentialing controls. This is very important in an age where organizations are using new communication and collaboration tools that can increase access to data and increase data leakage risk. Auditing third-party contracts means ensuring the vendor’s data protection ability. As organizations outsource their data storage, it is valuable for them to know what data are being stored and where they are being stored to ensure their safety.

Following conscious steps and procedures to perform the data privacy and assurance audit provides invaluable benefits to organizations. The ISACA Data Privacy Audit Program provides IT auditors with the tools to successfully maintain their organizations’ data security. To download this audit program, visit the Data Privacy Audit Program page of the ISACA website.


Top 10 Public Cloud Security Recommendations


The public cloud offers organizations of all sizes agility and scalability, and its use keeps expanding. Security has not always been in the forefront of public cloud adoption though, since it has been implemented so rapidly. In the face of this reality, using the public cloud is like using someone else’s computer, and security needs to be paramount. ISACA and Palo Alto Networks have partnered to present the “Top 10 Public Cloud Security Recommendations” webinar to cover public cloud security concerns, what the shared security responsibility model really means, and recommendations for protecting your public cloud workloads and data. This webinar takes place on 25 July at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Matt Keil, who is the director of product marketing for public cloud at Palo Alto Networks, will lead the webinar. In it, Keil will share his public cloud knowledge and experience to provide insight into keeping your organization’s public cloud secure.

To learn more about this webinar or to register for it, visit the Top 10 Public Cloud Security Recommendations page of the ISACA website.


Accelerating GDPR Readiness


In May 2018, the General Data Protection Regulation (GDPR) will take effect and will reset global best practices for data privacy and protection. Preparing for the GDPR is a significant undertaking, and penalties could be involved if compliance is not achieved. ISACA and RSA have partnered to present the “Countdown to GDPR: 5 Tips to Accelerate GDPR Readiness” webinar to help improve your risk management strategies and help you fulfill GDPR obligations. This webinar takes place on 20 July at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Corey Carpenter, who is a principal product manager for RSA Archer, and Brian O'Connor, Esq., CIPP/US, who is the senior privacy counsel and compliance manager at Dell Inc., will lead the webinar. In it, Carpenter and O’Connor will specifically address the importance of inventory, creating a baseline, the data life cycle, third-party risk minimization and program governance as they pertain to GDPR.

To learn more about this webinar or to register for it, visit the Countdown to GDPR: 5 Tips to Accelerate GDPR Readiness page of the ISACA website. And for those who live in the United Kingdom or Europe, consider volunteering to guide the development of ISACA’s position, content and programming on GDPR. Visit the volunteer webpage to learn more and to apply for the GDPR Working Group.


Blockchain Basics


Blockchain could radically transform the financial services industry. Records and ledgers are created as blocks are formed. While this system may help automate current systems and reduce overhead, security incidents are a cause for concern. ISACA is presenting the “Blockchain Basics” webinar to help enterprises understand the technical underpinnings of blockchain and the risk associated with any industry where ledgers are a fundamental part of how records are managed and services offered. This webinar takes place on 27 July at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Ron Hale, Ph.D., CISM, who is the chief researcher at the Cooraclare Institute, will lead the webinar. In it, he will present an overview of what blockchain is, its technical foundation and how records are created and blocks formed. Attendees of this webinar will be able to understand blockchain technology and its associated risk.

To learn more about this webinar or to register for it, visit the Blockchain Basics page of the ISACA website.


ISACA Awards Presented for Outstanding Achievements


On 16-17 June, the ISACA Board of Directors and attendees of the Annual General Meeting (AGM) recognized the outstanding accomplishments of the ISACA corporate award recipients. These individuals exemplify ISACA’s values, purpose and leadership and traveled to Chicago (Illinois, USA) from around the world for the celebration.

In their acceptance speeches, the recipients expressed how honored they were to be recognized by an organization they are so passionate about and that has such a significant impact on their personal and professional lives.

Some of the highlights include:

  • Leonard Ong, CISA, CRISC, CISM, CGEIT, CFE, CIPM, CIPT, CPP, CISSP ISSMP-ISSAP, CITBCM, CSSLP, GCFA, GCIA, GCIH, GSNA, PMP, Andre Pitkowski, CGEIT, CRISC, CRMA, OCTAVE, and Jeff Spivey, CRISC, CPP, PSP, shared how special the people and the leadership are at ISACA and how the benefits they received from volunteering have helped them inspire others to give back as well.
  • Ian Cooke, CISA, CRISC, CGEIT, COBIT Assessor and Implementer, CFE, CPTE, DipFM, ITIL Foundation, Six Sigma Green Belt, described the evolution of his volunteer service from responding to inquiries on ISACA’s online communities to writing articles and then books about the same subject matter.
  • Justine Bone and Phil Zongo appreciate the breadth of work ISACA represents and how they try to lead by example in engaging diverse constituents in new programs and initiatives, such as Connecting Women Leaders in Technology.
  • Tichaona Zororo, CISA, CRISC, CISM, CGEIT, COBIT 5 Assessor, CIA, CRMA, shared how certifications introduced him to ISACA and how his involvement has ultimately shaped who he is and what he does today.

ISACA Past Chair Christos Dimitriadis, Ph.D., CISA, CISM, CRISC (far left) and CEO Matt Loeb, CGEIT, FASAE, CAE (far right)

Earlier this year, ISACA solicited nominations from its members to acknowledge colleagues who have shown outstanding leadership and dedication to ISACA and to the information systems governance, security, audit and assurance professions. Those nominations were vetted via a peer-review process, and recipients were recommended to the ISACA Board of Directors for final approval. Special thanks is given to the ISACA Corporate Awards Working Group and the ISACA Journal Article Review Team who reviewed the nominations. It was a challenging decision as so many dedicated volunteers serve ISACA in so many capacities, and ISACA received many worthy nominations.

To learn more about ISACA awards, the outstanding recipients, the 2016 chapter awards recipients and certification high scorers, visit the ISACA Awards page of the ISACA website and download the 2016-17 ISACA Awards Booklet.