Why You Need Security Strategy and How to Develop one?

Some questions we need to address before we embark on Information Security Improvement journey!

Edward Snowden’s leaks to the press, we now know that there has been systematic, broad and deep surveillance of online activity at a scale that could not have been previously imagined. Beyond simply snooping, the revelations pointed to infiltration of the hardware and software we rely on to secure our communications.

When it comes to policies and strategies, it’s hard to go past the tried and tested ways of the past. The best way to make a start is by doing SWOT analysis: Strengths, Weaknesses, Opportunities and Threats. 

Strengths
Look within your organisation. There are bound to be some really good things happening when it comes to Information Security. For example, you might have a very well-educated workforce that never open unexpected attachments. Or your IT team is very conscious of the potential threats to your business and have solid systems and processes in place to deal with them.

Weaknesses
Over the last 15 years, the focus of security in enterprises has been on vulnerability tracking and making sure that your systems are protected from external attacks. While that’s still important, it should only be one facet of your total security strategy. Have you considered what happens once someone gets past your firewalls and other blocking mechanisms? Or if the attack starts from within?

Give some consideration in your strategy to dealing with attacks once they are in action. Are your people ready to react once there is a breach? Are they across the latest threats and attack vectors?

Perhaps the most often seen security weakness (in our observation) is that managing compliance with the security policy is seen as an annual project that’s executed in order to keep auditors happy.

If that’s the case in your business, look for ways to alter that culture.

Opportunities
Aside from using security as a way to get lots of shiny new gear into your server racks or to justify new services, getting your Information Security right can be a great chance to re-engage IT with the business. Look for ways to turn the security conversation into an opportunity to change service delivery. It’s also a great way to further the professional development of your staff.

If you have some strong skills in data analytics in the business, you might find you can give them a new challenge by engaging them in threat intelligence.

Employing red/blue team exercises regularly doesn’t just improve your security response but can be a great way to add some excitement to how you manage security.

Review existing systems and processes to find the security issues. You might find it becomes an opportunity to ditch an old legacy system that’s costing lots of time and resources to maintain.

Threats
Over the last year, it’s become apparent that the threats of last decade are really just background noise today. Sure, we need to keep our firewalls locked down and end-point protection up to date but what can you do when your hardware is compromised or a nation-state can break through your encryption?

These are real threats today. Stuxnet, back in 2010, compromised a nuclear power plant. It is believed by many that it was part of an attack by one government against another. Today, Snowden’s documents tell us that the NSA can intercept a massive array of data. And not just from enemies but from within friendly states.

• So, when was the last time you reviewed your security policy?
• Does it take into account new security mitigation techniques?
• Have you adjusted the skills in your business to manage changing attack methods?
• Is security a once-a-year audit activity?

Verizon Infographic: Why PCI Compliance has to be a Business-Wife Priority?

In 2013, only 11.1% of companies were PCI compliant on their initial assessment!

PCI DSS 3.0 – What's New?

Infographic - Summary of the Changes from PCI DSS 2.0 to 3.0

Last month, the PCI Security Standards Council (PCI SSC) officially released the PCI DSS v3.0 compliance standards, but much remains to be done before merchants, service providers and auditors will understand how the new mandates will impact organizations.

The effective date of the version 3.0 of the standard will be on January 1, 2014, but existing PCI DSS 2.0 compliant vendors will have until January 1, 2015 to move to the new standard, and some of the changes will continue to be best practices for several more months (until June 1, 2015).

Here’s what has changed:

Aligning Security with GRC

How to Leverage GRC for Security?

Governance, Risk & Compliance (GRC) has long been viewed as a framework for tracking compliance requirements and developing business processes aligned with best practices and standards. It plays a strong role in helping security teams understand the business and to protect the organization from threats

But now, more security professionals are turning to data collected by GRC tools for insights into the organization's processes and technologies. The insights gained can help them to develop better controls to protect the organization from cyber-attacks and insider threats.

As part of GRC programs, organizations document processes, specify who owns which assets and define how various business operations align with technology. Security professionals can use this information to gain visibility into the organization's risks, such as determining what servers are running outdated software.

GRC programs collect a wealth of information and insights that can be valuable to security professionals as they manage risk and evaluate the organization's overall security posture. It provides the business context necessary to improve areas such as asset and patch management, incident response and assessing the impact of changes in technical controls on business processes.

Asset Inventory

Many compliance programs, including those for PCI-DSS [Payment Card Industry-Data Security Standard], require organizations to extensively document each asset and identify who uses it for what purpose. The documentation includes information about which business processes rely on which hardware and software. Mapping a piece of technology to a particular business function makes it possible to better identify the risks and the impact on operations if that technology is compromised.

The inventory process may identify equipment that the IT department was previously unaware of. By understanding the business processes that rely on that equipment, security teams can decide what kind of firewall rules to apply, better manage user accounts and learn what software needs to be updated. Understanding who the end-users are and how the asset is being used helps security teams assess how to prioritize the risks and plan how to reduce them.

Security professionals can use GRC programs to understand how technology maps to certain business processes and functions, says Mike Lloyd, CTO of Red Seal Networks, a network security management company. This information can help them figure out what the key threats are and identify ways to mitigate that risk, he says.

Incident Response, Controls

Security professionals can also use GRC to improve information sharing across the organization and streamline incident response. For example, because GRC makes it clear what kind of business processes depend on which assets, security teams have a clear path of who should be notified when there is a security event. Incident response teams can also look at all related processes and be able to identify other assets they should investigate to assess the magnitude of a breach.

Summary

Security professionals must understand the need to move away from a technical view of risk to a more strategic one when evaluating and deploying controls. They should evaluate how certain technical controls, while improving security, can impact business functions, and make necessary adjustments.

GRC enables security professionals to "draw a line between what security tasks are necessary and what business is concerned about.

How To Develop Security Awareness?

Six Steps To Successful Security Awareness Training

If you would schedule an event to teach people about Internet Security, and make it optional to attend, only about 5% of your entire office population will show up. And guess what, those 5% are probably the people that need it least.

Here are the six elements of a successful Internet Security Awareness Training Program

• Formulate, and make easily available a written Security Policy.
  
• Each employee needs to read the document and sign it as an acknowledgment they understand the policy and will apply it.
  
• Give all employees a mandatory (online) Security Awareness Course, with a clearly stated deadline. It is highly recommended to explain to them in some detail why this is necessary.
  
• Make this Security Awareness Course part of the onboarding process of each new employee.
  
• Keep all employees on their toes with security top of mind, by continued testing. Sending a simulated phishing attack once a week is extremely effective to keep them alert.
  
• Never publicly identify an employee that fails a simulated attack, let their supervisor or HR take this up privately. Give a quarterly prize for the three employees with the lowest ‘fail-rate’.
  
• If you use posters, stickers and or screensavers, change the pictures or messages monthly. After a few weeks people simple don’t ‘see’ them anymore. It’s more effective to send them regular ‘Security Hints & Tips’ via email.

The Risk of Data on Mobile Devices & in the Cloud

Ponemon Institute research finds that 69% of respondents listed mobile devices as posing the greatest risk

A recent study by the Ponemon Institute, The Risk of Regulated Data on Mobile Devices and in the Cloud, sponsored by WatchDox, reveals a stunning need for improvement on managing the risks of mobile devices and cloud computing services.

The survey involved 798 IT and IT security practitioners in a variety of organizations including finance, retail, technology, communications, education, healthcare, and public sector, among others.

The study concluded that “[t]he greatest data protection risks to regulated data exist on mobile devices and the cloud.” 69% of respondents listed mobile devices as posing the greatest risk followed by 45% who listed cloud computing.

Some other key findings include:

• Only 16% of respondents said their organization knew how much regulated data “resides in cloud-based file sharing applications such as Dropbox, Box, and others.”
  
• Only 19% said their organization knew how much regulated data was on mobile devices.
  
• Only 32% believed their organizations to be “vigilant in protecting regulated data on mobile devices.” Nearly three quarters said that employees didn’t “understand the importance of protecting regulated data on mobile devices.”
  
• 43% of organizations allow “employees to move regulated data to cloud-based file sharing applications.”
  
• Although 59% of organizations permit employees to use their own mobile devices “to access and use regulated data,” only about a third have a bring your own device (BYOD) policy.
  
• In the past two years, the average organization had almost 5 data breaches involving the loss of theft of a mobile device with regulated data on it.

What are the risks?

1. Unsafe Security Practices: With their own mobile devices and with their own cloud service provider accounts, employees might engage in unsafe security practices. Mobile devices might not be encrypted or even password-protected. When using cloud services, employees might not have the appropriate settings or an adequately strong password. They might not understand the risks or how to mitigate them.
   
2. Choice of Cloud Service Provider: There are many cloud service providers, and they vary considerably in terms of their privacy and security practices. Cloud service providers may not have adequate terms of service and may not provide adequate privacy protections or security safeguards.
   
3. Regulatory Troubles: If an employee of a HIPAA covered entity or business associate shares protected health information (PHI) with a cloud service provider, a business associate agreement is likely needed. Employees who just put PHI in the cloud might result in their organization being found in violation of HIPAA in the event of an audit or data breach.
   
4. The Ease of Sharing: Sharing files is quite easy with many cloud providers – sometimes too easy. All it takes is a person to accidentally put regulated data into a shared file folder, and . . . presto, it will be instantly shared with everyone with permission to view that folder. One errant drag and drop can create a breach.
   
5. The Ease of Losing: If you don’t carry an umbrella on an overcast day, it surely will rain. And if you put regulated data on a mobile device without adequate protection, that device will surely be lost or stolen. Call it “Murphy’s Mobile Device Law.”

What should be done?

1. Educate the Cs: The C-Suite must be educated about these risks. These are readily-preventable risks that can be mitigated without tremendous expense.
   
2. Develop Policies: The study indicates that there is often a lack of policies about the use of mobile devices and cloud. There should be clear written policies about these things, and employees must be trained about these policies.
   
3. Educate the Workforce: Everyone must be educated about the risks of mobile devices and cloud and about good data security practices. According to the Ponemon Study, “Respondents believe that most employees at one time or another circumvent or disable required security settings on their mobile devices.” Employees must know more about the risks of using unapproved cloud service providers, as well as the special risks that cloud service applications can pose.
   
4. Instill Some Fear: The study reveals that almost systemically at most organizations, the risks of mobile and cloud are underappreciated and often ignored. There needs to be a healthy sense of fear. Otherwise, convenience will win.

The Ponemon Study reveals that there is a long way to go before most organizations adequately address the risks of mobile and cloud. The problem runs deeper than the fact that these risks are hard to redress.

The problem seems to stem from the fact that the risks are woefully underappreciated by many in organizations, from the top to the bottom. That has to change, and soon.

Why Security Teams Fail PCI Audits?

5 Key Challenges in the way of successful auditing!

For any business accepting credit or debit card payments from its customers, Payment Card Industry Data Security Standards (PCI DSS) compliance - which offers comprehensive standards to enhance payment card data security - is an absolute must.

But for most, ensuring continuous compliance (the ongoing monitoring of rules rather than waiting for audits to show non-compliance) with the vast and ever changing set of rules can be a real drain on resources. 

The 5 'C's

Undoubtedly one or all of the following challenges are getting in the way of successful auditing…the five 'C's:

Complexity- enterprises have hundreds of firewalls, routers and switches, all with their own complex configurations and thousands of access rules. All have to be tracked and catalogued which makes it almost impossible to comply with all the PCI DSS rules.

• Change - hundreds of changes every week amounts to thousands of changes to track from one audit to the next. The combination of rapid change and time pressures mean mistakes happen which can leave businesses wide open.
  
• Connectivity - configuration errors very easily lead to compliance issues and service downtime. A high number of rule changes can compromise cardholder data, which can leave businesses compromised until their next audit.
  
• Compliance - audits are time intensive and usually changes are unchecked between audits making the process even more laborious. Yet businesses cannot afford to fail an audit.
  
• Communication - poor communication and a siloed culture of app owners and IT security can mean a comprehensive compliance check between audits is extremely complicated and difficult to manage.

PCI DSS auditing doesn't always need to be a costly and thankless task. While compliance will always be essential for most enterprises, automation solutions can make it a much more efficient process - by slashing time spent on repetitive, manual work so that security teams can focus on strategic tasks such as security architecture, research and education.

Australian Government is getting serious about Information Security?

DSD's top 4 infosec strategies now mandatory for Australia government

The Australian Defence Signals Directorate has made its top four information security mitigation strategies mandatory for all Australian government agencies. Its top 35 strategies were updated in October last year, seeing very little change among the top four that it had marked as "essential".

These four strategies are employing application whitelisting, patching applications, patching operating system vulnerabilities, and minimising the number of users that have administrative rights. At the time of the last update to the strategies list, it states that 85 percent of all intrusions it dealt with in 2011 could have been mitigated had the top four strategies been followed.

The choice to make the top four mandatory stems from an update to the Australian government's Protective Security Policy Framework (PSPF). The PSPF has three core mandatory tenets covering the confidentiality, integrity, and availability of data. To achieve these requirements, it has set out seven "Infosec" requirements. 

In particular, Infosec 4 requires that all agencies document and implement procedures and measures to protect their systems and networks, and specifically notes that it "includes implementing the mandatory 'Strategies to Mitigate Targeted Cyber Intrusions' as detailed in the Australian government Information Security Manual [ISM]".

This means that the ISM will also need to be updated to reflect the changes to the PSPF. DSD expects to make these changes this month. As a mandatory measure, there will also be changes to government agencies' compliance and reporting procedures.

From August 1, agencies must provide annual PSPF compliance reports, including its status in implementing Infosec 4, to the relevant minister.

STORM (Secure Tool for Risk Management)

Designs and keeps updated the ICT Security Policy, Disaster Recovery plans

STORM (Secure Tool for Risk Management) is a collaborative environment offering a buddle of services in order to help your business to securely manage your Information and Communication Technology (ICT) Systems.

STORM is based on web 2.0 technologies and its main characteristics are:

• Compliance with Standards
• Collaboration
• User Friendliness
• Reduces complexity
• Scalability

Some of the key features are:

Cartography:

• Identify and depict the ICT infrastructure
• ICT assets (software and hardware) identification

Impact Assessment Service:

• Recognize the impacts (business, economical, technological, legal) of upcoming incidents on the operations of the ICT

Threat Assessment Service:

• Identify threats Evaluate threats

Vulnerability Assessment Service:

• Identify Vulnerabilities
• Evaluate Vulnerabilities

Risk Assessment service:

• Collaborative support towards identifying and evaluating the impact, threat and vulnerability of each ICT asset (i.e. software, hardware, data asset).

Risk Management service:

• Select the appropriate countermeasures according to the STORM-RM algorithm in order to protect ICT assets.

Refer here for more information or here for demo.

New PCI Guidelines for E-Commerce

New PCI Guidelines for E-Commerce

A new set of card data security guidelines for merchants and payments providers aims to address increasing risks unique to e-commerce environments. On Jan. 31, the Payment Card Industry Security Standards Council issued its PCI DSS E-commerce Guidelines Information Supplement, a set of guidelines for e-commerce security.

The guidelines relate to online infrastructures and how merchants work with third-party providers. Developed by the PCI E-commerce Security Special Interest Group, the 39-page resource includes recommendations about topics ranging from online risks associated with payments gateways to often-overlooked security gaps Web-hosting providers can inadvertently create.

Securing the Payments Chain

• The guidance offers a checklist of security recommendations and reminders, such as:
• Know where cardholder data is located within the merchant's infrastructures and those of the processors and vendors to which they outsource.
• Regularly test software and applications to detect if card data or other information is being stored unintentionally.
• Evaluate risks associated within e-commerce technology.
• Review the network and database risks posed by outsourcing functions, such as payments processing and Web hosting to third parties.
• Hire PCI-approved website scanning vendors to validate, on a regular basis, Internet-facing environments for compliance with the PCI Data Security Standard.
• Define best practices for online payment application security.
• Implement security training for internal staff.
• Establish best practices for consumer awareness.

Evaluating Third Parties

The guidance reviews how merchants can work with third parties to address those risks and provides a checklist for easy-to-fix vulnerabilities related to: 

• Online injection flaws;
• Cross-site scripting, or XSS;
• Online cross-site request forgery, or CSRF;
• Buffer or temporary data storage overflows, which result when programs or processes attempt to store more data than they were designed to hold;
• Weak authentication and/or session credentials; and
• Application and software misconfigurations.

Security audit finds Developer OUTSOURCED his JOB to China

Pro-active Log Review Might Be A Good Idea

A security audit of a US critical infrastructure company last year revealed that its star developer had outsourced his own job to a Chinese subcontractor and was spending all his work time playing around on the internet.

The firm's telecommunications supplier Verizon was called in after the company set up a basic VPN system with two-factor authentication so staff could work at home. The VPN traffic logs showed a regular series of logins to the company's main server from Shenyang, China, using the credentials of the firm's top programmer, "Bob".

"The company's IT personnel were sure that the issue had to do with some kind of zero day malware that was able to initiate VPN connections from Bob's desktop workstation via external proxy and then route that VPN traffic to China, only to be routed back to their concentrator," said Verizon. "Yes, it is a bit of a convoluted theory, and like most convoluted theories, an incorrect one."

After getting permission to study Bob's computer habits, Verizon investigators found that he had hired a software consultancy in Shenyang to do his programming work for him, and had FedExed them his two-factor authentication token so they could log into his account. He was paying them a fifth of his six-figure salary to do the work and spent the rest of his time on other activities.

The analysis of his workstation found hundreds of PDF invoices from the Chinese contractors and determined that Bob's typical work day consisted of: 

9:00 a.m. – Arrive and surf Reddit for a couple of hours. Watch cat videos 

11:30 a.m. – Take lunch

1:00 p.m. – Ebay time

2:00-ish p.m – Facebook updates, LinkedIn 

4:30 p.m. – End-of-day update e-mail to management 

5:00 p.m. – Go home

The scheme worked very well for Bob. In his performance assessments by the firm's human resources department, he was the firm's top coder for many quarters and was considered expert in C, C++, Perl, Java, Ruby, PHP, and Python.

Further investigation found that the enterprising Bob had actually taken jobs with other firms and had outsourced that work too, netting him hundreds of thousands of dollars in profit as well as lots of time to hang around on internet messaging boards and checking for a new Detective Mittens video.

Bob is no longer employed by the firm. ®

Source from The Register

Refer here to read further details.

What Security Issues Are Associated With Mobile Devices and App Development?

5 Mobile Security Trends and Actions to Consider

Governments are aggressively going mobile with new devices, app development projects and system integration efforts. Whether buying proven off-the-shelf products or developing mission-critical apps from scratch, there’s little doubt that the future interface for delivering customer service will be tablets and smartphones.

Estimates suggest that at least 50 percent of users will access the Web via mobile devices by the end of 2013. Meanwhile, many governments that implemented cloud-first policies over the past few years are developing new “mobile-first” edicts to match.

Indeed, tech experts described customer data landscape to business leaders with a triangular diagram containing three interacting puzzle pieces: cloud computing, mobile devices and security.

Some of these new apps are being acquired for public-sector workers to use on government-owned devices to improve efficiency. Other apps are citizen-centric, and they must be usable on the many new devices and operating systems now available and those coming soon.

So what security issues are associated with mobile devices and app development? Here are five mobile security trends and some actions to consider as you become more mobile:

More Mobile Data Than Ever

For years, sensitive enterprise data has leaked via USB drives and lost or stolen laptops, but the number of smartphones, tablets and other mobile devices has exploded.

Actions: Establish policies that encrypt mobile data on devices or keep all sensitive data off mobile devices. If accessing sensitive information is required, consider data loss prevention products and keeping all personally identifiable information on protected enterprise servers and off the endpoint devices.

More Mobile Malware

The bad guys are following the crowds, who are buying smartphones and tablets with more power than PCs of a decade ago. The DroidDream and Gemini malware attacks were launched in early 2012, and some call this the “Year of Mobile Malware.” Mobile botnets are also growing.

Actions: Mobile device management services can protect devices by locking down permissions and offering anti-malware software and tools. Training end users is also essential via formal awareness programs that explain how to think before clicking.

Growing Use of BYOD to Work

Some security experts see the BYOD trend as “bring your own disaster.” Nevertheless, one top industry expert predicted that 80 percent of global enterprises will adopt this approach by 2016.

Actions: Meet with business customers about mobile device preferences. Consider piloting BYOD in areas with nonsensitive data. Develop policies for the use of personal devices under different scenarios, even if some business areas opt out.

Authentication Complexity Growing

Despite the push for single sign-on, many enterprises still struggle with more credentials for more apps and devices. Users are tiring of more complex passwords, and the use of biometrics is growing.

Actions: Streamline credentials with federated identity management across government systems, mobile apps and legacy programs. Consider using federal health IT dollars as anchor tenants. Apply government policies to personal devices, if they store business data — after getting employee buy-in.

Mobile Platform Support Is Complex

Whether you’re writing apps for Apple’s iOS, Google’s Android, BlackBerry’s BES or Microsoft’s Windows 8, secure coding is hard work. One technology CEO said, “You’d be hard pressed to find application developers who actively try to mitigate against cross-site scripting attacks, SQL injection attacks and cross-site request forgery attacks.”

Actions: HTML5 is growing as an industry standard across mobile platforms — consider adopting it. Train staff in secure coding. And before deploying a code, test it for holes.

Final Thoughts

Government executives must consider having vendor partners manage specific services or assist with mobile activities. IT consumerization makes this a difficult area to keep up with. 

Please refer to National Institute of Standards and Technology issued draft guidance on mobile security for further details.

NIST Issues Credential Revocation Guide

Revocation Model for Federated Identities

Organizations can't easily revoke authentication credentials when they employ more than one identify provider. With multiple identity providers and unique requirements for organizations to federate them, no one approach exists to manage them.

To address this dilemma, the National Institute of Standards and Technology has issued NIST Interagency Report 7817: A Credential Reliability and Revocation Model for Federated Identities.

IR 7817 describes and classifies different types of identity providers serving federations. For each classification, the document identifies perceived improvements when the credentials are used in authentication services and recommends countermeasures to eliminate some identified gaps.

With the countermeasures as the basis, the document suggests a Universal Credential Reliability and Revocation Services model that strives to improve authentication services for federations.

Here's how NIST explains the challenge:

Identity providers establish and manage their user community's digital identities. Users employ these identities, in the form of digital credentials, to authenticate service providers. The digital identity technology deployed by an identity provider for its users varies and often dictates a specific authentication solution in order for the service provider to authenticate the user.

A federated community accommodates two or more identity providers along with the specific authentication solution. With the diverse set of identity providers and the unique business requirements for organizations to federate, there is no uniform approach in the federation process. Similarly, there is no uniform method to revoke credentials or their associated attributes.

In the absence of a uniform method, IR 7817 investigates credential and attribute revocation with a particular focus on identifying missing requirements for revocation. As a by-product of the analysis and recommendations, the report suggests a model for credential reliability and revocation services that serves to address some of the missing requirements.

10 Supply Chain Risk Management Best Practices

NIST Interagency Report Aims to Mitigate Vulnerabilities

The National Institute of Standards and Technology has issued a new report to help organizations mitigate supply chain risks. NIST says the 10 supply chain risk management practices can be applied simultaneously to an information system or the elements of an information system.

The practices are:

1) Uniquely identify supply chain elements, processes and actors. Knowing who and what is in an enterprise's supply chain is critical to gain visibility into what is happening within it, as well as monitoring and identifying high-risk events and activities. Without reasonable visibility and traceability into the supply chain, it is impossible to understand and therefore manage risk and to reduce the likelihood of an adverse event.

2) Limit access and exposure within the supply chain. Elements that traverse the supply chain are subject to access by a variety of actors. It is critical to limit such access to only as much as necessary for those actors to perform their roles and to monitor that access for supply chain impact.

3) Establish and maintain the provenance of elements, processes, tools and data. All system elements originate somewhere and may be changed throughout their existence. The record of element origin along with the history of, the changes to and the record of who made those changes is called "provenance."

Acquirers, integrators and suppliers should maintain the provenance of elements under their control to understand where the elements have been, the change history and who might have had an opportunity to change them.

4) Share information within strict limits. Acquirers, integrators and suppliers need to share data and information. Content to be shared among acquirers, integrators and suppliers may include information about the use of elements, users, acquirer, integrator or supplier organizations as well as information regarding issues that have been identified or raised regarding specific elements. Information should be protected according to mutually agreed-upon practices. 

5) Perform supply chain risk management awareness and training. A strong supply chain risk mitigation strategy cannot be put in place without significant attention given to training personnel on supply chain policy, procedures and applicable management, operational and technical controls and practices. NIST SP 800-50, Building an Information Technology Security Awareness and Training Program, provides guidelines for establishing and maintaining a comprehensive awareness and training program.

6) Use defensive design for systems, elements and processes. The use of design concepts is a common approach to delivering robustness in security, quality, safety, diversity and many other disciplines that can aid in achieving supply chain risk management. Design techniques apply to supply chain elements, element processes, information, systems and organizational processes throughout the system.

Element processes include creation, testing, manufacturing, delivery and sustainment of the element throughout its life. Organizational and business processes include issuing requirements for acquiring, supplying and using supply chain elements.

7) Perform continuous integrator review. Continuous integrator review is an essential practice used to determine that defensive measures have been deployed. Its purpose is to validate compliance with requirements, establish that the system behaves in a predictable manner under stress and detect and classify weaknesses and vulnerabilities of elements, processes, systems and any associated metadata.

8) Strengthen delivery mechanisms. Delivery, including inventory management, is an essential function within the supply chain, which has a great potential for being compromised. In today's environment, delivery can be physical such as hardware or logical such as software modules and patches. 

9) Assure sustainment activities and processes. The sustainment process begins when a system becomes operational and ends when it enters the disposal process. This includes system maintenance, upgrade, patching, parts replacement and other activities that keep the system operational. Any change to the system or process can introduce opportunities for subversion throughout the supply chain.

10) Manage disposal and final disposition activities throughout the system or element life cycle. Elements, information and data can be disposed of at any time across the system and element life cycle. For example, disposal can occur during research and development, design, prototyping or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys and partial reuse of components.

NIST says the recommendations in the interagency report are for information systems categorized at the FIPS 199 high-impact level. But NIST says agencies and other agencies can choose to apply the recommended practices to specific systems with a lower impact level, based on the tailoring guidance provided in the draft of NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations.

Refer here to download the report.

Securing Mobile Devices Using COBIT 5 for Information Security

ISACA published (Members Only) guidelines for Securing Mobile Devices 

Securing Mobile Devices Using COBIT 5 for Information Security should be read in the context of the existing publications COBIT 5 for Information Security, Business Model for Information Security (BMIS) and COBIT 5 itself. This publication is intended for several audiences who use mobile devices directly or indirectly.

These include end users, IT administrators, information security managers, service providers for mobile devices and IT auditors. The main purpose of applying COBIT 5 to mobile device security is to establish a uniform management framework and to give guidance on planning, implementing and maintaining comprehensive security for mobile devices in the context of enterprises.

The secondary purpose is to provide guidance on how to embed security for mobile devices in a corporate governance, risk management and compliance (GRC) strategy, using COBIT 5 as the overarching framework for GRC.

Refer here to download. (Members Only)

Tips for IT Security Auditing

How to effectively conduct IT Security Audit?

As an information security professional, it is your responsibility to protect and sustain the enterprise’s information assets from all types of threats. One way to enhance the security posture of your enterprise is to leverage the expertise of a security auditor to help find and fix the worst problems in your security infrastructure.

You may be thinking, “Why would I want to invite a security auditor to help me find my greatest weaknesses?” No one relishes an audit—which often seems to involve people poking around and looking for holes in the network or systems. 

However, a thoroughly conducted audit, with appropriate risk-based scoping, can keep you from having to report to your management or board that a data breach happened on your watch.

In most enterprises, the information security and audit functions are involved with protection and sustainment of important organizational assets. The information security function has the primary responsibility for establishing and maintaining a cost-effective and robust security program.

The audit function, whether internal or external, provides an independent review and analysis of the program. Here are some considerations for participating in and preparing for an IT security audit:

• Remember that audits are opportunities to improve the security program, not a personal indictment of security practices. Taking the initiative to request a thorough audit of your security shows management that you are willing to do what is best for the enterprise. It can also help you get additional budget to address serious areas of risk.
  
• Receive from the audit team an audit plan outlining the purpose, scope and approach to the audit. If you are the requestor of the audit, you have an opportunity to provide input on what areas of focus you think are most at risk.
  
• Conduct a review of the current security policies, standards and guidelines, and make sure you understand how those policies are implemented in operation. Often, there are conflicts in the way policies are implemented, especially when relying on technology alone, and an audit can pinpoint the gaps.
  
• Collect, document and organize the procedures and processes that your staff follows to perform their duties. You may find that lack of consistency in performing the processes results in unacceptable variance in the way that certain security controls are implemented.

Security audits should not be limited to technology testing, penetration testing or exploiting vulnerabilities, but should provide an accurate analysis of the risk areas that pose the most danger to the enterprise. A thorough security audit is about regular and consistent validation and verification that the security program is effective in doing what it is designed to do: protect and sustain the enterprise’s critical assets.

Source: ISACA

NIST Drafting Guide on Media Sanitization

Evolving Storage Environment Creates Need for Revised Guidance

The National Institute of Standards and Technology is revising guidance aimed to help organizations sanitize data based on the confidentiality of stored information. Draft NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization discusses methods, techniques and best practices for the sanitization of data on different types of media, employing risk-based approaches to establish and maintain a media sanitization program.

The revised guidance doesn't specifically address all known types of media, but it does describe a sanitization decision process that can be applied universally. NIST is seeking public comment on the draft guidance to consider before issuing a final report.

Comments should be submitted to 800-88r1Comments@nist.gov by Nov. 30.

Simply, sanitization makes accessing data on media unfeasible. The proposed guidance identifies three sanitization models:

Clear: Applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques. It's typically applied through the standard read and write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state, where rewriting is not supported.

Purge: Prescribes physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques.

Destroy: Renders target data recovery infeasible using state-of-the-art laboratory techniques and results in the subsequent inability to use the media for storage of data.

The Bible of Risk Assessment

NIST Issues Risk Assessments Guidance

Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments, provides direction for conducting risk assessments and amplifies the guidance found in SP 800-39: Managing Information Security Risk. Though SP 800-30 was written for federal information systems and organizations, its lessons can be applied to other organizations in and out of government.

The new guidance document, issued Sept. 18, provides direction for carrying out each of the steps in the risk assessment process, such as preparing for the assessment, conducting the assessment, communicating the results of the assessment and maintaining the assessment. It also shows how risk assessments and other organizational risk management processes complement each other.

Continuous Monitoring

Special Publication 800-30 also provides guidance to organizations on identifying specific risk factors to monitor systems continuously so that they can determine whether risks have increased to unacceptable levels, such as exceeding organizational risk tolerance. And it offers insights on different courses of action that should be taken.

Information technology risks include risk to the organization's operations, such as mission and reputation, as well as its critical assets, including data and physical property as well as individuals who are part of or served by the organization.

Can't Protect Everything

The new publication focuses exclusively on risk assessment, the second step in the information security risk management process. The guidance covers the four elements of a classic risk assessment: threats, vulnerabilities, impact to missions and business operations.

It also addresses the likelihood of threat exploitation of vulnerabilities in information systems and their physical environment to cause harm or adverse consequences.

With the insurance of the revised SP 800-30, the original series of five key computer security documents (including SP 800-39) envisioned by the Joint Task Force to create a unified information security framework for the federal government is completed. The Joint Task Force is a partnership of NIST, the Department of Defense, the Office of the Director of National Intelligence and the Committee on National Security Systems.

Effectively Assessing Information Risks within the Enterprise

3 Lines of Cyberdefence

By combining responsible management, risk management and compliance functions and internal audits, organizations will go far in securing their data and systems. 

To succeed, internal auditors and business systems owners, including chief information security officers, must collaborate more closely to assure the security of their organizations' data systems. 

A new report from PwC, Fortifying Your Defenses: The Role of Internal Audit in Assuring Data Security and Privacy, which identifies three lines of cyberdefense:  

Management: Companies that are good at managing information security risks typically assign responsibility for their security regimes at the highest levels of the organization. Management has ownership, responsibility and accountability for assessing, controlling and mitigating risks. Risk management and 

Compliance Functions: Risk management functions facilitate and monitor the implementation of effective risk management practices by management, and help risk owners in reporting adequate risk-related information up and down the enterprise.

Internal Audit: The internal audit function provides objective assurance to the board and executive management on how effectively the organization assesses and manages its risks, including the manner in which the first and second lines of defense operate.

It's vital that internal audits be at least as strong as the management and risk management and compliance functions for critical risk areas. Without internal audits that provide proficient and objective assurance, organisations risk having their information privacy practices becoming inadequate or outmoded. 

This is a role that internal audit is uniquely positioned to fill, but, it must have the support and the resources to match to do so.

Refer here to download the report.

Recommendations For Your Information Risk Management and Security Strategy

The strategy associated with an enterprise’s information risk management and security (IRMS) program becomes a road map for its activities. When developing or refreshing your IRMS strategy, there are many considerations that should be accounted for to make sure it is beneficial to your enterprise and plausible for implementation and ongoing success.

Here are five things to consider when undergoing this effort:

1. Validate your strategy with your intended audiences early in its development
   
   The key to any successful strategy is the positive perception and realization of its value by the people it will impact.
   
   Too often IRMS professionals assume they intuitively understand their enterprise’s requirements and expectations, as well as the benefits that will be obtained by implementing their proposed strategies. While this may be the case, it is important to validate these assumptions with the customer of the strategy to ensure they agree. Without their support the strategy will have little chance of success.
   
   The easiest way to achieve this validation is to socialize the concepts and ideas that you intend to include in your strategy with key leaders and stakeholders early in the development process. If they are involved in shaping its development and agree with your views and approach, there is a much higher likelihood of successful execution.
   
2. Align the IRMS strategy with your enterprise’s information risk profile
   An enterprise’s approach to IRMS should be about information risk first and security second. When developing your IRMS strategy, make sure you align your programs and activities with your enterprise’s information risk profile.
   
   This profile will identify the information risk appetite of your enterprise. A risk-based strategy presented to a sponsor or leader has a high probability of gaining support since it is designed to align with needs and expectations. If your enterprise does not have a formal information risk profile, seek out the individuals who have risk management responsibilities in the enterprise (i.e., finance, legal, compliance) as well as business process and data owners to work with them to identify their information risk appetite and expectations of security to create a profile to support them.
   
3. Leverage staff as a force multiplier
   Leaders and individual contributors associated with IRMS programs and capabilities often feel as though they are overworked and undersupported by their enterprises. One approach that can help to ease this pain is to plan in your IRMS strategy to leverage your enterprise’s overall staff as a force multiplier.
   
   One strategy that is often successful is to identify individuals who will be tasked as IRMS champions within the key functions and services within your organization. By empowering these champions with knowledge, capabilities and expectations, they can assist you in meeting your IRMS objectives without having to significantly expand the budget or staffing of your program. Beyond the establishment and support of champions, the creation of a risk-conscious and security-aware culture within your enterprise can provide an effective force multiplier for your efforts as individuals incorporate IRMS as a business as usual activity.
   
4. Consider current and projected business conditions
   Current and projected economic and business conditions can have a distinct impact on ISRM strategy development. If your enterprise is currently or projected to contract or operate in an extremely cost-cautious manner, develop a strategy that accounts for this situation. Even when considering areas such as compliance, where many ISRM professionals assume their organizations will have to invest to ensure alignment, it is important to identify contingencies in cases where they are unwilling or unable to do so.
   
   Alternatively, if your enterprise is currently or plans to be operating in a business growth and expansion mode, this is an ideal time to invest in programs and capabilities that will ensure alignment with business needs and expectations. When developing strategies in either scenario, it is important to identify and validate the business value of your proposed strategy to gain the support of your enterprise’s leadership and program sponsors.
   
5. Ensure the strategy can be implemented and operate successfully with your existing budget and resources
   A common mistake made in the development of IRMS strategy is to assume that enhanced funding will be provided or sustained as part of its execution. Business conditions and information risk appetites of organizations can change quickly. IRMS can be an easy target for budget and resource adjustments.
   
   If the foundation of your strategy is based on the use of your current budget and resource allocation, your ISRM program and its capabilities will be more resilient during these types of fluctuations. Components of your strategy that require expanded budget and staff should be developed as modular initiatives whose business value can be clearly understood and monitored, but also easily adjusted if business conditions change.

Source from ISACA.