How applying business philosophy to INFOSEC can bring organizations to a Secure State
At the core of SecureState’s philosophy is the timely transition businesses need to make from their CurrentState (CS) security environment to a DesiredState (DS) security environment, consistent with acceptable levels of risk. As shown in the graph below, SecureState begins by working with clients at their CS, performing assessments to understand the security posture of the organization. Once SecureState identifies the CS, tactical and strategic methods are implemented to move the business into a DS and ultimately to a managed SecureState (SS).
Often, organizations focus only on tactical methods, working to solve the “break-fix” items reported in the assessment results. Other organizations focus only on strategic methods, missing the tactical recommendations needed to put those strategic visions in place. SecureState is uniquely positioned to provide organizations with recommendations that deliver value at the strategic, program level combined with the tactical steps needed to put the strategy into place. Without this combination, organizations often fall victim to the principle of three forces (time, resources, change), fall back into a deterioratedState (dS), and start the cycle over again. We used to call this the “patch/discovery” hole: discover holes, patch holes, find new holes, but never learn from or fix the larger issue. Organizations tend to get stuck in a reactive loop and are afraid of change (specifically security program change that might affect the organization). They continue to react and remediate as best they can instead of becoming program-driven, blanketing the entire environment with reactive controls and technology in the hope that these will protect important assets, instead of choosing to understand and address the impacts.
INFOSEC engagements put this philosophy into practice and provide a complete snapshot of the current and desired states.
The INFOSEC assessment has strong ties to ISO 27001:2005, the Payment Card Industry Data Security Standard (PCI DSS), and the NSA’s IAM (INFOSEC Assessment Methodology). The INFOSEC assessment helps identify gaps within an existing or newly rebuilt security posture and is primarily a control-based process focusing on current policies, procedures, and security implementations. SecureState has developed an approach that is extremely effective in documenting the organization’s CS, which ultimately assists in moving it to a DS. SecureState applies the INFOSEC methodology coupled with a maturity ranking to assess an organization’s controls across 15 security domains:
- Policies & Procedures
- Organizational Structure
- Governance and Compliance
- Network Security
- Wireless Security
- Operating System Security
- End User Security
- Voice Communications
- Incident Response
- Business Continuity
- Data & Asset Classification
- Physical Security
- Internet Presence
- Application Security
- Remote & Mobile Security
The organization’s security program is assessed across the INFOSEC domains using Carnegie Mellon’s Capability Maturity Model Integration (CMMI) framework. The CMMI has five levels that can be used to assess the maturity of controls within a specific area:
- Level 5: Optimized: Continuous improvement of process performance through incremental and innovative corrective action.
- Level 4: Managed: The security control area can be monitored and measured, but management of the control area is not fully automated or scheduled.
- Level 3: Defined: The security control area has been defined and documented, and communication occurs through awareness training; however, the area is left to individual personnel to follow.
- Level 2: Repeatable: Some processes within the security control area are repeated; however, planning, performance monitoring, and awareness outside the department are minimal.
- Level 1: Initial/Ad Hoc: The security control area is immature, and any processes developed are reactive; planning and performance monitoring are generally non-existent.
- Level 0: Nonexistent: No evidence exists that the security control area is being addressed at all.
INFOSEC Control Maturity:
For each domain, SecureState identifies key controls that reflect a security program’s maturity level within that domain. Between three and five representative controls are chosen to grade each maturity level within a domain. The INFOSEC process assesses whether each control is in place and evaluates the design of each control. The resultant control rating reflects how well the control would mitigate the associated vulnerabilities if its design were followed perfectly.
In practice, controls are rarely implemented exactly as planned or consistently kept in place. To account for this, the INFOSEC process also incorporates an effectiveness score for each control, reflecting how well the control is actually performing. Additional assessments such as penetration tests, incident response tests, social engineering, and process audits are necessary to evaluate the effectiveness of these controls.
Finally, an organization’s maturity level within a domain is determined by meeting all of the controls for that maturity level. For example, a single missing control for a Level 3, “Defined” rating within a particular domain would leave the maturity level for that domain at Level 2, “Repeatable”. This gives a clear direction for which controls an organization needs to implement in order to increase its maturity within a given domain.
INFOSEC Current State:
Below is an example control sheet for a particular domain. Note that the client has met all controls relating to the Level 1, “Initial/Ad Hoc” rating, while within the Level 2, “Repeatable” rating it has met some controls, partially met others, and not met the rest. Therefore, the INFOSEC consultant would rate this client’s maturity level for the domain at only Level 1, “Initial/Ad Hoc”.
INFOSEC Desired State:
The strategic recommendation plan is used to identify, at a high level, the overall gap in a company’s security program and how that gap relates to the critical business data sets and impacts. On the chart below, the results of an INFOSEC assessment are represented across all domains. The blue area within the graph represents an organization that has addressed, and met, all controls and threats surrounding the critical data sets and components for each domain. The yellow area represents the current state of controls surrounding the data sets. Using this type of chart, it is easy to determine where the gaps are within the company’s environment. In this example, the INFOSEC consultant could look for large gaps between the blue and yellow areas and strategically provide recommendations that are pertinent to the client’s industry and business. In the example below, large gaps exist for ‘Voice and Mobile Communications Security’ and ‘Incident Response.’
The Tactical Recommendation Plan is used to identify the remediation, implementation, and countermeasure steps that meet increased levels of maturity and are obtainable in the near future. Incorporating a tactical approach highlights the organization’s commitment to a mature security program, and helps measure and track the security steps identified during audits, penetration assessments, and/or risk assessments.
The tactical graph shown below is used as a guideline to quickly determine the CurrentState of security controls and, realistically, what level could be obtained in the short term for each domain. The blue area represents the security level the client could reach with minimal effort, and the yellow area represents where the client rates currently.
You can refer to the section “INFOSEC Current State” above to see how the control sheet ties into the graph. Every grid line on this chart represents a maturity level; there are five lines in total, with the outer edge being the “Optimized” maturity level.
For example, the INFOSEC consultant might tactically recommend implementing a control within the ‘Personnel Security’ domain to move from a current level 3 to a desired level 4; similarly, this could be applied to each domain to find, tactically, which controls could be met to reach a new maturity level.
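The maturity rule in “INFOSEC Control Maturity” (a level is earned only when every control graded at that level is met), the control-sheet reading in “INFOSEC Current State”, and the strategic-gap and short-term tactical views above are mechanical enough to compute from a sheet. The block below is an added example written for this article, not SecureState’s own tooling or data: the domain names come from the list above, but the control names, their statuses, and the `max_missing` threshold standing in for “obtainable in the short term” are constructed assumptions.

```python
"""Domain maturity computed from an INFOSEC-style control sheet.
Constructed example, not SecureState's tooling. Rules from the text: each CMMI
level in a domain is graded by three to five representative controls, and a
domain reaches level L only when every control at levels 1..L is met (one
missing level-3 control leaves it at level 2). The short-term threshold is assumed.
"""
from dataclasses import dataclass
from enum import Enum

class Status(Enum):
    MET = "met"
    PARTIAL = "partially met"
    NOT_MET = "not met"

LEVEL_NAMES = {0: "Nonexistent", 1: "Initial/Ad Hoc", 2: "Repeatable",
               3: "Defined", 4: "Managed", 5: "Optimized"}
TOP_LEVEL = 5

@dataclass(frozen=True)
class Control:
    level: int      # maturity level this control is representative of (1..5)
    name: str
    status: Status  # design/in-place rating; effectiveness scoring is separate

def maturity_level(controls):
    """Highest L such that every control at levels 1..L is MET (0 if none)."""
    grouped = {lvl: [] for lvl in range(1, TOP_LEVEL + 1)}
    for c in controls:
        grouped[c.level].append(c)
    level = 0
    for lvl in range(1, TOP_LEVEL + 1):
        # A level with no controls defined, or any control not fully met, stops the climb.
        if not grouped[lvl] or any(c.status is not Status.MET for c in grouped[lvl]):
            break
        level = lvl
    return level

def missing_controls(controls, target_level):
    """Controls at levels 1..target_level not fully met: the to-do list for that level."""
    return [c for c in controls if c.level <= target_level and c.status is not Status.MET]

def reachable_level(controls, max_missing=2):
    """Tactical view: highest level whose cumulative gap is at most max_missing controls.
    max_missing stands in for 'obtainable with minimal effort' and is this example's assumption."""
    reachable = maturity_level(controls)
    for lvl in range(reachable + 1, TOP_LEVEL + 1):
        if len(missing_controls(controls, lvl)) > max_missing:
            break  # the cumulative count only grows with lvl
        reachable = lvl
    return reachable

def assess_domain(name, controls, desired=TOP_LEVEL, max_missing=2):
    """One row of the strategic (gap to desired) and tactical (next step) charts."""
    current = maturity_level(controls)
    nxt = min(current + 1, TOP_LEVEL)
    return {
        "domain": name,
        "current": current,
        "reachable": reachable_level(controls, max_missing),
        "desired": desired,
        "strategic_gap": desired - current,
        "to_reach_next": [c.name for c in missing_controls(controls, nxt)],
    }

def program_summary(sheets, desired=TOP_LEVEL):
    """Assess every domain's sheet; the result is what the radar charts would plot."""
    return {name: assess_domain(name, ctrls, desired) for name, ctrls in sheets.items()}

# Constructed control sheets (control names and statuses invented for illustration).
M, P, N = Status.MET, Status.PARTIAL, Status.NOT_MET
INCIDENT_RESPONSE = [Control(*t) for t in [
    (1, "Incident contact list maintained", M), (1, "Incidents logged", M),
    (1, "Responder designated", M),
    (2, "Response steps documented", M), (2, "Incident triage categories defined", P),
    (2, "Post-incident review performed", N),
    (3, "IR policy approved", N), (3, "IR procedures covered in awareness training", N),
    (3, "Roles and escalation paths defined", M),
    (4, "IR metrics tracked", N), (4, "IR plan tested annually", N), (4, "Detection alerts monitored", N),
    (5, "IR process continuously improved", N), (5, "Lessons learned change controls", N),
    (5, "IR capability benchmarked", N),
]]
POLICIES_PROCEDURES = [Control(*t) for t in [
    (1, "Policies exist", M), (1, "Policy owner named", M), (1, "Policies accessible to staff", M),
    (2, "Policies reviewed on a schedule", M), (2, "Exceptions recorded", M), (2, "Procedures written", M),
    (3, "Policies communicated via training", M), (3, "Policy framework documented", M),
    (3, "Procedures mapped to policies", M),
    (4, "Policy compliance measured", M), (4, "Policy review metrics tracked", P),
    (4, "Violations reported to management", M),
    (5, "Policy set benchmarked and tuned", N), (5, "Improvement actions tracked", N),
    (5, "Policy effectiveness reviewed by leadership", N),
]]

if __name__ == "__main__":
    sheets = {"Incident Response": INCIDENT_RESPONSE, "Policies & Procedures": POLICIES_PROCEDURES}
    for row in program_summary(sheets).values():
        print(f"{row['domain']}: current {LEVEL_NAMES[row['current']]}, "
              f"reachable {LEVEL_NAMES[row['reachable']]}, gap {row['strategic_gap']}, "
              f"next: {row['to_reach_next']}")
```

Only the design/in-place rating is modelled here; the effectiveness score the article describes would be a second field per control, filled in from the validation assessments discussed later, and a partially met control counts as not met for maturity purposes, which is what drops the constructed Incident Response sheet to Level 1 exactly as the control-sheet walkthrough above describes.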
The differentiator: INFOSEC and the Secure State:
Validating the effectiveness:
INFOSEC’s true differentiator lies in validating the effectiveness of controls. The INFOSEC process can incorporate an effectiveness score for each control, detailing how well the control is actually performing.
SecureState can measure the effectiveness of controls by implementing assessment services that directly target and test each control within each domain.
For example, an organization could perform an Incident Response Test that goes well beyond traditional tabletop exercises. Ideally, the INFOSEC engagement would couple an Incident Response Test with a Penetration Assessment to help identify and rate the effectiveness of both the response and the security controls in place.
During an Incident Response Test, the organization would identify gaps within the current version and implementation of the response plan: the referenced policies, the response methodologies, and the accompanying procedures.
Next, the test would run live incident scenarios simulating an attacker attempting to gain remote or local access to the business networks and exploiting weaknesses to obtain as much access to sensitive information as possible.
These assessments ascertain the level of exposure and/or unauthorized access that could be obtained if an attacker focused their efforts on the business networks, and also test the control capabilities of the corporation.
Below is a typical recommendation chart used to show a snapshot of a client’s CS, what CMMI level they could obtain in the near future, and how controls within each domain were tested and validated. In this example, we show the client several controls that were validated during an internal penetration assessment, and which tactical recommendations could be implemented to increase the organization’s security maturity:
INFOSEC engagements provide organizations with an effective baseline understanding of the CS and allow for the development of a meaningful, program-driven plan to get to a DS. Through tailored tactical and strategic recommendations, with validation assessments to test the effectiveness of the controls, the INFOSEC process and SecureState’s philosophy will ultimately bring organizations to a Secure State.