Reading Questions
- What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
- Who or what do you think is the most significant risk to any organization?
- Security education is spoken of often. Why is it important?
- Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security processes?
- How much attention do you pay to the security of your device, data, and behaviors?
The iPremier Case
Read the iPremier Case. Consider these questions when you prepare for our Webex.
- How well did the iPremier Company perform during the seventy-five minute attack? If you were Bob Turley, what might you have done differently during the attack?
- The iPremier Company CEO, Jack Samuelson, had already expressed to Bob Turley his concern that the company might eventually suffer from a “deficit in operating procedures.” Were the company’s operating procedures deficient in responding to this attack? What additional procedures might have been in place to better handle the attack?
Rich
Michael Gibbons says
What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
The risks associated with the 10 processes that Gartner says you must get right would include an ineffective Information Security program. Information Security needs to be accepted by the organization and integrated into all critical processes. It’s an important set of eyes that needs to be able to communicate information security risk in business terms. Going through the 10 processes, there is a risk associated with each process not functioning properly. If Information Security Governance is not working effectively, the organization may take on excessive risk and jeopardize meeting their business objectives. If Information Security policies are ineffective or deficient, the organization is not meeting their obligation of due care in communicating formal expectations to all levels of the organization. There is also the risk of too many exceptions to policy or not having the authority to enforce policy. Training and Awareness adds to the policies by putting policy language into action and teaching the organization what is expected and how it is to be done. Access management should set the limits, prevent segregation of duties issues and follow a least privilege model (tie back to policy and training). If not working properly, the organization runs the risk of issues with the confidentiality of data, integrity of data and availability of data (which can lead to the risk with Incident Response and Business Continuity). Vulnerability Management risks can lead to similar risks, and exceptions can be an issue here as well if the organization is selecting vendors that do not provide patches or remediation in a timely manner (ties back to policy, change management, incident response, business continuity, project management and vendor management).
Richard Flanagan says
Michael – I particularly like your comment about too many exceptions to policy. This is a frequent issue, not just with security but with all policies. You want your policies to be as simple as possible.
Anthony Quitugua says
I agree that too many exceptions to a policy is a risk. A policy becomes invalid once you start making exceptions to it. At that point you are no longer enforcing the current policy, but are in fact enacting a new one in accordance with the exceptions.
It’s like the old saying: “If you are not following the standard… you are creating a new one.”
Michael Gibbons says
2. Who or what do you think is the most significant risk to any organization?
I think weak governance processes are the most significant risk to any organization. If the control environment (tone at the top) is weak, there is little an organization can do to make the control activities, risk assessment, information and communication and monitoring activities worthwhile in meeting the organization’s objectives.
Anthony Quitugua says
Exactly. Without a strong governance structure in place, your policies are worthless. However, I do need to caveat that: you must also have the proper authorities in place to enforce the policies. Governance without enforcement is about as useless as policy without governance.
Michael Gibbons says
3. Security education is spoken of often. Why is it important?
Security education is important because employees are typically the weakest link in an organization. A perfect example would be the success rates of social engineering attempts. People by nature want to be helpful and being helpful vs. taking a step back to think about information security can be difficult for some people.
Michael Gibbons says
4. Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security process?
The topics in the CyberSecurity and Boards article and the Gartner top 10 security processes relate in the governance aspect. The board has ultimate responsibility and oversight of the organization. They need to be in the know for these processes and management needs to be able to provide them with relevant information related to these processes. That information might not be in the same level of detail as what senior management and the CEO require, but at a level that they have a clear understanding of the security posture of the organization and the ability to help direct management towards the defined risk appetite. In both articles, the CISO is not going to be in a position of making friends because the information they will be providing to management and the board may not be looked at favorably if the organization is not doing the right things well.
Michelangelo C. Collura says
Excellent point about the board and its authority. It is possible that a board will transfer the risk to IS staff in the organization, or at least think they are. In truth, they have, as you say, ultimate responsibility and oversight, so they cannot expect security controls to run smoothly if they are aloof or uninformed.
Michael Gibbons says
5. How much attention do you pay to the security of your device, data, and behaviors?
I would say I am probably more aware of the security of my devices, data and behaviors than someone who does not work in an assurance function. An example would be that, due to receiving alerts from multiple sources (US-CERT, security blogs, FS-ISAC, etc.), I am able to correlate those alerts and fixes, if available, to the devices I own and control to keep them up to date. I learn things better when I can actually do something, so if I read a system hardening guide, I am going to perform those steps on a system I own to see what that does to the functionality of that system. With my personal data, I have no false beliefs that my data has not been compromised (I have received enough letters from the university where I did my bachelor’s degree informing me that my information has been compromised that it’s easier to accept that your data is out there and take steps to monitor – review credit reports, bank statements, etc.). Behavior wise, I try to be vigilant of what I am doing and use different machines based on the purpose (one machine for banking vs. another machine that is for browsing the internet – keeping devices up to date, using more than the router provided by the cable company for firewall protection, antivirus/antimalware software, basically what could be referred to as a layered security approach because of knowing what can happen with a single point of failure).
Donald Hoxhaj says
1. What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
The biggest risk in not implementing the 10 processes as defined by Gartner is that an organization would end up having a weak Information Security Process as defined by the CISO. These processes are important because they help the organization to make constant improvement and keep pace with the changes happening in the technology space at a given point in time. The drawback of not having these processes would be a weak standard of care. There is definitely a risk associated in each of the 10 processes defined by Gartner. If the Security Governance process is not followed correctly, there are high chances that the organization might run out of resources to continue to address the security needs and might execute the security practices badly. The governance process becomes crucial here as it helps to execute effectively. Not following an effective security policy might essentially lead to poor awareness, delayed approval processes within the systems, and failure in executing compliance verifications.
Similarly, not adhering to the Awareness and Education process might lead an organization to be technically challenged and unaware of the latest security practices in place. It would not only put the organization in jeopardy, but also create an inefficient workforce that was not trained on security practices. IAM becomes a key factor, especially when it comes to security implementations within an organization. If IAM is not practiced effectively, it might lead to unauthorized and unidentified users having access to critical systems and important data that could potentially put the organization in danger or probably bankruptcy. All these processes are in many ways interlinked with each other and have to be executed in tandem. Incident Response process risk can be quite costly for an organization if not implemented rightly. A weak Incident Response strategy could lead to failure in the detection, assessment, response, and learning process. Additionally, lack of Change Management practices could potentially put an organization in trouble during a change in security policies or adherence to new security patches in response to a threat. Any delay here could lead to massive loss of data.
These controls help by enabling an organization to have a strong Information Security practice and process in place. They help an organization to have a strong framework in dealing with security breaches and have a strong risk response strategy. All these ultimately help in learning and knowledge management to adapt to new changes.
Vince Kelly says
I agree with the statement that you made Donald – “not adhering to the Awareness and Education process might lead an organization to be technically challenged and unaware of the latest security practices in place. It would not only put the organization in jeopardy, but also create an inefficient workforce that was not trained on security practices. ”
Good point – it creates the potential for circularly reinforcing bad security practices, right? i.e., taking a ‘who cares’ or lax approach in training employees leads to a similar ‘well I don’t care if my management doesn’t care’ type of attitude about security by the employees.
Richard Flanagan says
Absolutely right.
Donald Hoxhaj says
2. Who or what do you think is the most significant risk to any organization?
I think that both Security Governance and IAM are the most significant risks to an organization. While any compromise or failure in implementing Security Governance can lead to weak security response measures, leading to poor communication and response to threats, IAM can on the contrary fail the entire system or rather break down a chain of security events associated with each other. It is ultimately the user that has access to system resources and features. Therefore, in order of priority, I would say IAM would stand first and Security Governance second, and both of them are significant risks to an organization.
Donald Hoxhaj says
3. Security education is spoken of often. Why is it important?
Security education and training is often spoken about and practiced in many organizations. While there are many reasons for its importance, some of the primary reasons are that it acts as the first line of defense against security threats, enables an organization to be trusted, prevents unwarranted attacks on internal resources, and empowers the employees within the organization to follow best practices and security standards to protect critical systems from unauthorized breaches. Employees are very critical here, because we live in an age where human intervention is maximum in any organizational setting or security practice. Therefore, it is important that these people be trained and educated first on the latest security vulnerabilities, security issues and practices followed throughout the world.
Michelangelo C. Collura says
I would wonder about the first line of defense, so perhaps the professor will chime in. I would think that automatic controls, such as prohibiting web browsing on company devices or wifi, would preempt security training. This isn’t invalidating the training, but as we all know, people can ignore it.
Michael Gibbons says
I’m not sure if I look at this correctly, but operations and management would be part of the 1st line of defense and be responsible for implementing appropriate controls that reflect the organization’s risk appetite. The second line of defense would include some of the assurance activities like Information Security, Legal, Compliance, Enterprise Risk Management, and my understanding is also that the security awareness and training is owned in this line of defense. The third line of defense is audit, who does not own any controls nor acts as a control but provides independent assurance over the controls.
Richard Flanagan says
Michael – I think you are exactly right. You want operations (IT or otherwise) to run such tight processes that nothing bad is apt to occur: no missed assignment, no policy violations, all intrusions discovered, etc. No one will be perfect but you want them to be as good as possible. Internal management including key staff groups like internal auditing, legal and HR should be monitoring the processes looking for potential problems and then recommending action. External audit gives the truly external review, but one hopes there is nothing significant left for them to find.
Richard Flanagan says
Michelangelo – certainly these can help, but only if the right tone is set by the organization. We had a clear policy: look at porn on the company’s equipment and you are fired. Every month or two some bored operator on the midnight shift at a plant would try to outsmart our controls and then be fired. I think we had an excellent tone and we gave everyone lots of training (including telling operators that this was the #1 reason for firings) but still, every month or two someone did it. Behavior is very difficult to control.
Patrick DeStefano (tuc50677) says
Don’t forget quick response time as a byproduct of good security education. If your organization has good security education, everyone knows what to look out for and how to respond at the first hints of a security incident. The earlier it’s recognized and contained the better. Employees who are properly trained in recognizing phishing emails or click-bait malware are much less likely to accidentally allow a virus into the system.
Donald Hoxhaj says
4. Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security process?
The Risk Response Measure and Security Governance are 2 areas where I feel these 2 topics relate quite a lot. The Board governs the whole security process within an organization and ensures that all practice teams and security settings within an organization are following or adhering to maximum security protection and safety measures. Similarly, in Gartner’s 10 security processes, there is a lot of importance given to the Incident Response strategy that helps the teams to respond to security breaches in the quickest time possible. Ultimately it is the board that will supervise and decide on the security implementation that needs to be done, and therefore both are linked because Gartner’s 10 security processes act as enablers to the already existing processes in place.
Richard Flanagan says
Keep in mind that the board is responsible for the future well-being of the company. As cyber attacks become more impactful, boards need to pay attention. Unfortunately, many still don’t.
Vince Kelly says
I totally agree! I recently read an article that attempted to put some dimensions around this risk. The article claimed that:
“…according to some recent figures the global figure for cyber breaches had been put at around $200 billion annually. Or, looking at it from the retail level, $670m in associated costs through theft, lost time loss, identify theft, etc.”
“For the UK, a Government body for cybercrime had estimated the numbers at around that time ranging from £11 billion to £27 billion per annum for the entire UK and Plc economic impact. However, these numbers only related to a third (34%) of cybercrimes actually being identified within six months of incidents occurring.”
You’d think those numbers would get the board’s attention, but in spite of all this, the article cites a recent study that pretty much confirms your point:
“…According to findings from Fortinet’s Global Enterprise Security Survey, which canvassed 1,801 respondents who have responsibility/visibility of IT security across sixteen countries including Australia, Canada, Germany, Korea, the Middle East, Poland, South Africa, the U.S. and UK, almost half (48%) of IT decision makers believe members of the board still do not consider cybersecurity as a top priority.”
Boards seem to focus heavily on profitability – even at the expense of people’s jobs at times – you would think that the numbers and exposure pointed out by the article would get Boards to realize that this is an area of ‘low hanging profitability fruit’.
Michelangelo C. Collura says
This is a very good point, and I believe it’s where we would be setting the new trend, as new IT audit staff coming into organizations today. Rather than simply listing details and sticking to the tech side, we are well suited to explain and persuade leadership so that the trend of uninformed and aloof boards and c-suites can become a thing of the past.
Michael Gibbons says
I think it also points to the skill sets that Boards are not requiring of themselves. In the majority of companies I have worked for, the overall majority of Board members were lawyers or CPAs. There may be 1 Board member with actual IT experience but not enough to translate business and IT risk to the rest of the Board. It would make sense to have requirements for the Board to have a more in-depth knowledge of IT risk so they could ask the right questions of management rather than just taking management’s word for it (trust but verify approach).
Heiang Cheung says
I think also that boards don’t really think it could happen to them until it actually happens. I think this is like most people. Most people don’t worry about their password being easily guessed or connecting to a random Wi-Fi network until their devices or accounts get hacked. Good point on the lack of skill sets or knowledge of IT among the board members, because I do think that if they knew the importance it would be implemented better.
Richard Flanagan says
Michael, my co-author, Jan Yeomans, was the treasurer of 3M and currently sits on three boards, so she has been going to board meetings for some 30 years. As of the time we wrote the article she had never seen IT discussed at a board meeting. Jan (MBA) thinks this is crazy but says when she has tried to bring up cyber security she was looked at like she had two heads. Jan says that this is getting better now, but slowly. She laughs that different boards are asking her to come speak since she doesn’t consider herself an expert at all. I know of one other person, who is a security expert, who has been doing a lot of cyber sessions for boards in the past year.
Don’t judge too harshly, board members do have a lot to do at these meetings. Jan tells me her typical meeting is three days long, has maybe 100 items on the agenda (scheduled down to 5 minutes per item), and has about 1,000 pages of pre-reading to digest before the meeting.
Donald Hoxhaj says
5. How much attention do you pay to the security of your device, data, and behaviors?
I usually am aware of the security breaches that could happen to my smartphone, internet use, or internal university resources that I use, and therefore I try to adhere as much as possible to the security practices. I usually try to lock my phones or computers if I am not working or not at the desk so that any unauthorized access can be prevented. If I see any suspicious behavior, I would immediately report it to the company or the university so that fast response measures can be implemented, such as blocking access to my data. On a constant basis, I ensure that I have the latest security patch installed on my systems, which would prevent brute force malware attacks. Whatever is within my control, I would certainly go ahead and do it.
Anthony Quitugua says
Donald,
Unfortunately I think you might be in the minority with how you handle your own security. I am constantly reminding my coworkers to do most of the things that you mention. I routinely see unlocked and unattended workstations, unlocked phones left on desks and file cabinets left unlocked and unattended. It seems as if the security training we do is not paid attention to at all.
Patrick DeStefano (tuc50677) says
I treat work security at a higher level than my own personal security. I generally always lock my workstation when I walk away from my desk as well as make sure I take my badge and token with me. That being said, my own personal devices I don’t hold up to this standard. I don’t keep too much personal data on my phones, but I should probably keep it in mind and work on being better at it.
We used to have a process where every so often we would have a random desk audit where someone goes around to randomly preselected workstations to ensure that security measures were being followed. A good idea for anyone with highly confidential data.
Pascal Allison says
What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
The processes are divided into two parts:
Security Responsibility:
• Security governance
• Policy Management
• Awareness & Education
• Identity & Access Management
• Vulnerabilities Management
• Incident Response
IT Responsibility:
• Change Management
• Disaster Recovery & Business Continuity
• Project Life Cycle Management
• Vendor Management
These processes are vital because of the risks associated with them. The risk is how management views risk and security; what plans or actions are available to account for these risks. Some key points will be inefficient decision making, ineptitude (strategies, policy, individuals), and acquisition of unproductive applications.
• Security governance – wrong structure or decision to meet business goals (information or application available to the wrong individuals)
• Awareness & Education – employees are the weakest part of an organization; thus, lack of knowledge is a serious risk (damaging application, misusing application, etc.)
• Identity & Access management – information must be available only when needed; if it falls into the wrong hands, that is a recipe for disaster. Unauthorized access and improper identity can lead to misuse, abuse, and unaccountability. If it is not available, it could impact business functions.
• Disaster Recovery & Business Continuity – Since risk is inevitable, there is a risk of not preparing for its occurrence. Decisions for recovery could save the organization image, finance, lawsuits, and help the business stay alive.
• Vendor management – if vendors are not managed properly, it could lead to increased cost, inadequate service, and inefficient vendor selection and contracts.
• Incident Response – responding is great, but the inadequate response could escalate the issue or could not resolve the issue.
• Vulnerability Management – the discovery, reporting, prioritization, and response are important to risk management. If the right decision is not taken, the organization could be exposed to lots of risks, mismanage risk, response inefficient, etc.
• Policy Management – authorization, methodology, tools, and techniques need regulation. If they are not regulated, they can be abused which lead to damages, lawsuit, breaches, etc.
• Change Management – the risks associated with change management are increasing the cost of avoidance, inefficient mitigation strategies, resistance, and disruption.
All processes help with the preservation of information security. If these processes are not implemented correctly or not implemented at all, information security preservation will not be realized (risk).
Vince Kelly says
Good point about governance Pascal – the wrong structure or decision to meet business goals is like the Generals who try to ‘fight the last war’. I think governance shouldn’t be considered as static or rigid; instead it should be considered as a dynamic and continually changing process. As the Gartner article points out, “the governance process is measured in terms of the effectiveness and efficiency of security in delivering business value.” So given that the business environment is nearly always under *constant* pressure to innovate, adapt and change, security governance should be flexible enough to change with it – or else it just becomes counterproductive, don’t you think?
Pascal Allison says
Absolutely Vince, contemporary security governance is key. If security governance is set based on the risks of today, it should change and adjust based on future arrangements (risk). This should happen with appropriate change management.
Pascal Allison says
Who or what do you think is the most significant risk to any organization?
I think employees or people are the most significant risk to the organization. I think so because either employees cause the damage, or they do not act to prevent the damage. All of the processes spelled out by Gartner are initiated and implemented by people; people manage equipment; policies are written and followed by people. If these people are not trained or decide not to follow law or regulation, nothing can be done correctly (risk).
Richard Flanagan says
Pascal – does your company do anything to make sure your employees are aware or to test them?
Pascal Allison says
Yes, employees attend training, workshops, watch videos, read resources, etc. After which we are tested to determine our level of understanding. The test is closed book, pass or fail. Most tests have a passing mark of at least 70%.
Sometimes, there are drills for practices, improvement, knowledge development, etc.
Michelangelo C. Collura says
I don’t know if this is industry standard, but I find this to be very effective protocol. Closed-book, passing of 70 or higher…. This really does emphasize security. The only question I’d ask for further clarity is what happens if staff fail or do not take the test, perhaps for vacation, sick leave, etc. Is it easy for staff to get around the requirement?
Pascal Allison says
No, there is no way around it. If not completed, it shows up as “pending or Not Started.” That employee is required to complete the training and testing upon return.
If it is a face to face training, the employee will join the next class for training, after which the test must be completed.
Pascal Allison says
Technologies, policies, equipment, regulation, and laws are not controlled by themselves; people control them. People (employees) are the most significant risk of an organization, so educating them is important. Security education is important because it teaches employees by creating awareness, which enforces the resistance to breaches, reduces the number of breaches, and explains employees’ roles in information security. One reason would be that the cost of training is less than the cost of untrained employees’ negligence or error.
Michelangelo C. Collura says
People tend to assume that data theft involves high-tech methods of technical savvy. As you mentioned, people are indeed the weakest link in security, not the process or technology. I think the first step to reducing such theft is to make this axiom known to average people outside the industry.
Pascal Allison says
Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security process?
Board members are no longer waiting on the CISO or CIO to tell them what to do or when to do it; besides, data breaches are focusing on board members, knowing that board members communicate with the organization via email.
Board members are involved in the discussion and decision-making processes, measures and actions to prevent or handle risks, and compliance with regulatory laws, which is parallel to Gartner’s top 10 security processes. If board members must ably support management or execute their function, the board members must also get these processes right to contribute fully to the organization’s well-being, because everything they have to do is guarded by or parallel to the Gartner processes.
Richard Flanagan says
Pascal – keep in mind that the board is not management. They are not active in making decisions, but they are actively monitoring what senior management is doing to assure the company’s future.
Pascal Allison says
How much attention do you pay to the security of your device, data, and behaviors?
I am very cognizant of the security of my device, data, and behaviors. I understand the effect of the insecurity of my device, data, and behavior. I have installed antivirus and other protective software on all my devices where possible, and have security alerts on all devices and internet activities. Bank account, email, and social media come with a second verification step (code via email or phone), etc.
I pay attention to abnormal activities on my devices and data. Once I am notified of an unprotected website or the possibility of data stealing, I do not visit that site. The antivirus, which I update periodically, helps.
Paul Needle says
1. What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
The following are the 10 processes that Gartner says you must get right as well as the risk of not getting them right:
– Security Governance: Without governance there can be no assurances that the correct actions are taken and executed properly. It’s the foundation of security.
– Policy Management: Without policy management there would be no structure to establishing controls resulting in ambiguity and confusion.
– Awareness and Education: It’s crucial that continuous learning be implemented in the culture as security is continuously evolving.
– Identity and access management: This could weaken the control environment if appropriate levels of authority are not defined. It also helps identify breaches and avoids overlap with segregation of duties.
- Vulnerability management: If they are not actively strengthening security, then there will be unaddressed vulnerabilities.
– Incident Response: A delayed response could exacerbate the cost of a breach and the scale of an incident.
– Change Management: The company would be unable to monitor change in a controllable and auditable manner if they do not have a structured process.
- Business continuity management and Disaster recovery management: Unexpected outages or disasters can cripple a company, particularly if it comes at a time of high profit for a company. Not being able to get everything up and running could result in significant revenue loss.
- Project life cycle management: The risk of getting this wrong could result in costly and ineffective projects that don’t benefit the company.
– Vendor management: Having the appropriate contracts in place is key to vendor management and if not done appropriately the company could have serious issues with service and availability.
These controls provide a foundation for a structured approach to security. They provide the basic outline that a CISO should follow.
Paul Needle says
2. Who or what do you think is the most significant risk to any organization?
A company’s employees are the single biggest risk and strength of an organization. It is similar to the weakest-link-in-a-chain theory. Having a strong culture and training program will help raise awareness of cyber security for the whole company. This starts with the C-Suite and funnels down through the rest of the company. If one employee accidentally clicks on a link or downloads a virus, the control environment can be compromised. That is why it is so important to implement a culture and educate employees regarding cyber security.
Paul Needle says
3. Security education is spoken of often. Why is it important?
It is crucial for a company to educate their employees on the exposures and how to defend against them. It needs to be built into the culture of a company, which starts from the top down. Having cyber security built into the culture of a company will promote a heightened awareness of the potential threats and an understanding of the vulnerabilities. Any one employee can be a target, and they need to be trained on cyber security to help protect the company as a whole. Also, the threat agents are constantly looking for new ways to breach a system. It is important that employees are continuously learning how to appropriately defend against cyber threats.
Vince Kelly says
Exactly, Paul. I think your point goes right to the heart of organizational and, MORE importantly, personal accountability. Simply laying down a bunch of rules and forking out money to buy security hardware and software will amount to nothing if security isn’t embedded into the company culture and accountability isn’t owned by everyone.
Michael Gibbons says
Excellent points Paul and Vince. The only other thing I can think of besides personal accountability is consistent enforcement of policy. Some users may know what they did was wrong but if the culture says it’s ok for management to ignore this and not report an incident but use the same example to fire the next person, it creates mass confusion and distrust for the process.
Paul Needle says
4. Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security process?
Both articles put heavy emphasis on the board and the CISO to address cyber security. Cyber security needs to have a dedicated position to manage, oversee and implement cyber security for the entire organization. This role is the CISO. Both articles speak to a systematic approach to identify what to get right in order to have a strong cyber security and control environment. There is also emphasis on building the culture and having the appropriate response when something does occur.
Donald Hoxhaj says
Paul,
Thanks for sharing your perspective. Yes, you are right that both these articles do throw light on the importance of addressing security by the CISO. In fact, systems should be designed in a way that is more controllable. I can recall an example of a recent internal risk that happened at Facebook where the systems started generating their own codes in the Artificial Intelligence platform. The system could never be controlled and Facebook had to shut down the system. Security controls should lay out proper procedures and control mechanisms to address unforeseen security risks.
Paul Needle says
5. How much attention do you pay to the security of your device, data, and behaviors?
We hear the term cyber hygiene often. I believe good hygiene is something that one needs to do daily. It’s something that is just a part of life or a cost of doing business. Cyber security should be viewed as an absolute necessity or things will deteriorate. I try to utilize the same thought process at home and in my daily life as I do at work because it’s important to have overall good cyber hygiene.
Vince Kelly says
1. What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
Security Governance:
Helps to ensure that the right actions are taken to balance the needs to protect the organization against the needs to run the business. The risk here is that the Governance process is not effective and/or efficient and that as a result, business value won’t be delivered.
Policy Management:
Defines/articulates the enterprise’s risk appetite, risk tolerance and how much residual risk it can afford. The risk is that policies that lack clarity create the potential for a “Tower of Babel” approach to security where people are unsure of what is and what is not permissible, what their individual responsibilities are and how to put together and maintain a comprehensive and reliable security environment.
Awareness and Education:
Helps by ensuring that everyone understands and appreciates the impact of proper security policies and procedures. The risk is that, if people are not aware of the risks or cannot be influenced to engage in behaviors that minimize the potential for risk, then it doesn’t matter how comprehensive or effective governance and policy management are, because they will simply be circumvented when people feel that it is convenient to do so.
Identity and Access Management:
Helps by ensuring that there is a proper and systematic level of managing user identities from the minute that they join the enterprise until the minute they leave. This includes activities like ensuring the proper separation of duties, privilege levels, etc. The risk is that without proper IAM, it becomes more difficult to protect against, identify and mitigate breaches that will inevitably occur as a result of poor IAM management.
Vulnerability Management:
Helps by identifying, assessing and resolving security weaknesses in the enterprise – including process and poor staff practices. The risk is that vulnerabilities are not identified or go unnoticed until they are discovered and exploited by malicious or incompetent actors.
Incident Response:
Identifies how to prepare (anticipating what could happen, what to do, etc.), how to detect and expose, how to triage an incident that has occurred or is occurring, how to classify and contain the threat or vulnerability, how to remediate, and how to report the incident and do a post mortem (the learning process). The risk is that one or more of these things do not occur – e.g., a threat is never identified until it’s too late, it’s handled in a way that creates even more damage when it does occur, it’s never remediated and, most importantly, the organization never learns from the incident – it just continues on as if nothing happened, subjecting itself to the same incident in the future.
Change Management:
Helps by making sure that changes are instituted in an organized, controlled and auditable manner. The risk of improper change management is that the change process itself could introduce errors and failures if not managed correctly (e.g., making changes too late or too early in a process, not making the correct type of change, etc.).
Business Continuity and Disaster Management:
Helps by ensuring that in the event of a serious disruption to the enterprise, business operations can continue and systems and processes can recover in a considered and orderly manner. The risk is that the enterprise may be exposed to the failure of their backup and recovery plans precisely when it is needed most, they may cause reinfection/reintroduction of malware into the enterprise after it has been remediated, etc.
Product Life Cycle Management:
Helps by ensuring that serious, expensive and possibly immutable security risks to the enterprise are avoided. The risk with poor product life cycle management is that the enterprise fails to adopt an appropriate methodology, doesn’t accurately assess projects, fails to get the appropriate level of approvals for the architecture, design, implementation and/or operational aspects of the business.
Donald Hoxhaj says
Vince,
Your points on Incident Response and Product Life Cycle Management were quite interesting. You mentioned approval stages in PLCM. That’s a pretty important point, as I see, because many times in organizations decisions to change or modify processes are made without taking the necessary approvals from a higher authority or someone more experienced. It’s also seen that a lot of assumption and intuition plays a part here, and these risks can be extremely costly. One way organizations can avoid this is by having an approval mechanism where no individual approvals are given a green signal without the approval of the senior. Any deviation here shall be notified immediately.
Vince Kelly says
2. Who or what do you think is the most significant risk to any organization?
In my opinion, the most significant risk to any organization is people – both internal and external to the organization. Because fallibility is at the very core of what makes us human, no matter what the level of involvement or circumstance, no matter how vindictive or how well-meaning their intentions or advice are, people will always represent the most significant risk to any organization. This applies to all facets of human interaction – even in what would appear to be innocuous advice on security.
For example, this week’s assigned reading article, “Cybersecurity after WannaCry: How to Resist Future Attacks” by PwC, offers advice in the form of “five key factors that separate vulnerable companies from more resilient enterprises”.
This article was offered as ‘expert advice’ and was probably consumed and relied upon by its readers as something which they need to do in order to protect their organizations against future malware attacks.
The problem is that this article contains some of the most blatantly and absurdly stupid statements that I have ever had the misfortune to read. The article in and of itself creates the potential for significant risk to an organization or anyone who might be naive enough to take it seriously and react accordingly.
For example, point number 5, “Early adoption of cloud technology” was written by someone who clearly had no clue about what they were talking about because, (among other things) they try to make the following claims:
“Cloud-based systems are updated easily and automatically in one location, accumulate data in real time about attacks and intrusions, and incorporate built-in constraints that separate software layers and block intrusive software from reaching fruition. This gives them an edge over systems that rely on computers on the premises. It may also be relatively difficult for intruders to exploit holes in cloud-based architecture. For example, in late April 2017, Google blocked a spear phishing attack (an attempted use of targeted email to get people to send compromising information); the cloud-based aspects of Gmail software enabled it to rapidly identify and isolate the intruding malware.”
Actually, cloud-based systems are absolutely NOT ‘updated easily and automatically in one location’. A capability like this is something that completely depends on MULTIPLE factors, like application design for example. The fact is that the very nature of cloud-based systems and cloud-native applications is that they are distributed systems. Typically, workload instances and the data that they use are dispersed and ‘cached’ *globally* in order to have them positioned as closely as possible to those who need them. In other words, cloud workloads are no more easily updated or automated than any other “non-cloud” workload unless a conscious and specific effort is made to do this.
Contrary to what the author is trying to claim, accumulating and incorporating data in real time is not unique to cloud workloads. These are capabilities that you pay for and nothing more. The ability to take advantage of these capabilities is completely service-provider dependent and may actually cost significantly more to do in the cloud than within a local data center.
The author also makes the following (ridiculous) claim:
“…[cloud technology] incorporates built-in constraints that separate software layers and block intrusive software from reaching fruition. This gives them an edge over systems that rely on computers on the premises….”
Again, the authors of this article prove that they are either completely confused or completely ignorant here. Clouds are *INHERENTLY* less secure than what the authors refer to as “computers on the premises” (whatever that means).
For example, while it is true that a secure (typically point-to-point) tunnel is established between the ‘cloud’ and the end user or the data center, it is also true that once the machine instances are up and running within a cloud data center, the traffic between the instances can be looked at and treated in any way that the service provider feels is in its own best interest – this includes consciously and intentionally DISCARDING customer traffic during periods of peak traffic congestion if they want to.
If the author was making the point that handing over every bit of control to a third party that neither allows you to understand how their network is designed or how their traffic engineering is accomplished is more secure than “computers on the premises” then they are completely delusional and should not be offering advice on networking or anything else for that matter.
The author goes on trying to make the point that ‘clouds’ are more secure with the following claim:
“It may also be relatively difficult for intruders to exploit holes in cloud-based architecture. For example, in late April 2017, Google blocked a spear phishing attack (an attempted use of targeted email to get people to send compromising information); the cloud-based aspects of Gmail software enabled it to rapidly identify and isolate the intruding malware.”
REALLY? The author probably missed the point or simply just fails to understand that the CIA sat in Internet POPs between Google’s data centers running network analyzers on their traffic *FOR Y E A R S* without being detected, and did it despite the fact that Google has one of the most advanced and sophisticated internal security practices in the world.
The simple fact of the matter is that ‘Clouds’ are not magic. You can’t just dump everything into one and somehow mysteriously end up with a more secure environment. Unfortunately the author seems to be unable to grasp the fact that a ‘Cloud’ is nothing more than a data center and that *A L L* data centers, Cloud and non-cloud, are like sausage factories – what comes out of them is great to consume but you’d never want to know what goes into creating that output 🙂
I want to make the point here that I am certainly NOT taking a Luddite, anti-cloud or anti-Google position. On the contrary! I’m just trying to point out that people who try to pass themselves off as experts with valuable advice to share can pose just as much risk as any hacker or well-meaning but incompetent employee does – because we are all only human 🙂
Richard Flanagan says
Vince – Wow, I guess you didn’t like the article. Your points are well taken, though I think for many small organizations there is some benefit to running their limited computer operations as PaaS rather than in their closet down the hall. Such places just don’t have the knowledge and discipline to do even the basics of physical security, backups and business continuity planning. Going to the cloud helps them a little, but it doesn’t make them secure by any means.
I am not saying that going to the cloud solves all their problems. Look at the Gartner ten processes you must get right. Do any of them sound like the cloud provider would take them over for your organization? I don’t think so, your organization will need to continue to run them all.
Donald Hoxhaj says
Vince,
Glad that you picked up a very valid risk to any organization, i.e. people. People interact closely with systems and are functionally more aware of security connections than anyone else. Believing that they would be the operators of these systems, it is imperative that they would be the first level of risk to any system. Cloud-based examples throw light on the fact that the security and risk learning aspect is solely
Vince Kelly says
3. Security education is spoken of often. Why is it important?
According to Gartner, a lack of security awareness and education “runs the risk of all other processes being ineffective unless there is an effective awareness and education program.” “Enlightened awareness is achieved in part through education and aids in reshaping enterprise cultures that do not fully understand or appreciate the impact that inadequate security can have on all other IT and business processes.”
Security education is important because, (among other things), it identifies and sets the organizational and cultural boundaries for what is and what is not acceptable within the enterprise. Without an understanding of what the rules are, people have a tendency to rely upon their own experience and judgement in cases where clarity is undefined or ‘murky’ – as opposed to seeking out guidance or doing the kind of research that would be necessary to make an informed decision.
Like any other form of ignorance, the lack of (security) education creates organizational and cultural ‘blind spots’ and significantly increases risk. I think that this concept is best summed up by a now famous, seemingly non-sequitur but actually profound (and hilarious) quote by Donald Rumsfeld:
“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know.”
:););)
Michael Gibbons says
I had the pleasure of working a data loss incident where we were required to notify our regulator if we knew customer data was lost. The person responsible for making that notification used a known-unknown as the reason to not notify. He knew the third party lost it, but the third party could not confirm that anyone else accessed or found it, so his belief was that the regulator did not require notification.
Donald Hoxhaj says
Hi Vince,
Thanks for your response. I liked the way you described the boundaries that security education creates in an organization, as it helps to understand what is acceptable and what is not. It is true that a lack of awareness of or ignorance toward security education creates blind spots and puts the organization into a stage of unknown risks for which it is not prepared. Moreover, security education, as you mentioned, helps in removing uncertainty and risks associated with human error or knowledge and relies more on fixed rules or lines of operation.
Vince Kelly says
4. How much attention do you pay to the security of your device, data, and behaviors?
I’m certainly no expert when it comes to security but I do believe that I have at least a basic understanding of the necessity for paying attention to commonly accepted security principles and practices. *THAT* being said, I must admit to a fair amount of hypocrisy and failure in ‘practicing what I preach’ when it comes to security.
I have, on multiple occasions, accepted a USB stick handed to me by a total stranger during a meeting. I also admit to using overly simplistic passwords at times, and have often failed not only to back up my PC and enthusiastically stay on top of application software patches, but have even stooped so low as to force inactivity timers on my PC well above their intended settings – for these and all other security transgressions I am truly sorry. Unfortunately, though, human nature usually dictates that expedience trumps secure practices – penalties be damned 😉
The one thing that I’m sure will affect these unintended behaviors in a positive way however, is the security awareness, education and insights that I will gain from the Temple ITACS program. My expectations for this program are extremely high – well above what I would normally consider reasonable in fact – this is in part because the topic of security has become table stakes as a competency and *profoundly* more important to IT practitioners than ever before. I’m hoping that I will not be disappointed.
Richard Flanagan says
Vince – I hope we meet your expectations, but I want to emphasize something you said. IT as a practice has been focused on producing value (at least good IT orgs have been) to the exclusion of all else. This is not sustainable. Security must be built in from the ground up, sometimes at the cost of reducing the value of the system to be delivered. We all need to pay attention to security, and I would have to admit that I only paid it minimal attention during my career.
Vince Kelly says
Not to quibble, professor (and I think we may be saying the same thing here), but ‘producing value’ is a relative term. Any business can create ‘value’. Any business can have the grandest vision, create the best products, and provide the best support, but rule number one is that they must be able to demonstrate that they can do this consistently – not simply for a couple of quarters or even a couple of years, but over the long run.
This is *THE* reason why markets “price in” future events and expectations when they evaluate a company. There is a basic assumption that all companies will and *must* perform in a consistent, sustainable way – otherwise those companies can’t be relied upon to provide predictable returns and when that happens, investors punish them.
So I do believe that IT as a practice has to be focused on producing value to the exclusion of all else, but if, for example, IT develops the ability to generate the most timely, insightful, impactful business analytics dashboard that has ever been created in the history of business but then can’t deliver that information to the right people at the right time, then they’re really not adding any value – right?
My point here is not that ‘producing value to the exclusion of all else’ only means profitability, on the contrary. In my opinion, protecting profitability is one of the factors that goes into creating value – whether that means building the best supply chain or manufacturing processes or having the most effective and robust security in the world – they are all aspects of creating value.
One point that I’d wonder about, though, is the statement that “security must be built from the ground up” – are the words “…from the ground up” meant to be taken literally, or are they simply metaphorical? I’d certainly agree with the latter, but would think that the former would be extremely hard to do for any significantly sized company or institution, right?
Richard Flanagan says
Vince – once again I think we are in violent agreement. My view of value is more probabilistic, so the correct term is probably expected value. All the things you mention raise the future expected value of the organization. But I see many organizations that are not paying attention to security in their short-term race for increased profits, thus raising the odds of having an incident and loss in the future. Some may get away with it, others will not.
And yes, I am speaking metaphorically.
Michael Gibbons says
Professor – From the audit side (ISACA, the IIA, the AICPA, etc.), they are all writing about the need for audit to provide value to the organization. I understand that audit findings are not necessarily bad things, but when you write up multiple findings, the majority of people on the receiving end are more than happy to say that adds no value to their process. It might just be ego rather than taking a step back to look at that process and see if the findings actually improve something. Where do you see the most value from the audit process, and is it similar to the value created by Information Security?
Richard Flanagan says
Michael – Great question. I believe that the majority of value that audit produces is in mitigating risks. Whether this is a bad business process that could cost in terms of causing customers pain, or traditional fraud, or cyber attack, audits are done to identify potential risks that are not well mitigated. Unfortunately, if an organization is responsive, the holes are filled and the risks are mitigated, then lower levels of the organization do not see the benefits. Your point about people saying the audit added no value is dead on. This is most likely because the person in charge of a process is measured by the output of that process, while someone else is measured by the risks it poses. Thus, anything risk related that hurts production is seen as destroying value. Only when you get someone in charge who is responsible for both the output and risk of a process are you likely to see an acceptance that handling audit findings can add value.
Donald Hoxhaj says
Vince – You pointed out an interesting thing about ignoring risks when someone hands over a USB stick. Even I have faced these things, especially in local gatherings at meetings. I think security is an individual awareness factor and it requires a little bit of discipline too. Many times we have a tendency to quickly jump the gun and fill in a weak password thinking that it won’t affect us. However, when a security breach happens, we are devastated. Thanks for sharing your response.
Vince Kelly says
4. Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security process?
Gartner highlights Security Governance as a process where “collaboration between security and the lines of business occur to review processes, to assess business goals and risks and to drive the direction of security accordingly.” “The outputs are the outcomes of governance meetings, such as key decisions, endorsements and commitments to provide resources to initiatives and issues that are tabled.”
This is not unlike the COBIT 5 Governance Evaluate, Direct and Monitor (EDM) components. Governance Evaluate includes identifying and agreeing on objectives that must be achieved, Directing and prioritizing decision making, and Monitoring performance and compliance against objectives.
Michelangelo C. Collura says
What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
In security governance, the primary risk is not aligning your IS to the needs of the business, thereby giving the wrong ‘marching orders’ to the rest of the firm. In policy management, a major risk would be inadequate buy-in from stakeholders, running the risk of policies not being implemented well or at all. In awareness and education, the risk is that incorrect, inadequate or excessive information gets to a given audience, wasting time and resources. In identity and access management, the main risk is in messy access controls allowing the wrong people access to the wrong systems/authorizations, potentially causing chaos for the firm. In vulnerability management, the obvious risk is misidentifying the key security vulnerabilities and so not properly mitigating the risks. In incident response, the major risk is not learning from prior incidents, thereby dooming yourself to repeat the past. In change management, the risk might be in the CISO allowing changes that cause more harm than good – a result of bad assessment and testing. In business continuity/disaster recovery management, we know many risks can pop up if DR plans are left out of date or poorly understood by staff, meaning disaster strikes anyway. In project life cycle management, one risk could be in the IT staff not signing off on product changes, potentially introducing flaws or added work to the life cycle. In vendor management, a large risk would be in allowing vendors unnecessary access to the network, potentially compromising proprietary data.
In all examples, controls help by simply allowing those systems to do what they’re designed to do. The planning and processes are solid, but they can easily fall apart due to the risks I listed and many others.
Michelangelo C. Collura says
Who or what do you think is the most significant risk to any organization?
This depends on a firm and its business model, but one common element across industries and company sizes might be lack of genuinely engaged governance. By not adequately understanding or caring about IS, a firm’s leadership sets the tone for all staff, even vendors or possibly clients. All would see a ship without a captain, or perhaps one unaware of systemic issues. This has a damaging effect on the brand, but it also means the potential for risk is much higher, simply because leadership does not care to exert authority appropriately and in an informed manner. This might be a CEO, or it might be the entire c-suite, or perhaps a leader of a department in government, but the rule would still apply.
Michael Gibbons says
Very nice description, Michelangelo! I agree with the lack of governance, it’s almost like tunnel vision sets in for specific silos within the organization and they cannot let go and look at the bigger picture.
Patrick DeStefano (tuc50677) says
I wholeheartedly agree, Michael. This also would have a very large effect on employee performance and morale within IT. If they feel their leadership doesn’t care about or appreciate the work they do, they will be less likely to go above and beyond, less likely to respond quickly, and less likely to care when a security incident occurs. Depending on how dismissive the organization is of its IT department, this might even bring employee morale down so low that the risk of an employee-initiated incident increases. All things to think about.
Michelangelo C. Collura says
Security education is spoken of often. Why is it important?
It is perhaps the most effective control, as it prevents the risk from occurring. When education occurs, it also allows individual users/staff to use the controls; there is no oversight or managerial intervention necessary to implement. This saves money and allows more risk to be identified and addressed more quickly, since many different perspectives are brought to bear. Also, a firm is not only helping itself but also the staff, because such education tends to be valuable to private citizens these days. Knowing how to avoid phishing attacks, for example, is incredibly important to a firm, and it is also quite important to individuals. To provide this education, one might argue that a win-win occurs, with some tangential benefit to society from increasing awareness of security vulnerabilities in the modern age.
Anthony Quitugua says
Exactly. There is a common theme in this discussion that people are the biggest risk to IT security, and education is the best way I see of mitigating that risk. An individual educated on the threats and vulnerabilities is LESS LIKELY to become a threat or vulnerability. Properly educating users makes governance that much easier.
Michelangelo C. Collura says
Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security process?
There is a heavy emphasis on governance in the Week 2 article – something heavily emphasized in this week’s reading as well. Governance management is seen as the fountainhead from which all other security management processes originate and gain authority, so it’s no surprise that the biggest successful hack defeats involved strong governance. The board must be involved, and in a corporate setting, this would translate to the strong governance management described. The board would be actively engaged, with security briefings to understand risks and how to assign oversight responsibility for given issues. Above all this of course, strong and smooth communication is a crucial piece.
I also feel the Week 2 article gives focus to the incident handling processes, in line with incident response discussed this week. Detection, assessment, response and learning are the main steps listed out, which provides the clear process mentioned in Week 2 for a successful IR plan.
Michelangelo C. Collura says
How much attention do you pay to the security of your device, data, and behaviors?
I am aware of most of the issues/strengths, but I try to mitigate them wherever possible. For example, I was aware that my phone was running a lot of memory-intensive processes with dubious authorizations, so I obtained root access to the device and removed all of them. Behavior is most important, in my opinion, and so I attempt to avoid being predictable on public devices. On private devices, security can be lax, and so it’s that much more important for me to utilize as much security as I can without compromising basic device functionality. At the end of the day, this is my main calculation; how much lost convenience am I willing to accept for added security? I feel this is different for every person, but most should err on the side of security.
Tamekia P. says
1. What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
The risks associated with these processes include unauthorized access, loss of data integrity and availability, data breach, incorrect selection of projects.
Tamekia P. says
2. Who or what do you think is the most significant risk to any organization?
The most significant risk to an organization is the CEO. The CEO and executive board drive the tone at the top. Their priorities become the priorities of the organization. This is often why CEOs are replaced or penalized after data breaches and other incidents. As the saying goes, the captain goes down with the ship.
Richard Flanagan says
If only this happened all the time. Note the Wells Fargo incident where all the board members survived a retention vote despite their clear lack of oversight on the internal fraud being committed by the company.
Anthony Quitugua says
That is a sad but true fact. As a Marine Officer, I always believe that you can delegate authority but you can’t delegate responsibility. As the leader of any organization, you must accept responsibility for EVERYTHING that happens within that organization. Wells was a clear case of institutional failure emphasized through a terrible corporate culture. This should have resulted in a purge of the firm’s senior leadership, or at least the CEO stepping down out of principle.
Lezlie Jiles says
Tamekia, I couldn’t agree with you more. The CEO’s priorities are sometimes so focused solely on the organization’s objectives that it could lead to a not so favorable incident. If the tone at the top says to sell more product line items, then what happened at Wells Fargo is not a surprise.
Professor, I was in banking for 10+ years and this type of behavior is not unusual. The only problem is Wells Fargo got caught. However, if someone looks into PNC and Citizens they would find the exact same behavior, and yes, this behavior comes from the top. I am not sure if it goes on now, but at PNC if you weren’t making your sales quota within 90 days you were fired.
Tamekia P. says
3. Security education is spoken of often. Why is it important?
Security education is spoken of often because it is meaningless to have strong security governance and policy management if employees are not aware. The organization must take a strong position on the need to educate employees about security. This is specifically important given the risks that companies are exposed to as connectivity and technology enhancements are made.
Tamekia P. says
4. Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10?
The topics from the article relate to the top 10 security processes because the processes are essentially ways that the business can mitigate the risk of cyber security attacks. The board being involved sets the tone and ensures addressing these risks are one of the organization’s priorities.
Tamekia P. says
5. How much attention do you pay to the security of your device, data, and behaviors?
I pay relative attention but am not overly cautious. I own a MacBook partly because the risks of viruses are lower. This risk is increasing as hackers are now creating viruses that target MacBooks. Eventually, I will get a privacy screen for my mobile device. My work devices are pretty secure in comparison – the data is encrypted and multiple passwords are required.
Anthony Quitugua says
You are right not to be complacent about security on your MacBook. The amount of malware being pointed at OSX is growing every day. There are numerous free Mac antivirus/malware programs available that will keep your system relatively safe.
Duy Nguyen says
1. What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
• The methodology is used to assess the maturity of an organization’s security processes, and the risk is for an organization with security models that have not matured. Immature organizations will react negatively to the extreme audit process required for this methodology. The article also outlines other risks associated with security-mature organizations using a variation of this methodology with the addition of risk assessment, security architecture, and information classification.
Duy Nguyen says
2. Who or what do you think is the most significant risk to any organization?
• Based on all our readings, humans have always been the biggest risk to any organization’s security. Based on Burg and Joyce, human error is the most prevalent means of an intrusion, either through employees unwittingly exposing organizational data to threat actors or through fraudulent emails from social engineering techniques.
Duy Nguyen says
3. Security education is spoken of often. Why is it important?
• Security awareness and education play a big role in the detection process. No system is 100% secure, and an incident or intrusion is inevitable. Training and educating employees plays a dual role in incident recognition as well as incident prevention.
Duy Nguyen says
4. Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security process?
• Gartner’s security governance process is similar to what was detailed in Cybersecurity and Boards oversight. Both state clear and defined functions and processes for decision making in case of an incident. In addition, an organization should clearly define a group or person of authority to decide security and business decisions accordingly.
Duy Nguyen says
5. How much attention do you pay to the security of your device, data, and behaviors?
• Before taking cybersecurity courses, I never really considered getting hacked or my identity getting stolen. I have always thought that credit card chips and mobile security technologies were sort of good enough for protection. In addition, I have always had the notion that there is a very small percentage of people out there with the skill sets to steal information from mobile payment devices. But after a few months of cybersecurity courses, I have a mental note of changing passwords and making them more complex.
Patrick DeStefano (tuc50677) says
3. Security education is spoken of often. Why is it important?
Security education is extremely important to any firm to have any chance at incident response success. You can have excellent security measures and procedures; however, it is all useless if your employees aren’t properly educated in them. Security education can also encompass fire drills and dry runs for practicing incident response. This type of education can also help with improving response time to any security events or incidents.
Heiang Cheung says
5. How much attention do you pay to the security of your device, data, and behaviors?
In reality I don’t really pay much attention to the security of my devices, data and behaviors. Security is set up at the beginning, like anti-virus for my computer and a password or security codes for my phone. Once everything is set up I go along with everything and basically just forget about the risks that are out there. I know I should be more proactive before my information is stolen, but it doesn’t seem like it should be a priority, especially if I have items in place like anti-virus. I guess if I was a company I would be hacked by now.
Richard Flanagan says
Everyone – what other security measures do you take on your personal devices beyond password and anti-virus?
Anthony Quitugua says
I have MFA set up on all of my OSX devices, which gives me an extra layer of security in that regard. I also utilize the built-in OSX firewalls at home with my Macs.
Even though it’s a minor thing, and might not actually do much, I don’t broadcast my home router’s SSID.
Paul Needle says
I have a 1 million limit from LifeLock through Verizon. This includes the LifeLock Identity Alert System, dark web monitoring, LifeLock privacy monitoring, address change verification, lost wallet protection, reduced pre-approved credit card offers, fictitious identity monitoring, and arrest and court records alerts.
I also have McAfee Mobile Security which backs up certain material and scans my devices.
Finally I back up my most important documents, pictures, information, etc on an external hard drive.
Heiang Cheung says
There are a lot of things to secure devices, like biometric fingerprint scans and facial recognition. There are different types of monitoring services like Credit Karma to make sure there’s nothing on your account that’s not supposed to be on there.
Heiang Cheung says
3. Security education is spoken of often. Why is it important?
Security education is really important for an organization because it helps with shaping the enterprise culture. By having security education, it raises awareness of possible risks out there. It also would change the behavior of the target audience. For example, if people were educated on phishing emails, then people would be more aware and not open suspicious emails. I remember when WannaCry came out we were notified not to open any suspicious emails due to the hacking. Education might not stop a potential attack, but it will lower the risk of one.
Heiang Cheung says
4. Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security process?
The topic in week 2 definitely relates to Gartner’s Top 10 security processes because it talked about strong governance, and how policy and procedure need to be set in place so it could change the culture to take proper risks. One of the top 10 is security education, which helps change the culture in an organization and gives people the knowledge of what not to do and what to do.
Heiang Cheung says
2. Who or what do you think is the most significant risk to any organization?
The most significant risk to any organization is the people in the organization, from the top down. If there is a lack of governance, then things will be all over the place. Policies and procedures need to be put in place, and having a good culture and security education would decrease the risk to an organization. If you think about most hacking cases, it’s usually one employee opening a suspicious email; if there was a culture of being aware of stuff like that, then it would be less likely an employee would open suspicious emails.
Jonathan Duani says
1. What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
I think that there are a few risks that are associated with the 10 processes that Gartner says you must get right. However, after reading through all the processes, it seems clear to me that every process has a risk associated with it, for example access management and not having the right access on the right user so they are able to get into the wrong system. Or vendor management, where a vendor device is not vetted properly and vulnerable software is put on your network and allows you to be attacked. Even though there are a bunch of risks, this framework of the 10 processes is the perfect set of controls that you should look at to make sure they are sound moving forward in your company. If a CISO or a security officer in the company would sit down and make sure all the risks in the 10 processes have been mitigated and the controls are sound, then there should be no reason to worry about the risk associated with it.
Jonathan Duani says
2. Who or what do you think is the most significant risk to any organization?
I think the most significant risk to any organization is weak governance and lack of security. A lot of companies will have security implemented into their environment, but most of the time it is an afterthought. They will develop or stand up a bunch of equipment and not once think about the security implications of this equipment till it is already live. I have noticed multiple times that if security is an afterthought and something is not designed with security in mind, then it will not be sound and will be vulnerable. The same also holds true for governance. If the company does not have a solid IT governance structure in place at first, a lot of things will slip through the cracks and by then it will be too late.
Jonathan Duani says
3. Security education is spoken of often. Why is it important?
Security education is important because knowledge is power. If a user does not know about security, how can they practice it? You are only as strong as your weakest link, and in an enterprise situation that weakest link could cost you millions. If you teach your employees and hold mock phishing scams and the like, where no one actually gets hurt but you can make your users aware of what to look out for, they will be a lot more conscious about what they are doing and be alert. Also, if you have a whole company who knows about security, you have that many people being critical of systems as well. For example, a person that should not belong in an area or a website that does not seem correct: they can make the proper people aware, so instead of finding out after the fact and having to play clean-up, you can get ahead of it. They are inadvertently working for you without them even realizing it.
Jonathan Duani says
4. Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security process?
It seems like after going back and looking at that week’s information that there is a strong emphasis on governance, and not only in that week but also in this week as well. We almost always see a strong correlation between strong governance and a strong defeat of hackers, which tells us that the stronger the governance of a company, the better chance they have fighting off an attacker due to the checks and balances that are in place, as well as the policies that are put forth to make sure things hold true. There is also an emphasis on the board. There needs to be not only some board input, but there needs to be backing by the board, so that it is not just one person making a ruling and that is it, but they have the support of the whole board; when everyone is backing everyone, the governance will be even stronger.
Jonathan Duani says
5. How much attention do you pay to the security of your device, data, and behaviors?
Personally, I have always been a stickler for security. I make sure that my devices are locked down as much as possible and that my passwords are secure. Ever since starting this program it actually has made me much more paranoid than I was before, and I have become even worse with security. At home I run an enterprise network with an actual hardware firewall, and I do a lot of stuff (for fun, mind you, to actually learn what is going on) on my home network with regards to security. Anything that can receive two-factor authentication I make sure has it at this point, regardless, just as another level of security. I actually found software that will allow you to secure desktops as well, if you want to not only unlock it via password but also a two-factor solution, which is how I run all my outside-facing servers like RDP. I recently started using a password manager as well and began changing all my passwords to much more complex passwords and using the password manager to help with keeping track. I do feel like I can do more, but it gets to the point where you need to know where to stop or you are never going to leave the house or do anything, and I think at this point I found the happy middle ground, at least for me.
Brandan Mackowsky says
1. What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
First, the ten processes that are defined by Gartner can be broken down into two categories, each of which face a separate risk. These categories are Security and IT. The ten processes and their associated risks are as follows:
Security’s Responsibilities:
Security Governance – Governance must be adequately supplied, because a lack in governance causes an inability to monitor the organization to ensure compliance to policy and that corrective actions are assigned and followed through.
Policy Management – Policies in place must be managed effectively in order to define the types of risks that the organization is willing to accept. Without it, an organization will take on risks as it pleases and can wind up in a catastrophic situation.
Education and Awareness – Implementing a continuous learning process within an organization is critical to ensure that all people understand what policies are in place and what actions they need to take to follow them and remain compliant. Without this, employees may not understand policy, which will lead to policy breaches and failure of compliance.
Identity Management and Access Control – Without proper identity management and access control, an organization has no way to determine how it knows who someone is and what limits to their access should be put in place to ensure a safe environment.
Vulnerability Management – Utilizing a vulnerability management plan allows an organization to hold a focus on identifying vulnerabilities, determining a threat level, and prioritizing its defense systems. Without this, an organization will not identify key holes in its systems and attacks will be disastrous as no planning was put in place to prevent intrusions.
Incident Response – Without an incident response plan, the organization will not know how to respond to bad events and protect its company data. Data loss and reputation loss are quickly attached to a business as incidents occur and with no plan to mitigate the outcome, a business can quickly move from thriving to failing.
IT Responsibility:
Change Management – Having a change management plan ensures that a system that was once secure and effective will remain safe and functional as changes occur since they are monitored and tracked. Without a change management plan, random changes may occur and will not be tracked, thus causing the system to become unsafe and inoperable.
Disaster Recovery & Business Continuity – With a DRBC plan in place, an organization can quickly restore information from backups when a disaster arises. Without this, a company’s systems may be down for an extended period of time and data loss is inevitable, resulting in potentially critical information to be lost.
Project Lifecycle Management – Given that most changes in a business are made due to the result of projects, the methodology should monitor all changes envisioned from the beginning of the project to its end. Without project lifecycle management, unauthorized changes may occur, thus resulting in failed or altered projects that do not benefit the business.
Vendor Management – By ensuring that devices only share the network with similar devices and functions, a business will not have to worry about vendors gaining access to unauthorized information. However, ignoring these provisions can result in vendors who are authorized to maintain the cooling system having access to a network that holds classified data, thus increasing the exposure of a major data breach.
Through all of the associated risks, each process helps in incident response by creating preparation, detection and exposure of risks, triage, classification and containment of the vulnerability, remediation, and reporting and post-mortem statements.
Brandan Mackowsky says
2. Who or what do you think is the most significant risk to any organization?
I feel that the most significant risk to any organization is their reputational risk. While data losses and security breaches pose a huge risk to any organization, without a well-established and positive reputation, an organization will not thrive and will ultimately fail in the long run. In order to run and manage a business effectively, the organization needs to remain in a positive light and continuously recruit customers. With a negative reputation, customers will stray away and quickly move to competitors in order to ensure that they are receiving the best quality business. This lack of customers seeking the organization’s service will lead to its demise. A company can establish itself and ensure that it has all of the top-of-the-line material, but with one failed agenda that impacts reputation, the company is worthless without a demand for business.
Brandan Mackowsky says
3. Security education is spoken of often. Why is it important?
Security education is important because it ensures that security breaches remain at a minimum during a company’s daily operational functions. By enhancing the security education within an organization, employees have a much higher awareness as to what to look out for to protect the company’s systems and assets to avoid breaches. By avoiding a data breach, a company avoids the whole procedure of a major incident occurring and avoids hindering its public reputation. By keeping employees vigilant, they will know what to look out for as real attacks occur. For example, my company will send out a phishing email two to three times a month to see if employees will follow through and click the email that would result in a breach. In doing so, they will be notified that this was part of a phishing test and will learn from their mistakes. If they identify it, they receive a “thank you for staying vigilant” message. All in all, the procedure works to keep all employees vigilant of potential attacks.
Brandan Mackowsky says
4. Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security process?
Looking back at week two’s article, it is evident that both the Gartner processes and the article place a heavy emphasis on addressing cyber security through the board and the CISO. Essentially, each talked about the need to remain vigilant to cyber-attacks and how controls and procedures set in place can mitigate the effects of an attack on a system or organization. Each ensures that by building a strong cultural foundation, an organization can ensure its employees will work for the greater good of a business’ success.
Brandan Mackowsky says
5. How much attention do you pay to the security of your device, data, and behaviors?
Personally, it really depends on what I’m doing on my device when I pay attention to its security. When browsing social media, sending messages, or making phone calls, I do not think much of security as I use my device. However, when using my device to pay credit card statements, access secured data, or access banking information, the first thing I think of is how safe is this device and is there sufficient security before I provide key information. All in all, it really depends on the specific activity that I am engaged in before I think about the security of the specific device.
BIlaal Williams says
What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
Gartner’s Security Processes You must get right
Security Responsibility
1. Security Governance – “The right things done right” Who is deciding roles and access controls. Are the proper controls in place to protect business operations?
2. Policy Management – includes risk assessment, decides risk appetite, what risks are you willing to accept, what requires mitigation?
3. Awareness and Education – is everyone in the organization aware of the security policies and controls and what they must do to ensure the proper policies and standards are followed.
4. Identity and Access Control – individuals are properly identified and given proper access to systems. Least privilege and Separation of duties.
5. Vulnerability Management – appropriate processes in place to identify vulnerabilities, determines the threat it may pose on the enterprise and prioritize which should be patched.
6. Incident Response – is the organization ready and able to respond to an incident once it’s been verified.
IT Responsibility
7. Change Management – Monitor changes to systems to ensure system remains secure. Verify and audit changes to ensure only certain people have the permissions to do so.
8. Disaster Recovery and Business Continuity – ensure the business has the processes in place and resources to continue business operations in the event of critical service disruption or a disaster
9. Project Life Cycle Management – Security controls must be implemented at every stage of a project
10. Vendor Management – Ensure third party vendors adhere to the security policy and controls of the enterprise.
BIlaal Williams says
2. Who or what do you think is the most significant risk to any organization?
I think the most significant risk to an organization is careless or uninformed employees. These are the employees who are not trained in security best practices, and who can introduce serious vulnerabilities into any secure infrastructure. For instance, the Target breach was initiated when an uninformed employee from a third-party vendor clicked on a phishing link and allowed the hackers to obtain their username and password and gain access to the system. A careless or uninformed employee can sink any security strategy, so it is important that this is addressed through security awareness policies and training.
BIlaal Williams says
3. Security education is spoken of often. Why is it important?
Security education is important because it is often the uninformed or careless employee who is the weakest link in an information security strategy. No matter how well an information system or organization is secured, all it takes is one careless action from an employee to break the defenses. If security education is not practiced, all other efforts to secure the infrastructure may be in vain.
Patrick DeStefano (tuc50677) says
Don’t forget about incident response education. This can definitely help out whenever an incident does occur. Just as in the case study we read for this week, you don’t want your IT people knowing that there is a “binder” somewhere with procedures to follow but not know what those procedures are. If your organization doesn’t have a dedicated incident response team, key stakeholders should have in depth knowledge of incident response procedures and they shouldn’t have to look them up to know them. They should be able to list them off the top of their heads.
BIlaal Williams says
4.Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security process?
Both emphasize the importance of governance which involves the key concept of “the right things done right”. Critical stakeholders such as board members and top level execs must agree on the proper strategy to ensure all business critical assets are properly protected. This involves having an effective governance process and policy management procedure.
BIlaal Williams says
5. How much attention do you pay to the security of your device, data, and behaviors?
Since being in the ITACS program I am definitely more aware of the security of my devices, but I still choose to tolerate certain risks. I periodically scan my home network to see if I notice anything out of place, have a backup for my OS, and I don’t do any personal banking or purchasing on public wi-fi. There is more I could be doing, like verifying checksums when downloading software etc, but in some instances I choose to tolerate the risks.
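The checksum verification mentioned above, as an added example that is not part of the original post: the script below parses a `sha256sum`-style manifest (assumed format: `<hex digest>  <filename>`, one entry per line), hashes each downloaded file in chunks, and reports OK, MISMATCH or MISSING per entry. The file names, contents and the tampered byte in the demo are constructed for illustration.

```python
"""Verify downloaded files against a published SHA256SUMS-style manifest.

Added example, not code from the discussion. Assumes the manifest uses the
common '<hex digest>  <filename>' line format that `sha256sum` produces.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large download never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse '<hex>  <name>' lines (sha256sum output) into {name: hex}.

    Blank lines and '#' comments are skipped; anything else malformed is an
    error rather than silently ignored, so a truncated manifest cannot pass.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        # sha256sum prefixes binary-mode entries with '*'
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify_downloads(manifest_text, directory):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = sha256_of_file(path)
        # compare_digest is constant-time; not needed for local files, but a good habit
        results[name] = "OK" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def demo():
    """Constructed sample: one intact file, one tampered file, one absent file."""
    with tempfile.TemporaryDirectory() as d:
        files = {
            "tool-1.0.tar.gz": b"pretend tarball bytes",   # constructed content
            "tool-1.0.sig": b"pretend signature bytes",    # constructed content
        }
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # Build the manifest from the original (trusted) bytes...
        manifest = "\n".join(
            f"{hashlib.sha256(data).hexdigest()}  {name}" for name, data in files.items()
        )
        # ...then simulate tampering/corruption of the tarball after the fact.
        with open(os.path.join(d, "tool-1.0.tar.gz"), "ab") as f:
            f.write(b"\x00")
        # A manifest entry for a file that was never downloaded.
        manifest += "\n" + "0" * 64 + "  README.txt"
        return verify_downloads(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Note that a matching checksum only proves the file is the one the publisher hashed; if the manifest is served from the same place as the download, an attacker who can replace one can replace both, which is why projects also sign the manifest.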
Patrick DeStefano (tuc50677) says
5. How much attention do you pay to the security of your device, data, and behaviors?
While I am usually aware of the security measures on my devices and almost always lock my session or phone when I step away from my devices, I also generally don’t keep much sensitive data on my own devices. I understand how easy it is to lose a phone or for someone to look over your shoulder when entering your password, however even if someone does crack my phone password, there’s not much for them to find.
Mohammed Syed says
1. What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
To name a few, with security governance the risk is not recognizing that the IS and business needs need to be parallel with each other. For identity and access management, the risk is permitting access to the wrong entities. With incident response, the risk is not learning from previous projects or losses. There are risks associated with all the processes; however, the controls help ensure that each process follows the specific strategies to ensure success, and prevent them from failing due to the risks.
Mohammed Syed says
2. Who or what do you think is the most significant risk to any organization?
I would say that it would depend on the type of organization. However, in my experience the ones I have dealt with is identity and access management.
Mohammed Syed says
3. Security education is spoken of often. Why is it important?
Security education is very important as it enables the organization to be aware of the system structure. It allows the organization to train its employees and raise awareness, and allows employees to assimilate awareness into their everyday work, thus ensuring that the organization and its partners are secure.
Mohammed Syed says
4. Refer back to Week 2’s article on Cybersecurity and Boards. How do the topics there relate to Gartner’s top 10 security process?
In the COBIT5 article there is emphasis on the governance, while Gartner does highlight governance he also mentions the merging of business and security by assessing the risks and business goals in regards to security.
Mohammed Syed says
5. How much attention do you pay to the security of your device, data, and behaviors?
Prior to enrolling in this course, not much. I had the common Norton Antivirus installed to monitor for viruses. Now, I have started to pay more attention to the security of my device.
Lezlie Jiles says
2. Who or what do you think is the most significant risk to any organization?
I believe the most significant risk to an organization is the employees. Human error is very prevalent and still one of the driving issues in organizational breaches. An organization could have the best policies and educational structure, but it will always be that one employee that doesn’t follow policy for whatever reason. I am sure you have read about the cases over the years where an employee clicks on a suspicious email and causes an attack; I know I have. Therefore, I think employees are an organization’s highest risk.
Lezlie Jiles says
5. How much attention do you pay to the security of your device, data, and behaviors?
Prior to enrolling in ITACS, I paid no attention to securing my devices. I am not into “devices” so much. I have an iPhone and a laptop that is only used for work or school. However, since I began this program I have learned that I am not so safe, so I use my devices even less now. I’m careful not to use just any WiFi when I am out and about. I’ve covered all of my cameras (smh), and I no longer keep personal information on anything.
Patrick DeStefano (tuc50677) says
At first I laughed as I read that you covered your cameras; however, after a second I thought, well, if someone could easily hack my WiFi or get access to my computer, they can certainly gain access to my webcam. My life is pretty boring most of the time, so if they want to watch me do my homework or fold laundry, they are more than welcome to; however, it’s definitely something to keep in mind for future reference.
Lezlie Jiles says
3. Security education is spoken of often. Why is it important?
Security education was created to diminish the number of security gaps that occur because of an employee’s lack of knowledge with regard to security. Security education sets the tone for the employees within an organization and clarifies the employee’s role in IS. This is important because employees (in my opinion) are a risk to any organization. Therefore, an employee who is uneducated as it relates to security is an even greater risk.
Patrick DeStefano (tuc50677) says
Who or what do you think is the most significant risk to any organization?
The most significant risk to an organization is a ‘what’ that encompasses many ‘who’. The most significant risk to an organization is poor response to an incident. In the context of this class, let’s go along with a security incident. If the organization fails to have a good response to a security incident, this opens up the firm to government inquiries, fines, lawsuits, and loss of reputation and public trust, in addition to the actual financial or operational impact of the breach itself. Poor incident response can sink any large or small organization in today’s highly competitive industries.
Lezlie Jiles says
1. What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
The 10 processes ensure that risk is reduced to an acceptable level. The risk associated with these 10 processes is that an organization has no assurance that the proper structure, processes or policies are in place to govern the organization. Nor are there any plans to recover the system, detect vulnerabilities or respond to incidents.
These 10 processes limit the risk of a security breach and create a strong foundation for an organization. They also provide structure if an unlikely event were to occur.
- Change Management
- Business Continuity Management and Disaster Recovery Management
- Project Life Cycle Management
- Vendor Management
- Security Governance
- Policy Management
- Awareness and Education
- Identity and Access Management
- Vulnerability Management
- Incident Response
Heiang Cheung says
What are the risks associated with the 10 processes that Gartner says you must get right? How do these controls help?
I think there are risks to doing anything, but the processes that Gartner says you must get right definitely lower the possible risks out there. Not implementing these processes could cause issues. For example, not having security governance could set the wrong type of culture in the organization. The same goes for awareness and education: without this process in place, people in the organization will be less likely to know the possible risks that are out there, especially if those employees are not technical.