Using a Metaframework for cybersecurity and data privacy compliance efficiency

by Peter vR Sternkopf, Vigilant Systems

The Secure Controls Framework (SCF) is a robust metaframework for cybersecurity and data privacy compliance for several compelling reasons. A metaframework is a “framework of frameworks”; the SCF provides a structured, integrated, and highly efficient approach to managing multiple cybersecurity and data privacy standards and frameworks.

Aspects that make the SCF incredibly valuable in this capacity:

  • Integration of Multiple Standards
    The SCF integrates and aligns multiple cybersecurity and data privacy standards into one unified framework. It includes many standards such as NIST, ISO, CIS, PCI DSS, GDPR, and many others. This integration allows organizations to address diverse compliance requirements in a cohesive and streamlined manner.

  • Available Third-Party Content
    While the SCF’s controls are free to download and use, there is still a need for standards, policies, procedures, and governance. Having the proper documentation can save an organization hundreds of hours of work, which can make SCF adoption and alignment straightforward and efficient. Vigilant Systems’ compliance program includes documentation and implementation services to meet compliance requirements. ComplianceForge has its Digital Security Program (DSP), which contains SCF-aligned standards and policies, and a Cybersecurity Standardized Operating Procedures (CSOP) that contains SCF-aligned procedures.

  • Efficiency and Resource Optimization
    Using the SCF as a metaframework enhances efficiency by providing a single set of controls that can address the requirements of various standards. This reduces redundancy, optimizes resource allocation, and simplifies the compliance management process. Organizations can achieve compliance more effectively without duplicating efforts.

  • Flexible and Adaptable
    The SCF is designed to be flexible and adaptable to cybersecurity and privacy landscape changes. It allows organizations to customize controls based on their needs while aligning with various standards. This flexibility is crucial for adapting to evolving threats, technology changes, and updates to compliance requirements and regulations.

  • Holistic Risk Management
    By incorporating controls from diverse standards, the SCF supports a holistic approach to risk management. It enables organizations to comprehensively identify, assess, and mitigate risks, addressing potential vulnerabilities and threats across disparate domains. This holistic risk management approach aligns with best cybersecurity practices.

  • Clear Mapping to Standards
    The SCF provides clear mapping and cross-references between its controls and various cybersecurity and data privacy standards. This transparency helps organizations understand how each control aligns with specific compliance requirements, facilitating audits and assessments. It also ensures that organizations can demonstrate compliance with specific standards.

  • Consistency in Implementation
    Using the SCF ensures consistency in implementing controls across different standards. This consistency is essential for maintaining a strong security posture and adhering to various compliance requirements during audits or assessments. It reduces the likelihood of errors and discrepancies in control implementation.

  • Facilitation of Continuous Improvement
    The SCF supports continuous improvement by providing a framework that can be updated and refined to reflect changes in the cybersecurity landscape. Organizations can adapt their controls to address emerging threats, technology advancements, and evolving compliance regulations, ensuring ongoing effectiveness.

  • Strategic Alignment
    The SCF allows organizations to align their cybersecurity efforts with broader strategic objectives. By integrating controls from various standards into a cohesive framework, organizations can ensure that cybersecurity practices contribute to overall business goals and objectives.

  • Comprehensive Coverage
    The SCF offers comprehensive coverage of security and privacy controls. Its extensive catalog includes controls across various domains, providing organizations with a well-rounded set of measures to address different aspects of cybersecurity and data privacy. This comprehensive coverage reduces the need to manage multiple frameworks independently.

The SCF stands out as the logical choice for a metaframework in cybersecurity and data privacy compliance due to its ability to integrate multiple standards, provide comprehensive coverage, ensure efficiency, and support adaptability to changes. Organizations leveraging the SCF can navigate the complexities of compliance more effectively while maintaining a strong and adaptable cybersecurity posture. Vigilant Systems leverages the SCF with all of its clients.

The Ten Most Common Information Security Program Pitfalls

by Peter vR Sternkopf, Vigilant Systems

There’s a myriad of mistakes that can torpedo the most well-intentioned and carefully designed information security program. Our experience working with customers in the InfoSec field is consistent as to what mistakes have the biggest impact on their business. Below, we examine the ten most common information security program pitfalls and provide some perspective to avoid them.

#1 Pitfall – Not Understanding Who the Security Program is Meant to Benefit

Understanding who the beneficiaries of the information security program really are is necessary for success. All of these should be considered customers of the company’s security program:

● Originators – ultimately, and most importantly, the purpose of information security is to protect the individual or originator who either owns the information or would be adversely affected by the negative consequences of its exposure

● Clients – the consumers of company products and/or services. Clients have almost always entrusted their information to the company you work for; therefore, protecting their information is paramount to maintaining their trust. Additionally, and most often, meeting the requirements of a specific security framework is driven by clients

● Shareholders – specifically, individuals or organizations with a financial interest in the company. It goes without saying that information security breaches can have a severe and lasting monetary impact on shareholder interests

● Stakeholders – individuals within the company, which may include board members, who have an interest in the company’s outcome. A breach of information in the company’s possession can have severe and lasting consequences for the health and viability of the company

● Employees – arguably, the staff within the company are absolutely critical, not only to the success of the business but also as the linchpin of the information security program’s success

● Intellectual Property – not quite the same personal stake in the consequences of poorly protected information, but company intellectual property is no less important than an individual’s information. Protecting company information assets is absolutely paramount to maintaining a healthy business

● Partners – partnering with other organizations to ensure a successful and enriching product or service experience is essential to business success. Consequently, it is vital to protect partner company information

● Third parties – including cloud-hosting providers, integration partners, and third-party administrators. Understanding each party’s responsibilities for risks and controls, and collaborating to ensure information protection is exercised, must be part of a holistic information security program

● Other Affected Parties – not to be overshadowed by the above beneficiaries, there are other consequential parties and departments with significant operational and financial impacts on the business that must be included; these include Legal, Compliance, Risk Management, Regulators, Insurance Carriers, and other industry-specific parties

#2 Pitfall – Missed Opportunity to Endorse the Security Program

Promoting the value of a security program to stakeholders and participants is often overlooked or given only nominal focus. Ensuring appropriate program beneficiary inclusion is essential because an organization cannot build a culture of compliance without stakeholder buy-in and support from all employees and partners with an interest in the outcome.

Control owners who maintain consistent, ongoing buy-in and actively contribute to the program’s success make for vigorous security initiatives.

#3 Pitfall – Not Understanding How the Company Mission Aligns with Security

If company goals and objectives are not aligned with the scope of the security program, it will eventually lose its way or fail altogether; for example, when a new product or service is introduced to the marketplace without considering its associated information security risks and controls.

Executive support will waver if the security program does not support the company’s mission, goals, and objectives. Since companies often adjust their business model, it is important to continuously evaluate security program alignment with where the company is heading.

#4 Pitfall – Assigning the Wrong Resource as the Business Process Owner

Assigning technical leadership to be responsible for the information security program is most often a huge mistake. Not only is there a significant conflict of interest between owning risk controls and overseeing and evaluating them, but technical leaders are often not as adept at producing quality documentation for audit examination.

Information security is a business process function, not a technology function. The most appropriate role for managing compliance is one that does not have any direct ownership of specific operational risks and controls. The most appropriate roles may include: Compliance Officer/Manager, Legal, InfoSec Officer, ISMS Manager, or Chief Operations Officer.

#5 Pitfall – Selecting an Advisory Committee and Not an Action Council

Leadership through a committee without ownership and action responsibility is a recipe for inaction (ask me how I know). Forming a formally chartered information security council, where all members actually own the results and do the work, is most effective. Here are a few things to keep in mind to create a functional information security council:

o You need a captain – an effective team needs a captain to cohesively lead the ‘players’ to achieve greatness. Typically, the InfoSec Council ‘captain’ is also considered the sponsor for InfoSec initiatives.

o Keep it small – including the following business functional areas is optimal: operations, engineering, human resources, legal, and compliance. Also consider an external consultant who can advise the council on its security initiatives.

o Include an executive – including a strategic and tactical executive (1-2 max) as part of the InfoSec Council creates a direct communication line to the rest of the executive team and stakeholders. It also adds perspective and alignment with the company mission, goals, and objectives.

#6 Pitfall – Hiring an Advisory Firm that Won’t do the Heavy Lifting

Selecting an advisory firm, rather than a partner who does a lot of the heavy lifting, is classically a waste of information security budget dollars.

Advisory firms typically tell a company what needs to be done to meet the standard, review the work done by the company, tell them what is wrong with the company’s work, and do little or none of the actual documentation required to meet compliance requirements.

Professional Services firms, in contrast, will partner with the company, doing a significant part of the heavy-lifting, and may also manage information security initiatives from conception through audit(s), and beyond for continual improvement and compliance.

#7 Pitfall – Using Search & Replace Document Templates

At Vigilant Systems, we have seen many organizations buy one-size-fits-all control document templates when they attempt to create their first information security compliance initiative. This is a simple and avoidable mistake.

A simple search & replace approach to populating templates will not satisfy compliance requirements. It also takes more effort than merely customizing documentation to how the organization operates: a holistic approach to the information security program has to be woven throughout the required artifacts.

We have seen templates that cost ~$1,000 or more to license that are so poorly authored that it takes more time and effort to correct them than it would have taken to craft them correctly in the first place.

There is a real time and resource cost when the documentation does not meet the control standard and has to be re-done.

#8 Pitfall – Hosting Audits without Experienced Support

Going it alone for audits almost always results in negative findings by the auditor. This is easily avoided by including an objective resource that is not only experienced with information security audits specific to a security framework, but who is also extremely knowledgeable about the company’s information security management system.

Regardless of the type of information security audit and the framework compliance is measured against, there are ‘rules-of-engagement’ to consider and significant audit complexities that need to be navigated. Audits should not be navigated alone.

#9 Pitfall – Exclusion of Security Costs in Budgets

Unrealistic expectations of ongoing costs, or excluding from the budget the ongoing management and continual improvement costs needed to ensure continuous compliance, are often detrimental to overall program success and often damage executive support.

Not including information security as an integral and funded aspect of company operations will torpedo the success of an information security program.

Additionally, by planning realistic costs into the budget for ongoing security management and improvement, an organization will be able to avoid incurring significant costs and potentially massive losses in the future due to applying ‘shortcuts’ in an underfunded program.

#10 Pitfall – Treating Security as a Short-term Goal, not as an Ongoing Program

Treating security initiatives as a sprint as opposed to a journey not only shortchanges the security program, it actually puts the company’s information security at high risk. Implementing an information security program just to meet a customer requirement will shortchange long-term security.

With information security there is no destination; it is a continuous and iterative cycle of improvement, not much different from running a software company.

Sitting on one’s hands throughout the review cycle and then scrambling at the eleventh hour when an audit date is looming does not serve the company, customers, and other entities that have a stake in the outcome of the information security program.

Understanding these pitfalls is the first step in avoiding them altogether. In future articles published on this blog site, we will examine strategic and tactical approaches to driving a successful information security program.

With increasing business requirements and emerging risks, can your compliance program keep up?

Live Webinar: June 10, 2020

1100 PT | 1400 ET

Great, you’ve got a compliance program in place! But it’s time-consuming to manage and it’s not exactly where you’d like it to be. With so many moving parts, it’s tough to understand where gaps exist within your control environment, and how well protected your organization is from the risks that matter.

When the risk landscape changes this quickly, organizations aren’t willing to hire additional compliance staff due to tight budgets, and the burden of compliance gets heavier each year due to customer demands and new regulations, organizations are forced to take a hard look at their approach to risk management and compliance.

Sign up for this webinar with Petrina Youhan, CPA, CISSP and Peter vR Sternkopf, PMP, CEPA to hear how you can approach risk management and compliance differently, in a way that cuts down your compliance workload and improves the security posture of your organization. What’s covered:

  • Why managing ongoing compliance is important

  • Approaching compliance strategically without adding more work

  • Key benefits and considerations for implementing this approach to compliance, including greater oversight over risks and controls, greater agility, lighter workload, and a stronger security posture

To access the recorded Webinar – go to the following page and click the VIEW ON-DEMAND link.

https://info.hyperproof.io/keep-up-your-compliance

Once you get into the webinar, use the toolbar at the bottom of the screen to de-select the Q&A, Resource List, and Speaker Bio.

Then select the blue Slides icon to view in full screen. ESC will exit full-screen mode.

The Media Player window allows you to pause and revisit/rewind.

5 Compliance Projects Gone Terribly Wrong

Live Webinar: May 23, 2017

10:00 a.m. PT | 1:00 p.m. ET

If you work in compliance, then there’s no doubt that you have at least one story of a project that has gone horribly wrong. If these nightmare scenarios didn’t give you many sleepless nights, then they definitely created lots of stress for you and your team. You probably told your story to your peers and colleagues seeking some catharsis. With limited budgets and resources dedicated to GRC, the margin for error is slim; this webinar can help you reduce the risk associated with new or existing compliance programs.

Join Matt Kelly, Founder of the popular blog Radical Compliance, as he moderates a roundtable discussion with GRC experts about who's got the best and worst story to tell about projects that have given them heartburn and headaches. Not only will you be able to ask our experts about what they've learned from the projects that didn't work out as expected, but you will also have the opportunity to ask our GRC experts for recommendations for when you find yourself in a project that's turning sideways. (Webinar link no longer available)

What does Information Governance Really Mean?

Building a ‘Unified Information Governance Practice’ - a formula for Information Governance Operational Success

by Peter vR Sternkopf, Vigilant Systems

Information Governance (IG) can mean different things, and there are certainly multiple definitions. For the sake of simplicity, Information Governance is the management of information to effectively mitigate risk, cut costs, and leverage the value of information.

Great, now we have a definition for IG... now what?! Isn’t IG an unruly monster that is too big to do anything about? Well no, it’s not; in fact, there is an approach to building a unified IG practice that is not difficult, not unreasonably expensive, not disruptive to operations, easily managed, scalable, and defensible. Oh, and the value of the program can actually be monetized as a significant return on investment, saving significant money and resources, as well as providing a path to improved revenue and profitability. It is absolutely doable!

Sound good?  If yes, here's what your organization needs to do (big picture) in order to drive your IG Practice forward and be successful:

  1. Educate the Executive Team and Obtain their Support - Executives neither need nor want to know everything about IG. Keep it simple and focus on the value of your initiative and the expected returns on their investment.

  2. Form a Lean and Agile IG Team - Comprise your team of key persons who bring value and the required skills to the program, and who will actually do the necessary work. Make sure to include both external and internal resources on your team (not necessarily FTEs).

  3. Focus on Inside-out Information Security - Leverage the 8 Principles of IG in this order: Transparency, Protection, Compliance, Retention, Disposition, Accountability, Availability, Integrity.

  4. Take a Holistic Approach to Compliance - Holistic means comprehending the parts of something as intimately interconnected and explicable only by reference to the whole. Once you understand the parts and how they are interconnected, tackling a piece at a time, with consideration of how it affects the other pieces, makes for a cohesive outcome.

  5. Use an IG Program Management Tool - An IG tool is a very important component for coordinating and communicating the efforts required. It must include an accountability framework that establishes information risks and controls ownership assignments. There are a handful of good tools on the market, but only a couple of great IG tools.

  6. Choose High-Value, Important, and Affordable Initiatives - Pick the most important, highest information risk areas/departments and workflows first, and then structure by ‘critical systems’ within their workflows.

  7. Establish Information Assets Ownership - Identify each departmental business process owner (BPO), and a second one if possible. These individuals ‘own’ the information risks and controls program within their department.

  8. H -

Building a Unified IG Practice is pretty straightforward; there's more but again, this is a high-level overview.  For more information, feel free to contact Peter@Vigilant.us

Making the Switch from SSAE 16 to SSAE 18 (credit: A-LIGN)

Written by Sue Wells, A-LIGN on December 19, 2016

When service organizations receive a SOC 1 examination, it is performed under the SSAE 16 or “Statements on Standards for Attestation Engagements 16, Reporting on Controls at a Service Organization” standard.

In Spring 2016, The AICPA’s Auditing Standards Board (ASB) completed the clarity project, the result of which was the issuance of the SSAE 18 standard, “Concepts common to all Attestation Engagements”. This new standard replaces SSAE 16 for SOC 1 engagements and goes into effect for reports dated after May 1, 2017.

It is important to note that the SSAE 16 standard was specific to service organizations and the SSAE 18 is for all attestation engagements. This means that we can no longer refer to SOC 1 as an SSAE 16 examination and it will not be replaced by the term SSAE 18 examination. Instead, it will simply be referred to as the SOC 1.

Despite the potential for confusion related to the naming of the examinations and reports, the actual changes to what a service organization has to do to prepare for an examination is not extensive. Here are four changes that come with SSAE 18 that affect the SOC 1 examination.

Vendor Management

The most significant change in the requirements that have to be met by a service organization is ensuring that its vendor management program for sub-service providers (for example, colocation facilities) is sufficiently robust. SSAE 18 requires that service organizations implement processes that monitor the controls at sub-service organizations. SSAE 18 provides the following control suggestions:

  • Review and reconcile output reports.
  • Hold periodic discussions with the sub-service organization.
  • Make regular site visits to the sub-service organization.
  • Test controls at the sub-service organization by members of the service organization’s internal audit function.
  • Review Type I or Type II reports on the sub-service organization’s system.
  • Monitor external communications, such as customer complaints relevant to the services by the sub-service organization.

Risk Assessment

Another change under SSAE 18 is a move to more specific requirements, as opposed to the existing general consideration of risk via a risk assessment. SSAE 18 requires service auditors to obtain a more in-depth understanding of the development of the subject matter than currently required, in order to better identify the risks of material misstatement in an examination engagement. This, in turn, should lead to an improved linkage between assessed risks and the nature, timing, and extent of attestation procedures performed in response to those risks.

Complementary Sub-service Organization Controls

SSAE 16 required that service organizations provide a listing of controls that should be performed by user organizations.

In order to recognize that more organizations are outsourcing key functions to their own set of sub-service organizations, SSAE 18 introduces the concept of “Complementary Sub-service Organization” controls. This concept establishes and defines the controls that user entities must now assume in the design of the system description. Another key factor related to these complementary controls is that they are necessary for the achievement of the control objectives in the report. SSAE 18 provides more guidance around this area, which will hopefully lead to more consistent reporting across entities and practitioners.

Written Assertion Requirement

The final change to the SOC 1 is the requirement, per SSAE 18, that the service auditor obtain a written assertion. This written assertion is the statement found within the SOC report wherein the service organization asserts that the system description provided is essentially true and complete. This statement has always been contained within the SOC 1 reporting document, but signing it was optional for the service organization. In practice, the majority of service organizations have already been signing this document as a way to strengthen the credibility of the report. Accordingly, there will not be significant changes to what either the service auditor or the service organization will have to do to meet this requirement.

14 Ways to Prevent Data Breaches in Your Organization (credit: A-LIGN)

Written by Blaise Wabo, A-LIGN on October 11, 2016

Actionable Tips to Prevent Data Breaches

Feeling safe about your organization’s personal data because of encryption standards? Don’t fool yourself into a false sense of security. Managing cyber-risk is a multi-faceted, whole-organization effort that requires implementation from the top levels down. In IBM’s Security Services 2014 Cyber Security Intelligence Index, which analyzed cyber-attack and incident data, more than 95% of all incidents cited “human error” as a contributing factor to the attack.

The list of potential human error risk factors is longer than expected:

  • Administrator system misconfiguration
  • Not updating systems appropriately
  • Not managing system patches
  • Default password usage
  • Default user ID usage
  • Lost devices
  • Misplaced devices
  • Unlocked devices
  • Incorrect disclosure procedures

Though this list is not exhaustive, it emphasizes the importance of cybersecurity education for management and employees, so that organizations are able to prevent data breaches caused by human error.

1. Education from the Top Down

This is number one for a reason. Individuals in management may think that because they have an incredible IT Security Director at the helm, their duties regarding risk mitigation are fully out of their hands. However, ensuring that management and employees fully understand the potential cybersecurity risks innate to your organization is important in mitigating risk.

The development of policies and procedures on how to prevent data breaches is essential, and educating employees both new and old on these policies and procedures is critical. Because the cybersecurity landscape is constantly changing, regularly educating management and employees on updated cybersecurity policies and procedures is essential in mitigating risk. In addition, your organization should inform employees on new scams or potential new risks as they arise – for example, new phishing scams or websites with potential vulnerabilities.

2. Hire Well

Strong security starts with great personnel, which is why the hiring process is important. While individuals with experience can be beneficial to an organization, professionals who have a deep understanding of the current risk landscape can be invaluable to an organization trying to implement security controls. When recruiting individuals, management should be certain that employees understand the concepts behind both breach prevention and breach management in the event that a breach does occur.

In addition, management should be sure to maintain communication lines with their security and compliance team in order to ensure that all potential threats are being monitored carefully.

3. Develop an Exit Strategy

Having an exit strategy for employees who are leaving your organization is just as important as educating employees in cybersecurity. This includes changing passwords, ensuring that computers and personal devices no longer have sensitive information available on them, and developing contracts that include legal repercussions for sharing or utilizing sensitive data.

4. The Less Data, the Better

Since cyber criminals can only steal information that an employee or organization has access to, one of the major ways to minimize risk is to limit data availability:

  • Reduce the number of employees that have access to at-risk information.
  • Don’t collect information that isn’t relevant to your business.
  • Reduce the number of places where data is physically stored.
  • Only grant data access on an as-needed basis and revoke access as soon as information is no longer necessary.
  • Purge data early and often!

You prevent data breaches by minimizing the amount of access that individuals have to data.

5. Purge Your Data Properly

It isn’t enough to simply purge your data. Getting rid of sensitive data in the appropriate fashion is the other half of the battle.

Too often, employees think that they are getting rid of all of their data when they remove files located on their desktop, without realizing that other copies of the files are present elsewhere on the computer. By teaching employees proper data disposal techniques, you are able to minimize the risk of having that data get into the wrong hands.

6. Monitor Your BYOD Programs

BYOD or Bring Your Own Device is a program where employees bring their own technology (computers, tablets, cell phones, etc.) to work. Many organizations have moved to this type of program so that employees are able to use technology that they have a better understanding of. This reduces training time and increases productivity.

However, one of the major risks is that employees do not feel as though they need to be utilizing organizational policies when they are using their “personal” device. The risk here is that while the device may be used for both work and fun, sensitive data is still readily available.

In addition, these programs leave IT administrators frustrated, as they have to understand necessary updates and patches for a litany of different devices instead of just a few.

By implementing strong BYOD policies that force employees to fully understand the risks inherent with the utilization of their own devices, organizations are able to fully prevent data breaches from happening. These programs should emphasize or consider:

  • Password and device-encryption requirements
  • Update and patch requirements
  • Lost or misplaced device notification for emergency response and remote data-wiping
  • Utilization of tracking software
  • Establishment of secure app workflows
  • Anti-malware software
  • Jailbreak prevention
  • Sandboxing
  • Device partitioning

The creation of appropriate BYOD management and policies allows the program to work successfully, instead of becoming a pain point for organizations.

7. Secure Your Networks

Employees are constantly on mobile devices these days, and often have their devices set to “Automatically Connect” to the closest Wi-Fi available. This leaves security professionals floundering, as there have been more than a few rogue Wi-Fi “hot spots” that capture sensitive information from the devices that connect to them.

Ensure the security of your network by investing in a personal or corporate VPN, so that all data in transit is appropriately encrypted at the source, before it ever reaches an untrusted network.

8. Update Software with All Patches and Updates

Software companies are constantly updating their products in order to ensure that they remain secure for use. Outside parties are constantly finding new vulnerabilities in that software, and applying patches and updates allows organizations to ensure that these vulnerabilities do not affect their business functions.

9. Develop “Appropriate Usage” Guidelines for Company Technology

Educate employees on the appropriate usage of organizational technology. This includes when, where and how to log in to accounts, how to check that their connection is reliable and secure, and when not to use devices at all.

10. Hold Outside Vendors to the Same Standards

By only working with organizations that hold the correct security and regulatory designations, you prevent data breaches by ensuring that all of the appropriate controls are in place. While it may be cheaper to hire organizations that hold no designations or operate outside of governing bodies with strict regulation, that saving is dwarfed by the cost of the customers lost after a data breach. At the end of the day, if your vendor makes a mistake – it is your clients on the line, not just theirs.

11. Prepare for the Worst

Establishing a disaster management plan ensures that your organization is prepared if the worst were to happen.

While all of your preparations can help you prevent data breaches, your risk is never fully mitigated. Being prepared gives your team a full understanding of their role, so they can keep a breach from growing or causing unnecessary customer backlash.

12. Test Out Your Disaster Management Plan

Put your breach protocol to the test with a mock disaster. See how well your team is prepared for a potential breach and troubleshoot problems with your protocol before it is a reality.

13. Audit Your Organization Regularly

By auditing your team on their practices, you can see where there are potential problems that could lead to future breaches. This allows your organization to modify policies and protocols before an issue arises.

14. Notify Early and Appropriately

If your team even vaguely believes that there was a potential data breach, communicate with your organization’s security management team and notify the appropriate authorities immediately.

The sooner your team is able to respond to an incident, the greater your chance of managing the potential damage to your organization and its clients. Reporting unusual or suspicious activity promptly is the difference between a major breach and a minor one.

Detecting the Threat Within - The Real Challenge of Insider Threat

This is a fantastic white paper published by one of the true pioneers in inside-out cybersecurity and early threat detection/prevention, Darktrace - The Enterprise Immune System.

Click this link Darktrace Insider to read the article - it is a GREAT read!

Darktrace is the world leader in Behavioural Cyber Defence technology. Based on pioneering Bayesian mathematics developed at the University of Cambridge, Darktrace’s unique approach helps organizations to defend against insider threat and advanced, persistent attackers within the network, by detecting new attack vectors as they emerge. Darktrace’s self-learning platform works out normal and abnormal behavior within an organization in real time, in order to detect anomalous and threatening activity. Darktrace is made up of world-class cyber intelligence experts and mathematicians. The company is headquartered in Cambridge, UK, with offices in London, New York, Paris, and Milan. www.darktrace.com

THE HUMAN VULNERABILITY - Cybersecurity

Attached is a great whitepaper on Cybersecurity. It was authored by Christopher Pogue, Chief Information Security Officer @ Nuix.

It's absolutely well worth the time to read the article... enjoy! There are several valuable links to further reading on page 19 as well. Select the link below to launch the Nuix whitepaper.

Why the cybersecurity industry has been fighting the wrong battle for 20 years—and how we can reclaim the surrendered ground

Find Digital Evidence

Finding the Digital Elephant in the Room - a story about digital investigation, told using an elephant.
With traditional digital forensic investigation tools, you can never see the bigger picture – only the individual parts. It's a bit like the ancient parable from Asia about six blindfolded men and an elephant. But there is a better way.

Watch the video