The Information Security Manager and Leadership Team have the responsibility of ensuring that the IT Infrastructure is being securely managed. This ResourceKit is designed to provide a common set of resources the Security Manager, the Leadership Team, and IT personnel can use in managing security of the all-important IT infrastructure. IT management will want to follow the guidance provided in these references while the Security Manager and Leadership Team will want to (i) ensure that IT has the resources and support to follow the guidance and (ii) assure themselves that the security management of the IT infrastructure is being managed in accordance with this guidance.
The Context: The NIST Cybersecurity Framework
The NIST Cybersecurity Framework provides the context – both technical and management – inside of which the security of the IT infrastructure is managed. The Framework consists of standards, guidelines, and best practices to manage cybersecurity-related risk. The Cybersecurity Framework was developed by NIST as a prioritized, flexible, and cost-effective approach to help promote the protection and resilience of critical infrastructure and other sectors important to the economy and national security. It is fast becoming the de facto information security framework.
Cybersecurity Framework Version 1.1
The Framework establishes 5 core cybersecurity management functions towards the end-objective of cyber-resilience:
Security Management of the IT Network
The Center for Internet Security is a nonprofit organization offering extensive technical security support.
The CIS Controls are 20 consensus-based controls, benchmarks, and guidelines focused on security performance, not profit. According to a 2017 study by CIS, organizations that apply just the first 5 CIS Controls can reduce their risk of cyberattack by around 85 percent. Implementing all 20 CIS Controls increases the risk reduction to around 94 percent.
SecureTheVillage developed the Code of Basic IT Information Security Management Practices as a stepping-stone for organizations not ready to fully implement the CIS Controls. The Code describes the basic few practices that are most necessary in preventing – and recovering from – cybercrime and other cyber incidents. It’s designed to provide the greatest gain for the buck in protecting the IT network. It’s also designed so that if you leave anything out, your cyber risk goes up significantly. Think of the Code as the 20% of expenditures that gives you 80% of the value.
Notwithstanding that the Code is based upon information security management best practices, the Code is not intended as a set of best practices. The Code is a set of critical IT security management practices, so essential that a failure to implement them puts the organization at significant risk of a costly — and potentially fatal — information security incident. Not following the Code is the equivalent of drinking and driving.
- Spotting The Breach: What Are The Indicators of Compromise, ITSP Magazine, July 17, 2018
Secure Website Development and Development of Other Custom Applications
The Microsoft Security Development Lifecycle: The Security Development Lifecycle (SDL) is a software development process that helps developers build more secure software and address security compliance requirements while reducing development cost.
Microsoft Free Application Development Tools:
As another example of secure development practices, see the Cisco Secure Development Lifecycle: The Cisco Secure Development Lifecycle (SDL) is a repeatable and measurable process we’ve designed to increase the resiliency and trustworthiness of our products. See also their presentation: Building Trustworthy Systems with Cisco Secure Development Lifecycle
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations are able to make informed decisions. OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.
Everyone is free to participate in OWASP and all of our materials are available under a free and open software license. You’ll find everything about OWASP here on or linked from our wiki and current information on our OWASP Blog. OWASP does not endorse or recommend commercial products or services, allowing our community to remain vendor neutral with the collective wisdom of the best minds in software security worldwide.
OWASP Links of Primary Interest:
- Secure Software Development Lifecycle Project (S-SDLC)
- Top 10 – 2017: The Ten Most Critical Web Application Security Risks
- Top 10 Proactive Controls 2018
- Taxonomy: Attacks
- Taxonomy: Threat agents
- Taxonomy: Application security principles
- Taxonomy: Application vulnerabilities
- .NET Project
- Java Knowledge Base
- Top 6 Application Security Must Dos with Limited Resources, Jared Ablon, Co-founder and CEO of HackED
Basic Vendor Security Management
Before providing a vendor with access to the corporate network or sensitive information, it is incumbent on the Information Security Manager and Leadership Team to thoroughly vet the vendor’s security management capabilities.
In the case of electronic protected health information (ePHI), the HIPAA regulations require that a company have the vendor sign a Business Associate Agreement.
At the very least, a company’s Information Security Manager should obtain legal confirmation that the vendor will secure the company’s information at least as stringently as the company does.
In the case of an IT vendor or MSP, an Information Security Manager is best served by conducting an independent third-party security management assessment of the vendor, because a breach of the IT vendor is a direct risk to the company.
Ronald Reagan’s words are particularly apropos when it comes to vendor security: Trust but verify.
Managing the IT Security Project Portfolio
The IT Security Project Portfolio is a prioritized time-driven set of projects, operational initiatives, and other IT management operations collectively designed to achieve the organization’s IT security management objectives.
As such, the IT Security Project Portfolio forms the ‘technology management’ subset of the organization’s combined information security management project portfolio.
And, since portfolio activities have an obvious impact on the IT infrastructure, the IT Security Project Portfolio must be tightly integrated with the IT Project Portfolio.
The Information Security Manager and Leadership Team manage the Information Security Project Portfolio.
The Team will want to review progress on the IT Security Project Portfolio at its monthly management meeting.
- What did we plan?
- What did we accomplish?
- What went wrong?
- What were the reasons for the deltas?
- What do we plan for next month? Next Quarter?
- How can we go faster?
References: The High Performance Technology Management Team
The New IQ: Leading Up, Down, and Across Using Innovative Questions, Kindle Edition, by Chris Coffey and David Lam, 2015
The Five Dysfunctions of a Team: A Leadership Fable, by Patrick Lencioni, 2002
Overcoming the Five Dysfunctions of a Team: A Field Guide for Leaders, Managers, and Facilitators, by Patrick Lencioni, 2005