Security Control Validation
Do you check to make sure your smoke and carbon monoxide detectors are working?
Do you check to make sure doors are locked before turning in at night?
Do you have an outside agency perform a financial audit on your business?
Do you check to make sure your firewall is configured correctly?
I hope you answered YES to all of the above. Just like any security measure, we must make sure it’s working – this is called VALIDATION.
At CSTC2017, Joe and Bob reminded us, as Ronald Reagan put it, “Trust, but verify“. It is important that assumptions aren’t being made and that you regularly validate your security controls are doing their job. Remember, Security Controls can fail and even with the automation and layers of defense, it only takes a single vulnerability to be exploited that can lead to a significant disruption in your business. New threats emerge daily and patches come out quickly. Computers, printers, software, network connections come and go on your network – nothing stays static anymore. Security is not just the responsibility of security and IT staff, it must start with the CEO and involve the entire staff.
Joe and Bob’s Take Home Message
Security Controls Can Fail
- Missing critical updates
- Backups untested
- Human error
You Cannot Mitigate Unknown Risks
- Security Risk Assessments and Analysis must be done
- Annually, if you are a HIPAA covered entity, regulated by PCI, or in a financial industry, like banking.
- After significant changes in your system
- Must be comprehensive: addressing Technical, Administrative and Physical Controls and Vulnerabilities
- Includes Vulnerability Scanning, which most often detects issues you didn’t know you have.
- Perhaps include a Penetration Test
- Include Active Directory Auditing
Address Your Weakest Link – You and Your Staff
- Management Support Required – the entire business must be involved.
- Create a blame free risk- and security-aware culture
- Use a security training platform
- Provide ongoing security tips
- Test users understanding and security practices
- ex. Phishing Tests
Don’t Forget Your Backups
- Your backup program is only as good as the ability to recover data if and when disaster strikes.
- First, is your important data being backed up?
- Second, can it be restored successfully?