Every organization needs to have the ability to mange the threats and the associated vulnerabilities that their networks and data are subjected to. This system needs to address both internal and external threats.
Remember, not every patch or security risk will affect your network. You should have a clear document and understanding of your IT assets so you can respond to new risks found. This way, you can create a proper remediation plan when a risk is identified and no one needs to cry wolf.
It is time to check your policies. Every organization needs formal IT security policies and procedures in place. These policies and procedures should be included with your employee manual and reviewed on a regular basis.
Having security policies and procedures in place is one thing, enforcing them is another. Do you have clear lines of action if these policies are violated? Are you prepared to enforce these actions if it is for a high level employee?
Compliance looks at two separate pieces in regards to policies and procedures; policy existence and policy enforcement.
How current is the diagram of your network? Or do you even have one?
Most organizations don’t update this document on a regular basis. This simply isn’t a priority. This document does several things for your organization. First, it should give you a visual representation of what devices are on your network and how the data flows from point A to point B.
Second, this allows future IT personal a visual of your network so they can step into your environment and be able to effectively support it.
One of these should be created for every site and show how the sites are interconnected. Include details on each network leg and what has access to what.
For any executive you should demand this document be updated (or created) and maintained on a regular basis. Roll this into your business continuity plan so you can be prepared to rebuild if necessary.
The audit we are going through starts with a self assessment questionnaire. This document, which is quite lengthly, goes through all of the things the auditor will cover. Some items are simply questions with no proof required, others are questions with a document that we have to produce to verify the answer. We started with the asset tracking section.
Do you have the following:
- List of All Hardware Assets
- List of All Mobile Devices
- List of All Software
- List of Key Suppliers and Vendors
- Network Diagram
We had most of these. However, there are a few that we had to update or in one case, create. We never had a diagram of our network. This is something we have on all of our clients but I have to admit I never stopped to ask this to be created for our main office. We have firewall certified engineers, Cisco-trained and certified professionals on staff, we have security certified professionals, and numerous other certifications. Our network runs great and is more detailed than almost any we see in the field; yet we never documented it. What if our primary internal network manager left? I would have to grab another resource off of a project and get control of our internal network. After all, I can’t drive my kids to school if I don’t put gas in the car.
So this week, I have a homework assignment. Everyone go through their documentation and develop a plan to fill in the gaps. Never allow your business to be dependent on someone’s head knowledge alone. You clients depend on you to be there when they need something. Not having these documents is an often overlooked risk to the business.
Our firm has voluntarily requested an audit of our security practices by an independent third party. We started this process as a result of a conversation during lunch with a prospective client. While we were busy going through what services we could offer the client, she responded with a poignant question, “If you are watching me, who is watching you?”. What a great question! We were honest and said that isn’t something we had previously considered but we immediately recognized the why behind it. Forty-eight hours later I was researching firms that could provide this service to us and about a week later we entered into an engagement.
Over the next month we will go through the same process we have done for our clients over years. We will make sure all of processes inside our company are sound and as secure as we think it is. We are making sure every department is practicing what we have stated as our best practices in internal meetings. I am so enthusiastic to go through this process.
I will use this BLOG over the next month to share my thoughts and feeling about going through a security audit from a client’s perspective. I hope at the end of this we have discovered ways to improve our services by seeing this through a clients eyes.
It may seem best to start with a perfect secure network design from the ground up. Take into account all aspects of security and process and the end result could be amazing. Building something from scratch often seems easier than fixing an existing system or process. But if we are limited by our unique circumstances not building new doesn’t mean we should just stay where we are.
Sometimes we can start fresh and create something; learning from our history and tapping into our knowledge garnered over the years. Othertimes, you have to renovate. Both ways have the ability to produce an amazing end result. Secure design can be achieved in any scenario. You just have to start the process.
Starting in October 2015 financial liability for card-present counterfeit losses will shift from issuing banks to merchants if merchants receive EMV-enabled cards but have not yet installed EMV-capable terminals. This is a significant change in how merchants will accept payment and whose liability it is.
If you are not planning on deploying EMV-enabled terminals before then you need to understand this shift. All of the financial burden will now be on you.
If you are planning on deploying these terminals you need to understand the technical requirements to make this switch possible.
2015 will be a significant year in the security space and businesses had better prepare. Get an assessment, get a plan, and get secured.