In this chapter, we’re going to cover tools and techniques with an equal emphasis on both process and technology. The temptation among those of us in the technical fields is to think tools first. While tools are often helpful in solving various process problems, especially by using automation, an over-reliance on tools is often expensive and usually decreases the effectiveness of any given program. The outcome of working through this chapter should be a roadmap that will allow you to right level your processes for your current requirements and build a technology roadmap for your future needs.
Build the Process Inventory
We’re going to start with an important data-gathering step. Whether inheriting a mature program or building a new program, the key first steps are to document your process inventory and take an inventory of the tools your organization uses to assist with each process. It’s fundamental that you focus first on your process inventory, understanding how these processes map to your organization’s business objectives. Make sure you understand specifically what you are protecting, and from what threats. Know how are you reporting the effectiveness of these processes to management and communicating expectations to your entire organization. It’s important to keep these points in mind as you inventory your tools and map that inventory to your process inventory.
To make sure you get a complete list, use the same information security framework you use for measuring and reporting. In Chapter 5 on measuring and reporting, I listed several options for security frameworks and standards that you can use to determine where you need to have processes and controls in place. PCI-DSS with its 12 high-level requirements and 300+ detailed requirements is a necessary standard for any portions of your network that handle payment card data. Likewise, NIST 800-53 with its 18 security control families and detailed implementation guides provides a wonderful blueprint for a robust collection of processes. Finally, the CISSP 8 Practice Domains and CIS Critical 20 Security Controls would provide any nascent or recovering program with an inventory of critical must-have processes with which to build a solid program. Any of these will help you create a baseline of processes upon which you can build your inventory and perform your assessment.
For each process, you should uncover activities, organized into procedures and described as work instructions, along with metrics for measuring effectiveness and the roles that individuals will play in those processes. Mature, well-documented processes will also describe opportunities for improvement. Wherever activities, procedures or work instructions call out an interaction with a tool, which can be commercially purchased (referred to as COTS or Commercial Off the Shelf), licensed as a SaaS (Software as a Service) offering, a personal productivity application such as MS Excel, or a homegrown tool, that should be recorded in your tools inventory.
In many cases you’ll have more than one process that relies on the same tool and you’ll often have several tools that are used for a single process. Make sure you note these inter-relationships because they will be important later when you are forced to make decisions about how to allocate your scarce resources. It’s also important to note that some tools that play a part in processes that you own, in whole or in part, are not actually owned or possibly even administered by the Information Security team. Finally, remember to include tools you use purely for reporting or governance activities in addition to your prevention and detection tools you use to protect your organization from threats.
Because we technologists so often place so much of our faith in tools, we often miss the importance of people and process in producing any business outcome. For this reason, I recommend that you seek out people within your operations teams who must bridge the gaps between what your tools produce and the outcomes the business requires. Also sit down with your auditors, internal and external, to understand how they audit key IT processes and your organization’s contractual performance. Regardless of the tools in place, the work must get done and the operations personnel and audit community know how tools are used, augmented and worked around. Look for gaps, ask about what is not covered, and determine what is done manually.
Once that you have your process portfolio documented and you know what tools you have, which processes they are used for, and who owns and administers them, you are ready for the next steps. Now you will…
Copyright © 2016, 2018 CISO DRG JV – All Rights Reserved.