An independent review of security controls by a third party is often required by organizations. This process involves a third party who is hired to evaluate your systems and policies against a list of information assurance controls that are part of a standard. This standard can be SOX, COBIT, FedRAMP, or any other standard, depending on the industry or agency and the nature of the data.
Third party data processing is where your organization utilizes the services of another organization to perform some action involving the data supplied or gathered on behalf of the originating party. That service may store, process, gather, transform, or otherwise have access to the data for your business purposes.
Every application needs a name that it is referred to by, whether for internal or external use. Naming an application and setting boundaries as to what is part of that application and what that application is connected to is an important part of defining scope and assigning responsibilities.
A risk management program evaluates observed risks to your organization’s security.
Typically a risk management program will dictate that all factors generating risk are evaluated on a regular basis (e.g. monthly, quarterly, or annually) and that any issues which arise in between regular analysis are evaluated.
Risks are also classified into severities such as High, Medium, or Low. The program will also dictate how quickly you expect issues to be addressed based on the severity level.
Finally, the risk management program should be documented and approved, and ultimately upheld, by the business owner or executive management such as the CEO.
For example, the lack of hard disk encryption on employee laptops could present a medium risk as the loss of a laptop would expose all information on that laptop to someone that finds it. Your risk management policy may dictate that medium risks are addressed within 90 days or the risk must be accepted by the system owner and the most senior security officer.
The asset inventory is a list of all systems, virtual machines, networking equipment, and other devices/software that comprise the system or IT infrastructure.
This list should include details about each device including, as applicable, name, make and model, serial number or license key, location, IP address(es), MAC address(es), owner and/or technical contact, and function or description. This information may be found in an asset management system or in a configuration management database (CMDB).
An asset management policy specifies how to track and manage assets. As part of the management process, assets should be tracked from arrival to disposal. This includes the initial inventory of the systems, asset tagging, and the lifecycle process for tracking the location of each asset through to its disposal.
Audit logs contain information about user access and activities, server or application activity, and other information about actions on the system. Automated reviews and alerting can detect the subset of events that have been seen before, but they lack the ability to detect and understand new or different events and certain types of events or event sequences. Thus, the audit logs still need to be reviewed.
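An added example (not from the original text) of the two halves of audit log review described above: a rule catches a known pattern (repeated login failures followed by a success), while events of a type no rule covers are set aside for a human reviewer. The log format, event names, and threshold are assumptions for this example.

```python
from collections import Counter

# Constructed sample audit log (not from the original page): "timestamp user event detail".
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice login.success src=10.0.0.5
2024-05-01T09:00:07 bob login.failure src=10.0.0.9
2024-05-01T09:00:09 bob login.failure src=10.0.0.9
2024-05-01T09:00:12 bob login.failure src=10.0.0.9
2024-05-01T09:00:15 bob login.failure src=10.0.0.9
2024-05-01T09:00:18 bob login.failure src=10.0.0.9
2024-05-01T09:00:20 bob login.success src=10.0.0.9
2024-05-01T09:05:00 carol sudo.command cmd=/usr/sbin/useradd
2024-05-01T09:06:30 alice file.read path=/srv/reports/q1.pdf
"""

# Event types that existing automated rules understand (assumed "seen before" set).
KNOWN_EVENTS = {"login.success", "login.failure", "file.read"}
# Number of consecutive failures that makes a following success suspicious (assumed).
FAILURE_THRESHOLD = 5


def parse_log(text):
    """Split each line into a (timestamp, user, event, detail) tuple; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) == 4:
            records.append(tuple(parts))
    return records


def rule_alerts(records):
    """Automated rule: FAILURE_THRESHOLD or more login failures by one user
    followed by a success for that user. Returns (timestamp, user, reason) alerts."""
    alerts = []
    failures = Counter()
    for ts, user, event, _detail in records:
        if event == "login.failure":
            failures[user] += 1
        elif event == "login.success":
            if failures[user] >= FAILURE_THRESHOLD:
                alerts.append((ts, user, f"{failures[user]} failures then success"))
            failures[user] = 0  # a success resets the streak
    return alerts


def unknown_events(records):
    """Events no rule covers. These cannot be judged automatically and are the
    part of the log a person must read."""
    return [rec for rec in records if rec[2] not in KNOWN_EVENTS]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for alert in rule_alerts(recs):
        print("RULE ALERT:", alert)
    for rec in unknown_events(recs):
        print("NEEDS HUMAN REVIEW:", rec)
```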
Every organization wants to ensure that their information or money is not misused by employees or external contractors. As part of the effort to ensure that individuals will not act maliciously, companies perform background checks or background screenings on potential or current employees and expect contractors and other third parties to do the same.
All backup and archival media containing customer data, personally identifiable information (PII), or protected health information (PHI) should be in secure, environmentally controlled storage areas owned, operated, or contracted for by your organization. If backup media (e.g. tapes) are stored offsite, the media should be encrypted and tracked.
Backups limit the amount of data lost in the event of a storage failure, corruption, or other event. They should be scheduled to happen on a regular basis. Backups are not replaced by data replication due to the possibility of replicating corrupt data before it is discovered.
A “business associate” is a person or entity, other than an employee, who has access to Protected Health Information (PHI) that the company stores or manages. This may include contractors and subcontractors of the company. The HIPAA Rules generally require that the company and business associates enter into contracts to ensure that the PHI will be appropriately safeguarded. The business associate contract also serves to clarify and limit the permissible uses and disclosures of PHI.
Business continuity is the continuation of business operations in the event of an interruption to the “normal” means of conducting business. The interruption could be the loss of computer systems due to natural disaster or cyber attack, loss of a facility due to fire or natural disaster, or even the ability to gather everyone in the same location due to a pandemic.
A business continuity plan (BCP) lays out how to continue to conduct business in the event of such an interruption.
A Business Resiliency Plan that is outdated may have areas that are not applicable to the current state of the business. A Business Resiliency Plan lays out policies and procedures that keep the business operational in the case of an adverse situation or disaster. In order to make sure that the plan is still relevant to all aspects of your organization, it should be reviewed regularly and updated as needed, sometimes even between reviews.
Configuration Management (CM) is a process of proposing, authorizing, and implementing system or software changes. Configuration Management is important for organizations because of system drift and in some cases regulations. System drift is where a system, over time, changes from the established baseline. Drifting from the established baseline can make supporting the systems harder and introduce security vulnerabilities.
Audit logs provide valuable insights into the operations of a system. Audit logs can record who accessed the system, what actions they performed, and other details about users. Additionally, audit logs can be configured to record all system calls and program actions. All of this makes audit logs very valuable for investigations, whether they be security related or as to why a system or application may be failing.
When was your company founded? This is the formal date of incorporation, signing the partnership agreement, or registering the business, depending on what form of legal entity your company is. This also might be asked in the form of number of years in business, and this is the number of years since the company became a legal entity.
Cyber security insurance can help offset the cost of a data breach and is becoming a standard requirement for many organizations. Depending on the policy, cyber insurance can pay for forensics, defense costs, cyber extortion payments and cover any liability to other organizations.
Data loss controls are designed to prevent data from being exfiltrated from the organization. There are many different controls that can be put in place to reduce data loss: policies and procedures, as well as technical controls. Policies and procedures can specify how data is handled, where and how it is stored, and other controls, such as limiting access. Technical controls may include everything from outbound firewall rules to dedicated data loss prevention (DLP) devices on the network. DLP devices look for certain patterns of information and, based on those patterns and the destination, may stop the network connection.
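An added example (not from the original text) of the pattern matching a DLP control performs on outbound content: a card-number pattern is confirmed with a Luhn checksum to cut false positives, and the decision depends on both the finding and the destination. The sample messages, patterns, and allow/alert/block policy are assumptions for this example.

```python
import re

# Constructed sample outbound message bodies (not from the original page).
SAMPLE_MESSAGES = [
    "Invoice 2024-0017 attached, total due 1,250.00 USD",   # no sensitive pattern
    "Please charge card 4111 1111 1111 1111 exp 12/26",    # Luhn-valid test card number
    "Ticket ref 4111-1111-1111-1112 is still open",        # 16 digits but fails Luhn
    "SSN on file: 123-45-6789, please update",             # SSN-shaped pattern
]

# The card regex deliberately over-matches (13-19 digits with optional separators);
# the Luhn check below removes ticket numbers and other digit runs.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Digit strings that look like card numbers AND pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text: str, destination_external: bool) -> str:
    """Decide what the DLP control does with one message: 'allow', 'alert', or 'block'.
    Policy (assumed): findings going to an external destination are blocked,
    findings staying internal are logged and alerted on."""
    findings = []
    if find_card_numbers(text):
        findings.append("card")
    if SSN_RE.search(text):
        findings.append("ssn")
    if not findings:
        return "allow"
    return "block" if destination_external else "alert"


def redact(text: str) -> str:
    """Mask all but the last four digits of each Luhn-valid card number."""
    def _mask(m):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "*" * (len(digits) - 4) + digits[-4:]
        return raw
    return CARD_RE.sub(_mask, text)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(classify(msg, destination_external=True), "|", redact(msg))
```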
In order to protect an individual organization’s data from unauthorized access or disclosure to other parties, data should be segmented on the basis of organization. An example of segmentation would be to use a different database instance for each organization.
Data generated in a country or about a country’s citizens is often required to be handled in specified ways based on the laws of that country. Some of these laws require that the data be kept in the country or only exported to countries with the same or similar laws regarding the use and handling of that information.
The location of data storage affects how data must be handled and the availability of that data. Companies ask for location information so that they can understand the legal requirements related to that data. Disaster planning is also affected by locations of the data.
Disaster Recovery is the process of planning for the possibility of a major system failure and the recovery from such an event. Such an event may involve a major component failure or the complete destruction of the data center housing the assets. Recovery may be partial recovery, recovery of the whole system in a limited capacity, or complete recovery at full capacity at an alternate site.
Policies and procedures have little enforceability without some consequences for failure to follow them. Thus, there needs to be a way to respond to failures to comply with the policies and procedures. It should be organizational policy that there is some form of discipline associated with failure to follow policies and procedures. Usually, this includes discipline up to termination for egregious or repeated offenses.
A DMZ is a network between the internal, trusted network and the external, untrusted network, often the Internet. This is where you place servers that are offering services to the untrusted networks or Internet, but may still need to access or be accessed from the internal, trusted, network.
DMZ networks are separated from the internal network and from the external network by firewalls, which prevent traffic from flowing directly from the external network to the internal network. The firewall between the internal network and the DMZ allows only the minimal connections needed between the internal network and the DMZ network. The firewall between the external network and the DMZ allows only connections to the servers on the specified ports in order to offer their services to the external network.
Dynamic code analysis is also called Dynamic Application Security Testing (DAST). DAST is the process of analyzing an application by running it, sending data to it via its inputs and simulated clicks, and collecting the outputs and comparing them to a set of standards. Often the application has added instrumentation, or it is executed within an emulated environment. This is dynamic because it exercises the application’s logic and data flow through use. This allows the testing to see what portions of the code are called in response to different inputs and to see how the application responds. If the application does not handle an input correctly it may crash, run portions of the code that were not intended to be executed, or cause other situations that may reveal vulnerabilities in the application.
Standard employee (and contractor) agreements are core to enforcing a security policy at your organization. Your employee agreement sets the terms for your workforce’s employment which ensures all parties have an understanding of how employment starts and ends. Specifically, stating how employment would be terminated is important in the event of the worker not adhering to your policies.
Encryption at rest ensures that data is encrypted when it is written to a storage medium. Hard drives or volumes on virtualized storage must be encrypted, and backup tapes also need to be encrypted. It is important to encrypt all removable media, including hard drives and USB sticks.
Production and test/development environments should be separated from each other both physically and logically. Data and applications should not flow between the two without safeguards.
Vulnerability scanning uses software to attempt to connect to hosts on a specified range of ports. When the scanner detects that a port is open, it tries to identify whether the software listening on that port is vulnerable to any of a list of known vulnerabilities. If the system proves to be vulnerable, the finding is added to the report.
The information from a vulnerability scan can be used to either attack the system using known weaknesses or to create a list of vulnerabilities to be addressed.
The General Data Protection Regulation (GDPR) is European legislation that imposes certain protection requirements and provides certain rights to EU citizens. Some of the rights include the right to be forgotten and the right to know how your data is used; the data also has to be kept within the EU so that the regulations cannot be avoided.
Hardening is the process of securing the operating system and applications through the installation of patches and updates, plus making changes to the settings to ensure that they are secure. Virtual images are “templates” that virtual machines are created from.
Hardware security modules (HSM) are network devices that store and generate cryptographic keys for use by applications on the network. An HSM is a highly secure device that uses standard protocols to ensure that the request is authenticated and the key is transmitted securely. An HSM uses hardware to generate, store, and protect all the keys; this hardware is tamper resistant and will destroy the key material before allowing a physical attack to succeed.
HTTPS is the secure version of the HTTP protocol used by the web. HTTPS uses encryption, SSL or now TLS, to protect the connection as the requests and responses flow across the network. HTTPS can also prove the identity of the remote server through the use of a certificate signed by a trusted Certificate Authority (CA). Similarly, the identity of the user can be established by the use of client certificates, although this is rarely used.
Every organization should have a human resources policy. The human resources policy should include the policies and procedure on how to deal with employees, such as how to do reviews, how to request and approve vacations, how to onboard employees, how to terminate employees, how to discipline employees, and other human resource related issues.
An incident contact is the person or team to whom a security issue can be reported. A security incident is not the time to start looking for the contact information of an organization that may be involved.
Internal vulnerability scanning is the use of a vulnerability scanner to scan the internal networks for vulnerabilities. The vulnerability scanner uses a set of rules to look for vulnerabilities caused by software weaknesses or misconfigured services.
Intrusion Detection Systems (IDS) monitor the network and watch for patterns of traffic that match a predefined set of rules that indicate malicious activity. Some IDS systems also have the ability to look for patterns of network traffic that may not match a rule, but still indicate malicious activity. IDS systems alert on these events, but otherwise do not interfere with network traffic. Another type of system, Intrusion Prevention Systems (IPS), use the same rules or technologies to detect malicious activity, but go a step further in blocking the traffic before it can reach its destination.
A list of applications lists all the software applications used within the system to operate as intended. This list may include server software, backend applications, desktop applications, and even supporting software that operates “behind the scenes”.
A list of all subcontractors should be kept that includes: the name and contact information for the subcontractor, the work they do for the organization, and what projects or data they have access to. This list simplifies the process of managing data and data access permissions.
Scheduled maintenance downtime, or maintenance windows, are periods where the system may be unavailable while maintenance, such as upgrades, replacing parts, or installing new hardware or software, is performed. This is a scheduled event that should happen during off-peak usage hours and recur at the same time each period. Exceptions to the schedule are generally only permitted for critical maintenance, and users should be notified to the greatest extent possible.
Malware represents a large threat to an IT environment. Malware refers to viruses, trojan horses, ransomware, adware, spyware, and many other types of malicious software. A malware policy defines how to address malware, in particular how to prevent and respond to infections.
Medical information, also called Protected Health Information (PHI) is a special class of information that contains details about an individual's health and identity.
Multi-Factor Authentication (MFA) should be used for remote access to ensure the identity of the individual attempting to gain remote access to the network or system. MFA adds another factor to the login process. Traditional authentication relies on something you know, such as a password. MFA adds something that you have, in the form of an authentication token or a cell phone.
A mobile application is software that runs on a mobile device, such as a smartphone or tablet. These applications often access cloud based applications or services to provide information to the user.
Monitoring internal risk is a large part of a risk management plan; it involves knowing what the vulnerabilities are and an attacker’s ability to exploit them. Vulnerabilities can be fixed, mitigated, or accepted. Monitoring the risk ensures that changes in circumstances that would increase the system risk are noticed.
A pandemic or other major event can affect staff availability. A plan for such an event can help mitigate the impact of the event. The plan needs to lay out how to respond to such an event. Are you an information organization, can workers work from home? Are you a products based organization, can you add multiple shifts to the warehouse with smaller crews to increase social distancing? Are you a service based organization, is there a means of effective personal protective equipment (PPE) or barriers? The Pandemic Outbreak plan needs to address the needs of your organization and provide answers on how your organization can continue to serve its customers or clients.
Hashing is a way to store passwords in a form that cannot be read back, while still allowing them to be used to authenticate to the system. By adding a random salt to the password during hashing, the hashed password cannot be checked against a list of pre-hashed passwords. Hashing itself is related to encryption, but is a one-way function. An entered password can be hashed and compared to the stored hashed password, and if they match, authentication is confirmed.
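An added example (not from the original text) of salted one-way password storage as described above, using PBKDF2-HMAC-SHA256 from the Python standard library: a fresh random salt per password, a self-describing stored record, constant-time verification, and a check showing that the same password stored twice yields different records, which is what defeats a list of pre-hashed passwords. The record format and iteration count are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt size chosen for this example (assumptions, not from the page).
ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a stored record 'pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>'.
    A fresh random salt is generated unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (
        ALGO,
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record
    and compare in constant time. Malformed records simply fail verification."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        if algo != ALGO:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        iterations = int(iters)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def same_password_gives_different_records(password: str) -> bool:
    """Why a precomputed table of hashes does not work against salted storage:
    storing the same password twice produces two different records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify correct:", verify_password("correct horse battery staple", rec))
    print("verify wrong:  ", verify_password("Tr0ub4dor&3", rec))
```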
Payment Card Industry (PCI) is a trade group. However, they publish the PCI Data Security Standard (DSS) for computer security that must be followed in order to process credit card transactions through computer networks. A quick reference for the current PCI DSS is available here: https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Supporting%20Document/PCI_DSS-QRG-v4_0.pdf
PCI DSS has many controls, but 6 main goals:
Build and Maintain a Secure Network and Systems
Protect Account Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
A penetration test, or pentest, is an exercise where a group, usually a third party, attempts to gain access to the target’s network or system. The group could be a dedicated internal group, but is usually a third party specializing in security and penetration testing. Permission is granted to this group to attempt to gain illicit access to the system, often without the knowledge of the internal security team, except for management or higher-level engineers.
The purpose of this exercise is to determine if there are weaknesses or vulnerabilities in the system that are not detected by vulnerability scans. These vulnerabilities may be because of the system design, social engineering weaknesses, business logic weaknesses, or other factors that are not detected through automated methods.
Penetration tests (pentests) should be a regularly scheduled activity. Pentests are an attempt by a third party, acting like a malicious party, to gain access to a system or network. Pentests simulate an attack that goes beyond simple vulnerability scans: they attack the configuration, design, implementation, and logic of the system, which cannot be tested through simple vulnerability scans.
Physical security is a broad topic that includes all aspects of making sure that the organization’s buildings, assets, and employees are protected from harm and malicious acts. Controls often include alarm systems, access control systems, restricting guest access, and other controls to prevent unauthorized access to the environment. Physical controls also frequently include measures addressing disaster preparedness, including fire suppression systems, and even accounting for threats from natural disasters through threat modeling.
Privileged accounts, accounts with the ability to manage systems or users, should be reviewed or audited on a regular basis. They should be reviewed to ensure that they are still required, have appropriate access levels, are active, and the owner is still in the same position with the organization.
Production data, that is real data from “customers” that is gathered or used in the production environment, should not be used in non-production environments. Non-production environments include, but are not limited to, development, quality assurance (QA), test, and user acceptance testing (UAT).
Protected Health Information (PHI) is a classification of the data specified by HIPAA. PHI is any information that identifies individuals and contains their medical information. HIPAA requires that this information be handled properly and protected from disclosure. There are many requirements laid out in HIPAA, including storage, transmission, access, and more.
Some services require the use of software installed on the organization’s computer systems.
Incident disclosures indicate that there has been a security breach or data loss. Disclosures can be voluntary or required by law, depending on the nature of the incident and the jurisdiction(s) of the organization or contents of the data. In the United States, some states require an incident disclosure if any of their residents’ personal information might have been involved.
Removable media includes everything from CDs and DVDs to USB sticks and hard drives. This media is easily lost or stolen since it is small and easily transportable. Because of the high risk of loss or theft, the use of removable media increases the risk of data disclosure or loss.
A good removable media policy specifies how and when removable media may be used, reducing the likelihood of data loss or disclosure. The removable media policy should have limits on use and specify that the devices must be encrypted. Encryption prevents data disclosure even if the device is lost or stolen.
Data wiping is removing data from storage media before the media is disposed of, reused, or otherwise removed from its current production use. Secure data wiping is an enhanced version of removing data from the media. Secure data wiping usually requires overwriting of the entire disk with specified patterns to ensure that the original data is not recoverable.
Human beings are one of the weakest links in the security perimeter that organizations try to maintain. Human nature is wired in such a way that people want to be helpful and compliant. Hackers, scammers, and other malicious people attempt to take advantage of this fact to gain access to an organization’s systems or to steal money from the organization.
Security awareness training teaches people about the threat from these malicious people, how they operate, what to look for that might indicate an attack or a scam, and how to respond to the attack or scam.
A security breach can be a major source of concern for an organization, whether it occurs within your organization or at another organization with access to or copies of your information. But not all incidents grant the attacker access to sensitive systems or information. Some security breaches could be of a low-value system with nothing but public information on it, or could be stopped before the attacker could pivot and gain access to sensitive systems. The details of each security breach will tell the reader what was breached, what information or data was affected, the value or sensitivity of that data, and what was done to remediate the situation.
Servers are often used to store and process data, including data from other organizations. Processing can also be performed on desktop or laptop computers.
Service Level Agreements (SLA) are agreements in which a provider commits to deliver the contracted service within certain parameters. An SLA also often specifies the penalties for failing to meet this commitment.
The parameters specified in an SLA usually include uptime specification in the form of total availability and hours of operation, allowing for maintenance. The penalties for failing to meet the SLA range from service credits to termination of the contract.
Session timeout is the process by which the application or system logs a user out of the current session after inactivity for a period of time.
Single sign-on (SSO) allows a user to authenticate to one system and leverage this to use a different system. There are many different technologies that can be used to connect the systems for authentication purposes. These include SAML, OAuth, or OpenID.
Source code is the instructions that make up an application or utility for the computer in human-readable form. The source code is compiled or interpreted by the computer to run the application.
Access to the source code should be restricted.
Static Code Analysis (SCA) is the process of analyzing the source code of an application without executing the application. The SCA tool reads in the code and looks for errors and vulnerabilities that exist in the code. Some examples that the analyzer may look for include:
Not initializing variables before use
Known unsafe function calls
Inconsistent interface between modules and components
Unreachable code or “Dead Code”
Failure to follow standard coding practices
Syntax violations
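An added example (not from the original text) of a minimal static analyzer over Python source, covering three items from the list above: known unsafe function calls, unreachable code after a return or raise, and syntax violations. It walks the abstract syntax tree without executing anything. The set of unsafe call names and the sample source are assumptions for this example.

```python
import ast

# Callee names this checker treats as known-unsafe (assumed list for the example).
UNSAFE_CALLS = {"eval", "exec", "os.system", "pickle.loads", "subprocess.call"}

# Constructed sample source to analyze. It is parsed, never run.
SAMPLE_SOURCE = '''
import os

def run(cmd, user_input):
    os.system(cmd + user_input)   # shell command assembled from input
    result = eval(user_input)     # evaluates arbitrary input
    return result
    print("never reached")        # unreachable after return
'''


def _call_name(node: ast.Call) -> str:
    """Dotted callee name such as 'os.system', or '' for calls we cannot name."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""


def analyze(source: str) -> list:
    """Return sorted (line, message) findings for the source text."""
    try:
        tree = ast.parse(source)
    except SyntaxError as e:
        # A syntax violation stops analysis; report it as the only finding.
        return [(e.lineno or 0, f"syntax error: {e.msg}")]

    findings = []
    for node in ast.walk(tree):
        # Known unsafe function calls.
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in UNSAFE_CALLS:
                findings.append((node.lineno, f"known unsafe call: {name}"))
        # Dead code: any statement following a return/raise in the same block.
        if isinstance(node, (ast.FunctionDef, ast.If, ast.For, ast.While, ast.With)):
            for block in (getattr(node, "body", []), getattr(node, "orelse", [])):
                for i, stmt in enumerate(block):
                    if isinstance(stmt, (ast.Return, ast.Raise)) and i + 1 < len(block):
                        findings.append((block[i + 1].lineno,
                                         "unreachable code after return/raise"))
                        break
    return sorted(findings)


if __name__ == "__main__":
    for line, msg in analyze(SAMPLE_SOURCE):
        print(f"line {line}: {msg}")
```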
Third party vulnerability scans are scans of your organization from outside the network by a separate company. These scans attempt to identify vulnerabilities in your organization’s Internet facing systems.
Time synchronization between all systems is important for logging, certain authentication methods, and other system administration purposes. Network Time Protocol (NTP) or Simple Network Time Protocol (SNTP) can be used to synchronize time across systems on a network. A typical configuration involves the use of a few authoritative time servers that all other systems sync to. These authoritative servers should be connected to a highly accurate time source such as a stratum 1 or stratum 2 time server fed by GPS or, in extreme cases, an atomic clock. The most important consideration is that all the machines agree on the time, so even if a stratum 1 or 2 source is not available, sync to the most accurate time source possible and have all systems sync to that source.
Oftentimes, organizations use outside vendors or subcontractors as part of their business processes. Some of these vendors need access to data in order to perform the function for which they are contracted. As a result, some risks that the vendor has are now assumed by your organization since they have access to the data you are charged with protecting.
Vendors should be reassessed for security posture and controls at least annually and whenever a contract is to be renewed. Security controls and policies should be reviewed and, if appropriate, a penetration test should be conducted, or the results of an independent penetration test provided.
Vulnerability management is the process of addressing vulnerabilities. Vulnerabilities can be addressed in a number of ways. They can be remediated, mitigated, or accepted. A vulnerability management program specifies how to address the vulnerabilities, in what order, and in what timeline.
A vulnerability management process defines how to detect, assess, and mitigate or remediate vulnerabilities in a system.
A web application firewall (WAF) is a firewall that operates at the application layer (OSI layer 7). It does not focus on the source and destination network addresses but rather on what is in the HTTP(S) requests and possibly responses. A WAF contains a list of rules for the requests that can be sent to web applications. Some WAFs also monitor responses from the application.