Ensuring your security policy works
Alex Vovk explains how to leverage security policy and ensure it's performing correctly to prevent a data breach.
Organisations often make the mistake of assuming that implemented security controls are being applied effectively. While internal policies require regular review, the majority of businesses still do it only as part of compliance verification, if at all.
Every company, regardless of its size or industry, is advised to implement adequate measures to govern data usage, performance and security of IT systems and to be able to prove that they work properly. This is not only a key factor in compliance validation, but is also necessary to keep data safe.
Ensuring security policies perform effectively calls for teamwork across departments, C-level management and other stakeholders. Departments, including IT, should define their roles and responsibilities, agree upon the implementation plan and develop a system of verifications and emergency measures in case a breach occurs.
Define the scope
The first step in enhancing security policy is defining the scope of secured data, in order to limit the amount of sensitive information that could be accessed by violators. The scope needs to be regularly reviewed, considering changes in both technical and business processes.
The main point here is not to rush; so start with the most important systems containing the most sensitive data or hosting business-critical applications, and then gradually work down to the least important. This helps avoid work overload from the excessive amount of irrelevant reports people have to look through.
Making the scope smaller will also help cut hardware and software costs and improve visibility. If you are on a tight budget, start with systems for access control such as Active Directory including Group Policy and then extend to monitoring permissions and access to data stored in Share Point, Exchange, SQL and file servers.
Use compliance regulations as a guideline
Establishing security controls as part of a compliance framework is a chance to avoid or significantly minimise damage in the event of a security incident. Mature compliance requirements such as PCI DSS or ISO 27001 and many others, give organisations an idea of how to protect sensitive data, optimise their infrastructure and get rid of outdated processes to improve system performance.
However, compliance requirements should be considered only as a guideline, as they are a bare minimum for controls and do not guarantee that the risk of a data breach will be eliminated. The best action companies can take is to integrate regulatory compliance standards with other organisational processes for comprehensive security maintenance.
Monitor user activity
Insider misuse still remains a hard-to-detect security violation, but one of the most destructive. The 2015 Verizon Data Breach Investigations Report states that 55 percent of insider misuse comes from privilege abuse. So in order to minimise the risk of employees ‘breaking bad', watch closely for accounts with extended access rights and keep an eye on any suspicious rise in activity or unreasonable changes to permissions.
The best practice is to grant permissions adequately to users' business needs, establish continuous monitoring of user lists and disable the accounts of former employees as soon as they leave the company.
Have an emergency plan
Unfortunately, there is no silver bullet against a data breach. In such an event, the best thing you can do is admit you have already been hacked and plan ahead, how to deal with the consequences.
Since people are always on the first line of defence, make sure your employees understand how the implemented security policies work and what they should do in case they spot a security warning or notice malicious activity. The best practice here is to develop detailed instructions when training your employees to explain their actions in case of a violation.
Being able to stop a data leak due to a successful emergency plan is good; but proper investigation will ensure that lessons are learnt.
Review all recent events that stand out from normal behaviour, even if they are not a root cause of the breach. Make sure that you have established internal audit procedures that provide comprehensive documentation of changes made across the entire IT infrastructure such as disk images and detailed reports. This information is very helpful during the investigation as well as during further revision and adjustment of internal policies.
Be prepared that maintaining security while achieving complete visibility of an IT infrastructure and ensuring a non-stop control over the performance of every security component is a never-ending process. And once you have completed all steps, it is time to start all over again.
Contributed by Dr. Alex Vovk, CEO and co-founder of Netwrix.