Cybersecurity Culture: Process-Driven
August 07, 2020 by Becky Metivier
When building a cybersecurity culture, process plays an integral role. Every process should include learning, improvement, and accountability touchpoints, as well as end-to-end corroboration of the function it represents.
Let’s review what this looks like in practice.
#1 User & Equipment Provisioning
While these duties may be distributed among different people and roles, the process of user and equipment provisioning must be centrally managed. One individual should have a view of the function across the organization, and a standard form should document every system access grant and every piece of equipment provisioned.
Appropriate system access should be:
- Granted by approval, following the principle of least privilege: only the access required to perform job duties
- Changed if a person’s role changes
- Removed at time of termination
Additionally, all equipment must be recovered at the time of termination and any user accounts/passcodes changed or deleted.
#2 Change Management
Change management is setting a process to identify and implement changes. Change types should be classified according to the risk they present, and the controls around each type of change should correspond to that risk. For example, a low-risk change might be updating antivirus signature definitions, while a high-risk change might be updating critical applications on a server or changing a firewall rule.
The procedural and documentation rigor will vary with the type of change, and hence with its level of risk. That means for higher-risk changes, the process should require more approvals, more testing, more backout planning, more documentation, and so on.
In terms of a process, you want to provide end-to-end corroboration of the function it represents, so tie all changes performed to changes approved. Regular review of performed and planned changes should be scheduled. A Change Advisory Board can provide oversight, foresight, and hindsight to this process. Changes should also be reported to senior management or your Board of Directors.
#3 Cyber Risk Management
Effective cyber risk management starts with organizational risk criteria or a risk appetite statement to guide your risk assessment process. When assessing risks, use a standard methodology that is applied consistently across applications. The process involves:
- Understanding your vulnerabilities and the existing threats that might exploit them
- Assessing the impact to your organization if a vulnerability were exploited by a threat source
- Estimating the likelihood of exploitation, given your control environment
You want a repeatable process to ensure consistency. This will require training and documentation (institutional memory), so it becomes a living part of your organization that can withstand the loss or change of personnel performing the function.
Schedule risk assessments based on the criticality of the applications or processes you’re reviewing. You will also want a programmatic remediation process to deal with elevated and severe risks; each remediation item should be assigned an owner and tracked to completion.
Develop a Memorandum of Accepted Risk to document the risks you accept as an organization. Then review those each year to determine if there is some new solution – either technological or procedural – that can help you remediate the risk rather than just accept it.
Reporting is also important so senior management can be involved in determining your risk position.
#4 Account Review
As with user and equipment provisioning, this process should have centralized management with distributed performance: somebody owns the task, but the reviews themselves are performed by the managers who have custodial responsibility over the applications or systems. They are the ones who will know, when they look at a user list, who belongs and who does not.
Strive to only have active accounts tied to active employees and vendors.
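The following is an added example, not code from the original post or its author, showing how the provisioning rules in #1 (remove access at termination, change it when a role changes) and the account review in #4 can be checked mechanically. It reconciles a constructed system account export against a constructed HR/vendor roster and groups the findings by system, so each custodian gets only the accounts they are responsible for. The data classes, the `ROSTER` and `ACCOUNTS` sample data, and the system names are assumptions; in practice these come from your identity management and HR exports.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    person_id: str
    kind: str     # "employee" or "vendor"
    status: str   # "active" or "terminated"
    role: str     # current job role per HR


@dataclass(frozen=True)
class Account:
    system: str   # application/system; its custodian reviews this group
    username: str
    owner_id: str # person the account is tied to
    role: str     # role the access was approved for at provisioning time
    enabled: bool


# Constructed sample data (hypothetical people, ids and systems).
ROSTER = [
    Person("E100", "employee", "active", "accounting"),
    Person("E101", "employee", "terminated", "helpdesk"),
    Person("E102", "employee", "active", "engineering"),
    Person("V200", "vendor", "active", "support"),
]
ACCOUNTS = [
    Account("erp", "alice", "E100", "accounting", True),
    Account("erp", "bob", "E101", "helpdesk", True),           # owner was terminated
    Account("vpn", "carol", "E102", "helpdesk", True),         # owner's role changed since approval
    Account("vpn", "vendor-support", "V200", "support", True), # active vendor, still valid
    Account("erp", "svc-legacy", "E999", "batch", True),       # no owner on the roster at all
    Account("vpn", "dave", "E101", "helpdesk", False),         # already disabled, nothing to do
]


def review_accounts(accounts, roster):
    """Return {system: [(username, finding)]} for enabled accounts that need action.

    An account is flagged when it has no owner on the roster, when its owner is no
    longer active, or when the owner's current role differs from the approved one.
    """
    people = {p.person_id: p for p in roster}
    findings = defaultdict(list)
    for acct in accounts:
        if not acct.enabled:
            continue  # only active accounts matter for the review
        owner = people.get(acct.owner_id)
        if owner is None:
            findings[acct.system].append((acct.username, "orphaned: no owner on roster"))
        elif owner.status != "active":
            findings[acct.system].append(
                (acct.username, f"owner {owner.person_id} is {owner.status}: remove access"))
        elif owner.role != acct.role:
            findings[acct.system].append(
                (acct.username, f"role changed {acct.role} -> {owner.role}: re-approve access"))
    return dict(findings)


if __name__ == "__main__":
    for system, items in sorted(review_accounts(ACCOUNTS, ROSTER).items()):
        print(f"[{system}] custodian review needed:")
        for username, finding in items:
            print(f"  {username}: {finding}")
```

Disabled accounts are skipped deliberately: the review's goal is to confirm that every enabled account maps to an active, correctly roled employee or vendor, which is exactly what the custodian of each system is asked to sign off on.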
#5 Activity Review
It’s common knowledge that detective controls succeed when preventative controls fail, and there is no such thing as a 100% effective preventative control. That’s why daily log analysis is an important process in organizations with a cybersecurity culture. This process involves looking at your network and firewall logs to confirm that all the traffic that was allowed through should in fact have been permitted.
What is allowed through your defenses will often be more important than what is blocked – your firewall knows how to be a firewall if it’s maintained properly. Blocked traffic is worth reviewing, but malicious content often gets by firewalls and traditional automated systems.
Creating a process, or employing a service, where someone reviews your logs every day to identify anomalous or suspicious behavior can definitely bolster your ability to detect threats quickly.
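As an added example (not code from the original post or its author), here is the core of the allowed-traffic review described above: parse firewall log lines, keep only the ALLOW events, and compare each one against a baseline of what each source network is approved to reach. Anything allowed that is not in the baseline is what the daily reviewer should look at first. The key=value log format, the `LOG_LINES` sample and the `BASELINE` rule table are all constructed for this example and do not correspond to any particular vendor's format or rule set.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in a generic key=value format (not any vendor's format).
LOG_LINES = """\
2020-08-07T02:13:01Z action=ALLOW src=10.1.5.20 dst=203.0.113.10 dport=443 proto=tcp
2020-08-07T02:13:05Z action=ALLOW src=10.1.5.21 dst=198.51.100.7 dport=22 proto=tcp
2020-08-07T02:14:11Z action=BLOCK src=192.0.2.44 dst=10.1.5.20 dport=3389 proto=tcp
2020-08-07T02:15:30Z action=ALLOW src=10.1.5.22 dst=198.51.100.9 dport=5900 proto=tcp
2020-08-07T02:16:00Z action=ALLOW src=10.1.5.22 dst=198.51.100.9 dport=5900 proto=tcp
2020-08-07T02:17:45Z action=ALLOW src=10.2.0.5 dst=10.1.5.20 dport=443 proto=tcp
2020-08-07T03:00:00Z action=ALLOW src=10.1.5.20 dst=10.1.9.3 dport=53 proto=udp
"""

# Baseline of what SHOULD be permitted per source network: constructed for the example.
# In practice this is derived from the approved firewall rule set (see change management).
BASELINE = {
    ipaddress.ip_network("10.1.5.0/24"): {53, 80, 443},  # server subnet: web and DNS only
    ipaddress.ip_network("10.2.0.0/16"): {443},          # user subnet: HTTPS into servers only
}

LINE_RE = re.compile(
    r"(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            yield event


def find_unexpected_allows(lines, baseline):
    """Return allowed flows outside the baseline as (src, dst, dport, count), most frequent first.

    A flow is unexpected when its source is in no baseline network at all, or when the
    destination port is not on that network's approved list.
    """
    counts = Counter()
    for event in parse(lines):
        if event["action"] != "ALLOW":
            continue  # blocks are reviewed separately; the point here is what got through
        src = ipaddress.ip_address(event["src"])
        allowed_ports = next((ports for net, ports in baseline.items() if src in net), None)
        if allowed_ports is None or event["dport"] not in allowed_ports:
            counts[(event["src"], event["dst"], event["dport"])] += 1
    return sorted(((s, d, p, n) for (s, d, p), n in counts.items()), key=lambda t: -t[3])


if __name__ == "__main__":
    for src, dst, dport, n in find_unexpected_allows(LOG_LINES, BASELINE):
        print(f"unexpected ALLOW {src} -> {dst}:{dport} seen {n} time(s)")
```

Aggregating by (source, destination, port) keeps the daily review short even on busy networks: the reviewer sees a handful of distinct unexpected flows with counts rather than thousands of raw lines, and a flow that repeats every day either gets added to the baseline through change management or becomes an incident.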
#6 Threat Intelligence
The process for gathering and distributing threat intelligence can help organizations more quickly understand and effectively respond to the evolving threat environment. Like many of the processes we’re discussing, this should be centrally managed with tasks distributed as needed.
An effective threat intelligence process includes:
- Identifying sources that define and explain the evolving threat landscape and are relevant to your business
- Documenting how the sources will be used
- Assigning roles and responsibilities for collecting, assessing, and distributing the information
Actionable intelligence must be tied to the actions taken, and you should have a regular process for reviewing it.
Report out on what sources are working, what sources are not working, and how your organization is using the information. Again, this should go to senior management or the board, so they can stay informed.
#7 System Lifecycle Management
Security considerations should be woven into all lifecycle management conversations – from acquisition to destruction. When sourcing a system, involve someone who can perform the right checks and ask the right questions. It’s much easier to involve security from the beginning than to try to bolt it on at the end. Not doing so can cost more money, and once a project is frozen, it is frustrating for everyone to have security jump in and want to do more work.
Systems must be built and hardened according to the documented process before they are introduced into a production environment. Images should also be updated as patches and new versions become available; maintaining hardening at the image level makes it easier to deploy consistently built systems.
Lifecycle management is an end-to-end process, so you know what you bought, what its serial number is, and how it was built, hardened, managed, and destroyed. You even have a certificate of destruction with the serial number on it.
As we close our discussion of process and cybersecurity culture, remember that all of the processes we’ve discussed should be end-to-end, with points of accountability built in. Take a look at your current processes and see which components of a cybersecurity culture you might be missing that could improve your cyber resiliency.