Case Study: Comprehensive Security Assessment
Confidential Client — National Bank
The security team of a national bank found itself at maximum capacity, with no ability to take on new systems, technologies, or additional responsibilities. The team also lacked key policies and standards that it knew it needed in order to be more productive and effective. Staffing within the Access and Identity Management (AIM) group was a challenge. Other internal departments placed excessive work on the security team without consideration of timing or cost. Because of these resource constraints the team had become reactive, making it hard to prevent attacks and protect the organization.
IANS, a leading decision-support and consulting firm in the information security industry, was called in to assess and help resolve these issues. IANS worked with the client to create an Information Security Program Roadmap: a direct strategy with a short-, medium-, and long-term vision covering one to three years.
The IANS approach took the existing staffing constraints into account and delivered a strategy that could be built in increments over time:
- Prioritize findings and requests from external and internal departments based on risk and cost.
- Assign monetary and staffing estimates to the demands that other departments place on the Information Security team, so that each demand can be evaluated for its return on investment.
- Centralize all policies and standards in a formal repository that can be communicated to all employees.
- Process improvement: review the processes currently in place for each group and identify where efficiency can be gained, in order to improve the effectiveness and reliability of those processes. Conduct an annual review cycle to meet the mid-term process improvement objectives.
- Policy adoption: once policies have been centralized, establish a communication strategy around what each policy means and to whom it needs to be delivered.
- Procedure adoption: have appropriate procedures in place for when a given event occurs or a new machine is provisioned, so that a baseline level of security is established across the organization.
- Education and awareness: consider expanding the company’s current education and awareness program to have a year-round impact rather than occurring once a year.
- Repeatability: formalize a repeatable, detailed approach to each of the services the team offers, with defined injection points into IT and the business.
- Continual improvement: address the four pillars of Information Security (AIM, GRC, IS Ops, and Cyber), putting additional resources and new protections in place as new needs emerge.
- Automation: automate, through technology or process, the ability to perform certain functions within the IS department, to promote efficiency, reliability, and repeatability.
- Proactive functioning: in its early recommendations around ROI, IANS suggested a more planned approach to each year’s objectives within IS. This allows the organization to take a more effective, proactive approach to security, with decisive deliverables and key performance indicators.
IANS conducted more than 20 interviews with senior individuals within the organization in order to understand where the main focus of the information security program should be directed. IANS used the interview questions as a framework for recommendations on several topics:
Access and Identity Management Program
IANS detailed how to advance the AIM group’s program over time. While a number of regulatory and compliance requirements are already being met, it is important to enhance and improve what currently exists rather than treat compliance as the end state.
Network Segmentation and Isolation
Begin to isolate the core servers critical to the business from the rest of the organization, and treat the internal network as much of a hostile zone as the external perimeter. Proper network segmentation and isolation of departments within the organization will improve the company’s overall security posture.
Cloud Adoption
The type and classification of the data involved should be determined before moving any workload to cloud infrastructure.
ATM Network Segmentation
Fully segment the ATM network from the corporate network and permit only a limited, explicitly defined set of flows between the two. Enforcing the restriction on both sides, rather than trusting one direction, means that a compromise of the corporate network does not give an attacker a path into the ATM network, and a compromised ATM cannot be used to pivot back into the corporate network.
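The segmentation recommendations above (isolating critical servers from the internal network, and splitting the ATM network from the corporate network with only limited traffic allowed in either direction) are easiest to reason about as a firewall policy that can be checked mechanically. The following is an added example, not part of the IANS case study and not the bank’s real configuration: it parses a small subset of iptables-save syntax, evaluates packets against the FORWARD chain with first-match semantics, and audits whether a rule set is mutually default-deny between two segments with only an explicit allow-list permitted. The address plan (10.50.0.0/16 for ATMs, 10.10.0.0/16 for corporate), the two rule sets, and the allow-listed flows are all constructed for the illustration.

```python
"""Check an iptables-style FORWARD chain for ATM/corporate segmentation.

Address plan, rule sets and allow-list are constructed for this example;
they are not the bank's real network or policy.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")
ATM_NET = ipaddress.ip_network("10.50.0.0/16")   # assumed ATM segment
CORP_NET = ipaddress.ip_network("10.10.0.0/16")  # assumed corporate segment

# Weak policy (constructed): the two segments can reach each other freely.
WEAK_RULES = """
-A FORWARD -s 10.50.0.0/16 -d 10.10.0.0/16 -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -d 10.50.0.0/16 -j ACCEPT
-A FORWARD -j ACCEPT
"""

# Hardened policy (constructed): replies to allowed sessions, one ATM-to-gateway
# flow, one jump-host-to-ATM flow, then an explicit DROP in both directions.
HARDENED_RULES = """
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.50.0.0/16 -d 10.10.5.10/32 -p tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.10.7.20/32 -d 10.50.0.0/16 -p tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.50.0.0/16 -d 10.10.0.0/16 -j DROP
-A FORWARD -s 10.10.0.0/16 -d 10.50.0.0/16 -j DROP
-A FORWARD -j DROP
"""

# Flows the business needs (src, dst, proto, dport, label); assumed values.
ALLOWED_FLOWS = [
    ("10.50.3.7", "10.10.5.10", "tcp", 443, "ATM -> transaction gateway HTTPS"),
    ("10.10.7.20", "10.50.3.7", "tcp", 22, "jump host -> ATM SSH"),
]


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]
    dport: Optional[int]
    established_only: bool  # True for "--ctstate ESTABLISHED,RELATED" rules
    target: str


def parse_rules(text: str) -> List[Rule]:
    """Parse the subset of iptables-save syntax used above into Rule objects."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[0] != "-A":
            continue
        src, dst, proto, dport, est_only, target = ANY, ANY, None, None, False, "DROP"
        i = 2  # skip "-A FORWARD"; remaining tokens come in option/argument pairs
        while i + 1 < len(tokens):
            tok, arg = tokens[i], tokens[i + 1]
            if tok == "-s":
                src = ipaddress.ip_network(arg, strict=False)
            elif tok == "-d":
                dst = ipaddress.ip_network(arg, strict=False)
            elif tok == "-p":
                proto = arg
            elif tok == "--dport":
                dport = int(arg)
            elif tok == "--ctstate":
                est_only = "NEW" not in arg.split(",")
            elif tok == "-j":
                target = arg
            elif tok != "-m":  # "-m conntrack" / "-m tcp" only load match modules
                raise ValueError(f"unsupported token {tok!r} in {line!r}")
            i += 2
        rules.append(Rule(src, dst, proto, dport, est_only, target))
    return rules


def evaluate(rules, src, dst, proto="tcp", dport=0, new=True, policy="DROP"):
    """Verdict for one packet under first-match semantics.

    new=True is the first packet of a connection; new=False is a reply that
    conntrack has already associated with an accepted session.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.established_only and new:
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.target
    return policy  # chain default policy when nothing matched


def audit_segmentation(rules, atm_net, corp_net, allowed_flows, policy="DROP"):
    """Return a list of findings; an empty list means the segmentation holds.

    Probes representative unlisted flows in both directions (must be denied)
    and every allow-listed flow (must be accepted).
    """
    findings = []
    probes = [
        (str(atm_net[1]), str(corp_net[1]), "tcp", 445, "ATM -> corporate SMB"),
        (str(corp_net[1]), str(atm_net[1]), "tcp", 3389, "corporate -> ATM RDP"),
        (str(atm_net[1]), str(corp_net[2]), "tcp", 443, "ATM -> non-gateway HTTPS"),
    ]
    for src, dst, proto, port, label in probes:
        if evaluate(rules, src, dst, proto, port, policy=policy) == "ACCEPT":
            findings.append(f"{label}: {src} -> {dst}:{port}/{proto} allowed, expected deny")
    for src, dst, proto, port, label in allowed_flows:
        if evaluate(rules, src, dst, proto, port, policy=policy) != "ACCEPT":
            findings.append(f"{label}: {src} -> {dst}:{port}/{proto} denied, expected allow")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        result = audit_segmentation(parse_rules(text), ATM_NET, CORP_NET, ALLOWED_FLOWS)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The weak rule set produces three findings (both directions are wide open, and an ATM can reach any corporate host on 443, not just the gateway); the hardened set produces none, because each direction ends in its own DROP and only the two listed flows, plus replies to them, get through. The same audit can be pointed at a real iptables-save dump once the parser is extended to the options that dump uses.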
Lack of Standardized Secure Coding Practices
Developers should be required to undergo annual training in secure coding practices and should adopt a standardized set of secure coding practices that follows Open Web Application Security Project (OWASP) best practices.
Security in the Software Development Lifecycle
Security should be injected in the earliest stages of any new project or major revision of an existing program, not bolted on before release. Throughout the software development lifecycle, giving developers access to the same kinds of testing tools the security team uses helps them find and fix defects before the code reaches security review.
IANS assessed the client’s resource challenges and created an Information Security Program Roadmap for the security team. The roadmap outlined a detailed strategy to help the team become more efficient through standard approaches and methodologies. The ability to redirect existing resources resulted in a more proactive environment, where energy could now be focused on preventing future attacks rather than merely reacting to them.