To follow a path, you need a good map

How are IT security teams meeting the challenges posed by the increasing use of third-party platforms and services? These changes to the way a company’s IT infrastructure is provisioned give malicious actors a much wider attack surface to play with and, once they have gained access, a wider range of opportunities to move onward into the IT infrastructure of the target company.

Assuming the security team has a solid understanding of the organization’s business and its internal and external processes, a good starting point is to map all processes and sub-processes – IT, paper-based and others.

The purpose of this mapping is to identify the different boundaries between applications and services, including where third parties themselves use third party services. By doing so, you should be able to identify the type of control you should have over individual services and the interconnection boundary between services.

The ability to identify these controls, or lack thereof, coupled with business knowledge of what is at stake if a control fails (or is not present), leads to the development of a risk landscape and, from there, a risk management strategy. Note that this is, at this stage, a paper-only exercise.

The first step is to identify what is under the direct control of the organization – for example, on-site IT infrastructure and equipment such as PCs, laptops or mobile phones used by staff that are provided and maintained internally and subject to the organization’s own security policies, procedures and standards.

The second step is to identify the areas of infrastructure and service delivery that a third party provides, supports and maintains – here the organization relies on the third party’s own security policies, procedures and standards.

The third step is to identify areas that are critical to the functioning of the organization’s infrastructure, services and operations, but over whose security the organization has no controls at all – for example, the use of the Internet or other third-party networks.

Once these areas have been identified and documented, and the associated risks assessed and prioritized, the task of assessing the controls in place and their effectiveness can begin. The gap between what “should” be in place and what “is” in place, weighted by the priority of the risks, leads to a corrective action plan.

The following is my take on the controls I would typically look for. It is not exhaustive and I have not gone into detail – there are many sources of useful information, be it books, courses or internet research.

Looking first at step three, where you have no control over the service itself, the security measures you can take broadly fall into three areas:

  1. Encrypt data in transit – e.g. point-to-point encryption between systems and services, opportunistic TLS (STARTTLS) configured on mail servers, and encryption of email content on endpoints. Note that opportunistic TLS falls back to cleartext when the peer does not offer it, so on its own it only defeats passive eavesdropping; end-to-end encryption of the content is what protects against an active attacker on the untrusted network.
  2. Control data output so that only non-sensitive data is exposed to the uncontrolled network.
  3. Control data entry – for example, ensure all externally reachable interfaces are kept patched and subject to regular IT health checks so that no exploitable vulnerabilities remain exposed. Ensure that email systems and the associated Internet domain settings correctly publish and enforce SPF, DKIM and DMARC.
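The SPF, DKIM and DMARC settings in item 3 are something an IT health check can verify directly from DNS. The following Python script is an added example and is not code from the article: it audits the three TXT records for a domain against the common weak settings (an SPF record ending in `+all` or `?all`, more than ten DNS-lookup terms, a deprecated `ptr` mechanism, a DMARC policy of `p=none` or a reduced `pct`, a revoked or missing DKIM key). The records in `SAMPLE_DNS` are constructed sample data standing in for real DNS lookups; the domain names, the selector `s1` and the severity labels are assumptions. In practice you would replace the `lookup` callable with a resolver query (for example dnspython’s `dns.resolver.resolve(name, "TXT")`).

```python
import re

# Constructed sample records standing in for DNS TXT lookups (added example,
# not the article's own code). Domain names, selector and values are hypothetical.
SAMPLE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example "
                   "include:spf.crm.example ptr ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com",
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
    "hardened.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_dmarc.hardened.example": "v=DMARC1; p=reject; sp=reject; "
                               "rua=mailto:dmarc@hardened.example; adkim=s; aspf=s",
    "s1._domainkey.hardened.example": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
}

# Terms that each consume one of the 10 DNS lookups SPF permits (RFC 7208, 4.6.4).
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def audit_spf(record):
    """Return (severity, finding) tuples for an SPF TXT record."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [("high", "no valid SPF record (missing v=spf1)")]
    lookups, terminal = 0, None
    for term in terms[1:]:
        qualifier, body = "+", term
        if body[0] in "+-~?":
            qualifier, body = body[0], body[1:]
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append(("medium", "ptr mechanism is deprecated and slow; replace with ip4/ip6"))
        if name == "all":
            terminal = qualifier
    if lookups > 10:
        findings.append(("high", f"{lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror"))
    if terminal is None:
        findings.append(("medium", "no 'all' mechanism; unlisted senders get a neutral result"))
    elif terminal == "+":
        findings.append(("high", "+all authorises every host on the Internet to send as this domain"))
    elif terminal == "?":
        findings.append(("medium", "?all is neutral; forged mail is neither passed nor failed"))
    elif terminal == "~":
        findings.append(("low", "~all is softfail; acceptable only while DMARC enforces p=reject"))
    return findings


def parse_tags(record):
    """Parse the 'k=v; k=v' tag lists used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record):
    """Return (severity, finding) tuples for a _dmarc TXT record."""
    findings, tags = [], parse_tags(record)
    if tags.get("v") != "DMARC1":
        return [("high", "no valid DMARC record (missing v=DMARC1)")]
    policy = tags.get("p")
    if policy is None:
        findings.append(("high", "missing mandatory p= tag; record is invalid"))
    elif policy == "none":
        findings.append(("high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("low", "p=quarantine; move to p=reject once reports are clean"))
    if "rua" not in tags:
        findings.append(("medium", "no rua= address; you receive no aggregate reports"))
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(("medium", f"pct={pct} applies the policy to only part of the mail"))
    return findings


def audit_dkim(record):
    """Return (severity, finding) tuples for a selector._domainkey TXT record."""
    findings, tags = [], parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append(("high", "v= tag present but is not DKIM1"))
    if "p" not in tags:
        findings.append(("high", "missing p= tag; no public key published"))
    elif tags["p"] == "":
        findings.append(("high", "empty p= means the key is revoked; signatures cannot verify"))
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        findings.append(("medium", f"unknown key type k={tags['k']}"))
    if "y" in tags.get("t", "").split(":"):
        findings.append(("low", "t=y testing flag set; receivers may ignore verification failures"))
    return findings


def audit_domain(domain, selector, lookup=SAMPLE_DNS.get):
    """Run all three checks; `lookup(name)` returns the TXT record or None."""
    spf, dmarc = lookup(domain), lookup(f"_dmarc.{domain}")
    dkim = lookup(f"{selector}._domainkey.{domain}")
    return {
        "spf": audit_spf(spf) if spf else [("high", "no SPF record")],
        "dmarc": audit_dmarc(dmarc) if dmarc else [("high", "no DMARC record")],
        "dkim": audit_dkim(dkim) if dkim else [("high", f"no DKIM key at selector {selector}")],
    }


def worst_severity(report):
    """Collapse a report to its most serious severity ('none' if clean)."""
    rank = {"high": 3, "medium": 2, "low": 1}
    worst = max((rank[sev] for findings in report.values() for sev, _ in findings), default=0)
    return {3: "high", 2: "medium", 1: "low"}.get(worst, "none")


if __name__ == "__main__":
    for dom in ("example.com", "hardened.example"):
        rep = audit_domain(dom, "s1")
        print(f"{dom}: overall {worst_severity(rep)}")
        for area, findings in rep.items():
            for sev, msg in findings:
                print(f"  [{sev}] {area}: {msg}")
```

Run against the two constructed domains, `example.com` comes out as overall high (DMARC still at `p=none`, a deprecated `ptr` term and a softfail `~all`), while `hardened.example` produces no findings. The same functions can be run over the records of every sending domain and sub-domain the mapping exercise identified, including those a third party sends on the organization’s behalf.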

For step two, where one relies on third parties being secured to a level acceptable to the organization, the main control is the service contract.

This should not only specify the organization’s security requirements but also how compliance with them is to be demonstrated. Simply stating that the acquired service is certified to a formal standard such as ISO 27001 is insufficient, because a certification only covers the scope the provider chose. The contract should identify the areas the certification must cover (e.g. by reference to the ISO 27001 Statement of Applicability), should include all areas that are part of or influence the service provided, and should require formal proof that the certification is current.

Areas not covered by the third party’s formal certifications could include staff hiring and disciplinary processes, internal audits, and the third party’s own procurement of the sub-services it uses to deliver the service to the organization. These must be covered by explicit contractual commitments.

The first step, of course, is to review and assess internal organizational policies, procedures and standards – for example, personnel vetting. Is a prospective employee’s CV checked and is more than one reference taken up? Are security policies and supporting procedures and standards up to date and being followed? Is staff training and education sufficient? Are the IT and IT security departments properly resourced? Are regular IT health checks performed on internal infrastructure as well as external interfaces? Are contractors subject to the organization’s policies and procedures? Has the organization’s IT been formally certified, e.g. to ISO 27001, Cyber Essentials, etc.? Are other ISO standards followed, such as ISO 27004 (monitoring, measurement, analysis and evaluation), ISO 27005 (information security risk management) and ISO 27033 (network security)?

All of this should be second nature to the seasoned IT security specialist.
