Security professionals have an obligation to communicate risks and recommendations to management, but the ultimate responsibility for protecting corporate assets lies with executives. Here are five questions top executives should be asking right now:
According to vulnerability scans, how many critical and important patches need to be applied, and how many remain outstanding for 30, 60, 90, and 180 days?
Many IT organizations believe they are doing a good job keeping up with patches, but a scan with Nessus, Qualys, or similar product often tells a different story. From a security operations perspective, applying patches is low-hanging fruit. Proactively addressing vulnerabilities makes it more difficult for attackers to gain a foothold and reduces the opportunities for lateral movement.
While IT operations should focus on missing patches, management should focus on higher-level trends. This requires an enterprise-class product that is capable of tracking vulnerabilities over time instead of simply producing snapshots. Ideally, all security-relevant patches (typically labelled critical or high by vulnerability scanning products) should be applied in less than 30 days; this should result in strongly declining 60, 90, and 180-day numbers. Significant vulnerabilities remaining unpatched for more than 30 days suggests that patch management processes are ineffective and placing the organization at risk.
Is our business continuity plan (BCP) complete, when was our most recent test, and what were the results?
Organizations of all sizes require a BCP to survive potential disruptions, including natural disasters. To be of practical use the plan must focus on critical systems and operational capabilities, including those provided by third parties. The size and complexity of a BCP vary from organization to organization. A small business that relies on cloud services might document service contracts and contingency plans if the service becomes unavailable. Enterprises with their own data centres require far more elaborate plans.
While it can be difficult for management to quickly assess a BCP, the absence of critical information is a red flag. In addition to identifying business-critical systems, the Maximum Tolerable Downtime (MTD), Recovery Time Objective (RTO), and Recovery Point Objective (RPO) for each system should be documented.
Without this information, it is difficult to assess the viability of the plan, and whether other related plans (such as backups and disaster recovery) are aligned. For example, if backups are made daily, the organization is not likely capable of achieving a 4-hour RPO.
There are numerous ways to test BCPs, ranging from checklist reviews and tabletop exercises to simulated emergencies. Executive management should review test results and find evidence of continuous improvement.
What percentage of our information has a classification label attached, when was the last audit conducted, and what were the results?
Information classification is a pillar of information security. It is generally not practical to secure all information as if it was the most sensitive in the organization. Instead, information should be labeled. Policies, procedures, and employee training can then focus on how information of various classifications should be handled, processed, and stored.
A good metric for management is to consider what percentage is labeled in accordance with policy. Even small audits using a sampling approach can provide management with valuable insight.
What percentage of notebooks, USB sticks, and other mobile devices are encrypted? What are the recent audit reports?
Virtually every operating system used on business computers, phones, and tablets includes encryption functionality for free. Encrypted USB sticks are more expensive, but costs are declining and some products such as the Apricorn Aegis line are exceptionally easy to deploy and use.
Given the potential for reputational and monetary damages, there is simply no excuse for failing to encrypt data. In addition to policy requirements and incorporating encryption into employee training, regular audits should be conducted.
How many malware infections have we experienced in the past 12 months? How many were ransomware? What are we doing about it?
Organizations of all sizes continue to struggle with malware, and it is difficult to prevent all infections. However, management needs to understand the overall trend to determine whether the existing policy, standards, training, and technical controls are adequate.
Ransomware incidents continue to escalate due to strong profit motives. While directive and technical controls help to mitigate the risk, backups and disaster recovery plans are the final line of defence. Organizations of all sizes must be capable of restoring all business-critical data in the event of a major malware event.