A well-balanced security program takes many aspects into account, including the test and management log and the testing schedule. There is no single point to test in the program; the enterprise is simply too sprawling to rely on a severely limited set of items.
One aspect that is prudent to test is the endpoints. These provide attack points that may not have been adequately secured. If an issue with an endpoint were to present itself, the endpoints would need to be further secured. In further securing these, there are several points to keep in mind.
One point the CISO or Architect needs to keep in mind is human error. The natural aspect to focus on is external threats. This is perfectly natural, as the number of attackers is massive across the globe and the attack methods continue to grow and change. One aspect to consider in great depth is the degree to which users can truly make errors. This may consist of the user's personal bad habits: BYOD when this is not approved, downloading apps that are not approved onto corporate assets, or working around the security policies to get to the point or action they want. If human error, intentional or not, is not directly addressed, the security hole will continue to get larger.
Another aspect to consider is placing the security responsibility where it belongs. InfoSec is not the sole responsibility of IT or the Information Security Department. The business senior management and department management, along with the remainder of the employees, shoulder the responsibility also. Granted, a majority of the responsibility is with the InfoSec area of operations; however, this area cannot be held responsible for other departments and employees if they do not wish to follow the policies written to secure the enterprise.
The security applied to the endpoints needs to be robust. Too many times the departments are bound by their budget and are strongly encouraged to spend the money prior to year end. Security products purchased should fit well with the enterprise and work well. Simply spending money so as not to lose part of a budget for the next year is not appropriate.
There are many considerations, positive and negative, to take into account for this plan. These should be implemented as thoroughly as NIST and other guidance are.
About the Author: Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.