In the fourth chapter of our series on the key components of an effective cybersecurity management program, we take a deeper dive into how companies can verify cybersecurity control performance.
A critical requirement for any information security program is verifying the effectiveness of established controls. While most leading cybersecurity control frameworks include verification controls, we call special attention to this as part of the process of managing cybersecurity. Periodically, organizations should evaluate their security controls to determine whether the cybersecurity controls are operating as intended.
There are three primary ways we work with organizations to implement processes to monitor cybersecurity control performance and effectiveness:
1. Establish and regularly review security metrics
2. Conduct vulnerability assessments and penetration testing to validate security configuration
3. Complete an internal audit to evaluate security control operation
When it comes to process management, it’s often stated: “You can’t manage what you can’t measure.” It’s no different with cybersecurity. By defining the specific objectives of your security program, you can develop specific measures and monitor these measures over time to gauge process performance. You can think of security performance measures in three main categories:
Number of security events
Number of security incidents
Number of identified security anomalies that require investigation
Number of anomalies that result in confirmed occurrence of breach or data loss
Patch compliance rate
Vulnerability remediation rate
Effective rate of available patches applied to deployed servers
Percentage of vulnerabilities (identified via vulnerability scanning) remediated.
Number of requested policy exceptions
Number of approved policy exceptions
Assuming the organization has a strong policy authorizing applications or devices in the environment, this is how regularly users are requesting exceptions to the policy.
More importantly, how many exceptions to policy management is authorizing needs to be tracked
In order to verify the effectiveness of security configuration, all organizations should conduct vulnerability assessments and penetration testing. The purpose of the vulnerability assessment is to identify system security patches the organization may have missed or any weak security configurations the organization has applied. Security firms use a variety automated scanning tools to compare system configurations to published lists of known vulnerabilities. Penetration testing takes vulnerability scanning a step further. A skilled, ethical hacker leverages identified vulnerabilities and simulate real-life attack scenarios to determine whether these vulnerabilities can be exploited and lead to an actual breach. An organization can use the results of vulnerability scanning and penetration testing to identify any security gaps as well as consider the root cause of what permitted these vulnerabilities to get introduced within the organization.
We often see organizations with internal audit departments focused extensively on internal controls over financial reporting. Given the current state of information security and the constant evolution of security threats, it is imperative that internal audit departments act as a third line of defense and verify cybersecurity control performance to assist in enhancing the overall security posture of the organization.
Leveraging the results of a cybersecurity risk assessment, a good verification process begins with the review of organizational cybersecurity policies, procedures, guides and standards. A successful cybersecurity internal audit needs sponsorship from executive management to facilitate the process. Internal audit kicks-off the audit process by conducting interviews with key stakeholders to confirm an understanding of the activities taking place with respect to satisfying cybersecurity control objectives. As part of the audit, it would be typical to conduct a gap analysis against either the organization’s security policy and standards, or an independent control framework (reference previous article) to determine whether cybersecurity controls are suitably designed to meet the security objective, and that they are in place and aligned with the organization’s risk assessment. Additionally, it’s important to evaluate whether personnel roles and responsibilities for cybersecurity are clearly defined and properly assigned to employees with sufficient skill and authority to perform these controls.
Based on the results of the design evaluation, an organization can provide higher levels of assurance by determining whether cybersecurity controls are operating effectively. The audit team will use the organization’s documented security policies and procedures to establish cybersecurity control audit testing procedures. Evidence of control activity performance is then obtained and reviewed for all controls that have a manual component, i.e., user account management, infrastructure & application change management and systems backup. Lastly, for systems based controls, i.e., firewall settings, antivirus settings, data encryption settings; internal audit examines specific systems configurations to determine whether they are set as expected.
The current state of cybersecurity and rapidly evolving threat landscape mean that cybersecurity is not a one-time event. Once controls have been implemented, an organization needs to monitor its control environment to make sure that controls remain effective. By combining security metrics, internal audit control testing, and regular vulnerability/penetration testing, an organization can help make sure its cybersecurity program remains effective and evolves appropriately with the organization.