What does good look like? Part one

Posted on by | No Comments

Part one

Preamble 

We always hear the words in security “good practice”, “good security” and so on. But what does good mean? From the GDPR it uses the lovely phase of “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures”.  This could be boiled down to “appropriate controls proportionate to the risk posed” you could also use the words sufficient security, however, to come back to the point of this article is what does good security look like. And regulation in this example is rather woolly in the articulation of how to achieve the desired position of appropriate measures. I do suspect these words will be challenged in court before long.

Measure the Risk 

Before you can even begin to decide what good security is needed, you need to know where and what to apply it to. This comes down to taking a data-centric risk view, understanding the value that is at jeopardy. And depending upon the context of the business your view of the value may be slightly different from the CFO’s or CIO’s or even the CEO.

Whatever the outcome of the value someone is going to have to stand behind the assessment.

There are many methods to measure the risk of which I will address in a later article.

Frame your position

I’m not going to bang on about governance here, however, good governance is needed for good security and must be led from the top. Such as the government set out the rules and law we all must abide by so does a company need to set out its own rules and laws to have good governance. Following a security framework such as the ISO27001, NIST cybersecurity framework(CSF), ISF Standard of Good Practice, HITRUST or any one of the numerous frameworks published on the internet, My recommendation is the NIST CSF.

Alignment for the good

We now know the value of our data from the assessment, our data should have a classification according to the risk such as public, internal or confidential. Good security for public data such as your webpage is not going to be the same as good security for your classified data such as customer records.

  • Having data classification for all data is setting the rules along with how the data is handled and protected, which should involve clearly marking the data either physically or electronically. Good in this area would all data owners knowing what the classification is and applying it to their data according to the value.
  • Data encryption has to play a part in the appropriate protection of valuable data, what this is doing is rendering the data valueless. In effect like stealing a bag of shreddings, I am sure if someone had the motivation they could break the encryption ( I’m thinking Nation-state here) given enough time. This has to be applied to the data whether at-rest, in-transit or in-use. Which leads on to its great having the encryption but if you leave the keys lying about in an uncontrolled manner well would you leave the keys of the combination to your home safe laying about for anyone to take? Good here would be strong encryption and controlled access to the keys.
  • This leads on to identity and access management, defining an access control policy, this would also include the provision for segregation of duties. For example, to limit possible of fraud accounts payable must not have the privilege to raise purchase orders, by having appropriate check and balances these risk can be mitigated. Good in access control would be having staff with a need to know only having the access required by their role, would also mean that only the staff that are currently employed are in the identity database and are removed swiftly once they have departed the business including those that are put on gardening leave, I have seen this too many times data exfiltrated after departure, even if they were only trying to help.
  • Included in the above users will be third parties, contractors and service providers and these will need to follow your security rules. Good in this circumstance will be ensuring good due diligence is undertaken with the third party, ensuring they attest to your security obligations through an audit or self-assessment security questionnaire undertaken annually. And of course, these obligations need to within the contract or master services agreement which must have a “right to audit” and data breach clause.
  • The last one for this article is what I would call resilience for a business being able to bounce back after security impacting incident. Good in the case would be a robust incident response, business continuity and disaster recovery plans, which are regularly tested and regularly updated. All staff involved in these processes, know how and what to do in times of business-impacting incident. achieved by desktop exercises and real scenarios to test teh process so in teh event they are needed they work smoothly to limit the damage or harm and incident causes. That, in my opinion, would be a definition of good.

Contact us for any help with the above

Lets Chat

matt hardy

View posts by matt hardy

Matt is a global CISO with 20+ Years of Directing International Security Programmes for Multi-Billion Pound Organisations. With a passion for security and a cybersecurity evangelist.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.