It Takes a Team
Print Issue: January 2014
As global companies face complex IT threats, they need a strong IT security operations team to discover vulnerabilities, identify and assess threats, and report the perceived risk to management, with recommendations for mitigation. Here are some tips on how to assemble a good team, how to launch it, and how to best use the team’s talents.
Building the Team
A company can build a team from the bottom up or the top down. If it takes the bottom-up approach, it could start with mostly grassroots, independent teams that are loosely coupled and focused primarily on single locations or single business areas. These teams should have an eye towards eventually integrating into a single organization-wide team as information security gains prominence in the organization’s operations.
Alternatively, the company may want a top-down, hierarchical structure from the outset. In that case, the corporate team defines policy, standards, and requirements, which subordinate teams around the world implement.
This structure could also have levels, such as having one or more local teams under the responsibility of a regional team. Regional teams should report up to a corporate team.
No matter how the team is organized, it should have an experienced team leader and members that have both technical and nontechnical skill sets that cut across as much of the organization as possible. It should not be made up solely of IT or engineering staff or staff from just one location or area within the organization.
The core members of the team should represent the organization’s major infrastructure and technology support groups, including network, server, client, mobile, database, application, and helpdesk. If the organization develops software in-house, employees from these divisions must also be key players. Additional team members should represent the business areas of the organization, such as human resources, facilities, finance, manufacturing, sales, and customer support. The continual involvement of these areas is crucial as they can be the most affected by technology changes and security controls. Only with their input will the team have well-designed, inclusive solutions.
If the organization has remote offices or full-time telecommuters, it is important to understand these unique viewpoints, needs, and challenges. The team may require additional staff or technical resources from inside and outside the organization. These resources will vary over time and task, and not all of them need to be retained indefinitely.
Because team members are drawn from all corners of the organization, most of them will not be dedicated to the team full time. The team leader, however, should be able to devote more time to it during the initial stages. This helps crystallize the team’s priorities and provides a single point of contact for users and management. The leader does not need to be the most technical person on the team, but he or she should have a broad knowledge of the organization and how it uses technology.
It can be useful to refresh the team or the skills of its members on a scheduled basis. For example, it may be appropriate to bring in new staff who have additional security skills lacking among the existing team. And as existing members rotate out, they can promote and practice information security in more areas of the organization. However, it is important not to rotate everyone out at once or the team will risk losing the domain knowledge and relationships it has built.
Launching the Team
When management, or the team leader, first makes the rest of the organization aware of the formation of this new team, the announcement should include information about the purpose of the team, what it seeks to achieve, and how it will go about reaching its goals. The launch should also stress that the team is a work in progress and that its success depends on the participation and cooperation of the entire organization.
Initially, team members will need to understand the organization’s current state of IT security and its most pressing IT risks and security gaps. It is essential to determine what information the company holds, where it is, and who owns, manages, and uses it. To accomplish this, the team must conduct a baseline security assessment. This risk assessment should have two parts. The first is interviews with key staff, who can help the team learn which areas need technical assessment. The second is a technical appraisal, usually in the form of internal and external vulnerability assessments and a penetration test. Conducting the interviews first ensures that the technical assessment covers the areas of most interest to the organization.
However, the team should not limit the technical assessment to only those areas highlighted by the interviews. A global organization should also complete baselines of its technology hubs, followed by baselines of locations that store, or centrally process, sensitive data. Baselines of the remaining parts of the organization should follow. In the end, all locations should have, or be part of, a completed baseline assessment, which is subsequently factored into a single organization-wide IT risk assessment.
A hardware, software, and data inventory should also be completed as part of the baseline. The team cannot fully assess security without these inventories.
The team should update the baseline and recalculate the IT risk profile anytime major changes are made to the computing environment or the organization itself.
After the baseline risk assessment reveals the state of the organization’s IT security, the mission will be to improve the organization’s IT security posture. Senior management may dictate that specific tasks be completed, but the team should have priorities as well.
When evaluating what to do first, the team should come up with an action plan of three to four small tasks that address priority issues and are achievable within a few months. The team should start with less complex tactical deficiencies first, then move onto increasingly strategic issues that affect a broader audience or multiple locations of the organization.
Following are a few tasks the new team should consider undertaking.
Awareness training. An effective program for the team to undertake is information security awareness training. So much training material is available that the team need only customize it for the operation or division being trained.
General security awareness should be covered first. Good topics include techniques for creating strong passwords that can be remembered rather than written down (or using a password manager so they need not be remembered at all), tips for using social networking sites, ways to detect phishing e-mails, and what to do when a computer virus or other malware is suspected.
Documentation. The team can also be instrumental in developing or refining documentation relating to IT security. For example, the team could create an employee termination checklist so that pertinent offices are notified, accounts are disabled or removed, important data is saved or remains accessible, and all company equipment is returned. The checklist should cover not only directory accounts but also VPN and remote-access credentials, third-party and cloud services, and any shared passwords the employee knew. At regular intervals, the team should search for still-active accounts of former employees and update the checklist with whatever the search turns up.
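The periodic search for still-active accounts of former employees is a reconciliation between two exports: who HR says has left, and which accounts the directory says are still enabled. The following is an added example, not code from the article, written in Python. Both inputs are constructed here in an assumed CSV layout (column names and the 1/0 enabled flag are assumptions; a real HR system or directory export will differ), and the matching key is assumed to be an employee ID shared by both systems.

```python
"""Reconcile an HR termination list against a directory account export.

Added example (not the article's). Inputs are constructed below; the column
names, the employee_id join key and the 1/0 'enabled' flag are assumptions
about what a real export looks like.
"""
import csv
import io
from datetime import date

# Constructed HR export: one row per departure (assumed columns).
HR_TERMINATIONS = """employee_id,name,termination_date
1001,Alice Example,2014-01-03
1002,Bob Sample,2013-12-20
1003,Carol Test,2014-01-10
"""

# Constructed directory export (assumed columns). 'last_logon' is empty when
# the account has never logged on; employee_id is empty for service accounts.
DIRECTORY_ACCOUNTS = """username,employee_id,enabled,last_logon
aexample,1001,1,2014-01-12
bsample,1002,0,2013-12-19
ctest,1003,1,
svc_backup,,1,2014-01-14
dwhite,1004,1,2014-01-13
"""


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def find_orphaned_accounts(hr_csv, dir_csv, today_iso):
    """Enabled accounts whose owner appears on the termination list.

    Returns a list of findings, most overdue first. 'used_after_termination'
    distinguishes an account that was merely left enabled from one that was
    actually logged on to after the owner left, which needs incident handling
    rather than just cleanup.
    """
    today = date.fromisoformat(today_iso)
    terminated = {r["employee_id"]: r for r in parse_csv(hr_csv)}
    findings = []
    for acct in parse_csv(dir_csv):
        emp = terminated.get(acct["employee_id"])
        if emp is None or acct["enabled"] != "1":
            continue
        term_date = date.fromisoformat(emp["termination_date"])
        last_logon = acct["last_logon"]
        findings.append({
            "username": acct["username"],
            "terminated": term_date.isoformat(),
            "days_overdue": (today - term_date).days,
            "used_after_termination": bool(last_logon)
            and date.fromisoformat(last_logon) > term_date,
        })
    return sorted(findings, key=lambda f: -f["days_overdue"])


def find_unowned_accounts(dir_csv):
    """Enabled accounts with no employee behind them (service accounts, leftovers).

    These cannot be caught by the termination check at all, so they need a
    named owner recorded somewhere; list them for review.
    """
    return [a["username"] for a in parse_csv(dir_csv)
            if a["enabled"] == "1" and not a["employee_id"]]


if __name__ == "__main__":
    for f in find_orphaned_accounts(HR_TERMINATIONS, DIRECTORY_ACCOUNTS, "2014-01-15"):
        print(f)
    print("unowned:", find_unowned_accounts(DIRECTORY_ACCOUNTS))
```

The two lists answer different questions. The first is the checklist failing (an account that should have been disabled on the termination date); a finding with `used_after_termination` set is no longer a hygiene item but a potential unauthorized access. The second list is the population the checklist can never reach, and each entry there needs an owner before the next audit.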
The team could work with the human resources and legal departments to update policies on the use of technology. The team can also review policies annually and make updates as appropriate.
Audits. There are numerous audits the team can perform that both create value and improve security. For example, the team could perform a password audit to assess the strength and complexity, ease of being cracked, date of last change, and uniqueness of employee passwords. Such an audit should be run against the stored password hashes only, with management’s written approval, and its output handled as sensitive data, since it identifies exactly which accounts are easiest to compromise.
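As an added example (not the article’s code), here is what the four checks look like when run over a constructed export of unsalted password hashes in Python. The export format is an assumption: each record is a username, an unsalted SHA-256 hex digest of the password, and the date of last change. Real systems store other formats (NTLM, bcrypt, and so on), which changes only the hashing step. The wordlist is constructed and deliberately tiny; a real audit uses a large leaked-password list plus company-specific terms.

```python
"""Password audit over a constructed export of unsalted hashes.

Added example, not from the article. The export layout (username, unsalted
SHA-256 hex digest, last-change date) and the wordlist are assumptions
constructed for illustration. Run this kind of audit only with written
authorization and treat the report as sensitive.
"""
import hashlib
from collections import defaultdict
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90
MIN_LENGTH = 12

# Constructed base wordlist; real audits use leaked-password lists plus
# company names, products, seasons and years.
WORDLIST = ["password", "winter2013", "letmein", "acme", "qwerty"]


def h(pw):
    """The (assumed) unsalted hash the export stores."""
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed export. The plaintexts are given here only so the example is
# reproducible; a real export contains hashes only.
ACCOUNTS = [
    ("alice",  h("Winter2013!"),                  "2013-10-01"),  # guessable, stale
    ("bob",    h("Winter2013!"),                  "2014-01-02"),  # same as alice
    ("carol",  h("correct horse battery staple"), "2013-12-15"),
    ("dave",   h("Tr0ub4dor&3"),                  "2013-06-30"),  # not guessed, stale
    ("svc_db", h("password"),                     "2012-01-01"),
]


def candidates(word):
    """Simple mangling rules: the variations users actually apply to a base word."""
    cap = word.capitalize()
    return {word, cap, word + "1", word + "!", cap + "!", cap + "1", word + "2014"}


def audit_passwords(accounts, wordlist, today_iso):
    """Return {username: [issues]} for cracked / short / shared / stale passwords."""
    today = date.fromisoformat(today_iso)

    # Hash the candidate list once. With unsalted hashes one table serves every
    # account; that is the whole reason salting matters.
    cracked = {h(c): c for w in wordlist for c in candidates(w)}

    # Identical unsalted hashes mean identical passwords, so reuse between
    # accounts is visible without cracking anything.
    by_hash = defaultdict(list)
    for user, digest, _ in accounts:
        by_hash[digest].append(user)

    report = {}
    for user, digest, changed in accounts:
        issues = []
        plain = cracked.get(digest)
        if plain is not None:
            issues.append("cracked")
            if len(plain) < MIN_LENGTH:
                issues.append("short")
        if len(by_hash[digest]) > 1:
            issues.append("shared")
        if (today - date.fromisoformat(changed)).days > MAX_PASSWORD_AGE_DAYS:
            issues.append("stale")
        report[user] = issues
    return report


if __name__ == "__main__":
    for user, issues in audit_passwords(ACCOUNTS, WORDLIST, "2014-01-15").items():
        print(f"{user:8} {', '.join(issues) or 'ok'}")
```

Note what the report can and cannot say: strength and length are only measurable for the passwords the wordlist recovers (dave’s is flagged as stale but not as weak, which is a statement about the wordlist, not the password), whereas reuse and age are measurable for every account directly from the export.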
The team could also perform an audit of IT log data to verify that logging is enabled and active on critical devices and systems. The audit should also confirm that logging is being conducted properly: that events actually reach the central collector, that the clocks of the sources are synchronized, and that logs are retained for the period the organization requires. A critical system that has gone quiet, or whose timestamps disagree with everyone else’s, is as much a finding as one with logging switched off.
Another audit could be performed on software that is designed to detect and thwart viruses and malware to ensure that signature updates and scheduled scans are being completed as configured. After the audit is completed, the team can develop a plan for addressing noncompliant systems.
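Both the logging audit and the anti-malware audit above reduce to the same shape: a list of systems that should be covered, a feed of evidence about what each system last did, and a threshold for how old that evidence may be. The following is an added example, not code from the article, that performs both over constructed data in Python. The critical-system inventory, the syslog-style sample lines (RFC 3164 layout: month, day, time, host, program: message) and the anti-malware console export are all constructed, and their formats are assumptions.

```python
"""Logging and anti-malware coverage audit over constructed data.

Added example, not from the article. The inventory, the syslog sample and the
AV export below are constructed; their layouts are assumptions about what a
real collector and console produce.
"""
from datetime import datetime, timedelta

CRITICAL_SYSTEMS = ["fw-edge-1", "dc-01", "db-prod-1", "web-01", "dns-01"]

# Constructed syslog lines as received by the central collector. Note that
# fw-edge-1's newest line is timestamped in the future relative to the audit
# time used below: a clock problem, not activity.
COLLECTOR_SAMPLE = """\
Jan 14 09:15:02 dc-01 sshd[1402]: Accepted publickey for admin from 10.0.5.7
Jan 14 22:40:11 fw-edge-1 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=203.0.113.5
Jan 12 03:00:00 db-prod-1 backup: completed
Jan 15 07:59:58 dc-01 lsass: audit policy updated
Jan 15 08:01:10 web-01 nginx: 10.0.9.3 GET /login 200
Jan 15 11:45:00 fw-edge-1 kernel: DROP IN=eth0 SRC=198.51.100.77 DST=203.0.113.5
"""

# Constructed AV console export: host, signature date, last completed scan.
AV_STATUS = [
    ("dc-01",     "2014-01-15", "2014-01-14"),
    ("db-prod-1", "2014-01-15", "2013-12-20"),  # scheduled scans not completing
    ("web-01",    "2013-12-30", "2014-01-14"),  # signature updates stalled
    ("laptop-17", "2014-01-14", "2014-01-13"),
]


def last_seen_by_host(lines, year):
    """Newest timestamp per source host. RFC 3164 omits the year, so it is
    supplied by the caller; lines spanning a year boundary need extra care."""
    seen = {}
    for line in lines.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue  # not a syslog line we understand
        ts = datetime.strptime(f"{year} {parts[0]} {parts[1]} {parts[2]}",
                               "%Y %b %d %H:%M:%S")
        host = parts[3]
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def audit_logging(inventory, lines, now_iso, max_silence_hours=24, max_skew_minutes=5):
    """{host: (finding, value)} for critical systems that never logged, went
    silent, or whose clock runs ahead of the collector."""
    now = datetime.fromisoformat(now_iso)
    seen = last_seen_by_host(lines, now.year)
    findings = {}
    for host in inventory:
        if host not in seen:
            findings[host] = ("no_logs", 0)
            continue
        delta = now - seen[host]
        if -delta > timedelta(minutes=max_skew_minutes):
            findings[host] = ("clock_ahead_minutes", int((-delta).total_seconds() // 60))
        elif delta > timedelta(hours=max_silence_hours):
            findings[host] = ("silent_hours", int(delta.total_seconds() // 3600))
    return findings


def audit_antimalware(inventory, records, now_iso, max_sig_age_days=3, max_scan_age_days=7):
    """{host: [issues]} for stale signatures, overdue scans, and critical systems
    with no agent reporting at all."""
    now = datetime.fromisoformat(now_iso)
    findings = {}
    reporting = set()
    for host, sig_date, scan_date in records:
        reporting.add(host)
        issues = []
        if (now - datetime.fromisoformat(sig_date)).days > max_sig_age_days:
            issues.append("signatures_stale")
        if (now - datetime.fromisoformat(scan_date)).days > max_scan_age_days:
            issues.append("scan_overdue")
        if issues:
            findings[host] = issues
    for host in inventory:
        if host not in reporting:
            findings[host] = ["no_agent"]
    return findings


if __name__ == "__main__":
    now = "2014-01-15T08:30:00"
    print("logging:", audit_logging(CRITICAL_SYSTEMS, COLLECTOR_SAMPLE, now))
    print("anti-malware:", audit_antimalware(CRITICAL_SYSTEMS, AV_STATUS, now))
```

Every finding here is about the evidence, not the control: a silent database server may be running fine with logging disabled, or may have been disconnected from the collector; a firewall with no anti-malware agent may be expected. The audit’s job is to produce the list, and the plan for addressing noncompliant systems decides which entries are exceptions and which are fixes.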
Technology. The team could investigate new security developments, technologies, and products to assess how they may benefit or harm the organization. For example, each team member could research a current threat and report on its potential impact to the company. The team member could then present the findings to the team for discussion. The team could also invite vendors in for product presentations and demonstrations.
A security operations team can help the organization assess its vulnerabilities, correct problems, and stay open to new ideas and ways of solving issues. It’s a process that can benefit any organization.
Mark D. Emmett, CISM (Certified Information Security Manager), CISSP (Certified Information Systems Security Professional), is an information security consultant in the Boston area specializing in network and security architecture design within the educational, defense, and pharmaceutical industries.