May 11, 2018

Pillars of Information Security

Information security is about leadership, procedures, people, risks, defense, assets and vulnerabilities

Information security is a broad area touching various fields, cultures, organizations and the business as a whole. In order to maintain a healthy, security-focused organization, the following aspects should be taken into consideration:

Leadership

Tell me who the leader is and I will tell you how their team performs
Vision - Every leader should have a vision of how information security shall work for the organization
Strategy - Should be clearly communicated and understandable to everyone
Decisions - Shall be made independently and sometimes in a matter of seconds

Procedures

If it is not written down, it does not exist
Policies - Foundation of all procedures, a high-level combination of vision and strategy
Guidelines - Precise, short and clear step-by-step guides
Instructions - Extension of policies, providing a more detailed view of the issues laid out by the policies

People

Every leader needs a team, a team is people and people are strength
Morale - If people are not motivated their morale falls; morale depends on victories, and victories on leadership
Dedication - Pushes teams to their limits, boosts morale and lays a foundation for growth
Awareness - Not everyone is dedicated to information security, but everyone can learn something new to boost the organization's security posture

Risks

There is no need for information security if there are no risks, but fortunately risks are everywhere
Assets - Shall be assessed for their sensitivity to risk, to understand how important they are to the organization
Projects - There is a project every day, each carrying risks along the way; it can be software, cloud solutions, applications, hardware or anything else that can affect the risk stance
Vendors - Show me how secure your friends are and I'll tell you what risks you have

Defense

Politics is great, let's talk about cyber
Incidents - Detect, triage, contain, learn ... Repeat!
Threats - Exploit vulnerabilities and realize risks; don't let the threat know your weakness
Attack Vectors - Search for the route, find the source, close the route, intimidate the source

Assets

Know what you are defending and why
Inventory - Always up to date with every piece of information needed, including IPs, hostnames, racks, locations, owners and more... Maybe some day!
Ownership - Everything has an owner, and the owner is responsible for securing their assets
Patches - It's not easy to have everything up to date at any given time, but a proper change management process can make this goal achievable

Vulnerabilities

That's why you got hacked last time
Pen. Tests - Provide a view of how an organization can be compromised through something that seems irrelevant. Internal for everything behind the DMZ, external for everything in the DMZ and beyond
Assessments - Scan regularly and translate the findings into risks
Fixes - It does not make sense to conduct penetration tests or vulnerability assessments on something that has been popping up for the past 2 years. Eliminate the threat by fixing those vulnerabilities
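As an added example (not code from the original post), the following Python script joins a constructed asset inventory with constructed vulnerability-scan findings to show the Assets and Vulnerabilities pillars working together: it flags assets without an owner, translates each finding into a risk weighted by the asset's sensitivity, surfaces scanned hosts that are missing from the inventory, and flags findings that keep being re-reported past a remediation deadline. The hostnames, addresses, plugin names, the 1-5 sensitivity scale, the risk formula and the 90-day deadline are all assumptions made for the example.

```python
"""Added example, not from the original post: join an asset inventory with
scan findings to flag ownership gaps, rank findings by asset-weighted risk,
and flag findings that have been open past a remediation deadline.
All hosts, findings and thresholds below are constructed assumptions."""

from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    location: str
    owner: Optional[str]   # None means nobody owns it: an inventory gap
    sensitivity: int       # assumed scale, 1 (low) .. 5 (crown jewels)


@dataclass(frozen=True)
class Finding:
    hostname: str
    plugin: str            # scanner check name (constructed)
    cvss: float            # 0.0 .. 10.0
    first_seen: date       # first scan that reported it
    last_seen: date        # most recent scan that reported it


# Constructed sample inventory (documentation IP ranges, not real hosts).
INVENTORY = [
    Asset("dmz-web-01", "203.0.113.10", "DC1 rack 4", "web-team", 4),
    Asset("hr-db-01", "10.0.5.20", "DC1 rack 7", "hr-apps", 5),
    Asset("lab-box-03", "10.0.9.33", "unknown", None, 2),
]

# Constructed sample scan output; "ghost-host" is deliberately absent from INVENTORY.
FINDINGS = [
    Finding("dmz-web-01", "TLS 1.0 enabled", 5.3, date(2018, 4, 20), date(2018, 5, 10)),
    Finding("hr-db-01", "Unpatched database service", 9.8, date(2016, 3, 1), date(2018, 5, 10)),
    Finding("lab-box-03", "Default credentials", 9.8, date(2018, 5, 1), date(2018, 5, 10)),
    Finding("ghost-host", "Outdated SSH", 7.5, date(2018, 5, 1), date(2018, 5, 10)),
]

AS_OF = date(2018, 5, 11)   # assumed "today" for the example
MAX_OPEN_DAYS = 90          # assumed remediation deadline


def unowned_assets(inventory: List[Asset]) -> List[str]:
    """Ownership: every asset needs an accountable owner; list those without one."""
    return sorted(a.hostname for a in inventory if not a.owner)


def risk_score(finding: Finding, asset: Asset) -> float:
    """Translate a raw finding into risk: likelihood (CVSS / 10) times impact
    (asset sensitivity), so the same issue weighs more on the HR database
    than on a lab box. The formula is an assumption for the example."""
    return round(finding.cvss / 10 * asset.sensitivity, 2)


def rank_risks(inventory: List[Asset], findings: List[Finding]
               ) -> Tuple[List[Tuple[str, str, float]], List[str]]:
    """Join findings to inventory. Returns (hostname, plugin, risk) rows sorted
    by risk descending, plus the scanned hosts the inventory does not know."""
    by_host = {a.hostname: a for a in inventory}
    ranked, orphans = [], set()
    for f in findings:
        asset = by_host.get(f.hostname)
        if asset is None:
            orphans.add(f.hostname)   # inventory gap: the scanner knows a host we don't
            continue
        ranked.append((f.hostname, f.plugin, risk_score(f, asset)))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked, sorted(orphans)


def overdue_findings(findings: List[Finding], today: date,
                     max_open_days: int = MAX_OPEN_DAYS) -> List[Tuple[str, str, int]]:
    """Fixes: findings still being reported more than max_open_days after first sight."""
    return sorted(
        (f.hostname, f.plugin, (today - f.first_seen).days)
        for f in findings
        if (today - f.first_seen).days > max_open_days
    )


if __name__ == "__main__":
    print("Unowned assets:", unowned_assets(INVENTORY))
    ranked, orphans = rank_risks(INVENTORY, FINDINGS)
    for row in ranked:
        print("Risk:", row)
    print("Scanned but not in inventory:", orphans)
    print("Overdue findings:", overdue_findings(FINDINGS, AS_OF))
```

The three outputs map to three of the pillars above: the unowned list and the "scanned but not in inventory" list are inventory and ownership gaps to close, the ranked rows are the scan results translated into risks, and the overdue list is the finding that has been popping up for two years and should be fixed rather than scanned again.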
