I recently attended my local ISSA chapter meeting, and there were some key takeaways relating to successful cyber security management practices amongst the group. In order to enlighten blog readers, I thought I would highlight some of the successful practices to hopefully inspire others out there to up their game.
Cloud Security — Everyone has concerns about handing their keys over to third parties, and those responsible for corporate IT cyber security and software audit controls are no exception. When it comes to mitigating cyber security risks, sound cloud vendor management includes using surveys and standardized assessments to gather information from providers prior to contract closing. If you don’t ask questions, you will never know how your data or systems are being managed. Once you have answers to those questions, be sure to take the opportunity to press the vendors on security improvements prior to contract closing.
BYOD — Unlike past game-changing IT cyber security issues, BYOD hit all of us at the same time, as iPhones and iPads became popular as soon as they were released. This forced everyone’s hand into coming up with some type of solution, since the devices were brought in and immediately expected to work on the corporate network in spite of the potential IT cyber security threats they posed. Common themes to success include establishing secure guest networks that offer security features such as URL filtering while still being segmented off the core network. More mature organizations have successfully deployed VDI and application presentation technologies so mobile devices can access the network without truly being connected to it. MDM solutions are being used to help secure and manage the devices.
Security Awareness — Unfortunately, everyone agreed that awareness initiatives will only go so far, because some people simply can’t be helped or forced to understand IT cyber security. The fact that people are trained from birth to be polite works against some standard security practices. Much as a man will reflexively hold the door open for a lady, people reflexively comply with a polite request, so social engineering tactics and phishing will probably remain issues regardless of how aware people are of IT cyber security threats.
That being said, there was consensus that cyber security awareness initiatives framed around real-life stories and directed toward personal life situations go much further than corporate posters alone. It was also a common enterprise risk management practice amongst all participants to require an annual sign-off on corporate security policies, combined with a training initiative to help educate employees.
Application Security — There are different approaches to handling application-level security. While the most regulated environments focus on a proactive approach, reactive approaches are more common in other industries. In organizations with extremely sensitive data, robust practices are leveraged, including security training for developers, security and compliance management requirements and validation throughout the SDLC, software tools to detect coding issues, and access management software for vulnerability/penetration testing.
Most organizations, though, focused on baking security into the SDLC and testing applications prior to go-live. Training developers on secure coding practices is challenging when many organizations outsource development, and even when contracts include security requirements, it is often difficult to validate and enforce those contractual obligations.