Security Program: Current vs. Future Gap Analysis REPORT


Security Program: Current vs. Future Gap Analysis
REPORT for OrganizationXXX, 2020

Contents

- Executive Summary
- GDPR Readiness results
- Financial risks and budget estimation
- Steps conducted during Gap Analysis
- Information Security Maturity Model
- Security Program Assessment
- Key Cybersecurity Risks identified
- Amazon AWS security controls evaluation
- Security documentation analysis
- GDPR Readiness Status
- CIS20 current controls summary
- Improvements Roadmap
- Appendix D: Increase Security of Office 365 for employees
- Appendix E: Key stakeholders interviewed
- Summary

Executive Summary

OrganizationXXX has requested that UnderDefense, as an independent and trusted cybersecurity partner, conduct an assessment and analysis of the current state of the information security level of OrganizationXXX and its compliance with best practices and the CIS20, NIST and GDPR regulations. The main purpose of this audit was to evaluate the business risks associated with cybersecurity, the current processes, available tools and human resources to meet the new EU regulations, the readiness to protect employees and customers from modern attacks, identify gaps, prioritize them by risk level and provide recommendations to close those gaps and mitigate possible future risks. The recommendations and methodologies given are structured with reference to the identified gaps, with the aim of their further mitigation.

Security Program Assessment

The radar chart below provides a graphical summary of the assessment outcome. This chart describes the current and future levels of managing information security for OrganizationXXX, which relate to Technology-Information, Security-Staff-Process and the main security controls.

This chart consists of 3 major blocks, as presented in the image above, and represents the required steps for a successful transition and compliance with industry certifications such as ISO 27001 & GDPR. Analysis, description, rating and recommendation for each parameter of this graphical representation are reviewed in detail in the section "Current security controls analysis".

GDPR Readiness results

OrganizationXXX provides outsourcing services engaged with clients that collect, store and process personal data of EU citizens. OrganizationXXX also provides a hosting service for testing and production environments, with test and real personal data stored in the public cloud and on laptops owned by OrganizationXXX employees (personal, unencrypted, poorly controlled laptops with poor security governance on them). This creates situations where a security failure by the weakest employee may put entire projects with clients at risk, as well as create significant reputational risk for OrganizationXXX. We should also consider that 200 new employees are planned for 2020, which further increases the risk landscape.

The graphics below reflect the percentage of OrganizationXXX's current GDPR readiness status. The activities are described in detail, with recommendations, to reach a certain level of General Data Protection Regulation readiness in the Appendix C table. In order to reach compliance, the recommendations should be followed and the processes implemented in a time-conscious manner.

Organizational measures - 14.30 %
Technical measures - 42.9 %

Financial risks and budget estimation

We created this section to estimate the business and financial risks of failure in the case of a lack of proper security controls in OrganizationXXX and on a project basis. Please consider a situation where a security failure by the weakest employee (such as a piece of code published on Stack Overflow or Pastebin) may put an entire project with a client at risk (e.g. DevOps accidentally leaked keys to the cloud infrastructure, creating a situation where the client can be blackmailed, customer data leaked, the client fined or the whole infrastructure destroyed). The estimated financial risk includes only revenue that might be lost (no fines or liability estimation included).

Financial risk estimation:

High priority (client xxxxxxxxx): revenue monthly 58,800; business value 1 year 705,600.00; investment needed 153,000.00; investment % 15.98% / 84.02%
Low priority: investment needed 153,000.00; investment % 37.95% / 62.05%

As you can see from the table above, a recommended investment of 153K for 2020 will have significant ROI for most projects/clients served by OrganizationXXX.

Reputation risk estimation:

As reputation is a relational concept, this failure can manifest itself in a number of different ways, from mild disappointment to extreme outrage. The risk is value based (just as relationships are), not cost based, and it cannot be expressed in this way. In the case of a serious security incident, and if said incident became public, reputation costs can also be calculated as follows. Let's take as an instance 2 prospects for 5 developers that might bring OrganizationXXX 2,5M in annual revenue; if reputation is impacted for at least 3 months (no new deals because of bad reputation), this may convert into 1,2M of indirect loss:

Prospects: 2
Months: 3
Revenue monthly: 210,000
Impact: 1,260,000.00

As visible from our simple ROI calculation, an investment of 153 000 will have significant value and can increase the chances of avoiding data breaches, meanwhile minimizing risks and allowing you to confidently pursue new business opportunities through increased trust and compliance. OrganizationXXX has functioned for seven years without proper security processes and controls in place. This creates a situation where the current size and structure of OrganizationXXX cause risks to become extremely high, therefore significant improvement is required. Our estimated investment budget required in 2020 for tools, processes and new hires is 153 770.

Steps conducted during Gap Analysis

Information Security Maturity Model

A maturity model is needed to measure the capabilities of the information security processes. The main objective of such a maturity model is to identify a baseline from which to start improving the security posture of an organization when conducting gap analysis.

LEVEL 1 - PERFORMED
  Personnel: General personnel capabilities may be performed by an individual, but are not [...]
  Process: General process capabilities may be performed by an individual, but are not well defined
  Technical: General technical mechanisms are in place and may be used by an individual

LEVEL 2 - MANAGED
  Personnel: [...] within subsets of the organization, but inconsistent across the entire organization
  Process: Adequate procedures documented within a subset of the organization
  Technical: Technical mechanisms are formally identified and defined by a subset of the organization; technical requirements in place

LEVEL 3 - ESTABLISHED
  Personnel: Roles and responsibilities are identified, assigned, and trained across the organization
  Process: Organizational policies and procedures are defined and standardized. Policies and procedures support the organizational strategy
  Technical: Purpose and intent is defined [...] technology is implemented in each subset of the organization

LEVEL 4 - PREDICTABLE
  Personnel: Achievement and performance of personnel practices are predicted, measured, and evaluated
  Process: Policy compliance is measured and enforced. Procedures are monitored for effectiveness
  Technical: Effectiveness of technical mechanisms is predicted, measured, and evaluated

LEVEL 5 - OPTIMIZED
  Personnel: Proactive performance improvement and resourcing based on organizational changes and lessons learned (internal & external)
  Process: Policies and procedures are updated based on organizational changes, and lessons learned (internal & external) are captured
  Technical: Technical mechanisms are proactively improved based on organizational changes and lessons learned (internal & external)

CIS 20 CSC Benchmark

Legend: the blue line shows the current state, whereas the red line shows the desired state.

For some controls (like Account Monitoring & Control) it is enough to reach maturity level 2 (ML2), but as of today OrganizationXXX does not have some of these controls at all (ML0).

A more detailed benchmarking process and recommendations to improve the appropriate security controls to the minimum required level are provided and explained in Appendix A: Current state of Security Controls according to CIS20.

Key Cybersecurity Risks identified

Each risk and threat scenario is calculated and represented in more detail in Appendix B: OrganizationXXX Cybersecurity Risk Assessment. Please follow the link provided.

Amazon AWS security controls evaluation

Currently 95% of the IT infrastructure is cloud based, so to evaluate the security components & controls for Amazon AWS hosted systems and services we utilized the automated tools Scout2 & Prowler. Each report and configuration was manually reviewed for each availability zone.

AWS report

Service - Status
EC2 - Medium
S3 - Low
CloudTrail - High
IAM - High
VPC - Medium
SNS - Low

Findings details:

Security documentation analysis

The following policies were assessed during this [...] process:

[policy name missing] - [status missing]: This process is in place, fully simplified, clearly described and available.
[policy name missing] - Needs some improvements: Missing a paragraph about employee rotation between projects. The IT department should know where people are placed on a project basis to control access rights, technical equipment and the readiness of future working places. Other than that, this process is in place, fully simplified, clearly described and available.
Password policy - Good: Security Awareness trainings are needed to inform about the terms, obligations and rules of the password policy.
User policy - Good: 7th paragraph - isn't implemented. 9th paragraph - no backups.

New policies

Clean desk policy - Is going to be in place: This policy will help OrganizationXXX reduce the risk of information theft, fraud, or a security breach caused by sensitive information being left unattended and visible in plain view.
Email policy - Is going to be in place: Helps employees use their company email addresses appropriately, understand the limitations of using their corporate email accounts, and protect the company's confidential data from breaches.
Internet Usage policy - Is going to be in place: This policy provides employees with rules and guidelines about the appropriate use of network and Internet access. Company employees are expected to use the Internet responsibly and productively. Internet access is limited to job-related activities only and personal use is not permitted.

Mobile Device Encryption policy - Is going to be in place: This policy foresees all mobile devices being encrypted. It is one of the best ways to secure OrganizationXXX's most sensitive data on any type of mobile device. Mobile device encryption offers an easy fix for the problem of data breaches, which are the top threat posed by a lost or stolen mobile device.
Virtual Private Network Policy - Is going to be in place: This policy defines standards for connecting to OrganizationXXX's network from hosts on the Internet by using a VPN to the internal network. It is designed to minimize potential exposure from damages which may result from unauthorized use of its resources. Not having this policy in place may lead to damages including the loss of sensitive or confidential data and intellectual property, and damage to critical information & technology systems.

Have to be developed

Incident Response policy - Needs to be developed: An incident response plan provides instructions for effectively responding to information security incidents. Without an incident response plan in place, OrganizationXXX may either not detect the attack in the first place, or not follow proper protocol to contain the threat and recover from it when a breach is detected.
Business Continuity Plan - Needs to be developed: It is vital for OrganizationXXX to have a Business Continuity Plan to preserve its health and reputation. A proper Business Continuity Plan decreases the chance of a costly outage. This plan states the essential functions of the business, identifies which systems and processes must be sustained and how to maintain them.
[policy name missing] - Needs to be developed: This policy includes a list of a project's technical requirements and access rights to OrganizationXXX's IT department from the Product Manager. This policy ensures that all significant engineering efforts employ approved engineering processes in order to deliver on-time, within-budget, high-quality services to the customers.
Personal data processing policy - Needs to be developed: This policy should be developed utilizing GDPR guidelines and has to include a list of defined procedures for personal data processing (for example what personal data you collect, from which sources you collect it, and with whom it is shared).

GDPR Readiness Status

The General Data Protection Regulation (GDPR) is a regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union. It also addresses the export of personal data outside the EU. By "personal data" is meant personally identifiable information (PII): names, addresses, phone numbers, account numbers and, more recently, email and IP addresses. It addresses the following:

- adding requirements for documenting IT procedures,
- performing risk assessments under certain conditions,
- notifying the consumer and authorities when there is a breach,
- strengthening rules for data minimization.

GDPR imposes direct compliance obligations on both controllers and processors, and both controllers and processors will face direct enforcement and serious penalties if they do not comply with the new EU data protection law. Therefore, it is important that processors understand their obligations under EU data protection law.

Based on interviews with key executives in OrganizationXXX, OrganizationXXX NL (as a legal processor on behalf of the controller (client)) and all its affiliates also have full contractual responsibility for the personal data processing of EU citizens and share responsibility with the Controller (client). The following data was identified in scope of processing by OrganizationXXX and its affiliates: employees' personal data, and data of clients' customers used for test and development purposes.

The following procedures are currently not in place but need to be implemented:

Sensitive/Personal Data File Encryption - Not ready
PC/Laptop Full Disk Encryption - Not ready
Email Communication Encryption - OK
Removable Disk Encryption - Not ready
Network/Cloud Folder Encryption - OK

CIS20 current controls summary

Each control is reviewed in detail in Appendix A. As OrganizationXXX is only beginning to implement and design cybersecurity, we propose starting with the CIS 20 Controls. CIS CSC contains important components that make up an effective cyber defense system, allowing companies to prioritize controls that protect against the greatest threats, provide metrics for IT personnel to understand, continuously diagnose and mitigate risks, and automate defenses to ensure compliance with the controls. The image below represents how CIS20 covers NIST CSF, NIST 800-53 and ISO 27001. While covering the CIS 20 controls, you will also cover 70% of NIST CSF controls and almost 50% of NIST 800-53.

The target state as well as GDPR compliance is achievable and is described in detail in the Improvements Roadmap section below.

Improvements Roadmap

We recommend dedicating a budget for security improvements in the amount of minimum 153 000. This amount includes required licenses, tools, processes, tests etc.

The next activities need to be completed to cover the most critical vulnerabilities found during the analysis and risk assessment.

Prioritized Roadmap

Appendix D: Increase Security of Office 365 for employees

- Enable MFA for all global admins
- Enable MFA for all users
- Enable Client Rules Forwarding Block

Advanced Action

- [Not Scored] Enable audit data recording
- Review sign-ins after multiple failures report weekly
- Enable mailbox auditing for all users
- Review sign-ins from unknown sources report weekly
- Review sign-ins from multiple geographies report weekly
- Review role changes weekly
- Store user documents in OneDrive for Business
- [Not Scored] Enable Information Rights Management (IRM) services
- Use audit data
- Review mailbox forwarding rules weekly
- Review mailbox access by non-owners report bi-weekly
- Review malware detections report weekly
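As an added example, not part of the report or UnderDefense's own tooling, the following Exchange Online PowerShell script implements three of the Appendix D items (enable mailbox auditing for all users, enable the Client Rules Forwarding Block, and the weekly review of mailbox forwarding rules). It assumes the ExchangeOnlineManagement module and an admin account; the account name, rule name and output paths are placeholders.

```powershell
# Added example; not from the report. Requires the ExchangeOnlineManagement module.
# Placeholder values: admin UPN, transport rule name, CSV output paths.
Connect-ExchangeOnline -UserPrincipalName "admin@organizationxxx.example" -ShowBanner:$false

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox

# Appendix D: "Enable mailbox auditing for all users".
# Turns on per-mailbox audit logging where it is still off and keeps 180 days of records.
$mailboxes | Where-Object { -not $_.AuditEnabled } |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit "180.00:00:00"

# Appendix D: "Enable Client Rules Forwarding Block".
# Transport rule that rejects mail auto-forwarded by user inbox rules to external recipients,
# which closes the usual data-exfiltration path via a silently added forwarding rule.
$ruleName = "Client Rules Forwarding Block"
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -Priority 0 `
        -FromScope InOrganization `
        -SentToScope NotInOrganization `
        -MessageTypeMatches AutoForward `
        -RejectMessageEnhancedStatusCode "5.7.1" `
        -RejectMessageReasonText "Automatic forwarding outside the organization is not permitted."
}

# Appendix D: "Review mailbox forwarding rules weekly".
# Two places to look: inbox rules that forward/redirect, and forwarding set on the mailbox itself.
$inboxRuleFindings = foreach ($mbx in $mailboxes) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName -ErrorAction SilentlyContinue |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}
$mailboxForwardingFindings = $mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

$stamp = Get-Date -Format yyyyMMdd
$inboxRuleFindings         | Export-Csv -NoTypeInformation -Path ".\inbox-rule-forwarding-$stamp.csv"
$mailboxForwardingFindings | Export-Csv -NoTypeInformation -Path ".\mailbox-forwarding-$stamp.csv"

Disconnect-ExchangeOnline -Confirm:$false
```

Both CSV files are the weekly review artefact: any forwarding target outside the organization that nobody can justify is an incident to investigate, not just a configuration to clean up.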

Appendix E: Key stakeholders interviewed

Prior to initiating our assessment we conducted interviews with the key stakeholders and employees of OrganizationXXX in order to obtain feedback and to learn about the current information security practices, control sets, and risks observed within OrganizationXXX. The following table shows the list of individuals who took part in the interviews. The respondents shared their knowledge of the state of information security in OrganizationXXX, presented the current information security controls in their department and answered various questions about security procedures, systems, infrastructure, business processes, policies, growth plans, endpoint security, operating systems, access controls, valuable assets, risks, and other information relevant to the information security state of OrganizationXXX.

Position in the company - Respondent
CEO
CFO
Finance
Digital Marketing
ERM
Operational
BUM
BUM
BUM
BUM
HR
CIO

When conducting the gap analysis we identified the departments and divided the staff into groups. There are different groups: one has to go through Security Awareness, another Security Training.

Summary

Within the scope of the gap analysis for OrganizationXXX we conducted 17 interviews with key stakeholders to evaluate the current security levels within the organization and review existing procedures, controls, documentation and policies. After mapping the outcomes of the interviews and documentation analysis onto security best practices, we evaluated the current state of the company's cybersecurity posture. A radar chart was prepared to provide a graphical summary of the assessment. A roadmap was prepared as a step-by-step plan to start executing improvements to the security posture of the organization. We recommend that OrganizationXXX conduct a Risk Assessment, create a gap elimination plan and start implementing security controls one by one to raise them to the target level of maturity, and in this way enable the organization to perform cost-effective, targeted improvements.

