ISACA CISM – Domain 03 – Information Security Program Development Part 8

58. Personnel Part2

Now remember, the skills are really the training, the expertise and experience of that person. Now, this is often a given of a job function. We expect that you have certain skills to perform a certain job, but skills can be gained. They can be gained through training or on the job experience. And in many cases you may have people that are put into a job function who are not quite yet qualified because they have to go through your own training program to get to that point. But still, that’s something we have to look at and consider as we’re taking an overall look at, you know, the eventual goal of a security program. Now, we also have to deal with the culture of the personnel. Culture represents the organization’s behavior and it often influences how the work gets done. Now, one goal, of course, might be that we want to create a more security aware culture. As an example, when I went into a company that was a little part of a strip mall, a store, it was for a cell phone and I was waiting patiently to get a cell phone.

It was unfortunate one person were there and there were like ten customers in the thing. So I knew it was going to be a bit of a wait. And to make matters worse, their computer systems were apparently down. She called a third party to come in, a consultant or somebody to come in and start doing the repairs, apparently under the contract work. But here’s this idea of this culture of security as a way of changing how business is done. When that technician got there and started trying to work on the system, the first thing he did was yell across the room because she was helping other customers. She says, hey, what is the manager’s password? Now, by that very question, I made the assumption that the person that was working there, the employee, was not the manager because otherwise I may have heard this tech say what is your password? But then even more scary was that this person who was not the manager said oh it’s, and spit out the password and then gave me the keywords of how to remember that password.

It was the last name of their favorite basketball player as well as the number on their jersey, which by the way, depending on how it was typed in, means it was even a weak password. So suddenly I understood the culture of security for this particular office, that the manager gave their password to everyone, that it was an easy to crack password, that apparently they’ll give it to a third party and at the same time not caring that everybody in that room now knew the password if they were paying attention. So again, how they do business. And that was the culture they had apparently of how business was done, that the manager gave out their password and that’s the way things were that does influence how work gets done. And maybe that was an easy way of doing work, because the manager didn’t have to constantly come in and approve any transactions because everybody knew their password.

59. Security Awareness

So security awareness is something we should work for and strive in all of our personnel, and that is that people should be aware of the risks and the available safeguards. And this awareness is really your first line of defense. A good security program should always consider the human element number one. Because if we train people about the types of things that can happen social engineering and shoulder surfing and retrieving documents out of the dumpsters. What we’re called dumpster diving. Teaching them about that may make them say, oh, now that I know these things, this has a lot of sensitive information on this paper. I’m just not going to put in the regular trash. We’ll find where we appropriately dispose of those types of documents where they should be shredded.

Likewise, what questions do I answer on the phone with my example of that cell phone company? Very well. Right there. Having those types of training put in place, hopefully that person would not have screamed out the password and the manager wouldn’t have given out their passwords. Right. We need them to be our first line of defense. And unfortunately, we’ve said it before that the human element is usually the weakest part of our security. So awareness training should be available for all the employees, the contractors, even third party parties that we may hire coming in. Everybody should be aware of why the program exists and what are some of the best practices and also why they’re there, so that they understand the importance of security.

60. Awareness Topics

Now as we talk about some of the topics we might see with awareness, awareness training can vary but some of the types of topics we talk are things like backing up files. Okay? Backing up files is an important aspect because if you lose a file it could be disastrous. It could cost you time. I remember many, many years ago a small company back in my hometown, where I work, or where I live I should say, called me up and said that they had just lost a Microsoft Access database and they needed to get this database. Apparently it got corrupted. It needed to get repaired because the project was due the very next day and it would be impossible for the months of work to be reconstructed. And I just simply said okay well because I knew how this company worked, I worked for them before. I said all you need to do is get a copy of the backup off the server and it’ll only be a day old.

And then there was silence on the phone and the silence came back and said well you know, I was taking too long to retrieve the file from the server so I copied it over to my desktop and I worked with it solely on my desktop. Now it’s corrupted, I don’t have a backup. And I was like okay I don’t know how to fix a corrupted access database. I mean I knew some commands you could try and I said you could try calling Microsoft and there’s still more silence that I did that before I called you and I thought, well that was really nice that you thought I knew more about access than Microsoft as a corporation. But it all comes back to training, right? If they really understood training because remember information loss is a security problem that would have been taken care of. Good password security.

Well I can’t keep beating up on the cell phone people but good password security is important. Not writing the password down, not making it easy to guess but coming up with something that is still human, readable but difficult to guess, to be able to crack and at least good for 30 days. So until we change it again teaching people about email and web based attacks, here’s something I talk about when I’m teaching people about their own personal security of what they should do. A lot of times you might get an email, we call it phishing when it’s trying to pretend to be your bank and it’s really not. But more than that we also get emails that try to take you to a website to get you to sign up for something free or some service or some newsletter. They try to make it an enticing offer and it’s not a fishing.

They’re not pretending to be your bank but they are trying to get you to come in and sign up and register. And here’s what happens. Many people will sign up for that new service, that new free, great thing they’re going to get. They’ll create their user account using their existing email address because that’s what it will say. Your account name will be your email.And they’ll say you need to create a password. And they often use the same password at that website as they do on their regular email account. Now, if I’m a hacker, I’m looking forward to this. I’m going to send you something that says you just want a new car. All you have to do is sign in here and maybe take a small survey, a small survey that might help me socially engineer you later and you sign up with your email and your emails password.

And now I’m going to say, all right, I’ve got this. There’s never going to be a free car, but I’m going to try to hack into your email account, into your company’s network with that information. And generally speaking, it’ll work almost every time. Web based attacks, hoaxes and those types of things. All important that we train people about these processes. Understanding social engineering, another awareness topic again, we’ve talked about that again, of not being tricked to give out your phone number or your passwords and how to dispose of documents and those things. There should be a way for people to report a security incident. They need to know who to go to, who to notify if they suspect something. And number one, if they didn’t have awareness training, they may have even never noticed there was a security problem.

So we’re getting a double benefit here by giving them the awareness so they can recognize a problem. But then we need to make sure they know who to report it to. We also have to make sure they understand how to secure information in all forms that I just talked about. Don’t throw away memos and documents. Make them go to shredding locations so that it can be disposed of correctly. Careful of the information you send on your email or information you download onto your USB drives. And do people understand how to look for signs of malware? I know this was an issue for some of my younger kids when they were out there surfing for, I guess, hacks on how to beat these games that they were playing on their video games. And they just started clicking yes, okay.

On all these little pop ups on these websites they were searching and 15 searched bars later on the browser, they finally gave up saying, I can’t use the computer anymore. Not only are disgusting things coming up on the screen, but they couldn’t utilize what was happening. They didn’t know. Ah, the signs of malware by these little things popping up says, do you want to trust? Do you want to trust? Do you want to accept? And they were just hitting yes because they were thinking, well, if I hit yes enough, they’re going to give me my hacks into these games. We can do that. We can train people through awareness to even understand, to be able to recognize signs of malware.

61. Formal Audits

Now, your audits are like your secured reviews and that they should have objectives, scope, constraints, approach and results. Now, an audit is based on an approach to be able to identify, to evaluate, test and assess the effectiveness of a control. Basically the idea is in that concept of trust and trust no one. We trust that the control is doing its job, but at the same time we don’t trust it. So we are auditing it to make sure it’s doing or meeting the objectives that we have stated. Now, the goal, of course, is to test if the control is meeting those objectives or are said to be in compliance with whatever the policies or standards or even the program objectives were to begin with.

The audit documentation should be a way of verifying the mapping of your control to the objectives, how the test was conducted and the final assessment. Now, there are some external standards of audit frameworks that you can use. Some found with COVID or with the ISO IEC 270. Zero two. And those can be helpful if you’re not sure what to do or how to conduct an audit. As a framework, this is something you can use as kind of an overlay and fit it to your particular circumstances. But it works out fairly well to have often a template it to go on.

62. Compliance Enforcement

The idea of compliance enforcement says that once the security program is implemented then there has to be a way of checking to see that we are in compliance. Now, that means we should be referring to any activity to be able to ensure the compliance with our stated objectives. And again, remember, our security program may not be just technically based. A lot of different things that we can look at physical security as well as environmental controls and the rest. Now, in some cases, the control that we choose to be able to get us to that point of compliance,to get us to that objective might be chosen based on the ease of monitoring and enforcement. And I know I’ve mentioned that before that if I had a really complex control it might actually pose more risk because of the lack of monitoring compliance. Meaning if it’s really so complicated that I can’t pull anything meaningful out of it to really determine if it’s doing its job, then I’m running a risk of not being able to verify compliance. And if I can’t verify compliance, I might not be in compliance. And you can see where it’s kind of snowballing from there.

63. Project Risk Analysis

Now, as we look at the project risk analysis, it’s kind of interesting to say the term that they’re trying to get here is that the project itself could have risks. In other words, there are threats that could be found through all stages of the implementation of our project. It’s very easy that we could have unclear objectives. Without unclear objectives objectives, you might leave a lot of ambiguity up for people to make decisions about what was intended to be said. And then that means that they may enact changes or proceed along a plan that wasn’t the intent of the person who or the group of people who created the objectives. And it’s not at all unusual. It is sometimes difficult to be precise. We realize that. But that’s where hopefully there’s a communication process and a clarification process. We all make mistakes simply if somebody is careless or makes a mistake during the execution of this project, that’s going to be a problem. I think of the kind of sounds funny. It was sad, it cost a lot of money.

But there was a Mars lander that crash landed in a mars because apparently some calculations were done in English measurements and some were done in metrics. And when it was all said and done, it came in a little too fast. That’s mistakes, carelessness, things that could have been avoided. Now lack of training or even good planning. If you ask me to go out and implement a firewall, I might do a pretty good job at that. But if you ask me to set up an exchange server, you’re going to hopefully be happy with whatever you get. I’m hoping it will send out some email because my training isn’t necessarily designed for email servers. So that’s kind of a thing that we look at in the project. Looking at your skills, right. Are you capable of handling each of those steps? And of course, if you just said, well, we needed an email server so just install it here, it might not be the best placement. Maybe you put it out into an area that’s easily broken into or hacked.

Again, it all comes down to how we put the project together. But what you’re seeing here is that you might be following the steps to get to the end of this project. But just in those steps there could be risk. Having insufficient resources is certainly something that we have to be careful of because if people are under pressure for time constraints, financial restraints, that might lead to carelessness or mistakes being made in their rush to get somewhere, you might have the improper specifications. That might be a better place to talk about that mars lander that kind of was the Mars crasher, but that’s the same idea, right? We have to be very clear on the specifications. There could be mistakes in the execution or you know what, it could just be malicious actions on the part of those people involved in the process of this project. So we need to make sure that we’re actually analyzing the risk of the conducting of this project.

• Category: Uncategorized