DSCI Assessment Framework (DAF)
Organizations can respond to the security challenge posed by ever-expanding threat scenarios only through preparedness. They have to implement appropriate technical and process safeguards along with physical, legal, and personnel security measures for securing their businesses. DSCI Security Framework - DSF - details the best practices using an innovative approach that brings dynamism into security. It is a new risk-based approach to security that is data-centric, driven by the security principles of information visibility, coverage & accuracy; they help an organization evaluate itself through self-assessment on the maturity criteria proposed in DSF. Strategic and implementation guidelines in DSF can enable choosing of appropriate controls to help migrate in maturity from low to high levels. Even though DSF does not focus on certification, the need for certification or rating does not go away. Managements are keen to understand the security posture of their organizations; they want to know what improvements can be made, and how to evaluate them. Clearly, maturity is one indicator that would give them some direction. But it is obvious that we have to look at some form of assessment process to assess the security posture, without getting into the trap of checklists and a basket of controls to choose from, in order to satisfy an auditor. How do we not let this assessment become a mechanical process? At DSCI we have debated this internally. We reviewed our security surveys that were based on detailed questionnaires. We analyzed the responses of companies to our rather elaborate questionnaires that we had designed for the DSCI Excellence Awards. It was interesting to observe the emerging pattern, which provided clues to light-weight assessment. The assessment process would lend itself to self-assessment by organizations, with additional confirmation by a third party using a little more inputs. This can act as a quick guide to confirm the security posture.
Practices in each of the 16 disciplines of DSF have been articulated in the framework document. The detailed assessment process has been developed for some of the areas that comprise the DSF. In this we have benefitted from consultations with industry: the companies that came forward to test the framework in the pilot projects, and the consulting firms that have partnered with us. The guiding principle has been to add value to the organization through the assessment by way of reviewing the strategy, processes, and implementation including technology solutions deployed, through the rating arrived at for each of the identified criteria. It may look a bit difficult to begin with, but I'm sure the value generated by this assessment approach will speak for itself. I want to reiterate that DSF does not promote organization-wide certification. DSCI Assessment Framework - DAF - is in your hands. As always, I encourage you to review it critically and give us your constructive suggestions to make it more useful to organizations.
Dr. Kamlesh Bajaj
CEO, DSCI
About DSCI
Data Security Council of India (DSCI) is a section 25, not-for-profit company, set up by NASSCOM as an independent Self-Regulatory Organization (SRO) to promote data protection, develop security and privacy standards and encourage the IT/BPO industry to implement the same.
For more information about DSCI or this DAF, or any feedback, please contact:
DATA SECURITY COUNCIL OF INDIA
Niryat Bhawan, 3rd Floor, Rao Tula Ram Marg, New Delhi - 110057, India
Phone: +91-11-26155071, Fax: +91-11-26155070
Email: info@dsci.in
Website: www.dsci.in
This assessment framework contains information that is Intellectual Property of DSCI. No part of this report can be reproduced in any form whatsoever. The information contained herein has been obtained from sources, believed to be reliable. However, DSCI expressly disclaims all warranties, express or implied, as to the accuracy, completeness or adequacy of the information. DSCI shall have no liability for errors, omissions or inadequacies in the information contained herein, or for interpretations thereof. DSCI also disclaims responsibility for any loss, injury, liability or damage of any kind resulting from, or arising out of use of this material/information, or part thereof. Views expressed herein are views of DSCI and/or its respective authors and should not be construed as legal advice or legal opinion. Further, the general availability of information or part thereof does not intend to constitute legal advice or to create a Lawyer/ Attorney-Client relationship, in any manner whatsoever.
Contents
Background ........ 5
Need for Assessment Framework ........ 6
Key Business Drivers for Assessments ........ 7
Assessment Challenges ........ 8
Prevalent Assessment Frameworks / Models ........ 9
Requirements of Assessment Framework: what it should cover ........ 11
DSCI Assessment Framework (DAF) ........ 14
Approach for DSCI Assessment Framework ........ 15
Structure of DSCI Assessment Framework ........ 16
Managing Assessments under DAF ........ 17
Light weight Assessment ........ 19
Discipline Specific Assessments based on DSF ........ 21
SAMPLE ASSESSMENT REPORT ........ 25
Background
Businesses today are global, complex and fast evolving, and technology has made business transactions independent of space and time. This has enabled businesses to focus on their core competencies and outsource non-core business operations to Service Providers, who are capable of providing services to the businesses from around the world. Information Security and Privacy become crucial when it comes to outsourcing, as technology enables the free flow of information across borders between Clients and Service Providers. This information could be business-sensitive information and / or sensitive personal information of the Clients' end customers, including but not limited to health-related information, financial details, credit card details, social security numbers, etc. Also, stringent global data protection regulations make businesses liable for loss, misuse or wrongful disclosure of any personal information of any citizen, irrespective of whether the failure is at the outsourcer's end or the Service Provider's end. Indian IT/BPO Service Providers are striving hard to ensure that the security and privacy of data is well maintained. They follow stringent security controls specified by the Clients through contractual obligations. The Clients conduct regular information security and privacy assessments of the Service Providers to ensure compliance with the contractual obligations and / or regulatory requirements, or to assess the security posture of Service Providers. In this outsourcing ecosystem, many Clients have developed and applied their own proprietary assessment frameworks for evaluating their Service Providers. Service Providers, on the other hand, strain their resources to respond to diverse and varied client information requests. Such an independent approach proves to be an ineffective and costly affair, both for the Clients and the Service Providers.
Inconsistencies arising from the use of different assessment methodologies cause delays, resulting in inefficient use of time and resources. The unavailability of a generally accepted standard for Service Provider assessments further aggravates the problem. To overcome these issues and challenges, DSCI as an industry initiative seeks to establish a well-defined Assessment Framework in order to have a universal assessment approach that can be used to assess different organizations.
1. DSCI Service Provider Assessment Framework, p9: http://www.dsci.in/node/541
2. Gartner, "Survey Highlights Company Burden of Vetting Third-Party Security Controls", published 17 October 2008, ID: G00162100
a devoted Full Time Employee (FTE) works 1,880 hours per year. This translates into two to eight employees devoted to security assessments per year. Fifteen percent of the respondents spent approximately 5,000 to 10,000 hours a year on assessing the security controls of vendors, partners and providers. And a further 20% of the respondents indicated that they spent a total of 10,000 to 30,000 hours a year evaluating each of the three groups. That breaks down to 24 to 72 employees a year or, if the hours are actually shared among assessing service providers, vendors and partners, eight to 24 dedicated employees for 20% of the companies surveyed.
"Most companies spend more than $100,000 for an in-depth assessment; with travel cost & time, this goes to $150,000." - Gartner
Another challenge is the quality, inefficiency and redundancy of third-party assessments. It has been found that many security groups lack a formal process for integrating security and privacy into the vendor management program and are frequently asked to vet the security controls of third parties without any additional budget or support from the sponsoring business owner. This is largely indicative of a systemic problem, where the security group is brought in after the contract is signed with an outsourcer, and especially a business partner. Some of these challenges have forced organizations to look at alternate methods of assessment. DSCI Assessment Framework (DAF) is an effort in that direction. It aims to address the issue of multiple assessments while ensuring that the security preparedness of organizations is taken into cognizance, and to provide them with the capability to continuously improve their security maturity.
Assessment Challenges
After establishing the needs and key business drivers, DSCI studied the challenges that Service Providers and Clients regularly face. This was important to ensure that DSCI addresses the challenges that have emerged from the Client and Service Provider perspectives.
Interestingly, it was observed that Clients see the comfort provided by certifications like ISO 27001 as one of the critical challenges faced by Client organizations in assessing Service Providers on Information Security & Privacy. A majority of Service Providers perceive a high number of assessments around the year as one of the most significant challenges. This difference of opinion regarding the challenges faced by Client and Service Provider organizations clearly indicates the need to develop a robust assessment solution that meets the requirements of both parties.
Clients and Service Providers believed that a new framework mapped to prevalent standards should be considered as a potential assessment standard for third-party assessments of Service Providers. Since DSCI Security Framework (DSF) is a compilation of best practices, takes cognizance of the various standards and practices and industry trends, and is designed to enable an organization to establish a particular function (discipline) within the organization, it is best suited as a reference for DSCI Assessment Framework (DAF).
"Information security rating that takes care of People, Process as well as Technology issues will be accepted as a proof of sound security practice." - Forrester
The Assessment study recommended that DSCI as an industry initiative and a self-regulatory organization having representation from both the Client and Service Provider organizations should empanel auditing firms for conducting independent third party assessments.
1. Service Specific: BPO, KPO, LPO, SOC, ITO, ADMS, Application Support, Testing
2. Industry Specific: Finance (Banking, Stock Exchanges, NBFCs, etc.), Manufacturing, Government, IT (Products, Services), Retail, Transport, Telecom, Health, Pharmaceuticals, Food, Entertainment, etc.
3. Vertical Specific: Administration, HR, IT, Finance, Sales & Marketing, Vendor or Customer Management, etc.
4. Compliance Specific: HIPAA, GLBA, EUDPA, PIPEDA, etc.
5. Specialisations: Payroll & Accounting, Application Support, Call Centre, etc.
6. Technology wise: Cloud Computing, Grid Computing, etc.
7. Mode of Services: Remote / Onsite
8. Combination of any 2 or more of the above. Examples: a BPO handling only customer care operations of a banking client (BPO + Call Centre + Banking); a BPO handling security services of a telecom client (BPO + SOC + Telecom)
(v) The assessment areas, sub-assessment areas and assessment criteria reflect ideas and principles articulated by DSF
(vi) This method can be applied equally to both service provider and user organizations
rating would be directly proportional to the minimum service guarantee that it can promise. The same concept has been developed to capture an organization's competence in specific disciplines. The Assessment Framework provides options for a service provider to do a self-assessment or to appoint an empanelled auditor to carry out an assessment. DSCI will develop a process to empanel the auditors by developing training programs and certification models. The maturity ratings that DSCI or DSCI-empanelled vendors/auditors provide will be based on the type of assessment that an organization opts for.
Organization characteristics provide the overall strategic direction and the culture of the organization towards security. The maturity of initiatives and implementations depicts the capability and discipline of an organization in terms of security. The organization characteristics are supported by the factual details that it provides to ascertain the competence and the overall characteristics of its security function. Security characteristics evaluate the overall approach of an organization towards security, the structure of its security initiatives and programs, and how they get reflected or spread in each process, be it in-house, outsourced or client driven. The assessment tries to evaluate the strength of the technical and procedural measures that have been adopted to establish security. Overall governance and management of security efforts, and the operational competence in terms of skill sets, training and awareness, are also covered through this aspect.
(v) The scores at the sub-assessment points then compute the score of the assessment areas
(vi) The total score of the organization is derived from the weighted score of the assessment areas
The diagram below explains how weight is assigned to sub-assessment points, the scoring of an individual assessment point, the weights of assessment areas, the respective score of each assessment area, and the total score of an organization.
This method provides a quick but important insight into the state of an organization in the designated assessment areas. The above representation of a sample evaluation of an organization provides key inputs on its security:
(i) The overall performance of the organization stands below 50% of the total. The relative scaling of the organization will come from its comparison with others
(ii) While the security strategy of the organization looks good, with all desired strategic components present, significant effort dedicated to ensuring business alignment and a mature process followed for strategy definition, the organization fares average in terms of translating that into practice with adequate commitment to investment
(iii) The compliance processes need to be revitalized, as significant inefficiency was observed in them. The efforts on understanding, interpreting and updating compliance knowledge seem inadequate
(iv) A serious lag was observed in the threat response capability of the organization. For one, there is a deficiency in the technical architecture that comes from missing an enterprise-level solution for addressing threats coming from wireless
(v) The organization spends little effort and few resources on building its assurance capability, such as security testing
(vi) Security delivery in the services offered by the organization shows a reactive approach. It is left more to client attention and requirements than to proactive initiatives
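The scoring hierarchy just described, as an added worked example (not code from the DSCI document): sub-assessment points carry weights and maturity ratings, each area's score is the weighted mean of its points, and the organization total is the weighted mean of the area scores. The 0..5 rating scale, the area and sub-point names, and all weights and ratings are constructed assumptions chosen to resemble the sample evaluation above (overall below 50%, strong strategy, weak compliance, threat response and assurance).

```python
"""Hierarchical weighted scoring for a light-weight assessment.

Added worked example; not code from the DSCI document. The 0..5 maturity
scale, the area/sub-point names and all weights and ratings are constructed
assumptions that mimic the sample evaluation discussed in the text.
"""
from dataclasses import dataclass
from typing import List, Tuple

MAX_RATING = 5  # assumed maturity scale: 0 (absent) .. 5 (optimized)


@dataclass(frozen=True)
class SubPoint:
    name: str
    weight: float   # relative weight within its assessment area
    rating: int     # assessor's maturity rating, 0..MAX_RATING


@dataclass(frozen=True)
class Area:
    name: str
    weight: float                 # relative weight of the area in the total
    sub_points: Tuple[SubPoint, ...]


def area_score(area: Area) -> float:
    """Percent score of one area: weighted mean of sub-point ratings over MAX_RATING."""
    if not area.sub_points:
        raise ValueError(f"{area.name}: no sub-assessment points")
    total_weight = sum(sp.weight for sp in area.sub_points)
    if total_weight <= 0:
        raise ValueError(f"{area.name}: sub-point weights must sum to > 0")
    for sp in area.sub_points:
        if not 0 <= sp.rating <= MAX_RATING:
            raise ValueError(f"{area.name}/{sp.name}: rating {sp.rating} out of range")
    weighted_mean = sum(sp.weight * sp.rating for sp in area.sub_points) / total_weight
    return round(100.0 * weighted_mean / MAX_RATING, 1)


def total_score(areas: List[Area]) -> float:
    """Organization total: weighted mean of the area percent scores."""
    total_weight = sum(a.weight for a in areas)
    if total_weight <= 0:
        raise ValueError("area weights must sum to > 0")
    return round(sum(a.weight * area_score(a) for a in areas) / total_weight, 1)


def weak_areas(areas: List[Area], threshold: float = 50.0) -> List[Tuple[str, float]]:
    """Areas scoring below the threshold, weakest first (ties broken by name)."""
    scored = [(a.name, area_score(a)) for a in areas]
    return sorted([s for s in scored if s[1] < threshold], key=lambda s: (s[1], s[0]))


# Constructed sample evaluation (illustrative values only, not real assessment data).
SAMPLE_AREAS: List[Area] = [
    Area("Security Strategy", 20, (
        SubPoint("Strategic components present", 2, 4),
        SubPoint("Business alignment", 1, 4),
        SubPoint("Investment commitment", 1, 2),
    )),
    Area("Compliance Management", 20, (
        SubPoint("Compliance knowledge", 1, 1),
        SubPoint("Interpretation and updates", 1, 1),
        SubPoint("Process efficiency", 2, 2),
    )),
    Area("Threat Response Capability", 25, (
        SubPoint("Technical architecture", 2, 1),
        SubPoint("Wireless threat coverage", 1, 0),
        SubPoint("Response process", 1, 2),
    )),
    Area("Assurance Capability", 15, (
        SubPoint("Security testing", 1, 1),
        SubPoint("Assurance resourcing", 1, 1),
    )),
    Area("Security Delivery", 20, (
        SubPoint("Proactive initiatives", 1, 1),
        SubPoint("Client-driven controls", 1, 3),
    )),
]

if __name__ == "__main__":
    for area in SAMPLE_AREAS:
        print(f"{area.name:28s} weight {area.weight:>3}  score {area_score(area):5.1f} %")
    print(f"{'Total':28s} score {total_score(SAMPLE_AREAS):5.1f} %")
    for name, score in weak_areas(SAMPLE_AREAS):
        print(f"below 50 %: {name} ({score} %)")
```

Recording the weights alongside the ratings is what lets a reader of the report see why a low area score did or did not pull the total below the threshold.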
A security discipline such as Application Security (APS) now requires attention from both the strategic and the implementation perspective. DSF provides help for benchmarking and improving an organization's strategy in each of the security disciplines, supported by detailed implementation guidance. DSF also provides maturity metrics for each discipline.
Structure of DSF: DSF presents a specific structure for articulating the content under each discipline. It presents the content in three sections, as follows:
Strategy building: Each discipline deserves strategic treatment. This section recommends approaches and processes for conducting the strategic review. It helps management to provide strategic direction to the organization's security initiatives in a discipline.
Implementation guidance: DSCI recognizes the need to provide detailed guidance for systematically planning and implementing security in the organization. This section, in each discipline, compiles the best practices for the security implementer.
Maturity criteria: Each discipline is provided with a set of metrics to measure its maturity. These metrics reflect criteria for measuring the outcome of security initiatives in a discipline. DSF has defined a total of 170 maturity criteria for the 16 disciplines.
DSF thus brings distinct advantages in the security assessment of an organization, which are summarized below:
(i) Focus on the strategic direction, tactical mechanisms for governance and maturity of security operations
(ii) Assigns importance to the key aspects of security capability management, such as responsiveness to threats and aligning protection to threats
(iii) Provides performance metrics that are outcome based and keep their focus on assessing the actual delivery of security
(iv) Focus on the coverage of the security program and the accuracy of solutions
(v) Helps in gaining insight into how security components, elements and actions are positioned, and how they work in tandem to deliver the desired levels
(vi) Provides an approach to benchmark the assessee organization against the evolving strategic options in security
(vii) Helps in evaluating management practices with respect to security, such as:
  - Organizational understanding of security
  - Management of IT infrastructure (or simply Infrastructure Management)
  - Resource allocation for security
  - Operationalization of security capability
  - Efficiency in compliance management
  - Integration and convergence with other organizational functions
  - Management of information and knowledge, and its integration with security operations
  - Problem and incident management
  - Security services management
  - Policy management and enforcement
(viii) Helps assess management of the business ecosystem: partners, service providers and externally provisioned systems
Assessment Areas
DSF articulates best practices in a particular manner in each of the disciplines. Apart from presenting a specific approach to manage the affairs of a discipline with DSCI principles, it tries to cover all aspects of that discipline. For example, the DSF security discipline Threat and Vulnerability Management (TVM) articulates the practices to cover the areas depicted in the figure. For the management of threats and vulnerabilities, an organization should pay careful attention to these areas. These areas determine where an organization stands in managing threats and vulnerabilities. The maturity of TVM can be derived by evaluating and benchmarking the organization against these areas. For each discipline, DAF defines these assessment areas.
Maturity Metrics
DSF provides maturity metrics for each of the disciplines. These metrics are used to evaluate the performance of the Assessment Areas. In the case of the discipline Threat and Vulnerability Management (TVM), the maturity metrics shown in the figure are used to conduct a detailed evaluation of an organization's performance. The evaluation of an organization in TVM is carried out for the Assessment Areas against the maturity metrics. This necessitates the mapping of these metrics to the Assessment Areas. The sample report in the next section states how the Assessment Areas are mapped to these metrics. DSF best practices and the knowledge feed provide the necessary inputs to an assessor to evaluate the maturity level of an Assessment Area. For the success of this type of assessment, knowledge and comprehension of the relationship between the assessment areas and the maturity metrics is an important factor.
and more granular, with their state becoming increasingly important to determine the security posture, a multipronged approach is required for information gathering and assessing the area under evaluation. DAF proposes five different means for gathering information and assessing the area, as shown in the figure. Some of the techniques, such as Information Filing and Questionnaire, may not require direct interaction between assessor and assessee, so they can be used for self-assessment. These techniques bring factual and qualitative inputs. They can be used to make comments on the state of security based on facts and the quality of responses. Other types, such as Interview and Field Visit, give more detailed insight into how exactly security affairs are being managed. They also bring the opinion and perspective of the assessee to the table, to help build a comprehensive understanding of the reasoning behind the specific steps or set of actions being taken by the organization. These techniques also provide significant technical inputs. Moreover, they provide crucial information on operational maturity, the style and characteristics of a function, the ability of an element to integrate with other functions, and the overall outcome of many items and elements functioning together. Technical Assessment is meant to provide information on the technical security posture. It involves a certain set of technical actions to be performed by the assessor. In the discipline-specific assessment, DAF proposes to use a mix of these techniques depending on the need, requirements and feasibility. However, it proposes recording the technique of information gathering and the assessment method used. This will help build trust in the outcome of an assessment: users reading the assessment report would be aware of the depth and breadth that has been covered to make a particular observation or comment.
TVM
ABC IT Services Ltd
ABC is a mid-size IT Services company, with a presence in 20-plus countries, offering services in diverse lines of service to 200-plus clients. Although it is still a small part of the business, ABC recently forayed into offering business process services, including knowledge services. Apart from IT services, ABC has a strong presence in most of the geographies and serves mostly enterprise clients. The IT services business of ABC takes advantage of contemporary infrastructural arrangements for serving its clients across the globe. With more than 1000 projects under service, the infrastructural arrangements with client organizations introduce significant complexity and diversity in the IT infrastructure. Business units, for managing the corporate applications, rely heavily on IT systems and take advantage of all the latest trends in the infrastructure management and software market. ABC is in the process of deploying standardized IT infrastructure management processes. It is an ISO 27001 certified organization.
IT Infrastructure
TVM Perspective
The IT infrastructure profile of ABC is quite complex, driven by its client requirements and its own corporate requirements:
(i) Corporate applications deployed over the Internet expose the organization to cyber threats
(ii) Clients of IT services and their requirements have contributed to the diversity of infrastructural deployment
(iii) Factors such as serving different geographies and handling different sets of requirements expose the organization to a varied set of compliance requirements
(iv) Varied sensitivities of the projects under service demand a granular approach to the management of threats and vulnerabilities
(v) The IT infrastructure contains a mix of legacy and new-generation IT systems
(vi) The infrastructure reflects trends such as virtualization. The organization offers its employees all contemporary collaboration tools. Some of the services are hosted at third-party providers and some are procured from cloud service providers. Some of the IT services are also sourced from the market
(vii) With the advent of wireless and mobility, business users demand maximum flexibility, leading to increasing adoption of the same
TVM Facts
Infrastructure: The IT services line of business reflects a mix of client and organization hosting. Corporate applications are hosted on the organization's premises and some of them on third-party hosting. Varied ownership patterns (client as well as ABC owned)
Network: Combination of shared and air-gapped
Infrastructure Management: ITIL implementation for infrastructure management is in progress. Production, Development and Test environments. SOE of servers, either client driven or the organization's own standards
Endpoints: Varied standards of endpoints
Collaboration: Organization's collaboration platform. Employees get access to client collaboration tools also
TVM Controls: Standard set of controls as offered by the organization. Client-preferred controls in select projects
TVM Solutions: Firewall; Enterprise Antivirus/Spyware; Intrusion Prevention; Content Filtering & Monitoring; Email Protection; Web Protection; Endpoint Protection (FW/IPS, AV); Patch Management
TVM Services: VA/PT [Quarterly | In-house]; Monitoring [Daily | In-house]; Device Management [In-house]; Application Security Testing [In-house]; Localized Security Monitoring
Security Management: Governance & Compliance Function; ISO 27001 Certification
Endpoints represent minimum diversity. However, with the advent of mobility, this situation is changing gradually. Client service delivery requirements contribute the most to diversity in both server and endpoint systems. The security infrastructure also reflects diversity in terms of different brands, variations and diverse choices in solution selection. The organization has not yet adopted an enterprise-wide refresh cycle for infrastructure, which results in the presence of many legacy systems. The organization is in the process of implementing ITIL, which would change the way infrastructure will be managed. At this point, threat and vulnerability management cannot leverage the benefits of a mature infrastructure management process. As the infrastructure management processes, such as service management, configuration and change management, and problem management, are not mature enough, it seems difficult to ensure effective and responsive threat management. There isn't any mechanism to help the organization create the desired level of visibility over its infrastructure. This impacts the capability of the TVM function to create a high-level insight into the state of the infrastructure and to understand the detailed state and comparative analysis of the organization's units.
TVM Preparedness
The corporate applications, on the one hand, and the client requirements, on the other, drive the TVM preparedness of ABC. The following observations state the level of its preparedness.
1. Scope and coverage of the TVM
The coverage of the TVM program is reflected by the following observations:
(i) The TVM program extends its coverage to vulnerabilities emanating from network, endpoints, email, messaging and web
(ii) Although the TVM program covers the enterprise infrastructure, some of the departments and the legacy network are out of the purview of the enterprise program. The policies and preparedness in these departments and the legacy network are localized
(iii) In some of the client projects, controls and responsibilities with respect to Threat and Vulnerability Management are owned by the client organizations. In the cases where ABC is involved in the operations, it has to comply with the responsibilities assigned by the client
(iv) There is no significant initiative to cover the systems and services offered by external service providers under the enterprise TVM program
(v) The IT environments, except the production environment, are not properly and consistently covered by the TVM program. In the production environment also, on some of the systems where application compatibility is an issue, application of the TVM program is not consistent
(vi) For mobility, the TVM program relies on the in-built security capability of mobile devices
2. Architectural Direction
TVM preparedness of the organization falls short of addressing some of the important concerns. Examples of the deficiencies in the architectural direction are:
(i) Wireless Security: Absence of a competent solution for threats emanating from wireless devices, while an increase in the adoption of wireless computing seemed evident. For wireless security, the focus seems to be primarily on protocol encryption rather than a proactive, enterprise-level approach that advocates a managed solution for monitoring and preventing wireless devices
(ii) Mobile Security: The organization is responding to the mobile trend by allowing employees the use of mobiles. Secondly, a significant number of employees are provisioned with laptops which are connected through home and public networks. The existing TVM architecture is not equipped to address threats originating from mobility
(iii) Virtualization: Although virtualization is increasingly being adopted for production as well as development environments, there isn't a mechanism for managing the vulnerabilities of the virtual infrastructure
(iv) Application Security: Application Development and Maintenance is an important line of service, contributing a significant share of ABC's business. For application security, it relies on incidental testing of applications, primarily done by the quality resources with freeware tools. The same has been followed for its own corporate and business applications. There is no plan to deploy, or to have an arrangement for, an enterprise-level application vulnerability testing mechanism
(v) Response Mechanism: The current TVM architecture doesn't provide a contemporary threat response capability. The review of the logs of the solutions is left to manual effort. The reports generated from the solutions are analyzed manually to identify discrepancies or incidents. The response and remediation process is rudimentary and relies on manual intervention
3. Characteristics of TVM Architecture
The following summarizes the characteristics of the current TVM architectural arrangement:
(i) Gaps in architectural choices: A proactive defense against security threats demands a focus on configuration management, and on vulnerability detection and remediation. However, these pieces are missing in the TVM preparedness of the organization
(ii) TVM solution competence: Although the organization has deployed a set of solutions for managing threats and vulnerabilities in its infrastructure, the competence level of the solutions doesn't seem to match the relevant security market trends
  - The Firewall and Intrusion Prevention System are old-generation devices. They don't provide capabilities such as real-time detection and prevention, active blocking of connections, deep inspection of traffic, and content- and context-aware decision making. These competences are recognized for their ability to deal with new-age threats
  - Endpoint protection solutions still rely on signature-based defense. The competence in terms of real-time techniques for detection of new and targeted threats is missing. Secondly, the location-based policy enforcement piece is missing, which could add a level of protection for wireless access and remote connectivity
(iii) Device management: The solutions deployed for threat and vulnerability management either lag in providing centralized management capability, or their architectural deployment doesn't reflect it
  - Policy creation, amendment and deployment are performed locally. The policy configuration and implementation tasks are not straightforward or easy; there is a fair bit of complexity in managing them
  - The current arrangement doesn't provide effective centralized visibility into critical events, requiring human intervention to filter them from trivial and low-level events. Immediate drill-down into important issues is cumbersome and consumes significant time
  - Policy and alert management still remains a pull mechanism, where the security administrator visits the device management console at his/her convenience. Even though some of the solutions have the capability to integrate alerts with SMS and email systems, this is not deployed yet
Patch Management
Patch management is an important element of the threat and vulnerability program. ABC has undertaken it as a part of infrastructure management, with a specific focus from the security perspective. Patch management becomes an agenda of IT operations primarily because of compliance obligations, client requirements and business security requirements. The following statements reflect the state of ABC's patch management initiative.

(1) The organization has deployed a centralized patch management system, primarily for Windows-based infrastructure.
(2) Some departments and the legacy systems are beyond the coverage of central management; they follow localized patching practices.
(3) The server infrastructure is diverse in nature, characterized by different OEMs, operating platforms, and configurations. Application reliance on a particular configuration set makes patch management all the more difficult. These are the reasons cited for not extending the scope of central patch management to a significant number of server systems.
(4) A varied level of maturity of patch management across infrastructure components is observed. It is more mature for Windows endpoints, and less so for databases and applications.
(5) Although there is an increasing deployment of virtual infrastructure, the question of patch management for virtual environments is not yet solved.
(6) The trigger for initiating patching of systems not covered by the automated patching mechanism is the vulnerability assessment performed quarterly. This may lead to a significant lag in the closure of a vulnerability or exposure.
(7) The organization is on its way to implementing ITIL processes. At present, it does not provide integrated, automated and measured remediation for patching of critical systems.
(8) Configuration management is still a manual process, and it works in silos from patch management.
(9) Some of the networking devices, a couple of routers and a switch in the central network, were found running a vulnerable IOS version.
(10) An application hosted on third-party service providers is running on insecure platforms. It was also found that the application runs on a vulnerable version of a CMS. A design flaw has led to a situation where the application is not independent of the CMS version, forcing it to run on the vulnerable version.
(11) Metrics for patch management are not properly defined, and reporting is not established for them. This leaves information on patch compliance invisible to management, leading to organizational ignorance about its exposure.
to certification, regulation and client requirements help provide understanding on threat exposure to an extent.

The scope of application security is limited to a set of security test cases and is run by the quality team. An integrated strategy for vulnerability management is not yet deployed. This may lead to a situation where application-level vulnerabilities are left unresolved for a significant duration of time.

Lean-forward techniques for threat profile assessment, such as threat modeling, threat trees and continuous vulnerability management, are not yet adopted by the organization.

The activities and results of security tests and audits are managed by the IT security team, with oversight responsibility residing with the CISO. Due to lack of reporting and inadequate information flow from security and other departments, management is not getting visibility on the state of security. This leaves gaps in governance and may lead to a situation where a serious exposure does not get the required organizational attention.

A structured management of services with respect to threat and vulnerability management, although internally managed, is missing. The approach to scheduling, responsibility and execution seems reactive.

The record of security tests, vulnerability and threat exposures, and associated activities is not properly maintained. It remains a difficult task to trace a vulnerability or threat exposure to its background, the behavior of systems under exploitation, and the remedial action.

Involvement of teams such as application development, production support and infrastructure management in test execution is limited, leading to significant isolation of the actions related to threat and vulnerability activities.

The ability of the organization to test the relevance of a specific vulnerability or threat exposure is seriously lagging.
(4) Standard Operating Environments recommended by the organization, and their variation in the client projects, resulted in deployment of applications on vulnerable versions.
(5) There is no consolidated historic record of the changes in the security baseline level.
(6) The enterprise security function has little idea of the security baseline of client-owned infrastructure and of externally provisioned applications procured from a cloud provider.
work require indigenous effort for managing their policies, extracting performance reports and taking corrective actions.

External security intelligence is advocated as a crucial element of threat and vulnerability management. However, the organization does not seem to have any initiative in this regard currently.

Threat and vulnerability management is not adequately integrated into life-cycle development processes. Application development is a representative example of this, as application development and deployment do not incorporate threat and vulnerability assessment.

A mechanism to collect and correlate information generated by security solutions and IT assets for identifying a security pattern is lacking and left to human effort. Human effort is not sufficient to process the scale of information that identifying an incident may require. This introduces a serious lag in detecting a threat event; some threat events may remain unnoticed in this process.

The manual dependency of TVM tasks requires a high level of coordination between IT Security, IT Infrastructure, and Application Development and Maintenance. However, serious gaps were observed in the communication between these functions during response initiation.

Although the solutions have capabilities to integrate with solutions such as user provisioning and access management, this integration does not seem to have been implemented. This limits the organization's capability to enforce user-centric policies and to gain a granular understanding of the state of security.

The organization's change management process is not yet fully mature and is not implemented to its full potential for infrastructure management. Security configuration and change management will take significant time to integrate with it.

The service management process is under implementation. A ticketing system is planned to be implemented. However, how this system will work for TVM response capability has not yet been explored.

The threat and vulnerability management tasks are not performed as a structured Security Operations Center. The organizational capability for an effective TVM function seriously lacks due to the absence of a formal Security Monitoring and Incident Management mechanism. This seriously impacts the dynamism of the organization's capability to respond to ever-emerging security threats.
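The gap described above, collecting and correlating the output of several security solutions so that a pattern on one host is noticed without a human reading every console, is illustrated by the following added example. It is not ABC's or DSCI's code: it normalises constructed firewall, IPS and endpoint-AV log lines (the formats, hosts and signature name are assumptions) to one schema and flags a host when two or more distinct sources report on it inside a sliding time window, while counting lines it cannot parse instead of silently dropping them.

```python
"""Cross-source event correlation for a TVM function (added illustration; not ABC's
or DSCI's code). Events from a firewall, an IPS and an endpoint AV are normalised to
one schema and a host is flagged when two or more distinct sources report on it
inside a sliding time window. All log formats, lines and hosts below are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# One regex per source; the 'host' group is the internal asset the event concerns.
PARSERS = {
    "fw":  re.compile(r"^(?P<ts>\S+) fw: src=(?P<host>\S+) dst=(?P<dst>\S+) action=(?P<action>\w+)"),
    "ips": re.compile(r"^(?P<ts>\S+) ips: host=(?P<host>\S+) sig=(?P<sig>\S+) severity=(?P<severity>\w+)"),
    "av":  re.compile(r"^(?P<ts>\S+) av: host=(?P<host>\S+) event=(?P<event>\w+) status=(?P<status>\w+)"),
}

# Constructed sample log lines (RFC 5737 documentation addresses, placeholder signature name).
SAMPLE_LINES = [
    "2024-03-01T10:00:05 fw: src=10.1.1.7 dst=203.0.113.9 action=drop",
    "2024-03-01T10:01:10 ips: host=10.1.1.7 sig=CONSTRUCTED-SIG-1 severity=high",
    "2024-03-01T10:03:00 av: host=10.1.1.7 event=detection status=quarantined",
    "2024-03-01T11:00:00 fw: src=10.1.1.9 dst=198.51.100.4 action=drop",
    "2024-03-01T13:30:00 av: host=10.1.1.9 event=detection status=quarantined",
    "this line is not in any known format",
]


@dataclass
class Event:
    ts: datetime
    host: str
    source: str
    detail: dict


def parse_line(line):
    """Normalise one raw line; return None when no source parser matches."""
    for source, regex in PARSERS.items():
        m = regex.match(line)
        if m:
            fields = m.groupdict()
            ts = datetime.fromisoformat(fields.pop("ts"))
            host = fields.pop("host")
            return Event(ts, host, source, fields)
    return None


def parse_all(lines):
    """Return (events, unparsed_count); unparsed lines are counted, never silently dropped."""
    events, unparsed = [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, unparsed


def correlate(lines, window_minutes=10, min_sources=2):
    """Map host -> sorted list of sources that reported on it within one window."""
    window = timedelta(minutes=window_minutes)
    events, _ = parse_all(lines)
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    flagged = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            seen = {first.source}
            for later in evs[i + 1:]:          # events are sorted, so stop at the window edge
                if later.ts - first.ts > window:
                    break
                seen.add(later.source)
            if len(seen) >= min_sources:
                flagged[host] = sorted(seen | set(flagged.get(host, [])))
    return flagged


if __name__ == "__main__":
    events, unparsed = parse_all(SAMPLE_LINES)
    print(f"{len(events)} events normalised, {unparsed} line(s) unparsed")
    for host, sources in correlate(SAMPLE_LINES).items():
        print(f"pattern on {host}: reported by {', '.join(sources)}")
```

With the constructed input, 10.1.1.7 is flagged because the firewall drop, the IPS alert and the AV detection fall within three minutes of each other, while 10.1.1.9 is not: its two events are two and a half hours apart, which is outside the ten-minute window. Widening the window (`window_minutes=180`) flags it too, which is the tuning trade-off a monitoring function has to make explicit.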
In one of the corporate business services, the organization processes a significant number of credit cards. However, there is no structured and complete understanding of which underlying IT systems are involved in processing credit cards. This understanding would be crucial for credit card related compliance requirements.

Some of the client projects expose the organization to compliance regulations such as HIPAA/HITECH, UK DPA, EU DPD, etc. However, there is not adequate visibility on how these regulatory requirements are handled in the projects and what systems are involved.

The record of system configuration elements associated with compliance requirements is not maintained properly.

Compliance-centric audits are managed at the local level, i.e. at a project or geographical unit level. Information on performance against compliance is not passed to the central security function.

The effort for delivering compliance information to the respective organizational unit or client project is inadequate. The central security function seems to struggle to create sensitivity about compliance requirements and liability at the field unit and project level.

Compliance-driven threat and vulnerability management activities lack proactive planning, vigilant gathering and storage of demonstration artifacts, and the capability to track issues to closure.
(4) The role of the IT infrastructure team is not clearly spelled out with regard to operational security management. The division of responsibility with the IT security team is not well defined.
(5) The coordination of detective, protective and responsive activities for threat and vulnerability management is manual.
- Systems with unapplied patches
- Number of machines outside the fold of enterprise antivirus
- Number of machines with outdated signatures, disabled services, and presence of unauthorized AV solutions
- Security threat exposures
- Top ten outbound traffic destinations, category-wise traffic analysis
- Traffic dropped, top ten sources
- Number of URLs blocked, user traffic blocked

TVM performance management suffers from a deficit of overall focus on the ability of the organization to generate a timely response to threats and vulnerabilities. The performance reporting parameters are primarily based on the reporting capability of the solutions deployed.

Overarching processes, such as remediation of a vulnerability from the time of its detection, applying a patch to the vulnerable system, and identifying threat patterns from multiple information sources, are left with undefined performance goals. This introduces serious gaps in the overall performance of TVM.

Infrastructure characteristics and management practices are also not benchmarked for improving their capability from a TVM perspective. For example, the diversity of the IT infrastructure is not covered in management reporting, leaving it vulnerable.

The performance reporting of TVM does not reflect enterprise-wide initiatives, as it remains a domain of the security team. Information on TVM performance is not flowing to other support groups, business functions and higher management. This leads to a lack of organizational attention and commitment to security.
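The following added example (not ABC's or DSCI's code) shows what a TVM performance report looks like when it carries both the solution-level counters listed above and the end-to-end metrics the assessment finds undefined: the patch compliance and central-coverage figures that the patch management section says are missing, and the lag from detection of a vulnerability to its closure, measured against an SLA. Open findings are aged against the reporting date so they cannot disappear from the report. The inventory rows, findings, flow records, identifiers, dates and thresholds are all constructed.

```python
"""TVM performance report over constructed inventory, vulnerability-finding and
firewall/proxy flow records (added illustration; not ABC's or DSCI's code).
It produces the solution-level counters and the end-to-end metric the assessment
finds undefined: detection-to-remediation lag against an SLA, with open findings
aged so they cannot hide. Hosts, dates, identifiers and thresholds are constructed."""
from collections import Counter, defaultdict
from datetime import date

AS_OF = date(2024, 3, 31)          # reporting date (constructed)
SIG_MAX_AGE_DAYS = 7               # assumed signature-freshness threshold
REMEDIATION_SLA_DAYS = 30          # assumed detection-to-closure SLA

ASSETS = [  # constructed inventory rows
    {"host": "win-ws-01", "class": "windows_endpoint", "central_patch": True, "missing_patches": 0,
     "av_enrolled": True, "sig_age_days": 1, "av_running": True, "other_av": False},
    {"host": "win-ws-02", "class": "windows_endpoint", "central_patch": True, "missing_patches": 3,
     "av_enrolled": True, "sig_age_days": 12, "av_running": True, "other_av": False},
    {"host": "db-01", "class": "database", "central_patch": False, "missing_patches": 5,
     "av_enrolled": True, "sig_age_days": 2, "av_running": False, "other_av": False},
    {"host": "legacy-07", "class": "legacy_server", "central_patch": False, "missing_patches": 9,
     "av_enrolled": False, "sig_age_days": 0, "av_running": False, "other_av": True},
]
FINDINGS = [  # constructed vulnerability findings with placeholder identifiers
    {"host": "db-01", "vuln": "CONSTRUCTED-VULN-1", "detected": date(2024, 1, 15), "closed": date(2024, 3, 1)},
    {"host": "legacy-07", "vuln": "CONSTRUCTED-VULN-2", "detected": date(2024, 2, 20), "closed": None},
    {"host": "win-ws-02", "vuln": "CONSTRUCTED-VULN-3", "detected": date(2024, 3, 10), "closed": date(2024, 3, 20)},
]
FLOWS = [  # constructed firewall/proxy records (RFC 5737 documentation addresses)
    {"src": "10.1.1.5", "dst": "198.51.100.10", "category": "saas", "action": "allow", "bytes": 5000},
    {"src": "10.1.1.6", "dst": "198.51.100.10", "category": "saas", "action": "allow", "bytes": 3000},
    {"src": "10.1.1.5", "dst": "203.0.113.20", "category": "cdn", "action": "allow", "bytes": 1000},
    {"src": "10.1.1.7", "dst": "203.0.113.9", "category": "unknown", "action": "drop", "bytes": 0},
    {"src": "10.1.1.7", "dst": "203.0.113.9", "category": "unknown", "action": "drop", "bytes": 0},
    {"src": "10.1.1.9", "dst": "203.0.113.30", "category": "malware", "action": "url_block", "bytes": 0},
]


def endpoint_metrics(assets):
    """Patch and antivirus posture per host, plus central patch coverage per asset class."""
    unpatched = [a["host"] for a in assets if a["missing_patches"] > 0]
    outside_av = [a["host"] for a in assets if not a["av_enrolled"]]
    # Enrolled but unhealthy: stale signatures, service disabled, or an unauthorised second AV.
    av_unhealthy = [a["host"] for a in assets if a["av_enrolled"] and
                    (a["sig_age_days"] > SIG_MAX_AGE_DAYS or not a["av_running"] or a["other_av"])]
    coverage = defaultdict(lambda: [0, 0])       # class -> [centrally patched, total]
    for a in assets:
        coverage[a["class"]][1] += 1
        coverage[a["class"]][0] += int(a["central_patch"])
    return {"unpatched": unpatched, "outside_av": outside_av, "av_unhealthy": av_unhealthy,
            "central_patch_coverage": {k: (c, n) for k, (c, n) in coverage.items()}}


def remediation_metrics(findings, as_of=AS_OF, sla_days=REMEDIATION_SLA_DAYS):
    """Detection-to-closure lag per finding; open findings are aged against as_of."""
    rows = []
    for f in findings:
        lag = ((f["closed"] or as_of) - f["detected"]).days
        rows.append({"host": f["host"], "vuln": f["vuln"], "open": f["closed"] is None,
                     "lag_days": lag, "sla_breached": lag > sla_days})
    closed = [r["lag_days"] for r in rows if not r["open"]]
    return {"rows": rows,
            "open_findings": sum(r["open"] for r in rows),
            "mean_closure_days": sum(closed) / len(closed) if closed else None,
            "sla_breaches": [r["vuln"] for r in rows if r["sla_breached"]]}


def traffic_metrics(flows, top_n=10):
    """Top outbound destinations by bytes, category counts, top dropped sources, URLs blocked."""
    out_by_dst, by_category, dropped_by_src = Counter(), Counter(), Counter()
    urls_blocked = 0
    for f in flows:
        by_category[f["category"]] += 1
        if f["action"] == "allow":
            out_by_dst[f["dst"]] += f["bytes"]
        elif f["action"] == "drop":
            dropped_by_src[f["src"]] += 1
        elif f["action"] == "url_block":
            urls_blocked += 1
    return {"top_destinations": out_by_dst.most_common(top_n), "by_category": dict(by_category),
            "top_dropped_sources": dropped_by_src.most_common(top_n), "urls_blocked": urls_blocked}


def build_report(assets=ASSETS, findings=FINDINGS, flows=FLOWS):
    """One report for management, not three console screens for the security team."""
    return {"endpoints": endpoint_metrics(assets), "remediation": remediation_metrics(findings),
            "traffic": traffic_metrics(flows)}


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(), indent=2, default=str))
```

The remediation section is the part the page says is absent: here it exposes that a closed finding took 46 days, an open one is already 40 days old, and both breach the assumed 30-day SLA, whereas a mean computed over closed findings alone (28 days) would look compliant. That is why open findings are aged rather than ignored.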