I’ve played piano since I was ten years old. My teacher, Mrs. Keys (no joke, that was her name) put a beginner’s book on the piano in front of me, opened it up to the first lesson, and taught me how to find middle C. Not long after that, she picked up one of those yellow Schirmer books with page after page of scales, arpeggios, and repetitive exercises.
I’m a little older now, arguably a little wiser, and I finally decided to begin studying martial arts. My boys had been studying Kung Fu for years with a Sifu (teacher) at a local school, so I donned my gi and started showing up to the adult classes. The very first thing that Sifu Max did with his new adult class of white belts was to teach all the basic kicks, punches, and stances that would serve as the foundation for the years of teaching ahead of us.
Somewhere between becoming a musician and becoming a martial artist, I threw my hat in the InfoSec ring. I spent quite a few years helping to secure the information systems of a very large public utility here in the Midwest. After that, I moved on to an international luxury retail, helping them secure the systems (and processes) that enable them to process millions (billions?) of dollars in credit card transactions each year.
And how in the world, you might ask, did my knowledge of public utilities translate to luxury retail? The answer, my dear Watson, is elementary: fundamentals.
I’m a huge fan of the ISO/IEC 27001 Information Security Management System (ISMS) standard. It took me years of working in InfoSec before I realized the value of applying a framework to my information security program. Once that framework was in place, I was able to ask myself a few basic questions:
- Risk Management
- Are we analyzing the InfoSec risks (confidentiality, integrity, availability) to the business?
- How are we measuring and prioritizing that risk?
- Policy Management
- Do we have documented policies, procedures, and standards so that our workforce knows what’s expected of them?
- Security Organization Management
- What’s our InfoSec team look like?
- Who does what?
- Asset Management
- What the heck are we securing anyway?
- Can we track it?
- HR Security Management
- Are we teaching our workforce how to securely use their computers?
- Do they know our policies?
- Do they know what social engineering is?
- Physical Security Management
- What are we doing to physically protect our information systems?
- Security Operations Management
- What does our InfoSec team do on a daily basis?
- Can we see what’s happening in our environment?
- Access Management
- How are we controlling access to our systems?
- Are we operating under principle of least privilege?
- Is every ID in our access system appropriately restricted?
- Information Security Systems Management
- Are our systems and apps configured with security in mind?
- Security Incident Management
- In the event that something bad happens, does everyone know what to do?
- Business Continuity Management
- In the event of a disaster (i.e., potential business-ending event), can we keep our doors open and our systems online?
- Do we have a documented plan?
- Compliance Management
- What laws and regulations do we need to comply with?
- Are we complying?
These questions are short, sweet, and to the point, but the answers will paint a pretty clear picture of where the obvious gaps are. Closing those gaps means significantly reducing the likelihood that someone will be able to exploit them.
If we step back and take a look at data breaches and security incidents that have been in the news lately, a surprising number of these incidents could have been prevented by sticking to the fundamentals.
Patch your systems. Configure your systems securely. Teach your workforce how to identify social engineering attacks.
The same principles that apply to music and martial arts apply to InfoSec. If your fundamentals are weak, then everything (and I mean EVERYTHING) you attempt to build on those fundamentals is equally weak.
If you want a solid information security program, then you need to start with (or get back to) the fundamentals.