At the end of my article about our IT risk management framework, I said that we review the IT Risk Register annually to check for incomplete assessments or mitigation tasks, and to add new risks. Since we add a "next review due" date to all completed risk assessments, we also check for risks that are due for reassessment.
In this article I describe typical examples of the work coming from our annual review.
Number one on our list of security risks is "Unauthorised Network Access", whether it's via a web server or any external gateway, firewall or SSL VPN appliance. It also includes the specific risks of wireless networks - sniffing or spoofed access points, for example - as well as unauthorised or infected devices connected directly to the LAN.
I last assessed this a year ago and gave it a 12-month review period because it's so crucial, given that the impact of a breach could include theft or destruction of data, defacement of web sites or injection of malware onto PCs. The reassessment is still in progress so I can't tell you what the outcome will be, but our list of Current Controls includes:
- Network: Carefully-configured firewall rules. Tightened wi-fi security by restricting to specific MAC addresses.
- Software: Password-controlled access to Web pages using HTTPS.
- Devices: Sophos scans for data transfers and removable devices. Spiceworks scans the network for new hardware. Visitors are not allowed to connect to the main LAN, only our DMZ. (This requirement is enforced only by our Acceptable Use Policy; we did evaluate Sophos Network Access Control but deemed it too complex and unreliable.) Finally, only authorized mobile devices can use ActiveSync to connect to Exchange.
- External Scanning: External IP addresses are subject to external network vulnerability scanning as part of our PCI DSS compliance.
Another risk due for review is that of loss of data held on workstations. We did quite a lot of work on this last time, including a general move away from local .PST files to most mail being held on the Exchange server. We also publicized backup options and the use of network drives. As more staff migrate to Windows 7 I've been annoyed that the built-in backup program doesn't automatically remove old backups - so much so that I'm considering folder redirection to get most data off individual PCs altogether.
Incomplete risk assessments
I've had a long-standing task relating to our Web hosting. We have no SLA with our hosting provider and the site goes down from time to time, potentially causing us loss of customer goodwill or lost enquiries. Depending on the nature of the failure we can sometimes change the home page to redirect to a secondary site hosted elsewhere, but this isn't always possible. We know this isn't good enough and are due to migrate to a completely new platform. Once that migration happens we'll re-do the risk assessment.
There's a separate but related risk assessment for our corporate FTP site, where customers download product literature. That too is pending the migration.
New risk assessments
When I looked at the "personnel" risk category I realized that although it includes the risk of losing vital knowledge when staff leave, it didn't include dealing with long-term sickness. We'll be sitting down to try to pin down the most likely weak spots in the absence of particular staff members, and what we can do to try to get over them.
Recently we had to recertify our PCI DSS Self-Assessment Questionnaire and I noticed that the standard stipulates that "All traffic outbound from inside the cardholder data environment should be evaluated". In other words, we shouldn't really have any firewall rules that allow unfettered outgoing access from the LAN to the WAN, i.e. you can get to any address using any protocol. For historical (and convenience) reasons there are some people that have just that and although I suspect the risks are small, I need to review our policy and consider changing those rules.
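The "evaluate all outbound traffic" check is easy to automate against a rule export. The following is an added example (not the author's firewall or ruleset): it uses a constructed, vendor-neutral rule shape and flags any allow rule that reaches any destination over any protocol or port, then shows the same workstation's access rewritten as explicit rules plus a default deny.

```python
"""Audit a firewall rule table for unfettered LAN-to-WAN egress.

Added example, not the author's configuration. Rules use a constructed,
vendor-neutral shape; a real firewall export must be parsed into it first.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source zone or address, e.g. "LAN" or "192.168.1.25"
    dst: str      # destination zone/address; ANY means every WAN address
    proto: str    # "tcp", "udp" or ANY
    port: str     # destination port, e.g. "443", or ANY
    action: str   # "allow" or "deny"


def is_unfettered_egress(rule: Rule) -> bool:
    """True if an allow rule reaches any destination with no protocol or port limit.

    Such a rule is exactly the 'any address using any protocol' case the PCI DSS
    outbound-evaluation requirement rules out.
    """
    return (rule.action == "allow"
            and rule.dst == ANY
            and (rule.proto == ANY or rule.port == ANY))


def audit(rules):
    """Return the names of rules that fail the outbound-evaluation check, in order."""
    return [r.name for r in rules if is_unfettered_egress(r)]


# Constructed sample: a historical 'convenience' rule for one PC (constructed address).
WEAK = [
    Rule("legacy-dev-pc", "192.168.1.25", ANY, ANY, ANY, "allow"),
    Rule("lan-https", "LAN", ANY, "tcp", "443", "allow"),
]

# The same PC's real needs written as explicit rules, with a closing default deny.
CORRECTED = [
    Rule("dev-pc-dns", "192.168.1.25", "192.168.1.2", "udp", "53", "allow"),
    Rule("dev-pc-https", "192.168.1.25", ANY, "tcp", "443", "allow"),
    Rule("dev-pc-vendor-ssh", "192.168.1.25", "203.0.113.10", "tcp", "22", "allow"),
    Rule("default-deny-out", "LAN", ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    print("weak ruleset flags:", audit(WEAK))            # ['legacy-dev-pc']
    print("corrected ruleset flags:", audit(CORRECTED))  # []
```

Rule order still matters on a real firewall: the explicit allows must sit above the default deny, and the audit only inspects individual rules, not their order.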
Finally, the proliferation of cloud-based storage such as Dropbox has made me realise I have to get some visibility of at least who is using what. Apart from the risk of exposing confidential data, these services can theoretically also provide a malware injection point if an account is accessed and the files corrupted. With the Application Control function of Sophos it's possible to just block some of these services but I'm planning to start with discovery and take it from there. It looks like the cloud services discovery feature of the latest version of Spiceworks should help me with that.
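Discovery of "who is using what" can also be done from existing proxy or DNS logs before any blocking is considered. This added example (not the author's tooling or the Spiceworks feature) takes constructed log lines in a simplified "timestamp client-ip host" format and reports, per cloud-storage service, which internal clients contacted it; the domain-to-service inventory is an assumption to be extended from your own data.

```python
"""Find which internal clients use cloud-storage services, from proxy/DNS logs.

Added example, not the author's tooling. Log lines are constructed in a
simplified 'timestamp client-ip host' form; adapt LINE to your own log format.
"""
import re
from collections import defaultdict

# Assumed domain -> service inventory; extend it from what your own logs show.
CLOUD_STORAGE = {
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "box.com": "Box",
    "drive.google.com": "Google Drive",
    "onedrive.live.com": "OneDrive",
}

LINE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")


def classify(host: str):
    """Return the service name for a host, matching exact domain or subdomain only."""
    host = host.lower().rstrip(".")
    for suffix, service in CLOUD_STORAGE.items():
        # '.' + suffix prevents 'notdropbox.com' from matching 'dropbox.com'
        if host == suffix or host.endswith("." + suffix):
            return service
    return None


def discover(lines):
    """Map each service seen to the sorted list of client IPs that contacted it."""
    usage = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        _ts, client, host = m.groups()
        service = classify(host)
        if service:
            usage[service].add(client)
    return {svc: sorted(ips) for svc, ips in sorted(usage.items())}


# Constructed sample log (addresses and timestamps are made up).
SAMPLE_LOG = """2024-01-15T09:01:02 192.168.1.25 www.dropbox.com
2024-01-15T09:01:05 192.168.1.25 api.dropboxapi.com
2024-01-15T09:02:10 192.168.1.40 www.dropbox.com
2024-01-15T09:03:33 192.168.1.51 drive.google.com
2024-01-15T09:04:00 192.168.1.51 www.example.com
2024-01-15T09:05:12 192.168.1.60 notdropbox.com""".splitlines()

if __name__ == "__main__":
    for service, clients in discover(SAMPLE_LOG).items():
        print(f"{service}: {', '.join(clients)}")
```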
IT risk management needs to be an ongoing activity. Having established a framework, make sure that known risks are kept under review and keep a constant lookout for risks that are new or that were just missed from your original list.
Mark Pimperton BSc PhD has worked for a small UK electronics manufacturer for over 20 years in areas as diverse as engineering, technical sales, publications, and marketing. He's been involved in IT since 1999, when he project-managed implementation of a new ERP system, and has been IT Manager since 2008. The first major project he undertook in that role was a second ERP deployment. While still involved in operations, system management, and even a bit of development, Mark is now also responsible for IT risk management. He finds that risk assessment leads to many improvement initiatives, such as a current project to switch from tape backup to disk-based and online backup. Mark is fanatical about documentation, taking special care to record unfamiliar processes. His TechRepublic articles on SSL certificates and PCI DSS compliance are prime examples. Mark is married with two grown-up children.