Having established a framework for assessing IT risks, Mark Pimperton describes some of the changes his company made to protect systems and data.
At the end of my article about our IT risk management framework, I said that we review the IT Risk Register annually to check for incomplete assessments or mitigation tasks, and to add new risks. Since we add a "next review due" date to all completed risk assessments, we also check for risks that are due for reassessment.
In this article I describe typical examples of the work coming from our annual review.
Number one on our list of security risks is "Unauthorised Network Access", whether it's via a web server or any external gateway, firewall or SSL VPN appliance. It also includes the specific risks of wireless networks - sniffing or spoofed access points, for example - as well as unauthorised or infected devices connected directly to the LAN.
I last assessed this a year ago and gave it a 12-month review period because it's so crucial, given that the impact of a breach could include theft or destruction of data, defacement of web sites or injection of malware onto PCs. The reassessment is still in progress so I can't tell you what the outcome will be, but our list of Current Controls includes:
- Network: Carefully-configured firewall rules. Tightened wi-fi security by restricting to specific MAC addresses.
- Software: Password-controlled access to Web pages using HTTPS.
- Devices: Sophos scans for data transfers and removeable devices. Spiceworks scans the network for new hardware. Visitors are not allowed to connect to the main LAN, only our DMZ. (This requirement is enforced only by our Acceptable Use Policy; we did evaluate Sophos Network Access Control but deemed it too complex and unreliable.) Finally, only authorized mobile devices can use ActiveSync to connect to Exchange.
- External Scanning: External IP addresses are subject to external network vulnerability scanning as part of our PCI DSS compliance.
Another risk due for review is that of loss of data held on workstations. We did quite a lot of work on this last time, including a general move away from local .PST files to most mail being held on the Exchange server. We also publicized backup options and the use of network drives. As more staff migrate to Windows 7 I've been annoyed that the built-in backup program doesn't automatically remove old backups - so much so that I'm considering folder redirection to get most data off individual PCs altogether.
Incomplete risk assessments
I've had a long-standing task relating to our Web hosting. We have no SLA with our hosting provider and the site goes down from time to time, potentially causing us loss of customer goodwill or lost enquiries. Depending on the nature of the failure we can sometimes change the home page to redirect to a secondary site hosted elsewhere, but this isn't always possible. We know this isn't good enough and are due to migrate to a completely new platform. Once that migration happens we'll re-do the risk assessment.
There's a separate but related risk assessment for our corporate FTP site, where customers download product literature. That too is pending the migration.
New risk assessments
When I looked at the "personnel" risk category I realized that although it includes the risk of losing vital knowledge when staff leave, it didn't include dealing with long-term sickness. We'll be sitting down to try to pin down the most likely weak spots in the absence of particular staff members, and what we can do to try to get over them.
Recently we had to recertify our PCI DSS Self-Assessment Questionnaire and I noticed that the standard stipulates that "All traffic outbound from inside the cardholder data environment should be evaluated". In other words, we shouldn't really have any firewall rules that allow unfettered outgoing access from the LAN to the WAN, i.e. you can get to any address using any protocol. For historical (and convenience) reasons there are some people that have just that and although I suspect the risks are small, I need to review our policy and consider changing those rules.
Finally, the proliferation of cloud-based storage such as Dropbox has made me realise I have to get some visibility of at least who is using what. Apart from the risk of exposing confidential data, these services can theoretically also provide a malware injection point if an account is accessed and the files corrupted. With the Application Control function of Sophos it's possible to just block some of these services but I'm planning to start with discovery and take it from there. It looks like the cloud services discovery feature of the latest version of Spiceworks should help me with that.
IT risk management needs to be an ongoing activity. Having established a framework, make sure that known risks are kept under review and keep a constant lookout for risks that are new or that were just missed from your original list.