Security systems and processes generate large amounts of information. Buried in these massive piles of data are key pieces of information about the health of your security program. Security assessment requires collecting and analyzing that data on a regular basis. In this video, learn how to collect security process data in a consistent manner.
- [Instructor] Security systems and processes generate large amounts of information. Buried in these massive piles of data are key pieces of information about the health of your security program. Security assessment requires collecting and analyzing that data on a regular basis. When we design security programs, we often focus primarily on the technical controls that protect the confidentiality, integrity, and availability of information. After all, these controls are usually the ones that require the greatest investment of time and resources.
However, security programs cannot function effectively if they do not also have solid management and operational controls, such as undergoing regular and continuous evaluations. This requires access to both technical and process data. Technical data includes the logs generated by servers, network devices, firewalls, intrusion detection systems, access control systems, and other tools. This information comes in almost overwhelming quantities and is normally processed by security information and event management systems.
I cover the capture and analysis of this technical information in the course covering CISSP domain 7, security operations. Process data includes the electronic and/or paper records supporting each of the security processes that an organization puts in place to ensure the confidentiality, integrity, and availability of information and resources. I spoke about many of these controls throughout this course series, but especially in CISSP domain 1, security and risk management.
For example, earlier in this course I discussed the importance of backup verification and tests that you should perform regularly to verify that you are able to restore data from your backups. How do you maintain the documentation of those tests? It's not sufficient to simply say that you do it regularly and keep it on your mental checklist. This type of approach does not allow long-term analysis of test results, and it prevents verification by a third party, such as an auditor. Your organization should also be performing regular account reviews and vulnerability scans.
The documentation of all of these security processes should be maintained in a consistent manner. Maintaining this documentation may be as simple as using a spreadsheet in a tool like Google Docs or Microsoft Office 365 that maintains an audit trail of those records. For example, here's a simple spreadsheet that I created to track the performance of user account reviews. As you can see, it has a column listing each time period where account reviews are expected, the date that an account review was performed during that time period, who performed the review, and the results of those tests.
At first glance, this seems like a pretty straightforward review of user accounts, and it seems like tests were done properly. That's where having that revision control becomes very important. If I go and look at the version history by clicking File, See revision history, you can see here that this entire document was created today. It went from being blank at 3:06 p.m. to being completely populated with all of these test results at 3:18 p.m. That's a sign that these test results were probably faked. I just went through and filled in this entire spreadsheet all at once.
Had this log been generated contemporaneously, I'd see different times that corresponded to each of the dates that these tests were performed. Organizations should develop consistent, repeatable processes for collecting and maintaining information about security processes. This allows for the consistent evaluation of security programs and facilitates audits and assessments performed by third parties.
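The check the instructor performs by hand on the revision history, comparing when each row was entered against the review date the row claims, can be scripted so an assessor can run it over any process tracker that exports an edit history. The following Python is an added example written for this transcript, not code from the course or from any spreadsheet product. It assumes a constructed revision-history export in which each event carries the edit timestamp, the editor, the review period, and the claimed review date; the `RevisionEvent` class, the `MAX_LAG` and `BURST_WINDOW` thresholds, and the two sample logs are all assumptions made for the example.

```python
"""Flag security-process logs that look back-filled rather than contemporaneous.

Added example for the account-review tracker discussed in the transcript.
Input model (assumed): one RevisionEvent per row of the tracker, built from
the spreadsheet's revision history rather than from the row's own text.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Tolerances are assumptions for this example; tune them to the process cadence.
MAX_LAG = timedelta(days=3)           # how long after a review a record may be entered
BURST_WINDOW = timedelta(minutes=30)  # all edits inside this span looks like one sitting


@dataclass(frozen=True)
class RevisionEvent:
    edited_at: datetime    # timestamp from the revision history (who changed what, when)
    editor: str            # account that made the edit
    period: str            # review period the row covers, e.g. "2017-Q2"
    review_date: datetime  # date the row claims the account review was performed


def assess_entry(event: RevisionEvent, max_lag: timedelta = MAX_LAG) -> str:
    """Classify one row by the gap between the claimed review date and its entry time."""
    lag = event.edited_at - event.review_date
    if lag < timedelta(0):
        return "pre-dated"        # recorded before the review supposedly happened
    if lag > max_lag:
        return "late"             # recorded long after the fact
    return "contemporaneous"


def assess_log(events: List[RevisionEvent],
               max_lag: timedelta = MAX_LAG,
               burst_window: timedelta = BURST_WINDOW) -> Dict[str, object]:
    """Summarise a whole tracker: per-row classes plus a back-fill verdict.

    The verdict mirrors the instructor's reasoning: a log whose rows were all
    entered within minutes of each other, none of them near their review
    dates, was most likely populated in one sitting.
    """
    if not events:
        return {"entries": 0, "verdict": "empty"}
    ordered = sorted(events, key=lambda e: e.edited_at)
    span = ordered[-1].edited_at - ordered[0].edited_at
    counts = Counter(assess_entry(e, max_lag) for e in ordered)
    one_sitting = len(ordered) > 1 and span <= burst_window
    if one_sitting and counts["contemporaneous"] < len(ordered):
        verdict = "probably back-filled"
    elif counts["contemporaneous"] == len(ordered):
        verdict = "contemporaneous"
    else:
        verdict = "needs follow-up"   # mixed picture; ask for supporting evidence
    return {
        "entries": len(ordered),
        "edit_span_minutes": span.total_seconds() / 60,
        "editors": sorted({e.editor for e in ordered}),
        "contemporaneous": counts["contemporaneous"],
        "late": counts["late"],
        "pre-dated": counts["pre-dated"],
        "verdict": verdict,
    }


# Constructed sample data. FORGED_LOG reproduces the pattern in the transcript:
# four quarterly rows all entered between 3:06 p.m. and 3:18 p.m. on one day.
REVIEW_DATES = [datetime(2017, 6, 15), datetime(2017, 9, 15),
                datetime(2017, 12, 15), datetime(2018, 3, 15)]
PERIODS = ["2017-Q2", "2017-Q3", "2017-Q4", "2018-Q1"]

FORGED_LOG = [
    RevisionEvent(datetime(2018, 4, 2, 15, 6 + 4 * i), "reviewer-a", p, d)
    for i, (p, d) in enumerate(zip(PERIODS, REVIEW_DATES))
]
# GENUINE_LOG: each row entered the morning after its review, by two reviewers.
GENUINE_LOG = [
    RevisionEvent(d + timedelta(days=1, hours=9), ["reviewer-a", "reviewer-b"][i % 2], p, d)
    for i, (p, d) in enumerate(zip(PERIODS, REVIEW_DATES))
]

if __name__ == "__main__":
    for name, log in (("forged", FORGED_LOG), ("genuine", GENUINE_LOG)):
        print(name, assess_log(log))
```

The script reads the revision history, not the cells, because the cells are what a back-filler controls; the edit timestamps are written by the platform. Run on an export of the tracker it gives an assessor the same evidence the instructor reads off the version-history pane, and the thresholds can be tightened for processes that are expected to be logged the same day.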
Find the companion study books at the Sybex test prep site and review the complete CISSP Body of Knowledge at https://www.isc2.org/cissp-domains/default.aspx.
Note: This course is part of a series releasing throughout 2018. A completed Learning Path of the series will be available once all the courses are released.
- Using security assessment tools
- Scanning for vulnerabilities
- Threat assessment techniques
- Performing penetration testing
- Reviewing monitor logs
- Performing code reviews
- Performing fuzz testing and misuse case testing
- Analyzing coverage
- Assessing disaster recovery sites and backups
- Testing BC/DR plans
- Collecting security process data and metrics
- Auditing and control management