6.3 Collect security process data (e.g., technical and administrative)

  • Account management
  • Management review and approval
  • Key performance and risk indicators
  • Backup verification data
  • Training and awareness
  • Disaster Recovery (DR) and Business Continuity (BC)

Security Management

Management must be involved in the security processes.  We create a feedback loop so that we can confirm that the process is working correctly and to deter insiders from attacking the system.  We should create a standardized process for management to review.

What are some things that need to be reviewed?

  • Security Logs
    • We might collect data through security information and event management (SIEM)
    • SIEM software can help us automate review of logs
    • SIEM collects data from different types of devices and aggregates them
    • We should make sure that the SIEM data is synchronized (all of the systems have the same time)
  • Account Management
    • We should review user accounts so that users have only the type of permissions that they require
    • We might manually review each account, but this takes a long time
    • We might manually review accounts at random
    • The person reviewing the user accounts should be a manager, not a system administrator, in case the administrator is corrupt
    • There are automated programs that can review this data
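The two review tasks above (checking that SIEM sources share the same time, and checking that accounts hold only the permissions their role needs, with a random sample set aside for a manager's manual review) can be scripted. The block below is an added example, not part of the study notes: the SIEM events, role baseline and account export are constructed sample data, and the field names and tolerances are assumptions.

```python
"""
Added example: automated checks for SIEM clock synchronization and for
account permissions against a role baseline. All data is constructed.
"""
import random
from datetime import date
from statistics import median

# Constructed SIEM records: each event carries the device's own timestamp and
# the time the collector received it (both as Unix seconds). A large, consistent
# gap between the two suggests the device clock is not synchronized.
EVENTS = [
    {"device": "fw-1", "device_ts": 1_700_000_000, "received_ts": 1_700_000_001},
    {"device": "fw-1", "device_ts": 1_700_000_010, "received_ts": 1_700_000_011},
    {"device": "dc-2", "device_ts": 1_699_999_700, "received_ts": 1_700_000_005},
    {"device": "dc-2", "device_ts": 1_699_999_710, "received_ts": 1_700_000_015},
]

# Constructed role baseline: the permissions each role is entitled to hold.
ROLE_BASELINE = {
    "analyst": {"read_tickets", "read_reports"},
    "helpdesk": {"read_tickets", "reset_passwords"},
    "sysadmin": {"read_tickets", "read_reports", "manage_servers"},
}

# Constructed account export, as an identity system might produce it.
ACCOUNTS = [
    {"user": "alice", "role": "analyst", "perms": {"read_tickets", "read_reports"},
     "last_login": date(2024, 5, 1), "enabled": True},
    {"user": "bob", "role": "helpdesk", "perms": {"read_tickets", "reset_passwords", "manage_servers"},
     "last_login": date(2024, 5, 2), "enabled": True},
    {"user": "carol", "role": "analyst", "perms": {"read_reports"},
     "last_login": date(2023, 11, 3), "enabled": True},
    {"user": "dave", "role": "sysadmin", "perms": {"read_tickets", "read_reports", "manage_servers"},
     "last_login": date(2024, 4, 28), "enabled": True},
    {"user": "erin", "role": "contractor", "perms": {"read_tickets"},
     "last_login": date(2024, 4, 30), "enabled": True},
]

# Assumed review date for the dormancy check.
TODAY = date(2024, 5, 3)


def find_clock_skew(events, tolerance_s=30):
    """Return {device: median skew in seconds} for every device whose event
    timestamps differ from collector receipt time by more than tolerance_s.
    Using the median per device ignores one-off network delays."""
    per_device = {}
    for e in events:
        per_device.setdefault(e["device"], []).append(e["received_ts"] - e["device_ts"])
    return {d: median(v) for d, v in per_device.items() if abs(median(v)) > tolerance_s}


def review_accounts(accounts, baseline, today, dormant_days=90):
    """Return findings for enabled accounts: permissions beyond the role's
    baseline (least-privilege violations), roles with no baseline at all,
    and accounts with no login for more than dormant_days days."""
    findings = {"excess": {}, "unknown_role": [], "dormant": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        entitled = baseline.get(acct["role"])
        if entitled is None:
            findings["unknown_role"].append(acct["user"])
        else:
            extra = acct["perms"] - entitled
            if extra:
                findings["excess"][acct["user"]] = sorted(extra)
        if (today - acct["last_login"]).days > dormant_days:
            findings["dormant"].append(acct["user"])
    return findings


def sample_for_manual_review(accounts, k, seed=None):
    """Pick k accounts at random for a manager's manual review. A fixed seed
    makes the selection reproducible so the sampling itself can be audited."""
    rng = random.Random(seed)
    return sorted(a["user"] for a in rng.sample(accounts, k))


if __name__ == "__main__":
    print("clock skew:", find_clock_skew(EVENTS))
    print("account findings:", review_accounts(ACCOUNTS, ROLE_BASELINE, TODAY))
    print("manual review sample:", sample_for_manual_review(ACCOUNTS, 2, seed=7))
```

The skew check flags `dc-2` (about five minutes behind the collector) and the account review flags `bob` for an extra `manage_servers` right, `erin` for a role with no defined baseline, and `carol` as dormant; those are the items a manager, rather than the administrator who granted the rights, would then sign off on.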

Some of the things that we collect, review, and measure:

  • Technical control process data
    • The types of controls in place
    • Where we have implemented the controls
    • How effective the controls are
    • Whether attempts have been made to breach a control and how often
  • Administrative control data
    • The types of controls in place
    • Where we have implemented the controls
    • How effective the controls are
    • Whether attempts have been made to breach a control and how often
  • Key Performance Indicators – these could include
    • Revenue
    • Profits
    • Expenses
    • Cost of controls
    • Cost of responding to incidents
    • Number of security breaches detected
    • Number of security breaches prevented
  • Key Risk Indicators
    • Crime rates
    • Number of intrusion attempts
    • Value of the data and resources being protected
    • Volume of traffic
  • Number of incidents (we can break down incidents by geographic location, type, and/or severity)
  • Backup Data
    • How often we back up data
    • How often we lose data, the amount of data lost, and the value
    • How often we need to restore data from backup
  • Training Rates
    • How many employees have completed training, and the type of training completed
    • We might break down training data by training type, department, location, or time
  • Disaster Recovery data
    • How often we practice disaster recovery drills
    • If we have had to implement a disaster recovery plan, how successful was it?
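Several of the indicators listed above (breaches detected and prevented, cost of responding to incidents, incidents broken down by location, type or severity, backup and restore rates, training completion by department) can be derived from the same kind of records, and the same pass can check whether the numbers make sense. The block below is an added example, not from the study notes; the incident, backup and training records are constructed, and the field names are assumptions.

```python
"""
Added example: compute a few of the KPIs/KRIs listed above from constructed
records and run consistency checks that catch data which cannot be right.
"""
from collections import Counter

# Constructed incident records. Incident 5 is deliberately inconsistent
# (marked prevented but never detected) so the sanity check has something to find.
INCIDENTS = [
    {"id": 1, "location": "NYC", "type": "phishing", "severity": "low", "detected": True, "prevented": True, "cost": 200},
    {"id": 2, "location": "NYC", "type": "malware", "severity": "high", "detected": True, "prevented": False, "cost": 12000},
    {"id": 3, "location": "LON", "type": "phishing", "severity": "medium", "detected": True, "prevented": True, "cost": 500},
    {"id": 4, "location": "LON", "type": "intrusion", "severity": "high", "detected": False, "prevented": False, "cost": 30000},
    {"id": 5, "location": "NYC", "type": "intrusion", "severity": "low", "detected": False, "prevented": True, "cost": 0},
]

# Constructed backup job log: whether each backup ran and whether a restore
# test verified it. The last row is deliberately inconsistent.
BACKUPS = [
    {"date": "2024-05-01", "ran": True, "restore_tested": True, "restore_ok": True},
    {"date": "2024-05-02", "ran": True, "restore_tested": False, "restore_ok": None},
    {"date": "2024-05-03", "ran": False, "restore_tested": False, "restore_ok": None},
    {"date": "2024-05-04", "ran": True, "restore_tested": True, "restore_ok": False},
    {"date": "2024-05-05", "ran": False, "restore_tested": True, "restore_ok": True},
]

# Constructed training completion records.
TRAINING = [
    {"user": "alice", "dept": "finance", "completed": True},
    {"user": "bob", "dept": "finance", "completed": False},
    {"user": "carol", "dept": "it", "completed": True},
    {"user": "dave", "dept": "it", "completed": True},
]


def incident_breakdown(incidents, key):
    """Count incidents along one dimension: 'location', 'type' or 'severity'."""
    return dict(Counter(i[key] for i in incidents))


def incident_kpis(incidents):
    """Breaches detected, breaches prevented, and the cost of responding to
    the incidents that were not prevented."""
    detected = sum(1 for i in incidents if i["detected"])
    prevented = sum(1 for i in incidents if i["prevented"])
    response_cost = sum(i["cost"] for i in incidents if not i["prevented"])
    return {"detected": detected, "prevented": prevented, "response_cost": response_cost}


def backup_kpis(backups):
    """Share of scheduled backups that ran, and share proven restorable by a
    passing restore test (a backup that was never restored is unverified)."""
    ran = [b for b in backups if b["ran"]]
    verified = [b for b in ran if b["restore_tested"] and b["restore_ok"]]
    return {"run_rate": len(ran) / len(backups), "verified_rate": len(verified) / len(backups)}


def training_rate_by_dept(records):
    """Fraction of employees per department who completed training."""
    totals, done = Counter(), Counter()
    for r in records:
        totals[r["dept"]] += 1
        if r["completed"]:
            done[r["dept"]] += 1
    return {d: done[d] / totals[d] for d in totals}


def sanity_checks(incidents, backups):
    """Flag records that cannot be right: a breach cannot be prevented without
    being detected, a restore cannot pass without being tested, and a backup
    that did not run cannot have been restore-tested."""
    problems = []
    for i in incidents:
        if i["prevented"] and not i["detected"]:
            problems.append(f"incident {i['id']}: prevented but not detected")
    for b in backups:
        if b["restore_ok"] and not b["restore_tested"]:
            problems.append(f"backup {b['date']}: restore marked ok but never tested")
        if b["restore_tested"] and not b["ran"]:
            problems.append(f"backup {b['date']}: restore tested but backup never ran")
    return problems


if __name__ == "__main__":
    for key in ("location", "type", "severity"):
        print(key, incident_breakdown(INCIDENTS, key))
    print("incident KPIs:", incident_kpis(INCIDENTS))
    print("backup KPIs:", backup_kpis(BACKUPS))
    print("training by dept:", training_rate_by_dept(TRAINING))
    print("problems:", sanity_checks(INCIDENTS, BACKUPS))
```

The sanity pass is the scripted form of "does the data make sense": here it reports incident 5 and the 2024-05-05 backup row, which would otherwise inflate the prevented-breach count and the verified-restore rate presented to management.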

Once we have reviewed the data, we should ask ourselves whether it makes sense.

We might collect the data manually or through automated systems; this depends on how the data is stored.  Automated data collection methods are more accurate.