The Value of Doing Regular Security Assessments

The context of the writing comes from my Systems Security & Auditing course.

With innovation or process improvements comes risk, and if there is a risk, threat actors will exploit it. In today’s threat landscape, being vigilant isn’t optional; it is a must. If you are an executive, ask yourself: if a data breach occurs, are you prepared to tell your customers and lawmakers that you have done everything possible to protect the company’s data and assets and that you have complied with regulatory laws?

If the answer is “I’m not sure” or “I don’t have the answer,” then you should consult your security team, which can help you answer the wide range of questions that will come your way. Understanding where these threats may lie within the organization’s seven IT infrastructure domains can help protect data and comply with regulatory laws.

These seven domains are:

  • User Domain
  • Workstation Domain
  • LAN Domain
  • LAN-to-WAN Domain
  • WAN Domain
  • Remote Access Domain
  • System/Application Domain

Doing regular security risk assessments on these domains helps identify the information and information systems at risk. It also helps determine which IT controls are missing or needed. With continuous monitoring within the seven domains, gaps in controls reveal themselves and can be quickly remediated.

Shifted Threat
Taking a closer look at the Remote Access Domain, the COVID-19 pandemic has brought a significant change to this domain and to how we should approach our remote access security assessment. Before the pandemic, remote access was limited to a few employees; the prevalence of working from home has brought new risks. Before the pandemic, roughly 70% of employees’ work machines were connected to the company’s secure LAN and WAN networks, which gave employees more protection and exposed them to less risk. That has changed: we are now asking employees with limited security knowledge to follow security best practices with a limited understanding of network devices and network controls.

“Gartner survey on June 5 of 127 company leaders, representing HR, Legal and Compliance, Finance, and Real Estate revealed half (47%) said they intend to allow employees to work remotely full time going forward.”

Newsroom, Press Release, ARLINGTON, Va., July 14, 2020

Given these new and largely unknown risks, doing security assessments is more important than ever. Companies need to be flexible and able to re-evaluate their current policies as threats shift within the seven domains.

Bottom-line and Benefits
Ongoing annual security assessments reduce the cost of potential problems, produce metrics, and identify risk. A security assessment isn’t about catching everything, because that isn’t possible; however, it reduces organizational risk. We need to look at it this way: having security assessments done on the seven domains is better than the alternative of having no assessment done, falling out of regulatory compliance, and facing hefty fines. Having a security assessment done will help mitigate that cost.

Summary
An annual security assessment gives the organization crucial insight into how its overall business objectives affect its bottom line and regulatory compliance. With a security assessment in place, the organization’s policies, standards, and guidelines can be measured more accurately, which gives you, the executive, a bird’s-eye view of the business components and supports better decisions.