Policies and procedures are important tools in the
information security toolbox and they are most important when
they apply to the IT department. A major role of the information
security department is to evaluate the vulnerabilities out in the
wild, assess their threat level to the business and calculate an
impact. This whole process is made quicker and easier with solid
procedures in the IT department.
A good example is the practice, or lack of it in some cases, of
changing the default
passwords of network devices. Every network administrator will
say they know to do it and will say they always do it, so why do
information security audits still find devices with default
passwords? One of the reasons is that the IT team lacks a network
device configuration procedure, or if it does have one it's missing
an important part, the log section.
A good procedure should meet the three goals of the acronym RRA.
They should be repeatable, reportable and auditable.
A procedure that is repeatable should ensure two people with the
same skill level produce the same results. In the case of default
passwords they should both produce secure network devices. A
repeatable procedure gives a lot of confidence to an audit team as
it means that every product of a procedure is identical.
A reportable procedure requires a logging process. As the
procedure is stepped through, a record of each action is kept,
ideally electronically. This could be as simple as a Y to indicate
the step was done, but could also be a more complex result, such as
the result of a command or the name of a device.
This logging process gives the IS department its first level of
threat analysis and answers questions such as how many, when and
who. If a vulnerability alert comes into the department for a
system configured in a particular way, they can quickly run a
report that shows the number of devices threatened and scale their
response.
The final goal, auditable, is the most important, especially
when responding to an imminent threat. This goal takes the fact
that the procedure is repeatable and reportable and assumes that
verification and forecasting can be done using the logs.
Using the example of default passwords, if the IS department
feels that some network devices have been badly configured, they
can run a report that shows them how many devices of that type are
on the network. If they check a random sample of these devices and
find they are configured correctly, the assumption is that the
others are.
If they find some with default passwords then an analysis of the
procedure logs could reveal a pattern, a particular supplier,
purchase date or network administrator.
There are tools that monitor the configuration of devices and
security of software, but they should not be a replacement for
solid procedures - even these tools need installing and
configuring.
Procedures that meet the RRA goals are also of benefit to IT
departments. They allow cross-skilling of team members, reduce fix
times, as assumptions can be made about how system configuration,
and improve installations times as the wheel does not need
re-inventing every time.●