
Top 5 Year-End Security Tasks

You may have noticed that I often recommend that folks just get started doing a little something to address information security. Don’t let everything else you should be doing get in the way of taking steps to secure your system.

In that spirit, this month we’ll discuss the most important security tasks you can address by the end of the year.

Information security management is not a once-and-done proposition. Just because a task appears on my year-end list doesn’t mean you only need to do it once, or even once a year. However, it does mean it’s an important task that either provides immediate value or establishes a baseline of information that will be useful the next time you perform the task.

1. Security-Related Configuration Values

One of the most important things to do is to make sure your system’s security-related configuration values are set the way you intend them to be set. If you don’t yet know what they should be set to, save a list of the current settings so you have a baseline to compare against next time.
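Here is an added example, in Python, of the comparison this step describes; it is not code from the original post. A hypothetical baseline of intended system values is checked against a constructed snapshot of current values, and a snapshot can be written out as text so that it serves as next year’s baseline when no intended values exist yet. System value names such as QSECURITY, QMAXSIGN and QAUDLVL are real IBM i names; the values in BASELINE are assumptions chosen for illustration, not recommendations from the post.

```python
"""Check IBM i security-related system values against an intended baseline.

Added example, not from the original post. CURRENT is a constructed snapshot of
the kind you would transcribe from DSPSYSVAL/WRKSYSVAL output; BASELINE holds
hypothetical intended settings (an assumption, not the post's recommendation).
"""

# System values that hold a list of options rather than a single value.
MULTI_VALUED = {"QAUDCTL", "QAUDLVL"}

# Hypothetical intended settings. Multi-option values are stored as sets.
BASELINE = {
    "QSECURITY": "40",
    "QPWDMINLEN": "8",
    "QMAXSIGN": "3",
    "QMAXSGNACN": "3",
    "QINACTITV": "30",
    "QPWDEXPITV": "90",
    "QAUDCTL": {"*AUDLVL", "*OBJAUD"},
    "QAUDLVL": {"*SECURITY", "*AUTFAIL"},
}

# Constructed snapshot of current values; several deliberately drift from BASELINE.
CURRENT = {
    "QSECURITY": "40",
    "QPWDMINLEN": "6",
    "QMAXSIGN": "*NOMAX",
    "QMAXSGNACN": "3",
    "QINACTITV": "30",
    "QPWDEXPITV": "90",
    "QAUDCTL": {"*NONE"},
    "QAUDLVL": {"*SECURITY"},
}


def compare_system_values(baseline, current):
    """Return (name, expected, actual) for every value that is missing or drifted.

    Multi-option values pass when every intended option is present (extra
    auditing options are not treated as drift); scalars must match exactly.
    """
    findings = []
    for name, expected in baseline.items():
        actual = current.get(name)
        if actual is None:
            findings.append((name, expected, "<not captured>"))
        elif isinstance(expected, set):
            if not expected <= set(actual):
                findings.append((name, sorted(expected), sorted(actual)))
        elif str(actual) != str(expected):
            findings.append((name, expected, actual))
    return findings


def snapshot_to_text(values):
    """Serialize a snapshot as 'NAME VALUE [VALUE ...]' lines, one per system value.

    Use this when no baseline exists yet: the saved text is next year's baseline.
    """
    lines = []
    for name in sorted(values):
        value = values[name]
        options = sorted(value) if isinstance(value, set) else [value]
        lines.append(f"{name} {' '.join(options)}")
    return "\n".join(lines) + "\n"


def snapshot_from_text(text):
    """Parse lines written by snapshot_to_text back into a snapshot dict."""
    values = {}
    for line in text.splitlines():
        name, *options = line.split()
        if not options:
            continue  # skip blank or malformed lines
        values[name] = set(options) if name in MULTI_VALUED else options[0]
    return values


if __name__ == "__main__":
    for name, expected, actual in compare_system_values(BASELINE, CURRENT):
        print(f"{name}: expected {expected}, found {actual}")
```

Run it once now to record drift, and keep the text written by snapshot_to_text with your year-end notes; next year the same script compares against it.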

2. Just One Security Policy

Security policies describe the abstract behavior your company believes will provide the desired level of protection for its information assets. In this context, “abstract” means that your policies will describe human behaviors – not the technical details of how your organization intends to prevent, enforce, detect, or deter those behaviors.

For example, an access control policy might state: “Users can access only those resources that are required to successfully meet their job responsibilities.” It should not address whether or how you intend to enforce that behavior (or prevent any other behaviors), or how you intend to detect that a person is not complying with the policy.

Small to medium-sized organizations will typically have a handful of broadly worded security policies. They address various behaviors, such as acceptable use, protecting privacy, mobile device usage, mobile storage devices, data categorization, disaster recovery, incident response, etc.

If your organization doesn’t have any policies, focus on just one area.

Do a Google search for “security policy template.” You’ll be surprised how much is out there. Many are free; some you must pay for. Pick one that seems the best fit for your company and modify it. Then run it up your management chain for buy-in and approval.

Eventually there are many other things that will need to be done, especially making all employees aware of your policies. Don’t worry about that for now. Just get one policy in writing!

3. Estimate the Business Impact of a Breach

You can’t know how much time and money you should spend on security until you know what information assets you need to protect and how much each is worth to your company.

This isn’t as difficult as it sounds. If your organization doesn’t already have this information, you can use a qualitative approach to estimate the value. With a qualitative approach, you focus on categorizing the general business impact and the probability of a breach as High, Medium or Low for each one of your information assets.

I’ve outlined a step-by-step process for estimating the business impact of a breach in a previous post. If you follow this process, you will end up with a matrix of information assets, impact and probability that looks something like this:

    Information Asset Description    Impact    Probability
    e-Commerce application           High      High
    Payroll application              Medium    Low
    DMZ Firewall/router              Medium    High
    Internal web server              Low       Low
    Internal production server       High      Medium

This matrix gives you an idea of where to focus your resources. Hint: you probably want to put the security of your e-commerce application at the top of your priority list.
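The following is an added example, in Python, of turning the matrix into a priority order; it is not code from the original post. ASSETS reproduces the sample matrix above, and the scoring rule (High=3, Medium=2, Low=1, risk = impact × probability, ties broken in favour of higher impact) is an assumption chosen for illustration rather than a rule the post states. The matrix_view helper groups assets by cell so you can see at a glance which cells are crowded and which are empty.

```python
"""Rank information assets from a qualitative impact/probability matrix.

Added example, not from the original post. ASSETS reproduces the post's sample
matrix; the scoring rule (High=3, Medium=2, Low=1, risk = impact x probability,
ties broken by impact) is an assumption chosen for illustration.
"""

RATING = {"High": 3, "Medium": 2, "Low": 1}

# The post's sample matrix: (asset description, impact, probability).
ASSETS = [
    ("e-Commerce application", "High", "High"),
    ("Payroll application", "Medium", "Low"),
    ("DMZ Firewall/router", "Medium", "High"),
    ("Internal web server", "Low", "Low"),
    ("Internal production server", "High", "Medium"),
]


def risk_score(impact, probability):
    """Product of the two ordinal ratings; rejects a rating outside High/Medium/Low."""
    try:
        return RATING[impact] * RATING[probability]
    except KeyError as bad:
        raise ValueError(f"unknown rating {bad}; use High, Medium or Low") from None


def prioritize(assets):
    """Return assets ordered highest risk first, each row ending with its score.

    Ties are broken by impact (a likely-but-minor breach ranks below an
    unlikely-but-severe one), then by the original order, so output is stable.
    """
    scored = [(name, impact, prob, risk_score(impact, prob))
              for name, impact, prob in assets]
    return sorted(scored, key=lambda row: (-row[3], -RATING[row[1]]))


def matrix_view(assets):
    """Group asset names into the 3x3 cells of the matrix, keyed by (impact, probability)."""
    cells = {(i, p): [] for i in RATING for p in RATING}
    for name, impact, prob in assets:
        cells[(impact, prob)].append(name)
    return cells


if __name__ == "__main__":
    for name, impact, prob, score in prioritize(ASSETS):
        print(f"{score:>2}  {impact:<6} {prob:<6} {name}")
```

With the sample data the e-commerce application comes out on top with a score of 9, which matches the hint above; the two assets that tie at 6 are separated by impact, putting the internal production server ahead of the DMZ firewall.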

As with policies, after you generate this information, run it up the management chain. The matrix is easy to digest, it shows them quickly where the biggest risk lies, and they will probably find your efforts to translate security into a business point of view refreshing.

4. Review Audit Journal Entries

Of course, if you don’t have auditing turned on, you have nothing to review! If this is true for your company, then change this recommendation to “Turn on *SECURITY and *AUTFAIL security event auditing.”

NOTE: When you turn auditing on, make sure you have a plan for saving the audit journal receivers as they fill up. By default, the system will detach the current journal receiver and create a new one as each fills up. If you don’t delete them, you’ll eventually use up a ton of disk space. To avoid this, make sure you have a plan to periodically save the current set of journal receivers to offline media (or to another system so they remain online), and then delete them from the production system.

Then, at least once before the end of the year, take some time to look through your audit journal entries.

The CPYAUDJRNE command makes this very easy to do using SQL queries. See Appendix E of the security reference manual to get an idea of what information is available in each audit entry type. I generally look for anomalies. Failed attempts at most actions are often an anomaly: for example, sign-on attempts at odd times, especially when attempted from a remote IP address, or failures to copy or delete objects. I also look for profiles that have been successfully re-enabled or changed (including passwords) at odd times. These are just a few of the items you can look for.
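As an added example (not code from the post), here are those review rules written in Python over constructed entries. SAMPLE_ENTRIES is made-up test data shaped as a simplified view of what CPYAUDJRNE writes out: the field names (seq, type, ts, user, remote, target, detail) are stand-ins for the actual output-file columns, which you would map onto them after running the command. The entry types PW (sign-on failure), CP (user profile change), AF (authority failure) and DO (delete object) are real audit entry types; the users, times, object names and the 203.0.113.7 address are constructed, and the business-hours window is an assumption.

```python
"""Hunt for anomalies in IBM i audit journal entries.

Added example, not from the original post. SAMPLE_ENTRIES is constructed test
data; its field names are simplified stand-ins for the columns CPYAUDJRNE
writes, not the real column names. Entry types PW, CP, AF and DO are real audit
entry types; everything else here is made up for illustration.
"""
from collections import Counter
from datetime import datetime

BUSINESS_HOURS = (6, 22)  # assumption: 06:00 to 22:00 local time is "normal"

# Constructed entries: one off-hours remote sign-on failure against QSECOFR, a
# burst of failures against JSMITH, an off-hours profile enable, a normal
# password change, an authority failure on a delete, and a successful delete.
SAMPLE_ENTRIES = [
    {"seq": 1, "type": "PW", "ts": "2019-11-14T02:13:05", "user": "QSECOFR",
     "remote": "203.0.113.7", "target": "", "detail": "invalid password"},
    {"seq": 2, "type": "PW", "ts": "2019-11-14T09:02:11", "user": "JSMITH",
     "remote": "", "target": "", "detail": "invalid password"},
    {"seq": 3, "type": "PW", "ts": "2019-11-14T09:02:40", "user": "JSMITH",
     "remote": "", "target": "", "detail": "invalid password"},
    {"seq": 4, "type": "PW", "ts": "2019-11-14T09:03:10", "user": "JSMITH",
     "remote": "", "target": "", "detail": "invalid password"},
    {"seq": 5, "type": "CP", "ts": "2019-11-14T23:41:00", "user": "QSECOFR",
     "remote": "", "target": "TEMPADM", "detail": "status set to *ENABLED"},
    {"seq": 6, "type": "CP", "ts": "2019-11-14T10:15:00", "user": "SECADMIN",
     "remote": "", "target": "JSMITH", "detail": "password changed"},
    {"seq": 7, "type": "AF", "ts": "2019-11-14T11:20:00", "user": "JSMITH",
     "remote": "", "target": "PAYROLL/EMPMAST", "detail": "delete not authorized"},
    {"seq": 8, "type": "DO", "ts": "2019-11-14T16:00:00", "user": "SECADMIN",
     "remote": "", "target": "TMP/OLDRPT", "detail": "object deleted"},
]


def is_off_hours(ts, hours=BUSINESS_HOURS):
    """True when the ISO timestamp falls outside the business-hours window."""
    hour = datetime.fromisoformat(ts).hour
    return not (hours[0] <= hour < hours[1])


def review_entries(entries, repeat_threshold=3):
    """Apply the review rules to a list of entries and return findings in order.

    Rules: sign-on failures at odd hours (worse from a remote address),
    profile changes at odd hours, any authority failure, and a burst of
    sign-on failures against one user (repeat_threshold or more).
    """
    findings = []
    for e in entries:
        if e["type"] == "PW" and is_off_hours(e["ts"]):
            findings.append({"seq": e["seq"], "user": e["user"],
                             "rule": "off-hours sign-on failure",
                             "severity": "high" if e["remote"] else "medium"})
        elif e["type"] == "CP" and is_off_hours(e["ts"]):
            findings.append({"seq": e["seq"], "user": e["user"],
                             "rule": "off-hours profile change", "severity": "high"})
        elif e["type"] == "AF":
            findings.append({"seq": e["seq"], "user": e["user"],
                             "rule": "authority failure", "severity": "medium"})
    # Bursts are a property of the whole set, so count them in a second pass.
    failures = Counter(e["user"] for e in entries if e["type"] == "PW")
    for user, count in failures.items():
        if count >= repeat_threshold:
            findings.append({"seq": None, "user": user, "count": count,
                             "rule": "repeated sign-on failures", "severity": "medium"})
    return findings


if __name__ == "__main__":
    for finding in review_entries(SAMPLE_ENTRIES):
        print(finding)
```

Against the sample data this raises four findings and stays quiet on the routine daytime password change and the authorized delete, which is the point: the rules single out the handful of entries worth a human’s attention rather than listing everything.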

Even if you don’t have time to look for everything, looking for some things is better than nothing. Of course, the best thing to do, if you can get approval, is to purchase software that will analyze the entries for you. There are various SIEM products that will analyze these events with respect to the entire network. There are also products that integrate the IBM i audit journal entries with third-party SIEM products.

5. Prioritize for Next Year

Finally, get ready for next year. Put together a list of security tasks you know you need to address. Even though you know you won’t get enough funding — or have the time — to address all of them next year, having a complete list shows your due diligence in thoroughly addressing information security in your planning.

Put them in the order you feel is most important. You might also want a second list sorted from least expensive to most expensive. Get your management’s input on your list. Let them know that you don’t expect to get funding for everything, but want to make sure they understand the items that need to be addressed.

Get Started!

That’s the list. Just 5 things, each requiring just a bit of time and effort to complete.

If you aren’t already doing any of them, pick just one. Get started. Doing something is better than doing nothing!

If you need help, you know where to find me!

 

This entry was posted in IBM i Security and Info Security Mgmt.