A Manager's Guide
If you have ever taken a Microsoft certification test on security, you will have noticed an assumption. Most security-settings questions start with "Management requires...". The assumption is that no technical expert should change a security setting without a business requirement that comes directly from management. The problem is that nobody ever told the manager that they should be creating business requirements around Security & Compliance. When I walk in to talk to managers about business requirements, I usually get a blank look. When I explain what I need from management, there is usually some frustration: they assume that I am the security expert and therefore I should already know. This article is intended to help managers (and the technical security experts who talk to managers) understand what, why, and how to guide a security team to build a safe and secure network.
Note: when I wrote this document, I wanted it to be a "do it yourself" document for S&C. When I was done, I realized it is a long document. Please feel free to use it as a DIY document, or contact us to help your team with security and compliance.
What is Security and Compliance (S&C)?
S&C is like the controller in an accounting department. The S&C team ensures that the organization complies with at least the minimum security-related requirements. Like a controller, the leader of the S&C team holds the IT team accountable for following the organization's technical requirements, and also makes sure that those technical requirements are in alignment with the business requirements of the organization. In a well-run organization, the team advises the Chief Technology Officer (CTO). The CTO uses this information to advise the board and management. Management makes the decisions and informs the CTO. Finally, the CTO manages the operations manager, who runs the technical teams.
There are three high-level data classifications:
- Confidential – HR, accounting, payroll, and company intellectual property (IP). Cardholder (credit card) data belongs at this level rather than at Internal: PCI DSS imposes its own storage, handling, and access requirements on it.
- Internal – organizational information such as handbooks, departmental documents, customer lists, sales information on prospective customers, and more.
- Public – information intended to be shared with people outside the organization, such as prospective customers, vendors, and customers (for example, marketing material, or the project information a particular vendor or customer is entitled to see).
Looking at these three levels of data, most managers can begin to build requirements for each type. Based on these examples, managers can start writing business requirements to protect data:
- Employee records should only be accessed by HR personnel.
- No employee outside the payroll department should be able to see what other employees are being paid.
- Vendors should have restricted access that lets them share project information but not see corporate internal information.
- Departmental information should be accessible by the department but not across departments. The only exception is that management should have limited (read-only) access to departmental information in other departments.
The S&C team verifies that technical requirements are in place and support the business requirements management has created.
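As an added example (not from the original article), the Python below turns the four business requirements above into an access-control check that an S&C team could review line by line. The department names, resource kinds and the `decide`/`review_matrix` functions are hypothetical stand-ins for whatever the organization actually uses; the point is that every ALLOW or DENY traces back to one written requirement, and anything no requirement covers is denied.

```python
"""Access-policy check derived from the business requirements above.

Added example, not from the original article: the roles, departments and
resource kinds are hypothetical stand-ins for whatever the organization uses.
"""
from dataclasses import dataclass

# Hypothetical mapping of resource kinds to the article's three classification levels.
CLASSIFICATION = {
    "employee_record": "Confidential",
    "payroll_record": "Confidential",
    "department_doc": "Internal",
    "project_share": "Public",      # vendor-facing project information
}


@dataclass(frozen=True)
class User:
    name: str
    department: str          # e.g. "HR", "Payroll", "Sales", or "Vendor" for outside parties
    is_manager: bool = False
    is_vendor: bool = False


@dataclass(frozen=True)
class Resource:
    kind: str                # key of CLASSIFICATION
    department: str          # owning department


@dataclass(frozen=True)
class Decision:
    allowed: bool
    requirement: str         # which business requirement produced the decision


def decide(user: User, resource: Resource, action: str) -> Decision:
    """Evaluate one access request against the four business requirements.

    Rules are checked in order; anything not explicitly allowed is denied,
    so a new resource kind stays protected until management writes a rule for it.
    """
    if action not in ("read", "write"):
        raise ValueError(f"unknown action {action!r}")
    if resource.kind not in CLASSIFICATION:
        return Decision(False, "unclassified resource: default deny")

    # Requirement 3: vendors see project information only, never internal data.
    if user.is_vendor:
        return Decision(resource.kind == "project_share", "vendors: project information only")

    # Requirement 1: employee records are HR-only.
    if resource.kind == "employee_record":
        return Decision(user.department == "HR", "employee records: HR personnel only")

    # Requirement 2: pay data is Payroll-only (no management exception).
    if resource.kind == "payroll_record":
        return Decision(user.department == "Payroll", "pay data: payroll department only")

    # Requirement 4: departmental information stays in the department,
    # except that managers may read (not write) other departments' information.
    if resource.kind == "department_doc":
        if user.department == resource.department:
            return Decision(True, "departmental information: own department")
        if user.is_manager and action == "read":
            return Decision(True, "departmental information: management read-only exception")
        return Decision(False, "departmental information: no cross-department access")

    # Public information is readable by any employee; writes still need the owning department.
    if resource.kind == "project_share":
        ok = action == "read" or user.department == resource.department
        return Decision(ok, "public information: read by all, write by owning department")

    return Decision(False, "default deny")


def review_matrix(requests):
    """Produce the table an S&C reviewer would check: one row per request."""
    rows = []
    for user, resource, action in requests:
        d = decide(user, resource, action)
        rows.append((user.name, resource.kind, resource.department, action,
                     "ALLOW" if d.allowed else "DENY", d.requirement))
    return rows


if __name__ == "__main__":
    sample = [
        (User("alice", "HR"), Resource("employee_record", "HR"), "read"),
        (User("bob", "Sales"), Resource("employee_record", "HR"), "read"),
        (User("carol", "Finance", is_manager=True), Resource("department_doc", "Sales"), "read"),
        (User("carol", "Finance", is_manager=True), Resource("department_doc", "Sales"), "write"),
        (User("dave", "Vendor", is_vendor=True), Resource("department_doc", "Sales"), "read"),
    ]
    for row in review_matrix(sample):
        print(" | ".join(row))
```

The `requirement` string on every decision is what makes the check auditable: when a request is denied, the reviewer can point management at the exact sentence that caused it, and when management changes a requirement there is one rule to change.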
Data Loss Prevention
Data can be lost in several ways, including:
- While the data is at rest in a corporate secured data store.
- While the data is in transit, within the corporate network or outside it on the internet.
Data loss prevention (DLP) covers the tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. In practice a DLP policy names the sensitive information types to look for (card numbers, personal identifiers, documents carrying a Confidential label), where to look for them (mailboxes, file shares, outbound email), and what to do when they are found (audit, warn the user, or block).
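As an added example (not from the original article), the Python below shows what a DLP rule looks like underneath: a detector for card numbers (pattern plus Luhn checksum, so ticket numbers and phone numbers do not trigger it) and a policy that blocks when the data would leave the organization and only audits when it stays inside. The mail domain, the policy actions and the sample messages are all constructed for the example.

```python
"""Outbound-email DLP check: detect card numbers and act on direction of travel.

Added example, not from the original article. The internal domain, the
message samples and the policy actions are constructed for illustration.
"""
import re

INTERNAL_DOMAIN = "example.com"     # assumed corporate mail domain

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run. Matches are only candidates until Luhn passes.
CANDIDATE_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by card networks; filters out phone numbers, ticket IDs, etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return (masked_number, start, end) for every Luhn-valid card number in text."""
    findings = []
    for m in CANDIDATE_PAN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("*" * (len(digits) - 4) + digits[-4:], m.start(), m.end()))
    return findings


def evaluate(message: dict) -> dict:
    """Apply one DLP rule to an outbound message.

    Assumed policy (the kind management would write):
      - card data leaving the organization is blocked;
      - card data moving between internal mailboxes is allowed but audited;
      - everything else passes.
    """
    findings = find_pans(message["body"])
    external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in message["to"])
    if not findings:
        action = "allow"
    elif external:
        action = "block"
    else:
        action = "audit"
    # Only the masked form is logged: the DLP log must not become a new copy of the card data.
    return {"action": action, "external": external, "pans": [f[0] for f in findings]}


# Constructed sample messages (test card numbers, not real accounts).
SAMPLE_MESSAGES = [
    {"to": ["billing@vendor-example.net"],
     "body": "Please charge card 4111 1111 1111 1111 for invoice 88213."},
    {"to": ["finance@example.com"],
     "body": "Refund 5500-0000-0000-0004 per ticket 1234567890123."},
    {"to": ["partner@vendor-example.net"],
     "body": "Tracking number 1234567890123 shipped today."},
]


def run_samples() -> list:
    """Policy action for each sample message, in order."""
    return [evaluate(m)["action"] for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, action in zip(SAMPLE_MESSAGES, run_samples()):
        print(action.upper(), "->", ", ".join(m["to"]), "|", evaluate(m)["pans"])
```

The third message contains a 13-digit tracking number that the pattern picks up as a candidate; the Luhn check rejects it, which is what keeps a rule like this from blocking every shipping notice the company sends.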
Data privacy generally means the ability of a person to determine for themselves when, how, and to what extent personal information about them is shared with or communicated to others. A related concept is data sovereignty: digital data is subject to the laws of the country in which it is located.
Because there are regional, national, and continental expectations and laws around data privacy, the legal department is often included to ensure data privacy for employees, prospective customers, and customers.
Note: too often the IT department is left on its own to make this decision. This is one reason we hear so much about customer data being lost: the cause is often a lack of policy on data privacy and a lack of S&C oversight.
eDiscovery and Content Search
Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence in legal cases. Content search refers to the search options available for each type of content (for example mailboxes, document libraries, and chat), which determine what a discovery request can actually find.
Example: during a lawsuit, an attorney can file a discovery request for email information. The risk is that the attorney may see more information than intended, which can lead to further discovery and further exposure for the company.
Again, the legal department, not the technology team, should be recommending the business policies for eDiscovery to the board. S&C then needs to make sure that those requirements are being met.
Email in Transit
This area covers email messages while they are in transit. Business policies focus on what happens while a message is moving between systems.
Examples of what such policies can reference:
- Confidentiality of messages while in transit (for example, requiring TLS between mail servers)
- Size and types of attachments
- Email policies by role
Manage Compliance Risk
This area defines how the compliance team will be run and managed, including:
- Identifying, assessing, and monitoring the risks to your enterprise's compliance with regulations and industry standards.
- The internal controls in place to ensure that you are compliant.
- Monitoring those controls to be sure that they are effective on an ongoing basis.
Manage Information Governance
Information governance is the way in which information is used and managed. The practice seeks to limit the risks in the management of data and to ensure compliance. It includes policies on managing, among other things:
- Redundant data (duplicate copies of the same file or record),
- Outdated data (retention periods and removal),
- Trivial information (files that have no business value and should not be on corporate storage).
These policies aim to make access to corporate data effective, efficient, and optimized, weighed against the financial worth and benefit of that data.
Example: one year a game called "Elf Bowling" was rampant on the internet. On one small data store serving 200 employees, we found 50 duplicate copies of it on a single server.
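As an added example (not from the original article), the Python below does the kind of scan that found those 50 copies: it groups files by size and then by SHA-256 so identical copies are found regardless of file name or location, and it lists files older than a retention limit as candidates for the outdated-data policy. The directory tree it scans is constructed in a temporary folder so the example runs offline; the file names and the one-year retention limit are assumptions.

```python
"""Find redundant and outdated files on a share by content hash and age.

Added example, not from the original article. It builds a small throwaway
directory tree (constructed sample data) so it can run offline.
"""
import hashlib
import os
import tempfile
import time
from collections import defaultdict
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Hash file contents in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_duplicates(root: Path) -> dict:
    """Group files under root by content hash; only groups with 2+ members are returned.

    Files are bucketed by size first so that only same-sized files are hashed,
    which keeps a scan of a large share cheap.
    """
    by_size = defaultdict(list)
    for p in root.rglob("*"):
        if p.is_file():
            by_size[p.stat().st_size].append(p)
    by_hash = defaultdict(list)
    for paths in by_size.values():
        if len(paths) < 2:
            continue
        for p in paths:
            by_hash[sha256_of(p)].append(p)
    return {h: sorted(ps) for h, ps in by_hash.items() if len(ps) > 1}


def stale_files(root: Path, max_age_days: int, now: float = None) -> list:
    """Files not modified within max_age_days: candidates for the retention/removal policy."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    return sorted(p for p in root.rglob("*") if p.is_file() and p.stat().st_mtime < cutoff)


def scan(root: Path, max_age_days: int = 365) -> dict:
    """Summary an S&C team could hand to the CTO: duplicate groups, wasted space, stale files."""
    dups = find_duplicates(root)
    return {
        "duplicate_groups": len(dups),
        "redundant_copies": sum(len(ps) - 1 for ps in dups.values()),
        "wasted_bytes": sum(ps[0].stat().st_size * (len(ps) - 1) for ps in dups.values()),
        "stale": stale_files(root, max_age_days),
    }


def build_sample_share(root: Path) -> None:
    """Constructed sample data mimicking the 'Elf Bowling' situation in the article."""
    game = b"MZ" + b"\x00" * 2000            # stand-in for the game binary (2002 bytes)
    for d in ("users/ann", "users/ben", "public/games", "users/cal/old"):
        (root / d).mkdir(parents=True, exist_ok=True)
        (root / d / "elfbowl.exe").write_bytes(game)
    (root / "users/ann/notes.txt").write_text("meeting notes")
    (root / "users/ben/notes.txt").write_text("other notes")
    old = root / "users/cal/old/report-2015.doc"
    old.write_text("quarterly report")
    two_years_ago = time.time() - 730 * 86400   # make one file look two years old
    os.utime(old, (two_years_ago, two_years_ago))


def demo(max_age_days: int = 365) -> dict:
    """Build the sample share in a temporary directory, scan it, return a plain summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_share(root)
        r = scan(root, max_age_days)
        return {
            "duplicate_groups": r["duplicate_groups"],
            "redundant_copies": r["redundant_copies"],
            "wasted_bytes": r["wasted_bytes"],
            "stale": [p.name for p in r["stale"]],
        }


if __name__ == "__main__":
    print(demo())
```

Hashing content rather than comparing names is what makes the report trustworthy: a renamed copy is still a copy, and two different files that happen to share a name are not.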
Reporting & S&C tools
In many larger networks, redundant security tools from different manufacturers can be found, and each technology platform adds costs. Some of these costs are licensing, but more important are the cost of training S&C team members on multiple platforms and the cost of getting the platforms to talk to each other. Management's role is to develop Key Performance Indicators (KPIs) with the S&C team and to set policy on redundant systems.
Examples of S&C tools
Microsoft 365 Compliance Center (since renamed the Microsoft Purview compliance portal)
A dedicated workspace for company compliance, privacy, and risk management specialists.
Microsoft 365 Defender (since renamed Microsoft Defender XDR)
A unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
Defender features include:
- Unified alerts queue.
- Unified user page.
- Unified investigation page.
- Learning hub.
- Email entity page.
- Integrated alert detail page.
- Role-based access in Microsoft 365 Defender
- Threat analytics.
Microsoft 365 Security Center (now part of the Microsoft Defender portal)
Supports security team investigations and responses to attacks.
Policies for reporting and S&C tools
Typically, companies reduce costs by developing a companywide standard. These policies standardize the reports and tools used by the S&C team, so that the team is trained on one platform and reports are comparable from period to period.
Examples of business requirements
- The S&C team will provide the CTO with a report on all attempted and successful accesses to the network through the perimeter router (or firewall). The CTO will provide the board with a risk assessment based on these reports.
- The S&C team will provide the CTO with a report on trivial files and software found on the servers. The CTO will provide the executive management team with a report identifying the owners of files and software that have not been approved for the servers.
- The S&C team will provide the CTO with a malware report listing viruses found, removed, or held in quarantine on the network. The CTO will provide the executive management team and the board with a malware risk assessment based on it.
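As an added example (not from the original article), the Python below produces the first report above from a router's authentication log: totals of successful and failed access attempts, plus the sources the CTO should see flagged, such as an address that failed repeatedly and then got in. The log format, the host and user names and the sample lines are constructed; a real router or firewall needs its own parser, and the failure threshold is an assumption management would set.

```python
"""Perimeter access report from a router authentication log.

Added example, not from the original article. The log format and the lines
below are constructed; real routers or firewalls need their own parser.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of a router's authentication log (one event per line).
SAMPLE_LOG = """\
2024-03-04T08:01:11 rtr-edge1 vpn: user=alice src=203.0.113.5 result=success
2024-03-04T08:02:40 rtr-edge1 vpn: user=admin src=198.51.100.23 result=failure reason=bad-password
2024-03-04T08:02:43 rtr-edge1 vpn: user=admin src=198.51.100.23 result=failure reason=bad-password
2024-03-04T08:02:47 rtr-edge1 vpn: user=root src=198.51.100.23 result=failure reason=unknown-user
2024-03-04T08:02:51 rtr-edge1 vpn: user=admin src=198.51.100.23 result=failure reason=bad-password
2024-03-04T08:02:55 rtr-edge1 vpn: user=admin src=198.51.100.23 result=failure reason=bad-password
2024-03-04T08:03:09 rtr-edge1 vpn: user=admin src=198.51.100.23 result=success
2024-03-04T08:15:02 rtr-edge1 vpn: user=bob src=203.0.113.9 result=failure reason=bad-password
2024-03-04T08:15:20 rtr-edge1 vpn: user=bob src=203.0.113.9 result=success
this line is not an access event and must be ignored
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) vpn: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)"
)


def parse(log_text: str) -> list:
    """Turn matching log lines into dicts; anything that does not match is skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def build_report(events: list, failure_threshold: int = 3) -> dict:
    """Summarize attempts and flag sources that need the CTO's attention.

    A source is flagged when it has at least failure_threshold failures; the
    case to escalate is a source whose run of failures was followed by a success.
    """
    totals = Counter(e["result"] for e in events)
    per_src = defaultdict(lambda: {"results": [], "users": set()})
    for e in events:
        per_src[e["src"]]["results"].append(e["result"])   # preserves log order
        per_src[e["src"]]["users"].add(e["user"])

    flagged = []
    for src, s in per_src.items():
        results = s["results"]
        failures = results.count("failure")
        if failures < failure_threshold:
            continue
        first_ok = results.index("success") if "success" in results else None
        broke_in = first_ok is not None and results[:first_ok].count("failure") >= failure_threshold
        flagged.append({
            "src": src,
            "failures": failures,
            "succeeded_after_failures": broke_in,
            "users_tried": sorted(s["users"]),
        })
    flagged.sort(key=lambda f: -f["failures"])

    return {
        "events": len(events),
        "success": totals["success"],
        "failure": totals["failure"],
        "sources": len(per_src),
        "flagged": flagged,
    }


if __name__ == "__main__":
    report = build_report(parse(SAMPLE_LOG))
    print(f"{report['events']} events, {report['success']} successful, "
          f"{report['failure']} failed, {report['sources']} distinct sources")
    for f in report["flagged"]:
        print("FLAG", f["src"], f["failures"], "failures, users:", f["users_tried"],
              "BROKE IN" if f["succeeded_after_failures"] else "")
```

The totals satisfy the letter of the requirement; the flagged list is what turns the report into the risk assessment the CTO owes the board, because a thousand failed attempts matter far less than five failures followed by one success.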
In this document we have discussed the need for management teams to drive technical security policy by first defining the business requirements that best support the vision of the organization, then handing those business requirements to the technical team. The technical team translates the business requirements into technical requirements and then implements the technical changes that support the business requirements and the vision of the organization.
The document is long, and the process can be tedious. The problem is that the IT department is not trained or qualified to assess the legal and business risks affected by any technical change. Security breaches in many industries are rising sharply. Breaches started as a form of vandalism, like graffiti. Decades later, they have become very lucrative.
I would use the analogy of leaving the door of your house unlocked. People can break through a locked door, but if someone else leaves their door unlocked, that house will be attacked first. Business policies and a good S&C team make your company more difficult to breach.
Additionally, it is not necessary to follow through on everything today. This is a gradual process that may require some cultural change. With the many breaches, it is becoming more and more necessary. If you need something in place today, we can share some options. If you want to do this gradually, contact us. We can help with training your business team and your technical team.
For a free, no obligation consultation, contact us