/pcq/media/agency_attachments/L8pkS8gpnodJThOdAfv1.jpg)
Follow UsAlok Sinha, Head, SI Business, Huawei India
In our last article carried in May, we talked about how compliance and vulnerability indices can be setup to measure your organization's security. This time, we'll cover the remaining indices for the job, which will give you an accurate reflection of your organization's security status. We'll start with one key element that completes the security posture-the security operations index.
Security operations index
At the peak, this index is a culmination of many sub-parts of the operations. In our sample case (see Table below), to demonstrate the methodology, we choose to take six verticals into consideration, and calculate their individual scores and weighted scores. Based on these, we've derived the overall Security Operations Index. The choice of vertical and the weightage you assign to it, varies from organization to organization and from time to time. Your organization may want to establish a higher weightage on say 'userID management', or if you had a recent spate of cyber attacks or frequent breakdowns, you would want to increase the weightage for log and backup management. Having said that, let's understand the six verticals that help you determine the security ops index.
Basic hygiene index
This index represents the basic health check of all your basic systems, like desktops/servers and even network devices like printers, access card controllers, etc. List them down region wise in a table as shown in Table below. Create a host checklist in a separate table as shown (in third page ). Here, the 10 items that have been listed are only for demonstration. Your list could vary based on your requirements. Additionally, your list may be significantly reduced if you deploy Windows login and force many of these features through systems group policy.index.
Typically in practice you would want to run this process once a quarter or so and cover 100% of your computing population. It would be prudent to use a modified version of this list for your servers. With mobile devices being more and more pervasive, there is an increasing demand to secure them as well. You would want a similar checklist to be created for your mobile basic security list. The above table is then drilled down further. Elements, that are not compliant, but have a valid security exceptions, with approvals, with documentation will be considered compliant.
User ID index
The objective of this index is to determine the compliance of the user ID verification process. On a periodic basis (annually or quarterly), each organization does a UID validation exercise. A UID inventory is created and each employee/manager is queried for the validity of the ID. In an ideal state world, as soon as an employee status changes (such a moving into a new role, promotion, outsourcing part of work, etc) the ID management department should be informed. However, real life takes a different course and changes just happen. In such a situation, the periodic ID inventory validation is an important step.
Creating the ID inventory
On the face of it, this would appear to be a simple task — take the list of ids and simply put it in an Excel sheet. The simplicity is lost, when you consider the fact that you would need email ID, Windows network id, specific application id, server login id (for admins), sub-system (database, content management system , etc). In order to get all accurate user ID inventory — we take into account four distinct families of user ID — applications, sub-system, servers, network devices.
The idea is to collect user id from each system, list them down and as a part of the verification process attach them an employee. Next, each manager is then queried for a confirmation on the continuation of the required access rights.
The above action, then can be measured by the following simple formula:
Total IDs: 4512
Verified IDs: 4015
ID Verification Index: 89%
Exceptions — security over-ride Index
While the security policy may provide an organization framework, there are times when business requirements dictates exceptions. You may have a policy that forbids the use of USB read write. However, the sales man in your organization needs to use his device to write on USB disk to share marketing material with customer. This in a controlled environment is achieved by exception approval — many organization use the word Security Override.
SOD index, reflects the issue of such exceptions in the system. It is calculated by the formula
SOD Index = 1 - (# of SOD issued)/ total number of computing device
Hence, if you have 1000 computers and have 200 SODs issued, then the SOD index would be
(1-200/1000) = 1 — 0.2 = 80%
Backup Index
Backing up data and application state is an important part of IT operations that is required to ensure continuance of IT services. For illustrating our case, let us assume that the following schedule (next page) is reflective of our backup schedule for seven days of the month.
Partial/full reflect the plan — to take partial backup or full backup. For some servers, the data backup is not required on certain days, this we reflect by NR. During the course of normal business, some days, our backup did not trigger, or failed to complete successfully, these are what is available as FAIL.
In such a situation the Backup Index is calculated as follows:
Backup Index = 1 - (Number of failed instance / # of total instance of backup)
Thus in the above case it would be
= 1 — (3/30) = 1 — 0.1 = 90%
Currency Index
Applications and operating systems need to be updated on a regular basis, with the new updates and new patches. We are assuming here, that your organization has a system to release notifications about new upgrades/updates that are relevant to you. For instance, there would be hundreds of patch updates released by a DB provider.
However, in your organization only a few specific ones would be applicable — and this, a central team in your organization releases from time to time. These advisories not only advise the type of patch required, but also the patch priority
level — some patches are urgent (required to be deployed within 7 days of release), some critical (required within 30 days), some routine (required to be implemented within 90 days). These are of course reference points. Your organization would establish a security policy to establish similar practice.
The currency index is defined as
= (Total number of patches applied in time) / (Total number of patch incidents required across the organization)
Hence in our sample case above, while the total relevant patches were 100, we could deploy only 98 in time — hence our Currency Index would be 98/100 = 98%
Log management
Logs provides sensitive details about the IT operations of the server. While logs may be required to help you troubleshoot the problem, in some cases logs are mandatory requirements of the law to provide forensic tracks. Whatever may be the reason, there is no refuting the fact that the log system needs to be implemented in your organization.
Configuration checks need to be reviewed periodically to ensure that logs are indeed getting saved, and managed in a way that you have intended it to. e.g. configuration setups like log storage into a common log server, log rotation on a weekly, monthly basis or log backups post a period tenure etc.
Log management index is a reflection of the configuration completeness of the environment.
In our example above, the organization does a quarterly check of its implementation of log configuration. During the quarterly check it realized, that in the auth server, the access log (which was switched off for trouble shooting three weeks back) was never switched back on. Other than that all required configuration in other servers were found compliant. Mail storage access log was not required to be turned on, as per our security policy.
The in our case, the Log index would be = 1 — 1/18 = 94.4 %
Enterprise Security Index
The strategic intent of this article was by no means to be all encompassing security matrix, but to give an insight on the fact that — one needs to measure the security posture of the organization on a periodic basis and establish your own positioning in the security parameter.
As you have seen in the previous article (May 2011) and this, you can design a very intense security measurement matrix that will give us an accurate reflection of the status of security of our organization.
In our case, all the processes, backups, compliance, vulnerability ,etc rolls up into one number 92.87%, and the business managers can rest assured that there is indeed one number that will tell them the answer to the question — How secure is my organization?