Due Diligence

When it comes to information security, many organizations, no matter their size, lose sight of the basics. Performing the proper due diligence around the “basics” provides a solid foundation for advancing computer resources and for protection against the so-called advanced persistent threat. The question most likely weighing on many organizations’ minds is, “What constitutes due diligence?”

The answer to this question is not as easy as many security practitioners would like you to believe. Many organizations tout “best practices.” But how can you be sure that one person’s best practices are the best practices for your organization?

The answer: due diligence is a relative term; properly inventorying assets and assessing risk will allow an organization to identify gaps and implement controls and/or mitigation processes and policies.

Understanding the business objectives, processes, and data gives an organization the foundation for building the proper controls, processes, and policies.

For example: What type of data are we collecting? How is it being processed? Do we need to keep it after it has been processed? Do compliance regulations drive our need for policy and procedure, for example, encrypting data at rest?

The “basics”, such as requiring strong passwords, monitoring, disabling and filtering unnecessary services, and least-privilege account access, are still being missed today. How we implement these items is relative to our business.

Implementing these “basics” takes resources and discipline, so it is not an effort to be taken lightly. Often these basics get swept under the rug and forgotten about: a server is built with extraneous services available, and/or a developer’s administrative credentials are left on that box when it goes into production. It is these “basic” things that add up and present risk to an organization. Everyone knows what happens to a server once it is built and in production: nobody ever has time to go back and “fix” the issue, or it is seen as too much of a hassle, because we have to put in a change ticket and perform the work during an outage window, and that is if you even have a change control process.
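One way to catch the two gaps described above before a server goes into production, as an added example that is not part of the original post: compare the host’s listening services and its privileged group members against a baseline agreed for that server’s purpose. The `ss -ltnp` output, the `/etc/group` line, and the approved sets below are constructed sample data, not taken from any real host.

```python
"""Pre-production gap check (added example): flag listening services and
privileged accounts that are not in the approved baseline for this host."""
import re

# Constructed sample in the shape of `ss -ltnp` output on a Linux web front end.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*        users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*        users:(("nginx",pid=1203,fd=6))
LISTEN 0      128    0.0.0.0:3306      0.0.0.0:*        users:(("mysqld",pid=1310,fd=21))
LISTEN 0      5      0.0.0.0:5900      0.0.0.0:*        users:(("x11vnc",pid=1402,fd=4))
"""

# Constructed sample: the sudo line from /etc/group on the same host.
GROUP_LINE = "sudo:x:27:ops-admin,jdoe-dev,ci-deploy"

# Baseline agreed for a web front end (assumed values for this example).
APPROVED_PORTS = {22, 443}
APPROVED_ADMINS = {"ops-admin", "ci-deploy"}


def listening_ports(ss_text):
    """Return {port: process_name} parsed from `ss -ltnp` style output."""
    ports = {}
    for line in ss_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 6:
            continue
        port = int(cols[3].rsplit(":", 1)[1])  # "0.0.0.0:443" -> 443
        match = re.search(r'\("([^"]+)"', line)  # first process name in users:(...)
        ports[port] = match.group(1) if match else "?"
    return ports


def group_members(group_line):
    """Return the member set from one /etc/group line (name:x:gid:members)."""
    return set(filter(None, group_line.split(":")[3].split(",")))


def find_gaps(ss_text, group_line, approved_ports, approved_admins):
    """Return (extra_services, extra_admins): anything present but not approved."""
    extra_services = {p: proc for p, proc in listening_ports(ss_text).items()
                      if p not in approved_ports}
    extra_admins = group_members(group_line) - approved_admins
    return extra_services, extra_admins


if __name__ == "__main__":
    services, admins = find_gaps(SS_OUTPUT, GROUP_LINE, APPROVED_PORTS, APPROVED_ADMINS)
    print("Unapproved listening services:", services)   # {3306: 'mysqld', 5900: 'x11vnc'}
    print("Unapproved privileged accounts:", admins)    # {'jdoe-dev'}
```

Run it in the build pipeline and fail the change ticket when either set is non-empty; the same check re-run on a schedule catches drift after the box is in production.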

The “basics” might seem like a much easier task for an organization with a small technology footprint, but they are just as important there. It is my experience that once technology is injected into a culture, it will not be going away anytime soon; business and user requests will drive the need for more technology.

Not to be lost in the “basics” is security awareness and training for the end user. It is not uncommon these days to walk into a small shop or office where the employees are surfing the Internet, checking Facebook and their personal email, on the same system that they will swipe your credit card on when you check out. Providing basic user awareness in a fun and positive way can go a long way.

I would also recommend to any small company that it ingrain into its culture the idea of the basics and that security is a real part of the organization. Cliché as it may sound, everyone has a part to play in securing an organization, no matter its size: the IT guy building a purpose-built server is just as important as the CEO checking his/her email and not downloading that unknown file.
