AuditScripts Policy Update for GDPR

Hello, friends and subscribers. As you know, the European Union’s General Data Protection Regulation (GDPR) is almost here and it is has become an everyday topic of conversation in our data protection circles. If you are an information security person, I hope you have made friends with the privacy folks in your organization, and vice versus. Data protection, especially under terms of GDPR, will involve the security and privacy teams working together.

As most of you know, GDPR goes into effect on May 25, 2018 and it was created to better harmonize data protection laws around the member states. Key components of GDPR include data subjects’ right for rectification, right to fair and lawful processing of personal data, as well as the right to erasure. Basically, GDPR addresses two core principles: Data Protection and Privacy.

Here at Auditscripts.com, our team knows data protection and we have tremendous expertise in information security architecture. We believe in the importance of privacy programs. In this updated release of the policies, we have acknowledged that privacy management is a unique discipline. Our recommendation for organizations is to create a Privacy Program, starting with a Charter that defines the goals of the Privacy Program. We have included an updated privacy policy in our subscription to document how privacy efforts interact with information assurance, governance, and technical controls, but this is not a replacement for a comprehensive and well documented privacy program. If you are in need of privacy resources,

The International Association of Privacy Professionals (IAPP) provides guidance, articles, and an active community supporting other privacy professionals at https://iapp.org/.
Project Management Institute provides information on project management and program management at www.pmi.org .

Today, we release our updated policy library to address the principles and requirements of GDPR, and this blog will highlight the key principles surrounding the updates to the policies.
Guiding Principles in the Creation of This Update (2018 2.3)

 

We Baked Data Protection Principles into the policy library as a whole.

The term ‘Data Protection’ is used frequently in the GDPR Articles and Recitals, but this is nothing new to our policy library. We have created an Information Assurance Policy library for you that already addresses key data protection principles of confidentiality, integrity, privacy, and availability.

We give you the tools to establish a Governance, Risk, and Compliance Program that can support data protection practices under that a GRC umbrella.

We wrote policies for a Multi-Disciplinary Team Approach to Successful Data Protection. Some examples include:

Executive Support for Governance, Information Assurance, Risk Management, and Privacy efforts

Privacy experts reviewing privacy notices

Legal personnel vendor agreements

Risk expects conducting assessments

Information Security architects reviewing technical controls

We Updated policies names to include updated concepts.

Data Protection and Classification Policy has been refined to more closely tied together data classification efforts supporting data protection (formerly, Data Classification Policy)

Data Retention, Backup, Archive Policy includes updated policy statements to reflect handling of personal data

We Avoided Regional Favoritism

We chose open-ended language in the policies to maintain a balance between the requirements of the EU’s GDPR and other geographical region’s privacy and data protection regulations.

Open ended statements that cover all regulatory bodies without being specifically written for one geographical regulatory body. For example, for GDPR, we implied that your organization is the data controller without using that term specifically.

We used the term ‘personal data’ to be inclusive of multiple regulations that refer address data about individuals.

We acknowledged that GDPR Expertise will evolve and grow as the Regulation goes into effect.

As Data Protection Authorities (DPAs) begin to review factors surrounding data subjects’ complaints and data breach notifications, we will better understand how to apply administrative and technical controls to mitigate risk.

As of the writing of this blog post, there is uncertainty of the EU-U.S. Privacy Shield and there are lingering questions if United States companies should certify or not.

We updated all policies. These policies received the largest updates:

Charter Document for Information Assurance

Cloud and Third Party Services Policy

Data Backup, Retention, Archive Policy

Data Protection and Classification Policy

Incident Management Policy

Privacy Policy

Thank you for participating in our community and we will continue to provide guidance and suggestions on how to best use the resources on www.auditscripts.com .

The Digital Security Poverty Line

Like many information security practitioners, this week marks the return to the office and reflection after attending the annual RSA Conference in San Francisco. Every year there are interesting speakers, some better than others, crazy parties, and a vendor show the size of a small city. And every year I admit I get a little contemplative at the end of the week and try to reflect a little more on our industry.

This year there was a phrase that I heard that got me thinking, the phrase described the challenges of the “Digital Security Poverty Line.” So it got me thinking, is this a real thing? Is this hype or when we look at organizations today are there really haves and have nots in the world of information assurance?

I think one of the first discussion points has to be a monetary one. Do larger organizations have larger budgets when it comes to information assurance? I think the knee-jerk reaction most of us would have to this is yes. But a better question might be – do larger organizations have a larger percentage of their budget allocated to information assurance? According to a study performed by BAE Systems Applied Intelligence and the Gartner Group there is a wide range of spending that organizations allocate to information assurance. According to their October 2013 study (http://blogs.gartner.com/john-wheeler/it-security-budgets-rise-as-data-breach-fear-spreads/) the majority of organizations allocate between 3-10% of their IT budgets towards information assurance efforts. 

2013itsecuritybudget

But this still begs the question – does that mean if your organization allocates lower than 3% of its IT budget on information assurance, does that mean your organization is in poverty?

For this statement to be true, there would have to be a set of organizations under-allocating resources – which likely is true. But also the industry would have to be lacking in low cost quality tools that could be used to secure information systems. So is that true?

This is where I think the phrase starts to break down. Yes, in my opinion, there are and there always have been low cost tools available to small, midsized, or “poverty stricken” information assurance departments that could be used to secure information assets. While certainly it would be nice if everyone could afford a tool like Tenable’s Security Center, Tenable has always been gracious enough to provide tools like stand-alone Nessus if your organization did not have the funds for the larger solution. And of course this does not even take into account the abundance of free or open source (FOSS) tools that companies could employ – OpenVAS anyone?

I can certainly understand the vendors point about the appearance of a poverty line. And more importantly I think it’s quite generous for companies such as Qualys and Tripwire (nCircle) to release tools for small businesses to help them alleviate the stress. For those of you would did not notice, both of these vendors released free tools at the RSA Conference to help SMBs to secure their information systems based on the recommendations from the Critical Security Controls project.

So free or low cost tools are available to organizations. So if there is a poverty line, then it would have to be related to the personnel resources that an organization allocates to the issue. In the long term automation will help to remove this as a consideration, but as organizations initiate their assurance programs, it will take people to kick things off and create a strategy for organizations. Certainly that’s hard to argue against.

So, is the idea of a digital poverty line real? That’s hard to say. It could be the emergence of a new trendy marketing word. Or on the other hand if one does exist today I would argue that is has to do with the allocation of personnel and not the allocation of capital budgets. So what’s the moral of the story? If a digital security poverty line exists, it is because of their personnel. So if I was an organization today reading about data breaches and theft of intellectual property I would make sure I’m investing in the people that keep my data secure. Am I giving them the training and mentoring necessary to make good decisions for the organization or am I simply throwing my capital after more products. Maybe it’s time we all followed after groups like the State of Colorado and spend fewer resources on software licenses and fancy appliances and more on investing in the people that watch over our organization’s data every day.

Steps to Creating a New Metrics Program

Metrics definitely seem to be a buzz word in information security circles these days. It seems that I can hardly give a presentation or meet with clients without the topic coming up at some point in our discussion. But to be fair, I think these discussions are healthy and I’m glad to see so many people beginning to ask the question, “how can I measure my efforts in securing my organization’s data?”

My fear though, is that there are a number of organizations who see other organizations implementing metrics and they believe that they can skip the core foundational program steps and jump right to interesting dashboards and metrics. It’s like watching someone who never exercises observing a marathon runner and saying, “I think I’d like to run a sub-four hour marathon too this year.” Without establishing a base and putting in the effort to practice, achieving great results can be difficult to impossible.

So this begs the question, in terms of information security, how would you build a base, and what steps could you take to lay the foundation for a solid, mature information security program. After working with our clients for the past 10-15 years, this would be our advice:

  1. Obtain a security management charter from senior management
  2. Create an organization wide IS Steering Committee
  3. Document your organization’s overall security goals
  4. Create & approve appropriate security policies, procedures, & standards
  5. Educate your organization on those documents

Then what? If we finish those steps, then can we start a metrics program? Absolutely! Once you have a proper foundation and you know what your organization is trying to achieve, then I think it’s a perfect time to kick off a program to develop metrics in your organization. But take it one step at a time. Don’t try to bite off too much too quickly. Take it slow, achieve results, and then progressively add to the sensors and data you collect.

  1. Here are the steps we would take to start your initial metrics program:
  2. Identify what information security sensors you have already successfully deployed
  3. Determine what meaningful metrics can be gleaned from these sensors
  4. Deploy a tool that can centrally aggregate, normalize, and report on the data collected by the sensors
  5. Create basic reports based on the metrics from strep #2
  6. Work with business owners to remediate risk

Our best advice though is this: achieve value from a small number of metrics first, and then grow your program. If you can’t achieve value from a small number of measurements, you certainly won’t achieve value with a greater volume. Eat that elephant one bite at a time.

Basic Steps for Executive Engagement

Recently a met with an organization who mentioned to us that they had identified executive engagement in information security (or lack thereof) the biggest risk to their organization. It’s not to say that the organization’s executives didn’t care. The issue was that this organization had its hands in a number of other important activities, and securing the organization’s assets simply was not one of their top concerns.

But this raises a few questions – What does it mean for executives to be engaged in information security? How much buy in is enough for management? Is there a bare minimum standard for executive engagement?

So we started thinking, executives have a lot on their plates, so what should a busy executive do to sponsor an information security program without getting sucked into a black hole of too much engagement and allocating too much of his or her attention to the program. It seems to me executives have the responsibility to ensure that all the plates are spinning in the organization to continue pursuing the overarching business strategy. It takes a number of moving parts to achieve an organization’s mission. So what steps should they take to make sure the information security plate stays in the air?

Step One:            Assign an information security champion (think senior project manager).

Step Two:            Sign a charter for an information security steering committee, or add security responsibilities to the IS steering committee’s charter.

Step Three:        Task the steering committee with documenting policies & procedures for how information security will take place in the organization.

Step Four:           Support the steering committee in their efforts with other executives and in front of the organization as a whole.

Step Five:            Monitor the committee’s progress and encourage them along the way.

Remember this is a journey, not a destination. This is a program, not a project. But like any part of an organization, the information security team needs executive support and guidance in order to help the organization to achieve their goals. Security is expensive and requires effort, but when balanced with other aspects of the business it can help the organization to be healthy and succeed in the long term.

Elements of an Information Security Charter

Part of any solid project / program management effort is a program charter that defines the program in order to ensure its success. Too many times projects begin without a clear definition of success and as a result it becomes very difficult to measure success or often even to make progress on the project in any way. Information security programs are no exception.

In order to have a successful information assurance program, organizations need to take the first step of creating a charter for the information assurance team. The benefit of these charters is that they should function in the same way as any other program charter. Because of that we have a solid body of knowledge available to us as to what elements should exist in a mature program charter.

Elements of a mature information security program charter should include:

  • Name / Title
  • Start and end date / timeline
  • Approval authorities / executive sponsorship
  • Team leadership / management
  • Key players / stakeholders
  • Business case / purpose / regulatory requirements
  • Problem statement or opportunity
  • Business benefits
  • Measurable performance outcome / metrics
  • Scope of work
  • Key milestones
  • Roles and responsibilities
  • Manpower and budget requirements
  • Barriers to success and risks
  • Communication plan

If you haven’t taken the time to define a program charter for your security team, why not start now. Not only will this process help to define the goals of your effort, but it can focus your team’s efforts and align executives with the team’s efforts.

References:

http://www.sixsigmadigest.com/project-charter.shtml

http://en.wikipedia.org/wiki/Project_charter

http://www.agilebok.org/index.php?title=Elements_of_a_Project_Charter_for_an_Agile_Project

Script for Network Adapter Configuration Baselines

So in this series of blog articles so far we have identified a number of different baseline scripts written in PowerShell. We hope that auditors and others will be able to take this scripts, modify them for their own purposes and use them for baselining the systems that they are evaluating.

This week we found ourselves in the position of having to gather some information about both the MAC addresses and the logical (IP) addresses of the adapters on a set of machines. Unfortunately that meant we had to change our strategy from using simple WMI calls of the Win32 namespace. Since we’re dealing with Microsoft Windows machines, we thought, why not go to the grand-daddy of all network configuration utilities – NETSH? So this week we primarily will use NETSH to gather the information.

We didn’t do much parsing this week (we do have day jobs too), but to query the information on a system’s adapters, we would use the following script:

echo "The following is the list of adapters and MAC Addresses as supplied by WMI calls:"
Get-WmiObject win32_networkadapter | Select-Object Name,MACAddress

echo "The following is the IPv4 network configuration as supplied by the netsh command:"
netsh interface ip show config

echo "The following is the IPv6 network configuration as supplied by the netsh command:"
netsh interface ipv6 show interfaces
netsh interface ipv6 show subinterfaces
netsh interface ipv6 show dnsservers
netsh interface ipv6 show addresses
netsh interface ipv6 show global
netsh interface ipv6 show teredo

There will be more NETSH scripts to come, but we figured we would show you the basics first. Enjoy!

Script for Network Share Baselines

Today we’re going to continue blogging about scripts that we can use to create system baselines. (For a primer on why you might want to consider performing a system baseline or for a process for performing system baselines, check out our previous blog entries here.)

As we discussed earlier as well, we are going to rely primarily on PowerShell to pull this information for us. So all of the scripts you will see in this series will be written as PowerShell scripts. For your sake, make your life easy, and install PowerShell version 2.0, that will give you the latest and greatest functionality and give you the same development environment we’re primarily using to write these scripts.

Today’s script should give you a list of the shares installed on an individual machine and that share’s path on the local file system. In other words, this script gives us a snapshot of the local directories on a machine that are shared on the network. Again for this script we are going to access the WMIObject via PowerShell and access the Win32 component. Eventually we’ll explore other namespaces, but when this space is so productive, why make it harder than we need to? So here is the script you would run if you want to query this share data:

Get-WmiObject win32_share | Select-Object Name,Path

Enjoy! We look forward to providing you more fully featured scripts as the year progresses. If you do have any requests, don’t be shy, and feel free to make requests too.

Script for Locally Installed Software Baselines

Today we’re going to continue blogging about scripts that we can use to create system baselines. (For a primer on why you might want to consider performing a system baseline or for a process for performing system baselines, check out our previous blog entries here.)

As we discussed earlier as well, we are going to rely primarily on PowerShell to pull this information for us. So all of the scripts you will see in this series will be written as PowerShell scripts. For your sake, make your life easy, and install PowerShell version 2.0, that will give you the latest and greatest functionality and give you the same development environment we’re primarily using to write these scripts.

The script we’re going to use today will be useful if you want to discover what software is installed on a given machine. This will not detect stand alone binaries that are copied to a computer (for that we would need to reference a file system object and look for all applications). But if you’re just looking for a basic listing of all the installed applications on a machine, then this is the script for you:

Get-WmiObject win32_product | Select-Object Name,Vendor,Version

Enjoy! We look forward to providing you more fully featured scripts as the year progresses. If you do have any requests, don’t be shy, and feel free to make requests too.

Script for Local User and Group Baselines

In keeping with my New Year’s resolutions, I want to continue posting information on how an auditor might take advantage of baselines when performing an Information System (IS) audit. Certainly I hope system administrators will be able to take advantage of this information as well when performing their own Control Self Assessments (CSAs).

As we discussed earlier as well, we are going to rely primarily on PowerShell to pull this information for us. So all of the scripts you will see in this series will be written as PowerShell scripts. For your sake, make your life easy, and install PowerShell version 2.0, that will give you the latest and greatest functionality and give you the same development environment we’re primarily using to write these scripts.

So to get started with our baseline scripts, we are going to use a couple easy scripts to produce a list of the user accounts and the groups on a local Microsoft Windows machine (Windows 2000 or later). In order to produce a list of local user accounts, try the following command:

Get-WmiObject Win32_UserAccount -filter "LocalAccount=True" | Select-Object Domain,Name,Disabled

For a list of groups on a local machine, try the following command:

Get-WmiObject Win32_Group -filter "LocalAccount=True" | Select-Object Domain,Name

Now, could we have used WMIC to do much of the same work, of course! But for the sake of this series we are going to use PowerShell instead. Once everyone gets a taste for the simple scripts, then we’ll move on to slightly more difficult ones next. So let’s stay in the same language to be consistent.

Enjoy! We look forward to providing you more fully featured scripts as the year progresses. If you do have any requests, don’t be shy, and feel free to make requests too.

Examples of System Baselines

Ok, it sounds like we should have one more point of clarification. In our last blog post we posted about a process to follow for creating and maintaining system baselines. But after thinking about it, one more thing auditors, or administrators performing Control Self Assessments (CSAs) might want to consider what types of baselines could be gathered to comprehensively asses a system.

Some baselines an auditor might want to gather would be:

·         User accounts / Group memberships

·         Running services

·         Installed software

·         System security configurations

·         Installed hardware devices

·         Removable devices

·         System performance

Most definitely there are more baselines than this that we might consider gathering. But this should be a good place to start on a system. Network devices or applications might want to consider other criteria, but this is a good starting point for systems.

For the rest of the year we have decided to post specific methods for gathering baselines. We want to provide practical methods and scripts for gathering information from systems. We hope they’re helpful to everyone. If you have any requests, please don’t hesitate to drop us a line and let us know!