Raymond Pompon
Seattle, Washington, USA
Any source code or other supplementary materials referenced by the author in this text is available to readers at www.apress.com. For detailed information about how to locate your book’s source code, go to www.apress.com/source-code/.
ISBN 978-1-4842-2139-6
e-ISBN 978-1-4842-2140-2
DOI 10.1007/978-1-4842-2140-2
Library of Congress Control Number: 2016952621
© Raymond Pompon 2016
IT Security Risk Control Management: An Audit Preparation Plan
Managing Director: Welmoed Spahr
Acquisitions Editor: Susan McDermott
Developmental Editor: Laura Berendson
Technical Reviewer: Mike Simon, Dena Solt
Editorial Board: Steve Anglin, Pramila Balen, Laura Berendson, Aaron Black, Louise Corrigan, Jonathan Gennick, Robert Hutchinson, Celestin Suresh John, Nikhil Karkal, James Markham, Susan McDermott, Matthew Moodie, Natalie Pao, Gwenan Spearing
Coordinating Editor: Rita Fernando
Copy Editor: Kim Burton-Weisman
Compositor: SPi Global
Indexer: SPi Global
For information on translations, please e-mail [email protected], or visit www.apress.com.
Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional use. eBook versions and licenses are also available for most titles. For more information, reference our Special Bulk Sales–eBook Licensing web page at www.apress.com/bulk-sales.
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.
Printed on acid-free paper
To all the defenders out there working unnoticed to keep us safe.
Far and away the best prize that life has to offer is the chance to work hard at work worth doing.
—Theodore Roosevelt
Growing up before the Internet invaded everything, my discovery of computers in my teen years was akin to discovering and exploring a new hidden alien world. That shiny TRS-80 in my high school library was a magical portal of unlimited possibilities. I’m happy to say that that magic still tickles my brain. As I grew in knowledge and skill, I delved deeper into technology’s sorcerous mysteries: programming, dial-up communities, the Internet, hacking culture. It was here that I found IT security: the most engaging, most challenging, most thought-provoking aspect of computing. Security feels like a never-ending undersea duel between remote-controlled fleets of submarines during uncertain weather conditions.
Congratulations for choosing to work in IT security—doing combat engineering in the war zone of the Internet. It’s exciting and exacting work, where a single lapse can mean a hole that an invisible intruder can creep into. Security can also be the kind of work that not everyone appreciates. Much like airport security, IT security gets in the way, slows us down, and creates a hassle. Many people see security as overhead that apparently contributes nothing to revenue or growing the customer base.
Security defines its best successes to be when nothing happens. After a long period of these kinds of successes, an organization ponders whether you are necessary or not. Then you have to deal with the bothersome chore of justifying what you’ve done to an auditor and the budget axe.
When things do go wrong, many quickly accuse the security team of negligence and ineptitude. Breaches often end up as headlines, embarrassing the whole organization. IT security teams can be trotted out by their own organization as the scapegoats. All of this humiliation is suffered while knowing that the bad guys have outspent, outlasted, and outwitted you.
It’s not enough to discourage me, though. There is the thrill of the chase and arrest of the perpetrators. I’ve helped take down a tiny fraction of them, but that’s ancillary to what matters. What IT security does is protect privacy, bolster confidence, and keep vital systems up. It feels good to make critical systems more durable and predictable—and maybe knowing that you’ve deprived some creep of one less victim. I am energized by designing new systems and making them resilient in the face of a horde of attackers. There’s joy in digging deep and figuring out where the holes are, where the best place to bolster the defenses is, and then untangling all of this for the financial decision makers. It’s more compelling than all the puzzles and video games in the world. IT security is an interesting and challenging field, which rewards dedication and open-mindedness.
This book is framed to walk you through building a security program for an organization about to be audited. Even if you don’t think you’re going to be audited, this is still a useful way to approach a security program. If you think you’re not going to be audited, think again.
Even if you aren’t being audited, it’s useful to act as if you will. The threat of outside scrutiny focuses your attention and keeps you from getting sloppy. For some, the fear of an audit is greater than a fear of hackers. Audits force you to be thorough and organized in your work.
Where do you begin with all of this? IT security requires practitioners to have a strong working knowledge of the fundamental mechanisms of a wide area of technology. This includes experience with the implementation and management of those systems. IT operations such as help desk support, asset inventory, patching, and system configuration are all key components of an organization’s defense. Since a majority of attacks come in via the Internet, a good understanding of Internet protocols and network technology is essential.
As you will be risk-analyzing software and systems of software components and strapping controls onto them, IT security professionals should at least have a fundamental grasp of programming. A good measure of this is being able to create something simple but useful in a basic scripting language like PERL, Bash, or PowerShell. Bonus points for doing something in Ruby/Python/Java.
IT security professionals also benefit from a basic knowledge of databases. Since most large IT systems are built upon a database of some sort, it’s helpful to know a little SQL. You should at least be able to write queries and understand how tables and indices work. You don’t need to become a DBA, but tinker with something like SQLite or MySQL.
As you can see, IT security professionals need to keep up with technology. Keeping up is part of the job. Since you’re reading this book, it’s likely that you already don’t mind doing homework to improve your skillset. That’s the first lesson of IT security: never ever be complacent.
One of the most interesting things about IT security is the requirement to study a diverse range of related disciplines. To be effective, IT security professionals need to branch out of technology. Within an organization, IT security works with many different departments at an operational level, including human resources, physical security, accounting, legal, business development, software development, and sales. This means helping these departments modify and redesign business processes to accommodate security and audit requirements. IT security professionals need to have knowledge of key organizational financial processes, such as budgeting, revenue flows (sales), disbursements, and the related business cycles. This book gets into how this happens.
Knowing the organization’s sector and competitive space is also important, as you may be sharing and comparing information on common risks and regulations amongst your industry peers. Nearly every major organizational sector has peer groups dedicated to security that you should consider joining, and whose information feeds you should subscribe to. Just plug ISAC (Information Sharing and Analysis Center) and your industry name into a search engine and see what you get.
Since many of the things that IT security does are projects, it’s helpful to have project management skills. I’ve been managing projects for decades and I’m still not satisfied with how well I run a project. Many organizations get hacked because they’ve skipped a few simple but tedious details somewhere in the implementation or routine process.
IT security professionals should understand how corporate culture works and how it differs from organization to organization. This understanding is crucial in being a change agent and educator. It means being able to present orally and in writing. In addition, we should have a good working knowledge of the psychology of risk. This means understanding how people react to risk and how to frame risk so that they can make optimal decisions. You should also be aware of the common fallacies and traps people fall into when weighing risky decisions. We’ll get into this a lot more in the book.
IT security professionals need to know something about the law. This includes obvious things like security and privacy regulations, including US federal and state laws, as well as international regulations, since the Internet is global. IT security professionals benefit from an understanding of contract law and liability, as well as the legal implications and requirements of commercial compliance standards and internal organizational policies. This is covered in more detail in the chapters of this book.
While IT security professionals should understand areas outside of technology, they should expect everyone else to be ignorant of security. So IT security professionals need to continually explain and justify IT security concepts for executives, project managers, human resource officers, legal counsel, physical security officers, and law enforcement.
This book follows a chronological progression of building a security program and getting ready for audit.
Part I: Getting a Handle on Things. A good way to develop a security program is to design with an audit in mind to focus attention and to ensure that all controls work as described. This section covers the audit focus, asset analysis, risk assessment, and scope design.
Part II: Wrangling the Organization. This section includes chapters on how to design, nurture, and incorporate an IT security program into a dynamic organization over time. You rarely have a chance to design a program when a new company is formed. Most companies are born without security and need it added later as they grow and experience more security incidents. A security professional is always growing and trimming their program to fit the needs of their organization. These chapters cover everything from high-level governance to how you work with the various teams.
Part III: Managing Risk with Controls. Once the risk and scope are fleshed out, controls can be applied to reduce the risk. This series of chapters covers the various types of controls and how you can best implement them. This is the biggest section, starting with control design and moving into the implementation details of technical and physical controls.
Part IV: Being Audited. This section covers the process of being audited. Its chapters describe how to hire an auditor and the mechanics of various types of formal audits. It also covers the healing power of internal audits and the auditing of your organization’s critical partners and suppliers.
A huge thank you to my family for the boundless encouragement, love, and support. Thank you and I love you Rebecca, August, and Theo. Thank you to my mom and Jim, who nudged me to do this.
Dad, I wish you could read this. Maybe in some way you are. You taught me so much.
Much gratitude to all my teachers and fellow artists who inspired and taught me at the Richard Hugo House. Special thanks to you, Frances, for opening up this geek’s world.
To the rest of the Conjungi gang: Cory, Mark, Sara, and Julie. I learned so much from all of you and I miss the heck out of you.
Thank you to everyone who worked hard and fast to make this book a reality: Mike for showing me the way and going above and beyond to help get this book done. Dena, who set me straight on the audit details. Kyle for giving me pointers along the way. Jana for a rocking author photo. Rita, for keeping me and everyone on track. Susan for taking a chance on a new author. Light is the task where many share the toil.
Raymond Pompon is currently the director of security at a global solutions provider in the financial services industry. With over 20 years of experience in Internet security, he has worked closely with federal investigators in cyber-crime investigations and apprehensions. He has been directly involved in several major intrusion cases, including the FBI undercover Flyhook operation and the Northwest Hospital botnet prosecution. For six years, Raymond was president and founder of the Seattle chapter of InfraGard, the FBI public-private partnership. He is a lecturer and on the board of advisors of three information assurance certificate programs at the University of Washington. Raymond has written many articles and white papers on advanced technology topics and is frequently asked to speak as a subject matter expert on Internet security issues. National journalists have solicited and quoted his thoughts and perspective on the topic of computer security. He is a certified information systems security professional as well as GIAC certified in the Law of Data Security & Investigations (GLEG).
Mike Simon has an education in computer science and 25 years’ experience designing and securing information systems. Mike is a well-known and highly respected member of the Northwest’s information security community. Mike is faculty at the University of Washington Information School, a published author, an active collaborator in the PRISEM project and other regional initiatives, and a subject matter expert in the energy and finance sectors. He has also integrated with law enforcement through contacts with the FBI, the Department of Homeland Security, and InfraGard.