IT security maintains a number of procedures to ensure control of data and services. In this video, you’ll learn about change management, onboarding, offboarding, playbooks, and more.
One of the most common security procedures for almost any organization is one related to change management. Change management assures that we have a set of processes and procedures each time a change is made to any of our systems. By putting in these checks and balances, we can help prevent downtime, confusion, and mistakes that come when changes are being made in the organization.
With change management, there are a series of steps in the entire process. We start with the process of determining what the scope might be for this change. Are we modifying a single server? Are we modifying multiple devices? And are we updating an entire operating system or a single file?
We also need to know how risky it will be to make this change. Are we making a change to an entire operating system or will this risk only affect one specific application running on that device? We will also need a formal plan for the change to understand exactly what part of these systems will be changing, and then we’ll need to get approval from the end user that these changes can indeed be made.
Most organizations will have a change control board. This board is responsible for analyzing all of the proposed changes and then approving and scheduling those changes. The change control board will also look to see that there is a backup plan. So if something doesn’t go well during the change process, there’s always a way to get back to where we started. And once that change is completed, we can document those changes so that everyone knows what was modified on those systems.
Security teams also deal with onboarding. This is the process of bringing someone into the organization, either a new hire or a transfer from another department. During this onboarding process, the security team will provide the new hire with the employee handbook or a list of the acceptable use policies that will need to be signed off and approved by the new hire.
New accounts will need to be created so the user can log in to the network, and we’ll also need to make sure that the correct rights and permissions are associated with this particular user. All that’s left is to give the new hire their laptop, mobile device, and any other technologies they’ll need to perform their job function, and they are now part of the network and can log in.
Just as we have formal policies and procedures for onboarding, we also need to create formal policies and procedures for offboarding. This way, we know exactly what should happen with all of the user’s assets when they decide to leave the organization. These procedures answer questions such as what happens to the hardware that has been assigned to this user and, perhaps more importantly, what happens to the data that is saved on that hardware.
It’s also a good best practice to disable the account associated with the user in case there are encrypted files or anything else that may need to be retrieved later. If we were to delete these accounts, it’s very possible that we could lose important decryption keys or important data that may be stored on those accounts.
It’s also very common for organizations to maintain a series of playbooks. These playbooks define a set of steps that should be followed in the case of a particular event. For example, if you need to investigate a data breach, there should be a playbook that describes exactly what should be done first, what should be done second, and so on. The same thing might apply to recover from ransomware. There should be a separate playbook for that, as well. There are obviously, then, a large number of playbooks that would be created providing that step-by-step overview of exactly what to do and when to do it.
Once we create this series of steps, we can also integrate them into more of an automated process. This is often integrated into a SOAR platform. That stands for Security, Orchestration, Automation, and Response. This SOAR platform allows us to integrate many third-party products into one single platform and be able to automate connections between all of those very diverse systems. This means we can automate some of the more mundane tasks and have the security teams concentrate on doing much more important work.
Technology never stops integrating. There are always new technologies and new processes that we need to integrate into our environments. That’s why we need to constantly monitor and in some cases revise the processes and procedures that we use on a daily basis. For example, we may need to update and create a stronger security posture. That means that we would need to tighten our change control process. We may need to create additional playbooks. There may be an acquisition of additional technologies required and anything else that can help us make our environment even more secure.
We might also want to look through our existing playbooks and see if there’s opportunities to make those playbooks more efficient or more secure. We might also want to create new playbooks if we happen to have installed new technologies into our infrastructure. We also have to keep an eye on any emerging threats. Attackers are always finding new ways to get into systems or take advantage of vulnerabilities, and we need to make sure that our playbooks, our processes, and all of our procedures take into account these new emerging threats.
The governance structure for many organizations starts with a board. Sometimes this is a board of directors. It’s a panel of specialists that set the tasks or the series of requirements for a committee to follow. These are usually very broad objectives, and it’s left up to the committee to determine the best way to implement those objectives.
Committees usually exist of subject matter experts and may include a member of the board as part of the committee. The committee will take direction from the board at what task needs to be accomplished, and then they’ll work on putting the next steps together to meet those particular goals.
Once that task has been completed, it can be presented to the board for approval or to have the board provide additional feedback or changes. If you’re working in the public sector, which would be a government organization, then there are a different set of policies and procedures. Many of the concerns associated with a governmental agency would be around legal issues, administrative requirements, and, in many cases, political issues. The presentation and scope of this information is also very different than a private organization. Since a governmental agency is working for the people, all of these meetings tend to be open to the public.
And for both public and private organizations, there are different ways to approach governance. One is through a centralized form, and the other would be decentralized. With centralized governance, there tends to be one group that handles the decisions for the entire organization. With decentralized governance, those decisions can be made by others, specifically those who may even be doing those particular jobs. There’s no right or wrong way to present this type of governance, but it needs to be one that works best for that particular organization.