With all of the recent excitement about the “Shellshock” remote code execution vulnerability in the bash shell, and the somewhat older news about SSL vulnerabilities, I am reminded once again of the need for organizations to formally manage information security as part of an ongoing process.

This should come as no surprise.  However, sometimes we forget that security is something that requires ongoing diligence.

As an example, I expect that the Shellshock bug will end up being found in a variety of software packages over the coming years, as code is eventually tested and vetted.  Add to that the need to maintain budgets, track audit findings and handle all of the other administrivia of day-to-day management, and it’s clear that some way must be found to manage these issues effectively over time.
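Before tracking Shellshock as an open item, a workgroup needs to know which hosts are actually affected.  The following is an added example, not from the original post: a POSIX shell function that runs the widely circulated test for the original Shellshock bug (CVE-2014-6271) against a bash binary.  A vulnerable bash executes the command appended to a function definition it imports from the environment, so the injected `echo vulnerable` shows up in the output before the real command runs.  The function name and the three result strings are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): local check for CVE-2014-6271.
# Usage: shellshock_check [path-to-bash]   (defaults to "bash" on PATH)
# Prints one of: VULNERABLE | patched | unknown

shellshock_check() {
    bash_bin="${1:-bash}"

    # Make sure the binary is present and runs at all; otherwise we cannot tell.
    if ! "$bash_bin" -c 'exit 0' 2>/dev/null; then
        echo "unknown"
        return 0
    fi

    # x='() { :;}; echo vulnerable' looks like an exported bash function.
    # Unpatched bash keeps parsing past the closing brace and executes
    # "echo vulnerable" while importing the variable, before running -c.
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)

    case "$out" in
        *vulnerable*) echo "VULNERABLE" ;;
        *)            echo "patched" ;;
    esac
}

# Stand-alone run: check the default bash on this host.
shellshock_check
```

This tests only the first Shellshock bug; the follow-on parser bugs that were fixed in later bash updates have their own test strings, and a clean result here does not mean a host is safe if it is still running an old build.  Whether a vulnerable bash is exploitable also depends on whether anything on the host (CGI handlers, DHCP clients, restricted SSH commands) passes attacker-controlled environment variables into it, which is exactly the kind of per-system finding a workgroup would record and track.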

Plan for Better Security

I am often asked by my customers how they can start getting better at security.  Rather than tell them to perform Nessus scans or harden systems (which are, of course, important), I usually tell them to formalize their information security management process.  To me, this means establishing a workgroup of key stakeholders in the organization that can meet regularly and track security issues over time.

Many IT workers operate in a crisis response mode, moving from issue to issue as circumstances demand.  As such, they have a hard time being proactive about security.  Instead, security becomes reactive, done in whatever time remains after “firefighting” duty.

It is understandably difficult to do a good job with security in this fashion.  One way to address this problem is to establish a formal IT Risk Management Workgroup (ITRMW) composed of key stakeholders, and set up regular meetings to plan for and respond to security risks.

An ITRMW might engage in tasks such as:

  • Developing and maintaining security policies, procedures and guidelines
  • Defining and maintaining security-related job responsibilities and duties for employees
  • Managing security training for end users and IT staff
  • Managing a budget for security over time, including labor and capital expenditures
  • Maintaining a task list of security actions, such as remediation of discovered issues, audit findings and planned improvements
  • Working with purchasing to promote the acquisition of secure products and services
  • And many others.

If you are interested in forming an ITRMW for your organization, I have created a draft policy that lays out the kinds of duties the group might take on, mapped to NIST SP 800-53 controls.  You are welcome to download and use this document HERE as you see fit!