Good day to all. As we continue to work through the issues of the day, which keep growing in number, we need to remember to focus on our foundations in security and data governance. (The issues of the day of late being Heartbleed, the latest IE vulnerability and the iPhone encryption gap; insert deep sigh here, etc.)
In the Legal industry, we continue to see articles scrutinizing law firm security, and our clients are continuing to review our controls. These are actually good things for us to see and participate in. To be honest, I prefer to be in this industry at this exciting time. We are all in this at a great time to mold and improve the overall programs in our respective Firms. We have ISO, the SANS Top 20 and so many other frameworks to help us along that path. My blog today is simply a reminder to sit back and not lose focus on the basic 101 items that build a solid foundation for a robust Information Security and Data Governance Program.
The questions to ask ourselves include the following: Do we have an accurate, efficient and flexible asset management system and procedure? Do I truly know where my assets are, their age, their lifecycle and their current state? Do I know the same about all of the software running in my Firm? What daily, weekly and monthly reports are being created and reviewed to ensure I know who, what, when, where and why? Do I know what systems are currently on my network and their patch level? Did I know yesterday, and will I know tomorrow? Am I generating and retaining the correct logs for the correct applications and systems? Finally, how about identity management: do I know who has access to what, and am I certain it is authorized and appropriate?

I know these are mostly simple questions, and that obtaining the answers is not that simple. Therefore I will leave off with a simple note: make sure you are sitting down with the appropriate teams in your Firm and reviewing the appropriate controls to identify, for yourself, where the gaps are. I recommend looking up the SANS Top 20 Critical Controls and reviewing them against your current security posture and program (schedule this quarterly). After reviewing all of these, you will find plenty of places to improve on the 101 in your organization. Finally, when you fix any of these items, please write it down in a policy, procedure, standard or guideline. This will help to prevent history from repeating itself inside your Firm. Thank you for reading, and best of luck to us all, as we know it's always easier said than done.