When it comes to IT governance, it’s one thing to have staff completing compliance risk management processes; it’s quite another to be confident that everything is indeed in line and secure. Understanding your level of compliance and how it relates to business risk is more than simply asking IT staff: “How are things?” or “Are we secure?”
The best way to ensure that you’re getting good information surrounding compliance risk management is to trust but verify. Asking the right questions and getting involved with the security management process are sure ways to bring light to some issues that have been shrugged off or even undetected — sometimes for years. Here are some pointed questions you can ask of those responsible for day-to-day network and system administration to ensure that you’re not creating a monster by making high-risk assumptions:
1. What high-priority items were found during our most recent Web application penetration test? What’s the plan for fixing these issues?
2. What patches were missing during our last vulnerability scan?
3. Why are patches continually showing up as missing on our Windows servers and database systems?
4. How are we managing event logs and correlating potential security incidents? How long are these logs being kept?
5. Our passwords seem pretty secure for our main network logons, but what about for our Web applications, firewalls and all the random database servers scattered around the network?
6. Given our current configurations, what’s the business risk of someone losing a laptop or having their smartphone or iPad stolen?
7. What security incidents have been prevented over the past “X” number of months?
8. How do we know our traditional desktop antivirus software is actually keeping our endpoints secure?
9. What are we doing to proactively prevent data from leaking out of the network unnoticed?
10. Have you seen any protocol anomalies on the network recently when compared with your known baseline? Are any odd systems like workstations, smartphones and rarely-used servers showing up as top talkers on the network?
This is hardly an exhaustive list, but these are some of the major security oversights and risks I see on a consistent basis. If everything appears to be hunky-dory in IT, odds are you need to probe further. Complacency, poor time management and the desire for job security often get in the way of what’s really going on.
One of your main goals for compliance risk management should be to ensure you’re getting the right information at the right time so you, your peers and your executives can make the right decisions. Anything short of this will merely set your compliance program up for failure in the long term.