The risk of lack of maturity with respect to information security

Intellectual maturity in the matter of information security technology are necessary items for any type of company, in any branch or segment.

These basic needs of how to determine who and what people may or may not have access, are often talked about and understood as something abstract and understood as company culture, and most of the time these have no controls and the technological maturity failure makes exposing the company to great risks, in which a breach can cause those who created the rule to break it.

Security is imposed, but it is broken.

There are rules, those same ones conceived as company culture, be it rules for organizing the room at a certain time, or not leaving paper on the table when you are away, among others, every rule exists in a company to avoid any risk.

We are all afraid of something, this fear comes because of some risk of some event or threat actually happening, that is why many times when walking on the street, we do not walk with our cell phones on display for example, and, in the company, we don't always have this care.

Having a notebook with passwords, a paper with user and password on the computer screen, is the same thing as leaving the house key in front of the closed house. Anyone can go there, get the key and get in, and do whatever they want, right? There are controls, such as door, cameras, but they are not effective.

The ideal is for each employee to have his credential, his access, and this is not luxury, this is a mandatory item and should be followed by all types of companies, and with non-transferable access, and if there is access sharing, both have to be canceled immediately. after all, who is doing what?

He has implemented security, but the manager wants to have access to what he cannot.

It is always like this, the limitation, restriction, rules have arrived, there are people who do not support this, and it is useless to someone wanting to implement the rule without even having enough hierarchy for such implementation, because people with higher hierarchical levels, will say "break this, do it this for me "or receives threats in more serious cases.

A new computer arrived at the company, it is not part of the domain, and there comes the manager trying to access the company server without even having the computer audited, and complains about certain items not working, and says he doesn't want to have problems like these .

Now, if there is a control to prevent strange machines from accessing the network, it obviously will not work, but it is useless, the security specialist has his hands tied if at least he is not a partner in the company, otherwise the risk is that he will be sent though.

The "security guy" is always to blame.

No, this is totally wrong. The security professional must keep the controls applied and in operation, including monitoring and auditing, in addition to also seeking to find new risks and threats in current and new technologies, as well as the controls to mitigate their risks.

If something in the company is not in agreement, something elementary that is part of maturity is not working. The minimum of the minimums is to have documentation of the scope that governs information security, without this, there is no security, and this is not the "security guy" who does it, it is the partners, owners, investors, or also called "stakeholders" . There is no point in placing a network administrator or Harvard-trained specialist, if the minimum is not established by who should establish it.

The lack of information security policy for a control, breaks the control.

A certain control was implemented, now everyone must follow this control. Now one of the partners of the company comes with a pen-drive in his pocket, cell phone, camera, and all the controls go down the drain simply because he is the partner who owns 80% of the investments in the company. Do you try to log in with your credential on a machine that you brought from somewhere and who is the "security guy" no matter how much another partner is able to ask to inspect the machine, pen drive, cell phone, etc.?

Where is the Information Security Policy aligned with all partners and experts on the day of the meeting? It's for everyone to follow, right? Everyone signed the term, didn't they? If everyone agrees, the "security guy" will do his job smoothly, without fear of losing a job by talking to anyone.

The "security guy" is to blame for the threat.

Or is it the policy that was poorly planned with stakeholders? The information security specialist will seek and apply controls through the policy, and, in monthly meetings or at least annual meetings with all stakeholders present, present ideas for improvements to complement the policy, and only if approved, will be part of the scope.

Therefore, within the scope, it will be treated.

Nobody ever told me it would take a week to get this back!

This is the excuse for a risk that just happened with an information asset, but, where is the spreadsheet and / or document showing the risk appetite for a given threat? There it also has the Recover Point Object, an item where it says it can wait a certain period without affecting the company. The controls were developed to meet the deadline.

Missing the document again? I know, but imagine a company that barely knows what is domain login or computers that are part of the domain and / or not? As ridiculous as it may be: many companies are totally unaware of this.

Password theft in the absence of maturity.

A computer arrived at the company, put it on the network, it's a computer that is always on the street, you don't know where it is, and someone logs in and generates an error. The network administrator arrives and looks at the machine's domain and the person was typing his login into a local domain (machine itself).

And, if the infiltrated machine was just a Trojan horse ready to take this or that employee's password and send it by e-mail? The person unfortunately did not know how to see the domain and will blame everyone for not making the machine work, without even having an idea of what he just did.

The information security profile

Information security has grown in recent years in several companies, but still due to the lack of maturity of many, it is impractical to implement and configure controls, and impracticable to mitigate risks, leaving them exposed by the most diverse arguments by those who it should promote security and a strong policy, and a well-defined scope.

No comments