Opinion: In the IT security world, policies and controls are king

Paperwork may be dull, but it's a vital part of an IT security manager's role, says Roger A Grimes

Over a decade ago, Stephen Northcutt, one of the original founders of the SANS Institute, recruited me to help plan a course purely about security policies and procedures. At the time, I was all about hands-on hacking and defending, and I saw little value in a course purely focused on "paperwork." It took me a long time to realise that without the paperwork, you don't get any real security.

Almost all security professionals can secure their own computers by tightening down the right settings, applying all the needed patches, properly configuring the firewall, and making sure their antivirus definitions are up to date. The challenge is doing that for hundreds or thousands of machines — PCs, laptops, servers, mobile devices — running different applications or platforms. Documenting and enforcing policies and controls is necessary for us to apply all the good advice in our heads to all the machines that we control. You could even implement the best security possible across a large number of computers to the point of perfection in a particular moment in time. But without policies and controls, that perfection won't last long. It took me years of real-life experiences to learn that policies and controls are king. The technical pros are the fiefs and knights.

If your organization is behind on written policies, look to SANS: It continues to be one of my favorite resources for all manner of security information, including guidance and resources on the paperwork side of things. For instance, SANS recently released its top 20 Critical Security Controls for review. As expected, it's par excellence, mostly because of how comprehensive it is: Both knights and kings were clearly involved. Each control has many specific "quick win" recommendations. Some are more detailed than others, but they all should be part of any computer security defense. I encourage defenders to take a look to see what you can learn from it.
Here's the summary list:

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
5. Boundary Defense
6. Maintenance, Monitoring, and Analysis of Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based on the Need to Know
10. Continuous Vulnerability Assessment and Remediation
11. Account Monitoring and Control
12. Malware Defenses
13. Limitation and Control of Network Ports, Protocols, and Services
14. Wireless Device Control
15. Data Loss Prevention
16. Secure Network Engineering
17. Penetration Tests and Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Appropriate Training to Fill Gaps

I encourage those interested to read the large PDF version of the document. Also, I recommend that anyone running the security defenses at an IT shop take a look at the control recommendations and note where his or her organisation's policies, procedures, and implementations have gaps.

The list is not ranked in order by priority. You would first have to determine what your organization's risks are, decide what is not being optimally addressed, and then go about fixing the gaps. For instance, in most companies the biggest risk leading to the most compromises is end-users installing things that they shouldn't, such as malware. Controls under the umbrellas of Malware Defenses and Controlled Use of Administrative Privileges are the ones most likely to appropriately address those related problems. When you have end-users installing fake antivirus programs, boundary defenses, secure network engineering, and the like aren't going to get you a lot of bang for your buck.

I especially like that the controls include inventories.
I'm surprised by how many IT shops have no idea what software and hardware is used within their environment, especially the unmanaged components. The only other inventory item I would add is data inventory. All the controls we are mentioning are to manage the data, and you can't implement the Data Loss Prevention control if you don't know where the data is. Again, I encourage computer security defenders to download and review the bigger document. You will improve your ideas — you won't be able to help it.