Data Discovery: It worked for Data Privacy Officers
Security teams face a number of challenges. The growing extent and complexity of the technology environment that businesses utilise, the limitations of human capabilities to choose good passwords or avoid clicking on links, the increasing sophistication of attacks and attackers and the burgeoning regulations under which they operate.
Visibility of cyber risks
As a result of all of these highly fluid factors, the key issue is how your business gets visibility of the risks that it faces:
- Where are they?
- What are they?
- How big are they?
The internal and external audit functions clearly play a role in this – ensuring that controls are in place, working effectively and that exceptions are being identified and handled.
Essential 8 Auditor – video overview
Getting answers to the question “Where and how bad are my risks?” has never been harder. Audit teams are reliant on IT functions to operate the environment and also provide performance and control/risk data regarding it. There can be a deficit in knowledge and understanding between these two areas.
The GDPR effect
This post is not about GDPR, however GDPR compliance programmes often faced early challenges of the same magnitude to those that we listed above pertaining to security:
- What personal data do I hold?
- Where is it?
- Who has access?
- Is it accurate?
- Is it protected?
None of these are (or were) trivial to answer. As a result, many businesses embarked on a “Data Discovery” exercise, often under the guidance of their newly appointed Data Protection Officers who, like their colleagues in Audit today, lacked direct management responsibility for the IT networks and systems that held the data.
These data discovery exercises aimed to locate the files, databases, documents and repositories of personal data, and hence the associated risks, vulnerabilities, weaknesses in processes and compliance issues, i.e. they aimed to identify risks in networks and systems that the risk owner needed to be knowledgeable about.
Security “Data Discovery”
There is little point repeating a data discovery exercise for personal data itself (yes, it is important for GDPR, but that isn’t the be-all-and-end-all for security) in isolation and purely for security purposes. However, if security teams – or auditors – want to know where security risks lay the same type of process can be applied.
We need to look at sources of information that shine a light on security risks so they can be quantified for the business. Good examples are records of patches that have been applied to systems and their corresponding patch levels, version information etc.
This dataset provides a clear and direct way to understand the points in the network that could be attacked because known exploits could be used against them. Hence, they represent quantifiable points of risk in terms of number, location or sensitivity.
Another example might be the systems that have had recent successful backups (and those that haven’t where failures have occurred). These highlight areas of data integrity or availability risk – from deliberate attacks such as ransomware or insider misuse, as well as accidental threats such as hard drive failures or damaged laptops.
A last example might be the configuration of administrative accounts. Gathering the configuration of admin accounts and the contents of groups will flag process failings in the way higher-level access is granted and managed. It will also indicate whether or not users that hold them are putting the organisation at risk by using them routinely (instead of just for administrative work) or have them configured with wider powers than they need so that any changes or attacks using them are more serious and less contained.
Continuity and currency of data discovery
The challenge with this sort of data discovery exercise for security risk vulnerabilities, compliance issues and mis-configurations is that unlike with the personal data discovery exercises that GDPR spawned or financial audits and investigations, the state of the network and the threats affecting it change all the time.
Doing this kind of research as part of a one-off audit gives a useful “point in time” view, but this soon becomes out of date even if the control failures that were identified were subsequently addressed.
Security management is a constant and ongoing process, so the auditing of effectiveness and the measurement of risks must be likewise.
Auditors and compliance teams are increasingly seeking to have a continuously updated picture of risks that doesn’t require a standalone activity and doesn’t depend on seeking ad hoc information from the IT function every time it is necessary to update the risk dashboard that senior managers are provided with.
This means greater automation in the data gathering, analysis and reporting in order to enable security metrics and control effectiveness reports to be generated from performance data gathered directly and automatically from the environment itself.
In the current climate, when disruption has become normal and travel and site visits are difficult, the need for flexibility and remote, continuous understanding of security risks has never been more important for auditors and consultants.