15. Exercise: Measurement and Reporting

Answer the questions below related to control measurement and reporting deficiencies.

Question 1.

Your organization uses a user behavioral analytics platform to aid your security team in identifying potential threats. What type of control is user behavior analytics?

SOLUTION: Detective

Question 2.

Your organization employs VLANs on its routers to ensure that users and traffic from certain parts of your network infrastructure are unable to reach other parts of your network infrastructure. What type of control are VLANs?

SOLUTION: Preventive

Answer the following scenario:

QUESTION:

Your company maintains a vulnerability management procedure which states, "vulnerabilities will be remediated on the following schedule (High - 30 days, Medium 60 days, Low 120 days)". How would you design a test to ensure that the control is functioning as expected?

ANSWER:

For this test, the procedure provides specific timelines, and it is important that the organization meets them. You could design a test that samples remediation tickets created by the information security team to see when each vulnerability was discovered and when the ticket was closed as remediated, then compare the elapsed time with the schedule for that severity. Alternatively, some vulnerability management tools have robust reporting that can show when a vulnerability was first added to the report and when its last occurrence was seen.
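As an added example (not part of the course material), the following Python script implements the ticket-sampling test described above against a small constructed set of remediation tickets. The `Ticket` fields, ticket ids and dates are assumptions made for this example; the remediation schedule is the one quoted in the scenario. Open tickets are measured against an as-of date, so an overdue item that is still open is reported alongside tickets that were closed late.

```python
import random
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Remediation schedule quoted in the scenario's procedure (calendar days from discovery).
SLA_DAYS = {"High": 30, "Medium": 60, "Low": 120}


@dataclass
class Ticket:
    """One remediation ticket; the field names are assumed for this example."""
    ticket_id: str
    severity: str
    discovered: date
    closed: Optional[date]  # None means the ticket is still open


def days_open(ticket: Ticket, as_of: date) -> int:
    """Days from discovery to closure, or to the as-of date for tickets still open."""
    end = ticket.closed if ticket.closed is not None else as_of
    return (end - ticket.discovered).days


def within_sla(ticket: Ticket, as_of: date) -> bool:
    """True when the ticket was closed (or is still open) inside its schedule."""
    return days_open(ticket, as_of) <= SLA_DAYS[ticket.severity]


def sample_tickets(tickets: List[Ticket], n: int, seed: int = 0) -> List[Ticket]:
    """Draw a reproducible random sample so the tested population can be documented."""
    return random.Random(seed).sample(list(tickets), min(n, len(tickets)))


def sla_report(
    tickets: List[Ticket], as_of: date
) -> Tuple[Dict[str, Dict[str, int]], List[Tuple[str, int, int]]]:
    """Per-severity tested/compliant counts, plus (ticket_id, days_open, allowed) per breach."""
    summary = {sev: {"tested": 0, "compliant": 0} for sev in SLA_DAYS}
    breaches = []
    for t in tickets:
        if t.severity not in SLA_DAYS:
            raise ValueError(f"{t.ticket_id}: severity {t.severity!r} has no schedule")
        summary[t.severity]["tested"] += 1
        if within_sla(t, as_of):
            summary[t.severity]["compliant"] += 1
        else:
            breaches.append((t.ticket_id, days_open(t, as_of), SLA_DAYS[t.severity]))
    return summary, breaches


# Constructed sample population (not real ticket data).
AS_OF = date(2024, 6, 30)
TICKETS = [
    Ticket("VM-101", "High", date(2024, 1, 2), date(2024, 1, 20)),    # closed in 18 days
    Ticket("VM-102", "High", date(2024, 1, 5), date(2024, 2, 20)),    # closed in 46 days: breach
    Ticket("VM-103", "Medium", date(2024, 2, 1), date(2024, 3, 15)),  # closed in 43 days
    Ticket("VM-104", "Low", date(2024, 1, 10), None),                 # still open after 172 days: breach
    Ticket("VM-105", "Medium", date(2024, 5, 1), None),               # open for 60 days, at the limit
]

if __name__ == "__main__":
    summary, breaches = sla_report(TICKETS, AS_OF)
    for sev, counts in summary.items():
        print(f"{sev}: {counts['compliant']}/{counts['tested']} within {SLA_DAYS[sev]} days")
    for ticket_id, days, allowed in breaches:
        print(f"BREACH {ticket_id}: {days} days open, schedule allows {allowed}")
```

In practice the tickets would be exported from the ticketing or vulnerability management tool; the point of the script is that the test records which tickets were examined, how elapsed time was computed, and which items exceeded the schedule, so the result can be re-run at the next assessment.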

Answer the following scenario:

QUESTION:

Your company has committed to updating your Information Security Policy at least once annually and ensuring that it is reviewed and approved by senior leadership. What mechanism might you use to ensure the control is working as expected?

ANSWER:

You might review the policy and look for a revision schedule at the beginning or end of the policy that shows when changes were made and when and by whom the document was approved. If the document has a revision schedule but lacks acknowledgment of senior leadership, you may additionally look for evidence of correspondence between the policy owner and senior leadership seeking their approval of the current document version.

Answer the following scenario:

QUESTION:

Your organization is undergoing significant transformation of its network infrastructure. As a result, the information security group has created a security control to ensure that no unauthorized changes are made to any firewall rules. Before a rule is changed or a new rule is implemented, the change must go through a change management process where each change is given formal approval. How would you design a test to ensure that every firewall rule change or addition has gained change management approval? Can you think of any way to automate or enhance your method?

ANSWER:

Many governance assessments can be accomplished through sampling. In this case, it is entirely possible to accomplish the test by sampling a number of firewall rule changes and additions and comparing them to what was presented and approved during the change management process. The weakness of this approach is that sampling at a single point in time could allow gaps to open later that would not be caught until the process was retested. It may therefore be possible to assess the control more frequently (daily, weekly, etc.) or to automate reporting that shows firewall changes as they happen.
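As an added example (not part of the course material), the following Python script sketches the automated reporting suggested above: it reads firewall audit log entries and reconciles each change against change-management records. The log line format, the `ticket=` field, the approval record structure and the status strings are all assumptions for this example, as are the constructed log lines and ticket ids. A change passes only if it cites a known ticket that was approved before the change was applied; everything else is reported as an exception for the assessor to follow up.

```python
import re
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed audit format for this example: one change per line, "ticket=" optional.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) rule=(?P<rule>\S+)"
    r"(?: ticket=(?P<ticket>\S+))?$"
)


def parse_ts(value: str) -> datetime:
    """Timestamps are assumed to be UTC in the form 2024-03-01T10:15:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def reconcile(log_text: str, approvals: Dict[str, Tuple[str, str]]) -> List[Dict[str, str]]:
    """Match every firewall change to an approved change ticket; return the exceptions.

    approvals maps ticket id -> (status, approval timestamp). A change is clean only
    when it cites a known ticket whose status is 'approved' and whose approval
    timestamp is not later than the change itself.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m is None:
            # An entry we cannot parse is itself reportable: the control cannot vouch for it.
            findings.append({"rule": "?", "action": "?", "user": "?", "code": "UNPARSED", "line": line})
            continue
        change = m.groupdict()
        ticket = change["ticket"]
        code = None
        if ticket is None:
            code = "NO_TICKET"
        elif ticket not in approvals:
            code = "UNKNOWN_TICKET"
        else:
            status, approved_at = approvals[ticket]
            if status != "approved":
                code = "NOT_APPROVED"
            elif parse_ts(approved_at) > parse_ts(change["ts"]):
                code = "LATE_APPROVAL"  # approved, but only after the rule was already live
        if code:
            findings.append({"rule": change["rule"], "action": change["action"],
                             "user": change["user"], "code": code, "line": line})
    return findings


# Constructed firewall audit entries (not from a real device).
FIREWALL_LOG = """\
2024-03-01T10:15:00Z user=alice action=ADD rule=allow-tcp-443-dmz-web ticket=CHG-1001
2024-03-02T09:00:00Z user=bob action=MODIFY rule=allow-tcp-22-mgmt ticket=CHG-1002
2024-03-03T16:40:00Z user=carol action=ADD rule=allow-any-any-temp
2024-03-04T11:05:00Z user=bob action=DELETE rule=deny-smb-guest ticket=CHG-1003
2024-03-05T08:30:00Z user=alice action=ADD rule=allow-udp-53-dns ticket=CHG-1004
2024-03-06T13:20:00Z user=carol action=MODIFY rule=allow-tcp-3389-jump ticket=CHG-9999
"""

# Constructed change-management export: ticket id -> (status, approval timestamp).
APPROVALS = {
    "CHG-1001": ("approved", "2024-02-28T14:00:00Z"),
    "CHG-1002": ("approved", "2024-03-02T12:00:00Z"),  # approved three hours after the change
    "CHG-1003": ("rejected", "2024-03-03T09:00:00Z"),
    "CHG-1004": ("approved", "2024-03-04T17:00:00Z"),
}

if __name__ == "__main__":
    for f in reconcile(FIREWALL_LOG, APPROVALS):
        print(f"{f['code']:15} {f['action']:7} {f['rule']} (by {f['user']})")
```

Run daily against the previous day's audit entries, this turns the point-in-time sample into a continuous check, and the exception list doubles as evidence that the control was tested on every change rather than on a handful of them.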

Question 6.

Which of the following might you consider before designing a corrective action plan for an ineffective control? Check all that apply.

SOLUTION:
  • Budget
  • Organizational Strategy
  • Security Risk
  • Operational Risk
  • Level of effort
  • Control owner input

Answer the following scenario:

QUESTION:

Recently, you spent time assessing the effectiveness of several of your organization's cybersecurity controls. One of the controls you assessed was your organization's full disk encryption (FDE) platform. The platform is intended to ensure that all of your organization's laptop hard drives are encrypted. You sampled several work order tickets for the provisioning of new laptops, and all of them showed that hard drive encryption was implemented. You decided to go a step further and ask for a report from your laptop administrators. The report shows that about 15% of laptops are not currently encrypted. Is the control effective? Are there additional questions you might ask? What would you report about this control?

ANSWER:

This scenario shows that it may be necessary to dig deeper than the initial testing when assessing controls. Had you stopped after examining work order tickets, the control would have appeared fully effective. In this case, we still do not know whether the control is effective. Strictly speaking, the control is not 100% effective, given that 15% of laptops are not currently encrypted, but you may want to understand more about its implementation: When was the control implemented? Of the 15% of laptops that are unencrypted, were any issued before the control was implemented? How many were issued after? Is there already a plan in place to bring the 15% of laptops into compliance? Are the laptop administrators doing any additional monitoring? I would likely report that the control isn't operating at 100%, but I would need to understand more information about the current state and risk before recommending corrective action.