
Info Security & Compliance Project

Success Tips from Veteran Security Execs

Wisegate Community Viewpoints


Introduction

The members of Wisegate are some of the most experienced IT and security executives and managers in the world. They work for multi-national corporations, educational institutions, government and non-profit agencies, and other types of organizations, large and small. Our members work in virtually every industry—retail, banking and finance, energy, medical and healthcare, insurance, education, government and more. They lead, and are responsible for the successful implementation of, every kind of large IT and security project you can imagine.

Even at their level, however, these top executives need a sounding board for their decisions. That’s one reason they join Wisegate—to have others in a virtual peer group who have no financial interest in a decision and who can openly share their experiences and insightful advice. They trade war stories, compare how to approach a problem, and share best practices. Our members claim that this kind of information shared among equals from different organizations is some of the most helpful and valuable insight a CISO can get. We asked our members to publicly share some of their sage advice based on their real-world experiences. The tips and advice you’ll find below are the kinds of things that can make or break a successful project. This is the information vendors will never tell you when they are asking you to sign the invoice.

Though we’ve categorized the pointers according to the type of project the Wisegate members worked on – Governance, Risk and Compliance (GRC), Identity and Access Management (IAM), and Security Information and Event Management (SIEM) – many of the tips apply generically to any type of IT or security implementation. This is your opportunity to learn from some of the best IT leaders in industry.

Success Tips for GRC Projects

Driven largely by compliance requirements for the Sarbanes-Oxley Act of 2002, many organizations are adopting a comprehensive approach to managing their governance, risk and compliance activities. GRC suites and toolsets automate the collection, correlation and reporting of information that indicates an organization’s holistic posture with respect to governance, risk and compliance. But more than that, GRC implementations can add business value through improving operational decision making and strategic planning. Implementation of a tool of this magnitude touches every aspect of an organization’s operations. The output of a GRC tool will be used to make the most significant decisions; therefore, “getting it right” is critically important. Several Wisegate members have traveled this road and offer the following advice:

» Make sure you understand the operational impacts of the product before you commit to it. GRC products are all-encompassing by nature. Your company’s top executives, in particular, will be impacted by a GRC implementation, so make sure they are willing to go through training and to adapt to the new system. “If I had understood the product when I was purchasing it I would have realized there is no way I am getting an executive to be trained on how to use it.”

» Perform a proof of concept, deploying all modules of the tool as part of the PoC. If the PoC is successful, use that instance for production. Following this process helps you cut costs and arrive at a working toolset more quickly.

» Most GRC tools come with connectors that enable quick integration with other security technologies and data feeds. Use them to reduce time and costs.

» Communicate extensively. Make everyone aware of the phased approach to using the toolset.

» It takes a mature organization with well-defined processes to deal with the workflow capability that a GRC tool provides. The workflow aspect of some products may require everyone in the organization to take training to understand how to use it. “The workflow of the product we chose meant that everyone had to learn how to use the expense reporting tool. That didn’t work for us since only a small number of privacy officers were the ones who were really in a position to answer the questions.”

» Understand that this is a tool that requires care and feeding. A program around GRC must be in place with proper policies, procedures and workflow. If you don’t have procedures and workflow around GRC, it can be easy to simply use whatever the tool has built in.

» Recognize that implementations can take much longer than expected. At the same time, don’t be afraid to pull the plug if the implementation isn’t going well. You just have to know when to stop throwing good money after bad. “We desperately tried to make it work because we wanted it to be a success. We should have probably stepped out of it two years before we did.”

» No matter what happens, try to maintain good relationships despite the challenges. “I built great relationships because in the end it’s all about the people.”

Success Tips for Identity Management Projects

Few people would dispute the importance of having a good system for identity and access management. One of the basic tenets of IT security is to carefully manage who has access to what, and when. But this is easier said than done when companies have to deal with multiple products, multiple platforms, external as well as internal users, and an increasingly mobile user base. These conditions lead to some fairly complex requirements, policies and rules. Wisegate members have seen and done it all.

» Start with a thorough assessment of what you are trying to do and really understand the integration points of the different systems and products. Understand whether the product you’re considering uses standards or requires customization. By taking this step at the outset, you can save yourself time and money in the long run. You might get pressure over taking your time to do this essential analysis and evaluation, so level-set your superiors that the selection process isn’t going to get done in a week.

» Make good use of other people’s experience with IAM. Before you buy, take the time to do phone interviews with people who have completed implementations of the same size as your project. Bring in a consultant who has specifically done this type of implementation to help with the assessment.

» If you have been evaluating a product and you are getting serious about buying it, send someone from your technical staff to training before you sign with the vendor. This gives you the opportunity to learn things you wouldn’t get from an evaluation, such as how well the out-of-the-box features will work for your organization. It’s better to learn these kinds of things before you make a commitment to a product.

“After we had signed on with the vendor, our people went to training. Then we found that some of the vendor’s out-of-the-box screens that end users may see could bring down the identity and access management system. This was a flaw that forced our teams, early on, to do custom screens.”

» Do product pilots, not just product evaluations.

» Clearly understand the product architecture and the implications of that architecture for your environment.

» Be sure to get good definitions of what the access roles need to look like—exactly what type of user would have access to what. This takes time to figure out.

» Don’t rush or bypass sufficient time for core identity data design. Aggressively pursue identity data quality issues.

» The more data available for a user in the backend repository, the more flexibility you have in making authorization decisions.

» Develop a provisioning maturity roadmap. Document manual processes, then move to request-driven auto provisioning, and only to full auto provisioning once data is of sufficient quality.

» Walk before you run in this space. Keep each step as simple as possible and then build on it.

» Follow best practices and standard configurations as much as possible.

» Allow time in your project timeline after development for testing to ensure your roles are correct.

» Ensure that end users understand the responsibility of the roles they hold for the organization. You may have to develop an acceptable use policy and a privacy policy. If you grant somebody access to sensitive information, you must make them realize the security implications behind it. You have to let them know they are a super user with these capabilities and that they can cause dramatic problems if they do not use them correctly. Additional training may be required depending on the role a person holds.
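The three identity-data tips above (define roles precisely, pursue data quality aggressively, and use richer backend attributes for authorization decisions) can be shown together in code. The following is an added example, not code from the Wisegate paper or from any IAM product: a small attribute-based authorization check that fails closed when a user's identity record has data quality problems. All user records, resource names, roles and the segregation-of-duties rule are constructed for illustration.

```python
# Added example: attribute-based authorization over a constructed identity
# repository, with identity data quality checks applied before any decision.

# Constructed sample identity records (not real data). Each dict is what an IAM
# backend repository might hold for one user after aggregating HR and directory feeds.
IDENTITY_REPOSITORY = [
    {"uid": "alice", "status": "active", "department": "finance",
     "roles": ["ap_clerk"], "manager": "carol", "hire_date": "2019-03-04"},
    {"uid": "bob", "status": "active", "department": "finance",
     "roles": ["ap_clerk", "ap_approver"], "manager": "carol", "hire_date": "2015-06-01"},
    {"uid": "dave", "status": "terminated", "department": "finance",
     "roles": ["ap_approver"], "manager": "carol", "hire_date": "2012-01-10"},
    {"uid": "erin", "status": "active", "department": "",
     "roles": ["ap_clerk"], "manager": None, "hire_date": "2021-09-15"},
]

# Hypothetical resource policy: a role alone is not enough; the decision also
# consults employment status and department, which only a richer record provides.
RESOURCE_POLICY = {
    "ap_invoice": {
        "read": {"roles": {"ap_clerk", "ap_approver"}, "departments": {"finance"}},
        "approve": {"roles": {"ap_approver"}, "departments": {"finance"}},
    }
}

REQUIRED_ATTRIBUTES = ("uid", "status", "department", "roles", "manager", "hire_date")
VALID_STATUSES = {"active", "terminated", "leave"}


def data_quality_issues(record: dict) -> list:
    """Return the identity data quality problems found in one record.
    An empty list means the record is clean enough to drive authorization."""
    issues = []
    for attr in REQUIRED_ATTRIBUTES:
        if record.get(attr) in (None, "", []):
            issues.append(f"missing {attr}")
    if record.get("status") not in VALID_STATUSES:
        issues.append(f"unknown status {record.get('status')!r}")
    roles = set(record.get("roles", []))
    # Constructed segregation-of-duties rule: nobody both enters and approves invoices.
    if {"ap_clerk", "ap_approver"} <= roles:
        issues.append("segregation-of-duties conflict: ap_clerk and ap_approver")
    return issues


def audit_repository(repo: list) -> dict:
    """Map uid -> issues for every record that has at least one data quality issue."""
    report = {}
    for rec in repo:
        issues = data_quality_issues(rec)
        if issues:
            report[rec.get("uid", "<no uid>")] = issues
    return report


def authorize(record: dict, resource: str, action: str) -> tuple:
    """Attribute-based decision: (allowed, reason). Fails closed on bad data."""
    issues = data_quality_issues(record)
    if issues:
        return False, "identity data quality: " + "; ".join(issues)
    if record["status"] != "active":
        return False, f"status is {record['status']}"
    rule = RESOURCE_POLICY.get(resource, {}).get(action)
    if rule is None:
        return False, "no policy for resource/action"
    if not rule["roles"] & set(record["roles"]):
        return False, "no qualifying role"
    if record["department"] not in rule["departments"]:
        return False, "department not permitted"
    return True, "allowed"


def lookup(uid: str) -> dict:
    """Fetch one record from the constructed repository (empty dict if absent)."""
    return next((r for r in IDENTITY_REPOSITORY if r["uid"] == uid), {})


if __name__ == "__main__":
    print("data quality report:", audit_repository(IDENTITY_REPOSITORY))
    for uid, action in (("alice", "read"), ("alice", "approve"),
                        ("bob", "approve"), ("dave", "approve"), ("erin", "read")):
        print(uid, action, authorize(lookup(uid), "ap_invoice", action))
```

Running it shows why the paper stresses data quality before full auto provisioning: bob is denied not because of his role but because the repository itself reveals a conflict, and erin is denied because her record is incomplete, so the system never has to guess.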

Success Tips for SIEM Projects

SIEM tools are growing more powerful as they incorporate more sophisticated features. But with sophistication comes complexity, and many of our Wisegate members have faced these challenges first-hand. They graciously share the following tips:

» If you don’t have an in-house expert in security technologies – in particular logs and

» It can be difficult to build event correlations due to the level of expertise required to do so. Expect the building of correlations to take a while.

» Ask yourself, in this day and age, is after-the-fact review of incidents more important than preventing incidents?

» The solution is only as good as the scope and coverage that you have. So when you plan a logging and monitoring tool for capturing information for investigations, the widest breadth of coverage you can achieve at the time is always to your advantage. If you only cover a few servers initially with the idea of expanding later, there won’t be as much value as if you take the cost upfront and hook the tool into all the strategic systems that you think may be able to benefit from it.

» SIEM vendors market their solutions as both a security tool and an operational tool. Not only can you monitor security issues, but you can also use the SIEM tool to correlate activities that can indicate root causes of operational problems. Getting this dual usage is great, as long as you can work out “ownership” issues between the Security team and the Operations team. Who really owns the tool and controls how it is used, and by whom?
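Two of the SIEM tips above, that correlations take expertise to build and that the tool is only as good as its coverage, are easier to appreciate with a concrete correlation rule. The following is an added example, not part of the Wisegate paper and not any vendor's rule language: a plain-Python correlation that raises an alert when a burst of failed logins for one account from one source is followed by a success, and that also reports which hosts in the log stream are not onboarded to the SIEM. The log lines, host names, addresses and the key=value log format are all constructed for illustration.

```python
# Added example: a "failed logins followed by success" correlation rule run over
# constructed auth events, with a coverage check for hosts not sent to the SIEM.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a key=value format (not from any real system).
SAMPLE_LOGS = """\
2021-05-03T09:00:01Z host=web01 event=auth_fail user=admin src=203.0.113.7
2021-05-03T09:00:04Z host=web01 event=auth_fail user=admin src=203.0.113.7
2021-05-03T09:00:09Z host=web01 event=auth_fail user=admin src=203.0.113.7
2021-05-03T09:00:12Z host=web01 event=auth_fail user=admin src=203.0.113.7
2021-05-03T09:00:15Z host=web01 event=auth_fail user=admin src=203.0.113.7
2021-05-03T09:00:20Z host=web01 event=auth_success user=admin src=203.0.113.7
2021-05-03T09:05:00Z host=db01 event=auth_fail user=root src=198.51.100.9
2021-05-03T09:30:00Z host=db01 event=auth_success user=root src=198.51.100.9
2021-05-03T10:00:00Z host=vpn01 event=auth_fail user=bob src=192.0.2.44
2021-05-03T10:00:02Z host=vpn01 event=auth_success user=bob src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text: str) -> list:
    """Parse the constructed log format into dicts with a datetime 'ts' field.
    Lines that do not match are skipped (a production parser would count them)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate_failures_then_success(events: list, covered_hosts: set,
                                    threshold: int = 5,
                                    window: timedelta = timedelta(minutes=2)) -> tuple:
    """Return (alerts, blind_spots).

    An alert fires when at least `threshold` auth_fail events for the same
    (host, user, src) occur within `window` before an auth_success for that key.
    Events from hosts not in `covered_hosts` are never evaluated; those hosts are
    returned as blind spots so the coverage gap is visible rather than silent.
    """
    failures = defaultdict(list)   # (host, user, src) -> timestamps of recent failures
    alerts = []
    blind_spots = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["host"] not in covered_hosts:
            blind_spots.add(ev["host"])
            continue
        key = (ev["host"], ev["user"], ev["src"])
        if ev["event"] == "auth_fail":
            failures[key].append(ev["ts"])
        elif ev["event"] == "auth_success":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"host": ev["host"], "user": ev["user"], "src": ev["src"],
                               "failures": len(recent), "success_at": ev["ts"]})
            failures[key].clear()   # a success closes the current burst
    return alerts, sorted(blind_spots)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOGS)
    print("full coverage:", correlate_failures_then_success(events, {"web01", "db01", "vpn01"}))
    print("web01 not onboarded:", correlate_failures_then_success(events, {"db01", "vpn01"}))
```

With all three hosts onboarded the rule fires once, for the web01 admin account; with web01 left out of the SIEM the same events produce no alert at all, and the only evidence of the gap is the blind-spot list, which is the coverage argument the paper makes.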

In Closing…

We could go on and on sharing our tips and best practices. In fact, we do—online at www.WisegateIT.com.

Wisegate is the invitation-only community where senior IT professionals meet to openly exchange knowledge and solve problems with their peers. It is Wisegate’s ambitious mission to make our members’ job less stressful and more productive by providing the social knowledge network professionals need to collaborate and share experiences with a closed community of highly qualified IT peers. By enforcing strict membership guidelines, which exclude vendors from joining, Wisegate is able to provide members with unmatched access to senior-level IT professionals and quality content.

Would you like to join us? Go to www.wisegateit.com/request-invite/ to learn more and find out if you qualify for membership.

©2011 Wisegate. All rights reserved.

300 Beardsley Lane, Suite C201 Austin, Texas 78746

PHONE 512.329.6444

EMAIL [email protected]
