Classic Information Security Management Errors

How many errors does your organization have?

By Zsolt Baranya, Information Security Auditor, Black Cell Ltd.

During my work as an information security expert, I encounter numerous errors, many of which are committed not only by one organization but by several. I either uncover or face these errors as an information security officer and auditor. In this article, I aim to present what these errors are. I recommend it to professionals working in information security as well as to those managers who wish to avoid common errors related to information security management.

1. In many cases, during the management of privileges, organizations focus on ensuring that every user receives the necessary permissions to carry out their work. However, the system for distributing these privileges is not properly structured, and it is not determined on a job-specific basis who can access which data or systems. There is a lack of a reference privilege registry, and in many cases, the newly hired or reassigned colleagues only receive permissions based on a predefined image assigned to certain employees. This approach is not appropriate, because it lacks one fundamental requirement of the privilege review system, which is the foundational record (the registry) that would enable the extraction of data on which privileges could be assigned to employees. It is essential to note that the review of privileges is also absent in many organizations, which poses a significant risk as there may be unused privileges that, if exploited, can compromise confidentiality in a significant manner.
2. Compliance is very important when considering an organization’s regulatory framework. Authorities, certification bodies, and partners, customers expect compliance with the regulations, standards, and other governing rules. However, many organizations often concentrate on ensuring compliance instead of focusing on the actual vulnerabilities and risks present within the organization. Striving for compliance based on a regulatory checklist can divert attention from the real problems. In such cases, the fundamental principle of establishing protection proportionate to the risks may not be upheld.
3. In many organizations, over time, the IT and IT security have evolved in a way that doesn’t support the business, but rather, the business adapts to the processes built by IT and the rules implemented by the Information Security department. In all cases, IT and the Information Security department must support the business. If this is not the case, productivity can be compromised, or in worse scenarios, essential operations may become impossible and in less serious cases, it may become more difficult due to the hindering factors. It is important to note that there are rules that must be adhered to and enforced to ensure security, even if they come with some inconveniences. However, it is necessary to find the balance where the most effective way of doing business and the relationship between information security and IT.
4. Risk management is a very important activity in the life of every organization, whether it is business risks or information security risks. Organizations typically identify and analyze risks, but the development and execution of mitigation plans often fail to materialize. In those organizations where mitigation plans are built for the identified risks, there is often a lack of a control and monitoring system, which typically results in the non-execution of the mitigation plans, leaving the risks untreated.
5. Organizations that establish administrative protective measures according to legal requirements and standards typically end up with lengthy regulations, procedures, and instructions due to content requirements. This often leads to a situation where organizational regulatory documents do not fulfill their role because neither the IT operations staff nor the users will read them. In this situation, organizations commonly make the mistake of not creating abstracts or providing training on the content of the regulations to the stakeholders. As a result, the organizational regulations will only partially or not at all fulfill their role.
6. Many organizations use Security Information and Event Management (SIEM) systems to perform event and incident management activities. However, very few people know how to properly configure the alert settings for these systems. A common mistake is setting up alerts for too many events and incidents, causing the important alerts to get lost among the overwhelming number of notifications. There is a higher likelihood that an event handler will overlook a critical alert due to the high volume of alerts. On the other hand, the opposite scenario is also encountered, where too few events and/or incidents are configured, resulting in the failure to detect an ongoing incident. Certain alerts should be configured, and the alerting system should be designed in proportion to the risks.
7. The management of shared accounts is inadequate in many organizations. Often, the principle of accountability is not upheld when creating such shared accounts. It is important to note that in some cases, there may be no alternative but to use shared accounts. However, where it is possible to create individually assigned accounts for individuals, this is not done. Another significant mistake that organizations commonly make is the lack of access management for shared accounts. For example, when someone leaves an organization, passwords are not changed, leaving vulnerabilities in the context of shared accounts.
8. The organizational use of social media platforms is inadequate in many organizations. There is no regulation for the execution of operational and management tasks, which often leads to reputational damage. Unfortunate comments can be posted when, for example, someone forgets to switch between social media accounts on their personal account, resulting in the expression of their personal opinion on behalf of the organization. Additionally, if an organization uses social media for communication or business activities and loses access to the account without being able to recover it through proper BCP processes, it can cause significant disadvantages. It is recommended to regulate and manage organizational social media platforms.

How many of the general mistakes I’ve identified are present in your organization? If I could assist in uncovering even one mistake, then this article has achieved its goal.

About the Author

Zsolt Baranya is a Senior Information Security Auditor of Black Cell Ltd. in Hungary and Germany. Formerly, he has been in information security officer and data protection officer roles at a local governmental organization. He also worked as a senior desk officer at National Directorate General for Disaster Management, Department for Critical Infrastructure Coordination, where he was responsible for the Hungarian critical infrastructures’ information security compliance. Zsolt can be reached at [email protected] and at his company’s website https://blackcell.io/