Implementing Controls Without Breaking Everything (Incliding the Bank)

How to Ready the Assessment for Success

Achieving an Authorization to Operate (ATO) for any information system is no easy feat. While many would think that a task can be added to the “completed” column simply by running through a checklist, this is an oversimplification of what is truly necessary for thorough system readiness. With all the available frameworks, as well as the myriad variations for a particular implementation, there is much to consider.

Living in a Paper Storm

In many instances, an authorizing official spends most of the time very deep in paperwork, reviewing the continuity, communication, response, and other contingency plans. These responsibilities are also coupled with the obligations that accompany configuration management. However, the job does not stop there, as there is more to the obligations and responsibilities, most notably, accountability. This is because implementation brings challenges that must be carefully observed.

Progressing onward from implementation, it is one thing to implement various controls, but it is only upon testing their effectiveness that a firm level of comfort may be reached. Given the many roles required for system implementation, the value of collaboration becomes clear from the earliest stages of building a system through the full lifecycle of that system.

What Was Requested, and What Was Delivered – Understanding the Plan

There is an old joke about a person who wants to build a tire swing and how a simple concept is misunderstood throughout the whole process. From the perspective of all the pre-assessment documentation, the authorizing official must review the policies with a critical eye towards recognizing and highlighting any weaknesses. This is also true of all directive, preventive, and detective documentation. From this approach, the authorization role takes on the characteristics of project management. An important factor of any system authorization is whether the system that was built is what was required and what was requested.

Readying the Assessment

Before a formal assessment begins, there are some simple preparations you can take to make sure that the assessment has the best chance of success. The three primary areas that can benefit most are the personnel, the documents, and the systems themselves.

When preparing the personnel for an assessment, collaboration and expectation management are critical. As much as we are open to constructive criticism, it is still not easy to accept that there are flaws in one’s hard work. The best approach to an assessment is to engage with all the teams to clarify the true purpose of the testing, both from a methodology- and an outcomes-focused standpoint. By working with the teams that are designated as “supporting roles,” many gaps can be discovered prior to test commencement. The people in these roles can also help by making sure that the scope of the assessment is not beyond the plan.

Making sure that all the documentation is in order is key to a smooth assessment, both from the scoping of the exercise to the ease of conducting the testing. Assessments should never limp along because of poor planning. Making sure that the testing targets are clearly defined will prevent any wasted time as well as any potentially embarrassing errors. There is a strong union between personnel and document management.

Some Simple and Free Testing Methods

Assessments can be budget-breaking exercises, so any tests that can be conducted in advance to make sure that the simple things don’t waste the testers’ time will result in better results all around. An easy way to think of it is “make the assessor work as hard as possible to find the vulnerabilities." It is also very important to not break anything with your own self-tests.

It may be surprising how the obvious can be overlooked, and this can occur not just from carelessness but from familiarity. This is true on a technical as well as an administrative standpoint.

From a technical standpoint, it is easily assumed that login attempts and password re-use are limited on a system, but is that checked regularly? It is certainly part of the configuration management aspect of authorization, but we have all had some experience where that can slip out of compliance unnoticed. A simple technical test is to have someone attempt to defeat the password configurations using simple methods rather than brute-force, hash collision, or similar attack techniques. For example, just attempt to log in as another user with a guessed password. Just be sure to not exceed the lockout threshold when you try this.

Another technical self-assessment is to check the encryption of a system. “Is the data that is supposed to be encrypted truly functioning as it is supposed to” is the question to answer in that exercise. Are you able to obtain an encrypted file from a system, and if so, what can you learn about that file?

Checking for authorization creep is another free exercise. An employee who is promoted or transferred should have all system access reviewed, but a real-world test of the changed access could be a valuable tool in assuring that a control is working.

From an administrative approach, what is the review cycle for all the documents under your control? While it may be as short as bi-annually, there is no guarantee that something doesn’t change well before that review period. Something as trivial as an incident response team member changing their phone number can be the difference between timely and not-so-timely incident response. If you have used your collaboration skills effectively, calling a team member more than every six months could ensure that the information is accurate and current.

The same is true of members of the supply chain in the organization. Recently, many attacks have been carried out by attacking the supply chain and then pivoting into the true target network. Making sure that all your vendors keep their information current and in compliance with your standards is a valuable method of protection. This, too, should occur on a more frequent basis to ensure that no gaps exist.

Remember, if any of these tests fall outside your job description, do not proceed. Again, this is where your collaboration skills will come in handy to get the right people to do the job.

How the CGRC Certification Can Help You to Succeed

At first glance, one could mistakenly think that authorizing a system is little more than reading documents and checking boxes. However, when it comes to implementation and subsequent assessments, there is no doubt about how important this job is to an organization. The role of the authorization professional is multi-faceted, requiring serious attention to detail as well as the ability to collaborate—all to uphold the ethics of only placing the most secure systems into operation.

Whether you work in a government agency or a non-governmental organization, the Certified in Governance, Risk and Compliance (CGRC) credential offered by ISC2 is the perfect way to show that you possess the expertise not only to implement many risk management frameworks but also to know which one is appropriate for a system. Along with that, the CGRC designation indicates your dedication to the field of information security. In many cases, achieving a specialized certification can propel your career to higher levels.