With the advent of digital technology, there has been an incredible rise in demand for IT security professionals globally. Organizations have recognized the importance of cyber-security and are ready to invest in resources that can deal with cyber threats. This ensures the overall security of internal systems and critical internal data protection.
In this article we will be discussing two things:
- Model of a security team
- Roles and responsibilities
These are common organization-wide and industry-wide.
Security team can be large as 1000+ people and as small as 2 people, depending on:
- Organization size
- Security need
- Organizational priority
The roles remain the same but the priorities are different for each organization. The company is the one to decide the priority.
In an ideal scenario, organizations have the below designations. The exact designation can be different from company to company. Different companies have different roles on the basis of experience and company type.
CISO (Chief Information Security Officer)
A CISO is the highest designation in the security domain. This position may not be present in every organization; then, the senior-most security personnel in the company will play the role. The roles and responsibilities of a CISO are:
- CXO level reporting, and ensuring that the security structure is clear to the executives; e.g. CEO.
- Architecture and maintenance of the security posture of an organization.
- Providing a vision to the organization from a security standpoint.
Senior Manager and Manager
Organizations hire managers and senior managers to drive projects and security implementations. The managers need to have right experience and skills. This applies to both people management and security management role. Depending on the experience type, managers could be either of the below:
Responsible for the technical operations, troubleshooting, and implementation of the security solutions.
Security Program Managers:
They will be the owners for-
- Compliance bit
- Regulatory requirements
- Running various security programs
Both people management skills along with technical skills are a must. They are responsible for the end to end management of the project and its lifecycle.
Senior Security Analyst
These are the team members with mid-level experience. They are experts in some of the other relevant technology. Skill set includes:
- Expert in Linux
This ensures that the team has in it the required technology-oriented people. They can drive sub-projects within the team and company.
These are the people who do the work at the ground level. They are responsible for:
- Data preparation and analysis
- Training others
- Escalating incidents
- Supporting projects and implementations.
They are not experts in risk analysis, threat hunting, reporting or presentation skills.
Below are a few roles and responsibilities of a security team. The roles and responsibilities can be divided on the basis of the team strength and experience. Some of the activities need technical skills and some need security management skills. Tasks can be prioritized and done as agreed.
An organization 'A' might want to conduct a risk assessment on a yearly basis. Organization 'B' wants to perform a penetration test of the network, applications, etc.
Let’s talk details about the R&R of the information security team.
Monitoring is a broad term; hence, the responsibilities are wide as well. Different organizations check the security attributes in different ways. Monitoring includes the below as a must have:
- Endpoints/systems- This includes monitoring of systems and laptops. They have to be monitored for:
- Patch management
- Anti-virus management
- Software updates
- Usage of unlicensed and pirated software
- Incidents of policy violations as per the information security policy (Here's a resource that will navigate you through cyber security attacks).
-The network needs to be monitored for usage and misuse cases. This can be a tedious task as the network is fast and monitoring manually cannot match that speed. IDS/IPS and various other network monitoring tools are installed in the network. These can generate alerts when any mischief is detected in the network. This can be analyzed by the security team to determine whether it is a false positive or a true positive; action and investigation will follow.
- Applications work on layer 7 of the OSI model and need special monitoring. The attack patterns and categorization are different compared to the network. The expected traffic must be determined beforehand through behavioral analysis. If the traffic peaks this can be an indicator of a DOS attack. Applications can be protected using a Web application firewall, it can analyze the layer 7 traffic and generate the alerts based on a set of rules. The rules can be based on various standards like OWASP and SANS. An expert analyst can see the alerts and determine whether the attack is genuine or a false positive (also consider checking out this perfect parcel of information for cissp certification).
- Servers and network devices are running 24x7; hence, a health check is required at regular intervals. What if the firewall utilization increases to 90%, or the server CPU usage shoots unexpectedly. This has to be given immediate attention, the work will get affected otherwise.
In case any deviation is observed from the agreed buffer, it must be escalated to the next level and investigated if required. This can prevent the incident from occurring, the symptoms are detected in this phase and acted upon.
Enforce policy and compliance
An organization must ensure that the information security policy is something which the employees know and are following. It is the responsibility of the team to ensure that there are enough and proper controls for what has been written in the policy. Stating that no external PC should be connected to the network without proper authorization is one part enforcing this policy through the use of mac binding. Organizations should be in compliance with the security policy, and this is again the security team’s responsibility.
Ensure regulatory compliance and audit
Depending on the type of organization and country, there can be various regulations which an organization needs to follow; e.g. An organization has to undergo and be compliant with PCI-DSS (Payment card industry data security standard) if they store, process or process sensitive customer data. Similarly, healthcare industries have to undergo HIPAA in various countries. It is the security teams’ responsibility to ensure that the regulatory criteria are met and compliance standards are adhered to. Various internal and external audits can be performed to ensure this, as well as other standards which the company has defined (if any).
It is the security team's responsibility to perform an end to end risk assessment of the organization. The same has to be addressed to the management to ensure that the risk is mitigated, accepted, transferred or ignored. This must be performed after a major change or once every year. The risks need to be categorized into high, medium and low- as per the likelihood versus impact matrix- for the management to understand and take necessary action.
We need to understand that the security team is there to enable the business and not just to put restrictions. Business teams have a lot of scenarios where the security team’s consultation is mandatory. What if a team needs to use third-party software for their day to day business ease? It is the security team's responsibility to analyze the need for the said software and verify it, or present an alternative and give a go ahead.
Security solution testing and implementation
Every now and then, new security solutions are coming up; hence, there is a need to upgrade. For any upgrades or new projects, the security team has to shortlist the product, conduct the testing and then implement as necessary. For example, to implement a two-factor authentication for a windows server it needs to be tested. This helps in understanding the functionality of the product. We can analyze if it is impacting the server performance, what is the alternative if the authentication fails, how the management console works. These are a few questions, but they will address the type of responsibility the security team will hold in such cases.
One of the key responsibilities is to educate the employees about security. What if the employee violates the policy? One should make sure that the employee knows what is acceptable and what a violation is.
Security Incident handling
No matter how good the security posture of the organization is, incidents still occur. These incidents occur either due to employee negligence or unidentified risks. The security team should be prepared to handle the incident and must ensure that the incident is managed appropriately. This starts with incident identification, reporting and then taking the necessary action. All this is driven from start to end by information security team.
Responsibilities in information security are not fixed, they are created, removed and modified with time, regulations, organizations, technologies, etc. It is the responsibility of the security professional to work towards ensuring the well-being of society, infrastructure, and technology. The key responsibility lies to protect and ensure that confidentiality, Integrity, and availability is maintained, rest all can be sub-categorized under these.