
Security Think Tank: Good documentation could save your bacon

by admin
December 9, 2021

Security learning is a career-long process, so as 2021 draws to a close, participants in the Computer Weekly Security Think Tank sum up the most important cyber lessons they’ve taken away from the past 12 months

By Petra Wenham

Published: 09 Dec 2021

The year is moving towards its close, Black Friday sales have come and gone and some 50% of those sales were done online, in part due to the ongoing trend to online sales and partly due to the Covid-19 pandemic accelerating that trend.

But, be they big retailers or SMEs moving into the online retail space, how secure are those websites? And how knowledgeable in infosec are the IT companies providing these online infrastructure services?

Security incidents have continued apace during 2021, highlighting the inadequacies of many organisations’ defences. And what weak points these security breaches have shown up! So what lessons have, or should we have, learnt?

For me, two issues stand out. One is that companies or organisations are not fully or properly addressing the basics of infosec. Second is that risk assessments of the IT environment and the data that it contains and/or processes are not being carried out in a full and appropriate manner, or perhaps not carried out at all.

Both of these issues, the basics and risk assessment, boil down to documentation and adequate resources. Resources include appropriately skilled people and supporting tool sets. Documentation should be comprehensive and kept up to date with regular audits to ensure compliance. It sounds onerous, perhaps in the beginning, but over time, good documentation together with adequate resources will pay back in spades.

What do I mean by documentation? To me, it includes but is not limited to policies, procedures, standards, work guides and methodologies, including threat and risk assessments, network diagrams, audit files, inventories of hardware, software, licences, the data being held or stored including backup and archive data, process flow charts (essential for virtualised and cloud environments), business continuity and disaster recovery plans, security incident response plans and emergency response plans and contact lists.

Don’t forget that elements of the IT documentation will necessarily need to dovetail in with other company divisions or external services, including:

  • Business groups identifying who owns which piece or set of data together with statements of who or what needs access to the data in question, its value and what a process or designated person or group of people can do with the data they are accessing. Note that it is not the job of IT to decide what level of security should be applied to any piece or group of data – that is a business function. IT’s job is to interpret the requirements and implement them.
  • Human resources covering staff vetting and hiring procedures, etc.
  • Compliance, legal and regulatory.
  • Building services covering building access security, utilities, air handling, uninterrupted and/or emergency power supplies, and so forth.
  • External agencies, including: external service suppliers, eg cloud-based services; manufacturers/suppliers (licensing, updates and patching); internet providers; security consultancies (for information on current threats and vulnerabilities, secondary infosec support, IT health checks and penetration testing); clients where appropriate: government agencies.

In summary, you need accurate, well-maintained documentation to enable the comprehensive management, securitisation and ongoing support of secure IT infrastructure.

I should add a disclaimer: you are never going to be 100% secure, but with good documentation supported by tested backup mechanisms, together with a security incident response plan, a company shouldn’t be dead in the water for long should a security breach occur.




