137 Security Questions Every Leader Should Ask
Every Organization Needs To Be Thinking About Security
Today, everyone is talking about security. Just in the last sixty days there have been over 456,000 mentions of cyber attacks and data breaches in news, blogs, forums and Twitter.
It’s easy to get caught up in the daily news cycle that surrounds security, focusing on the breach headlines, downed websites, or the new threats and vulnerabilities that need constant attention and remediation.
However, while people might be talking a lot about security today, it’s also important to keep everything in perspective. To do that, we also need to take a step back from time to time and ask our colleagues, employees and even ourselves, “are we asking the right questions?”
Are You Asking the Right Questions?
As Albert Einstein is often quoted as saying, “If I had 20 days to solve a problem, I would spend 19 days to define it.” So the first question you need to be asking is, are you asking the right questions? Asking the right questions frames the entire conversation as an inquiry in which stakeholders are coming together to uncover the best solution.
So we put together this comprehensive list of 137 security questions every business leader needs to be asking. This is meant to help guide security discussions in your own organization and it’s based on some of the top security challenges organizations face today and how security intelligence can help protect organizations. We divide these questions into eight sections:
- Security Intelligence
- Business Partners and Outsourcing
- Threat Intelligence
The Basics: Security Questions To Get You Started
To establish an effective security strategy, you must start with an accurate evaluation of your current information security posture. This set of 137 questions will help guide you towards a comprehensive evaluation of the existing security landscape in relation to industry best practices and regulatory requirements, in order to identify risks and provide detailed, actionable recommendations for mitigating them and improving protection.
Before you get deeper into the different sets of questions, here are seven questions that will help you assess your security posture and overall picture:
- What is your biggest security concern and is your security spend and expertise properly allocated to address that risk?
- Do you have a clear picture of your overall security posture and of how it relates to industry best practices?
- Do you currently conduct security assessments, such as penetration tests, on a bi-annual basis?
- How realistic is your plan to address the security gaps that you might have today?
- Do you have an established process to address computer security breaches?
- How confident are you of your ability to demonstrate compliance?
- Given the skills gap that exists in security, do you view the ability to recruit and retain talent and expertise as a top priority?
- How many of your IT systems generate logs with relevant security-oriented data today?
- What percentage of these logs are you actively collecting and monitoring today?
- Is your process for collecting and storing all of those logs manual or automated?
- Do you have a single place to correlate, report on and monitor in real time across all of these relevant logs today?
Security Information and Event Management
- Do you routinely manage, monitor and/or analyze the collection of logs of user activity, network activity, performance data, application activity, and/or flow data in your infrastructure?
- What is your process to proactively detect/analyze invalid user access or any anomalies in applications or network traffic in your organization?
- Is your process for this detection/analysis manual or automated?
- What kind of response and remediation procedures do you have in place to handle any incidents identified through this analysis?
- Is the output from this process automatically fed into a single security intelligence console?
- Do you have a unified collection and analysis technology and process for event, network, vulnerability, asset, and intelligence data?
- Is this approach capable of contextual and in-depth analysis and correlation across these diverse data sets?
- Is this process automated, and does it provide response and remediation capabilities?
- Do you measure your annual losses from fraudulent business transactions?
- Do you proactively examine your critical business transactions logs for non-obvious relationships between transactions that often indicate fraudulent activity?
- Have you implemented a testable and automated control for addressing this process?
- Do you provide a solution to your customers to help them avoid being victimized by fraud?
- How many definitive sources of identities does your infrastructure have today?
- Have you standardized on a primary enterprise directory platform?
- What percentage of those identity sources are actively synchronized to ensure currency?
- When you are audited, how do you prove what identities are actively defined within your infrastructure?
User Account and Role Management
- Are you satisfied with the length of time it takes to add new user access to all of their needed systems, on average?
- The last time you checked, what percentage of your user account population was found to be invalid or ‘orphaned’?
- Is your process for managing user access provisioning and deprovisioning manual or automated?
- Are you satisfied with your ability to define users within roles and then leverage those roles to enforce access policy?
Single Sign-On and Strong Authentication
- How many userid/password combinations does your average user have to use daily within their jobs today?
- What percentage of your help desk calls are for password resets?
- Is your process for authenticating and resetting passwords manually performed within each system, or automated across the infrastructure?
- Do you have requirements for multi-factor authentication today, and if so, do you have this capability already deployed?
- Are a user’s fine-grained entitlements handled consistently across the organization, such that they can be viewed, audited and modified in a consistent manner?
- Are the users’ fine-grained entitlements enforced by application code or by infrastructure services?
- [This question only applies to organizations with external system interactions] Are the context-aware authorization services that enforce the users’ fine-grained entitlements in internal systems also used for both inbound and outbound requests to/from business partners and cloud/service providers?
- Are the context-aware authorization services that enforce users’ fine-grained entitlements based on an open standard such as XACML?
Privileged User Management
- Do you have a concise understanding of all shared service accounts being used in your infrastructure?
- Do you have a regular process to validate that all shared service accounts, and all users with access to them, are necessary?
- Are you able to automatically manage the check-out and check-in of shared service account usage, so you’re able to audit exactly who was using a shared account at any given point in time?
- Do you have self-encrypting storage?
- Do you have a requirement for encrypting all data at rest?
- Is your certificate management a manual or automated process?
- Do you use encryption for data leakage protection?
Test Data Masking
- How many disclosures of sensitive business production data did you have within your test and development environments in the past year?
- Do you have a documented policy on how to avoid these disclosures and risks?
- Have you implemented a testable and automated control for enforcing this policy?
Database Activity Monitoring
- Do you know where all your databases are on the network?
- Do you know where all your sensitive data resides in your DB infrastructure?
- Do you know which applications have access to the most sensitive data?
- Do you know which users have access to the most sensitive data in the DB?
Data Loss Prevention (DLP)
- Have you defined data loss prevention policies?
- Do your data loss prevention policies enable you to comply with data privacy regulations?
- Can you automatically enforce configurable DLP response actions?
- Is your DLP solution integrated with your broader endpoint management solution?
Data Discovery and Classification
- Do you know exactly how much data you have, where it is used, and how it is being used?
- Do you know how much data has not been used in the last year?
- Does your infrastructure have any single points of failure?
- Do you know the status of your infrastructure at any given moment?
Key Lifecycle Management
- Are you aware that there is now an agreed-upon standard called “Key Management Interoperability Protocol” (KMIP)?
- How many key management systems do you currently employ?
- Do you have a plan to centralize key management?
Dynamic Vulnerability Analysis and Testing
- Do you currently host any web-based or internet-facing applications?
- Do these web applications contain customer data, proprietary information or compliance regulated material?
- Are you currently performing any penetration tests or dynamic analysis and testing activities?
- Is your dynamic analysis integrated into your software development lifecycle?
- Are you scanning third party applications?
Static Source Code Analysis
- Do you currently run applications, including mobile, that were developed in-house, by an outsourcer or by a partner?
- Do these applications contain customer data, proprietary information or compliance regulated material?
- Do you perform any manual or automated source code review for security vulnerabilities?
- Is source code scanning built into your software development lifecycle?
- Are you currently collecting event and network telemetry data, such as flows, from your IT infrastructure in real-time?
- Is this data being analyzed for anomaly or suspicious activity?
- Is this data being viewed within the context of application vulnerabilities?
- Have you established a formal process around the investigation and remediation of any detected incidents?
SOA Message Protection
- Do you protect your backend business services from the front-facing client?
- Do you know where your messages are coming from, and how a message is protected against different attacks (e.g. replay attacks, XML threats) and given confidentiality and integrity protection during transit?
- Do you need to enforce company policy on the message?
- How many successful intrusions have you had in the last year?
- With your existing technologies, would you know if you had a successful attempt?
- What technologies do you use, that could detect such an attack and intrusion?
- What are you doing to block attacks against Web applications?
- Are you using your technology to passively detect or actively block attacks?
- What technology do you use to mitigate SQL injection attacks?
- Does your organization offer end-users functionality to control the email coming into their inbox?
- What is your process to recover a single e-mail?
- Is your organization concerned about loss of confidential or proprietary information over email?
- Does your organization have filters in place to deal with unwanted email such as newsletters, inappropriate content such as pornographic emails or malicious content?
- Does your organization offer end-users seamless end-to-end email encryption to anyone on the Internet?
- Is your first-pass patch success rate over 95%?
- Are you able to use a single solution and console to automatically manage patches for multiple operating systems, including Microsoft Windows, UNIX, Linux and Mac OS, plus smartphones and tablets?
- Do you have real-time visibility of endpoint compliance against defined policies, such as mandatory patch levels, and can automate and confirm successful remediation?
- Is your patch management solution integrated with a comprehensive endpoint management solution that includes power management, to enable both patching and energy conservation?
- Does your server security solution protect against both network- and application-based attacks automatically?
- Does your server security solution give your IT personnel the time they need to test and deploy patches properly while protecting their systems against the vulnerabilities for which the patch was created?
- Are you confident that you have sufficient protection at the server to repel the many attacks that appear in the news?
Anti-Malware and Anti-Virus
- Do you have an anti-virus / anti-malware solution deployed on every endpoint?
- Are you able to verify that antivirus services are installed, running and up to date on all endpoints, and automatically correct out of compliance situations?
- Is your solution integrated with data loss prevention, device control, and other comprehensive endpoint management capabilities?
- Do you have a prevention solution to address malware that can avoid traditional anti-virus technology?
- Are you able to quickly identify all of your distributed endpoints (servers, desktops, laptops, smartphones and tablets, plus specialized equipment such as point-of-sale devices, ATMs and self-service kiosks) and check for rogue assets on the network?
- Do you have real-time visibility of endpoint status and automated compliance reporting?
- Does your solution provide a closed-loop integrated assessment and automated remediation for patch, configuration, vulnerability, anti-malware, and data loss prevention?
- Does your solution continually assess the status of the endpoint and ensure the endpoint remains in compliance with organizational policies?
Mobile Device Security and Management
- Are you able to capture and store detailed mobile device data, including inventory data such as device model and serial number, usage data such as last connection time, and hardware information such as firmware and memory, as well as operating system version, location information, network details, and installed applications and certificates?
- Are you able to detect rooted or “jailbroken” mobile devices and safeguard enterprise data by enabling complete or selective wipes when devices are lost, stolen or decommissioned?
- Does your solution help maintain compliance by identifying non-compliant mobile devices and automatically taking corrective actions such as denying email access, deprovisioning profiles or removing VPN access?
- Does your solution leverage a single infrastructure to deliver unified management and security for all types of enterprise endpoints, including smartphones, tablets, desktops, laptops and servers?
Rapid Incident Response
- Are you able to set alarms to quickly identify rogue or misconfigured endpoints and take steps to locate them for remediation or removal, or identify and quarantine tens of thousands of machines in minutes?
- In the event of a security incident, can you protect all of your endpoints by distributing necessary forensics or remediation tools to endpoints, regardless of their location or connection type, quickly enough to prevent further intrusion or disruption?
- Are you able to respond in real-time to zero-day attacks through ad hoc, closed-loop remediation that can target those systems that are affected with specific actions to an exact type of endpoint configuration or user type?
- Does your solution provide analytics capabilities with insights for hardening the infrastructure against attacks to the network, servers and endpoints?
- What are you doing to protect your virtual systems?
- Is the level of security of your virtual systems consistent with that of your physical servers?
- How are you addressing virtualization specific security risks?
Business Partners and Outsourcing
- Is there confidential product or process information stored on computers within your network?
- Could loss of this information compromise one or more of your firm’s competitive advantages?
- Do you give access to your internal network to important partners such as marketing firms or subcontractors?
- Do these important partners provide you with professional assessments of their network security?
Outsourcing and Managed Security Services
- Are you struggling with the high cost of managing your security infrastructure?
- Have you considered outsourcing the management or monitoring of your security devices?
- Do you already outsource management or monitoring and would like to investigate other opportunities?
- Does your Managed Security Service Provider discern legitimate traffic from malicious traffic?
- Does your Managed Security Service Provider have its own vulnerability research team?
Managed Security Services (Cloud Security Services)
- Are you struggling with the upfront capital expenditure to purchase and deploy security technologies?
- Have you considered outsourcing to lower-cost cloud security services?
- Do you already use cloud security services and are you interested in outsourcing others?
- Are you integrating external threat intelligence into your overall security posture?
- Is that view comprehensive enough?
- How do you use IP reputation data as part of your security strategy?
- What resources does your organization use to make sure they are updated on the latest in threat intelligence?
- Do you have a process for effectively receiving and sharing threat intelligence with industry peers and government?
- Are you able to correlate internal activity and events with information from the web?
- Do you use existing threat models and indicators to profile and identify malicious behavior in your own organization?
- Do you regularly attend industry conferences such as BlackHat to educate yourself about security research?
- Is a foundational understanding of publicly available exploit kits part of how you assess your own infrastructure?
- How easily can intelligence about malware be distributed and acted upon within your infrastructure?