Friday, December 04, 2020

Effective security patch management is probably the number one security control

Effective security patch management is probably the number one security control that can have the greatest impact in your company. It is crucial that you have processes in place to ensure regular, timely, and enterprise-wide patching. Always test patches on a pilot group first, and be sure to include third-party apps. We still see folks concentrating only on MS Patch Tuesday. The trickiest part will be minimizing the number of systems excluded from patching, as owners and certain vendors will still claim that patches can break their apps. Isolate systems that cannot be patched effectively, using VLANs and firewall rules. Long term, look to replace these systems whenever possible. In fact, contact the vendor of these systems directly to discuss the issue; do not take app owners’ or system admins’ word on whether patching is a problem. Companies are much more responsive now to demands from InfoSec. Good luck!!

InfoSec policies say “what”, procedures say “how”

InfoSec policies say “what”, procedures say “how”. We all know that we need to have a full set of Information Security policies. But how many of us keep procedures out of our policies? Getting a policy approved can be a big deal, often needing Exec Mgmt, HR, and possibly union approval. Policies typically do not change very often, but procedures change regularly. You don’t want to jump through all the approval hoops to make a required change to a procedure. Keep them separate! Of course, you do want to review policies annually and whenever significant infrastructure changes occur. #informationsecurity #infosec #cybersecurity #dataprotection #policiesandprocedures

Are you practicing good configuration management?

Are you practicing good configuration management? Are you ensuring that a standard image is created, is regularly updated and tested, and is deployed everywhere, especially on admin and developer systems? Also, be diligent in ensuring that all systems are hardened. Turn off all services that you will not be using. And for any changes, make sure that you have established and tested a change management process. Form a Change Management Board that meets regularly. Make sure the Board has key players from Application Security, Security, Field Support, System Administration, and Network Management. The Board needs to meet regularly (weekly?) to review all past and upcoming changes. A process should be established that classifies changes, so that minor updates/changes can be made in a timely fashion without the Board having to meet. All changes need a back-out plan and should be as transparent to the users as possible. But all significant changes need to be announced ahead of time. Happy config/change management! #configurationmanagement #changemanagement #configmgr #hardening

Edmond Momartin, CISSP, CISA has been awarded ISSA Senior Member

With great pride we acknowledge longtime volunteer and former ISSA Los Angeles Board member Edmond Momartin, CISSP, CISA, for attaining Senior Member status at the Information Systems Security Association (ISSA). #issa #issala @issa @issala