AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Security Policy Management Maturity Model and the Benefits from Moving Up the Ladder: Part 3 of 4


In my previous post on the security policy management maturity model, we examined what an Emerging organization (level 2) looks like. Steps to automate security policy analysis and audits were implemented, but the security policy was optimized and compliant only at a point in time, because ongoing changes continue to introduce risk and policy bloat.

If you implemented some of the recommendations from our last blog, then you may now be at, or on your way to becoming, an “Advanced” organization. You know you are if you have automated the security change management process, bringing together security and network teams to process changes more quickly and with greater accuracy and to ensure continuous compliance. What’s missing, however, is that this automation and visibility are not extended to another key stakeholder in the change process: application owners. Advanced companies may still struggle to understand business requirements and make the security infrastructure “work for the business”. Here are the characteristics of an Advanced organization:

  • More agile security change workflow: Security and network operations teams are now aligned to respond better to dynamic business needs, and change requests are processed more quickly and accurately through automated workflows that eliminate what were previously manual, time-consuming processes. Redundant change requests are eliminated immediately by comparing each change request with the rule(s) already in place and automatically closing those change request tickets. Now for the but…
  • Limited visibility of business impact of security changes: While security and network operations teams are in sync, application owners are not looped into the security change process which causes key requirements to get “lost in translation” when it comes to creating/updating the necessary firewall rules that enable connectivity. There is little to no understanding of the impact a connectivity change may have on other business applications.
  • Continuous compliance and accountability: While organizations at level 2 can automate the generation of compliance reports for faster audits, organizations at level 3 take it up a notch by ensuring that every change request is automatically analyzed for risk BEFORE the change is made. This key step in the change workflow allows involved stakeholders to make informed decisions about changes that affect risk and compliance levels. Advanced organizations can measure every step of the security change workflow to demonstrate compliance and ensure service level agreements are attained.
  • Out-of-process changes are discovered: Another key step and benefit of being Advanced is that organizations at this level can eliminate out-of-process changes by automatically matching each change request with the change that was actually performed. Out-of-process changes are a major source of network and application outages, as reported by more than three-fourths of respondents in our State of Network Security 2013 survey.
  • Basic documentation of application connectivity needs: Organizations at this level typically have spreadsheet-level documentation of business application connectivity requirements. While having any level of documentation is better than nothing, there is little visibility and control of these requirements and their relationship to the security policy. The importance of having this visibility can’t be overstated, as 80% of organizations in the State of Network Security 2013 survey reported outages or impaired network performance as a result of application-related rule changes.
  • Vulnerabilities are not prioritized by business impact: While organizations have vulnerability management solutions in place, the long lists of vulnerabilities they produce are too much for any business to adequately address. Vulnerability information is typically presented for IP addresses and servers, and not in a context that business owners can understand. You can learn more about this concept by joining us along with Qualys for a webcast on Managing Risk and Vulnerabilities in a Business Context, on March 12 at 1pm ET.
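Two of the checks described above, closing change requests that an existing rule already satisfies and matching rules that appeared in the rulebase against approved tickets to surface out-of-process changes, can be illustrated with a small reconciliation script. The code below is an added example, not code from AlgoSec or this blog; the rule format, ticket ids and both rulebase snapshots are constructed sample data, and "covered" is taken to mean that an existing allow rule permits a superset of the requested source, destination, protocol and port range.

```python
"""Reconcile firewall change requests against rulebase snapshots.

Added example (not the vendor's code). Demonstrates:
  1. flagging a change request as redundant because an existing rule
     already permits the requested traffic, and
  2. detecting out-of-process changes by matching rules that appeared
     between two rulebase snapshots against the approved change requests.
All rules and tickets below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    proto: str      # "tcp", "udp" or "any"
    port_lo: int    # inclusive port range; 0-65535 means any port
    port_hi: int
    action: str     # "allow" or "deny"


def _net(cidr):
    """Map "any" to the whole IPv4 space so containment checks are uniform."""
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def covers(existing, requested):
    """True if `existing` already permits everything `requested` asks for."""
    return (
        existing.action == requested.action == "allow"
        and _net(requested.src).subnet_of(_net(existing.src))
        and _net(requested.dst).subnet_of(_net(existing.dst))
        and existing.proto in ("any", requested.proto)
        and existing.port_lo <= requested.port_lo
        and existing.port_hi >= requested.port_hi
    )


def classify_requests(requests, rulebase):
    """Split tickets into (redundant, needed) by checking existing coverage."""
    redundant, needed = [], []
    for ticket, wanted in requests.items():
        already_permitted = any(covers(rule, wanted) for rule in rulebase)
        (redundant if already_permitted else needed).append(ticket)
    return redundant, needed


def out_of_process_changes(before, after, approved):
    """Rules that appeared between two snapshots with no approved ticket.

    A new rule counts as authorised only if it is exactly the rule some
    approved ticket asked for; exact matching keeps the audit trail
    unambiguous, at the cost of flagging implementers who widened a rule.
    """
    added = set(after) - set(before)
    approved_rules = set(approved.values())
    return sorted(added - approved_rules, key=str)


# --- constructed sample data ------------------------------------------------
RULEBASE_BEFORE = [
    Rule("10.0.0.0/8", "10.20.30.0/24", "tcp", 443, 443, "allow"),
    Rule("any", "any", "any", 0, 65535, "deny"),
]

REQUESTS = {
    # already permitted by the first rule above -> should be closed as redundant
    "CR-1001": Rule("10.0.1.5/32", "10.20.30.10/32", "tcp", 443, 443, "allow"),
    # new port, not covered -> genuinely needed
    "CR-1002": Rule("10.0.1.5/32", "10.20.30.10/32", "tcp", 1433, 1433, "allow"),
}

# Snapshot taken after the change window: CR-1002 was implemented, but an
# SSH rule nobody requested appeared as well.
RULEBASE_AFTER = [
    RULEBASE_BEFORE[0],
    REQUESTS["CR-1002"],
    Rule("192.168.50.0/24", "10.20.30.10/32", "tcp", 22, 22, "allow"),
    RULEBASE_BEFORE[1],
]


if __name__ == "__main__":
    redundant, needed = classify_requests(REQUESTS, RULEBASE_BEFORE)
    print("close as redundant:", redundant)
    print("implement:", needed)
    approved = {t: REQUESTS[t] for t in needed}
    for rule in out_of_process_changes(RULEBASE_BEFORE, RULEBASE_AFTER, approved):
        print("out-of-process change:", rule)
```

Run stand-alone, the script closes CR-1001 as redundant, keeps CR-1002, and reports the 192.168.50.0/24 SSH rule as an out-of-process change. In practice the "before" and "after" snapshots would come from the firewall's exported configuration, and the matching would need to respect rule order and object groups, which this example ignores.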

Now that you can confirm your status as Advanced, do you want to become a visionary? Here’s how to make it happen:

  1. Review processes for documenting application connectivity needs
  2. Assess gaps between application and network teams relating to the security and network infrastructure
  3. Review processes for decommissioning applications and related unused firewall rules
  4. Examine options for making business owners “own the risk” and vulnerabilities in their applications
  5. Assess tools which provide application-centric approaches to managing the network security policy

Our final article on this topic will look at the characteristics of a Visionary organization and the benefits of getting there.
