In my first post on the Security Policy Management Maturity Model, I highlighted the challenges of network and security complexity and dynamic business requirements that must be addressed by IT in order for the business to remain competitive. In the forthcoming blogs, I’ll dig into each level of the maturity model and not only examine what each level means in terms of your organization’s environment, but also provide some tips for moving up the ladder and the benefits for doing so.
Now that we have that covered, let’s get started with level 1. Jeff Foxworthy has that joke “You know you’re a redneck if…” Well, the same concept applies here. You know you’re at level 1 if your security management practice is manual. Manual security policy management leads to loads of issues, mainly poor visibility, inefficient processes, no easy way to demonstrate compliance and a weakened security posture. More specifically, if you can’t answer these questions in the affirmative, then you are at level 1:
Do you know why each firewall rule exists?
Typically the “knowledge” of why a rule was created or changed lives only in the head of the administrator who created it. If the admin didn’t document the purpose of the rule (which happens all too often), can’t remember the reason, or leaves the company, there is no history to review, and it becomes much harder to troubleshoot firewall-related issues and to reduce the risk and outages caused by rule changes.
Do you have full visibility of the impact to network traffic?
Organizations at this level often do not understand how the security policy affects traffic flowing to and from the network, which turns planning and troubleshooting into extremely complex tasks. Generating an accurate map of the network topology is a major undertaking – and the result usually has gaps. For example, it’s one thing to have a “point-in-time view” like a Visio diagram from last month, but it’s another to have it continuously updated.
Is your security change process automated and can you ensure the accuracy of changes?
Change management is an area where things can very easily break down. Organizations at the initial stages of security policy management have no sound way to enforce the security change process. This means multiple ways of processing changes, increased risk of misconfiguration and non-compliance, and a much slower process that impedes business agility.
Are you spending a significant amount of time and resources on audit preparation?
Regulatory compliance as well as internal mandates result in frequent firewall audits. Organizations at this level spend days and even weeks preparing their firewalls for audits manually. Achieving compliance in this manner is not only time-consuming but also short-lived, as frequent changes can cause organizations to fall out of compliance shortly after the audit.
Are your firewall rule sets bloated, impacting troubleshooting efforts and audits as well as impacting firewall performance?
Security policies typically grow in size and complexity over time. Organizations at “Level 1” have bloated rule sets – rules added, but never deleted – because of the fear of causing an outage or a security risk by removing a rule.
Are you manually assessing your firewall policy for risk, if at all?
According to Gartner, “More than 95% of firewall breaches are caused by firewall misconfigurations, not firewall flaws.” Many organizations don’t understand the risks of enabling or disabling certain rules. A firewall without an effective policy doesn’t cut it.
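As an added example (not code from the original post), the Python script below checks a rule list for the Level 1 symptoms described above: undocumented rules, rules that never match traffic, any/any allow rules, and rules shadowed by an earlier, broader rule. The rule set and its field names are constructed sample data, not a real policy.

```python
# Added example: audit a firewall rule list for Level 1 symptoms.
# Rule fields (hypothetical) follow a common "source, destination, service,
# action, comment, hit count" layout; the rules themselves are constructed.
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "id src dst service action comment hits")

SAMPLE_RULES = [  # constructed sample data, not a real policy
    Rule(1, "10.1.0.0/16", "10.2.0.5", "tcp/443", "allow", "CRM to DB, ticket #1234", 5800),
    Rule(2, "any", "any", "any", "allow", "", 120000),
    Rule(3, "10.1.0.7", "10.2.0.5", "tcp/443", "allow", "temp access for migration", 0),
    Rule(4, "10.3.0.0/24", "10.2.0.9", "tcp/22", "allow", "", 0),
    Rule(5, "any", "any", "any", "deny", "cleanup rule", 400),
]


def _net_covers(broad, narrow):
    """True if address field 'broad' matches every address 'narrow' matches."""
    if broad == "any":
        return True
    if narrow == "any":
        return False
    return ipaddress.ip_network(narrow, strict=False).subnet_of(
        ipaddress.ip_network(broad, strict=False))


def _rule_covers(earlier, later):
    """True if 'earlier' matches all traffic 'later' would match (first-match order)."""
    return (_net_covers(earlier.src, later.src)
            and _net_covers(earlier.dst, later.dst)
            and (earlier.service == "any" or earlier.service == later.service))


def audit_rules(rules):
    """Return rule ids grouped by Level 1 symptom."""
    findings = {"undocumented": [], "unused": [], "permissive": [], "shadowed": []}
    for i, r in enumerate(rules):
        if not r.comment.strip():          # nobody knows why this rule exists
            findings["undocumented"].append(r.id)
        if r.hits == 0:                    # bloat candidate: never matches
            findings["unused"].append(r.id)
        if r.action == "allow" and (r.src, r.dst, r.service) == ("any", "any", "any"):
            findings["permissive"].append(r.id)
        if any(_rule_covers(e, r) for e in rules[:i]):  # earlier rule wins
            findings["shadowed"].append(r.id)
    return findings


if __name__ == "__main__":
    for symptom, ids in audit_rules(SAMPLE_RULES).items():
        print(f"{symptom:12s}: rules {ids}")
```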
If, after reading this, you find you’re at level 1, then, as promised, here are 5 tips to help you move up the ladder:
I hope you found this useful. In the next blog in this series we’ll examine Level 2 of the maturity model, as well as tips to continue to move up the ladder.