Many people confuse reviewing a security posture with reviewing a security policy. When you review your security policy, you are focusing on the policy itself and how well it addresses the threats and requirements that have been documented. Reviewing your security posture is a review of how well you and your organization are actually positioned with regard to that policy. For example, if you have defined that only IPsec VPNs are allowed, have you actually implemented the changes required to enforce this? If you haven't, your security posture is not in line with your security policy, and one of the two must change.
Reviewing your security posture is also where practice comes into play. You should practice to ensure that your organization is prepared to address any security incidents that occur. We will discuss incident response in much more detail in Chapter 17; however, as part of reviewing your security posture, you should validate that your incident response plan performs as expected. You should schedule and perform drills to test the security staff and ensure that everyone knows what their responsibilities are and what they need to do when a violation is detected. Although announced drills are worthwhile, it is also important to run unannounced drills periodically. It's kind of like the scene in the movie Heartbreak Ridge where the troops complain that they always ambush the other platoon at the same place, and Clint Eastwood replies, "Kind of makes it easy to get out of an ambush when you know when and where it is happening." Apply the same philosophy to your security posture review. Drills, and unannounced drills in particular, will expose gaps in the policies, processes, and procedures that need to be addressed and corrected.
As part of reviewing your security posture, you should make sure you evaluate the following areas:
Review your security policy against what you are actually doing. If they don't match, you need to either change your policy or change what you are doing.
Review the technical controls you have put in place to enforce your policies. For example, if you have implemented software to require a certain password methodology, make sure the control is working as defined in the security policy: test it with passwords that the policy says must be rejected, not just with ones it should accept.
Review your users' behavior in regard to your security policy. Make sure your users are adhering to the security policy. For example, if your password policy states that your users should never give out their password to anyone, call some users and ask for their passwords (with management's approval, and treat the results as a training opportunity rather than a disciplinary one).
Review the administrators' behavior in regard to your security policy. Make sure your administrators are performing tasks as defined by your security policy. For example, if your security policy defines that event logs should be reviewed on a daily basis, make sure that task is actually being performed, and look for evidence of it (sign-offs, tickets, or review timestamps) rather than taking it on trust.
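The two technical checks in the list above (does the password control enforce what the policy says, and is the daily log review actually happening) can be turned into a small, repeatable posture audit. The following Python script is an added example written for this edition; it is not code from the book. The policy thresholds, the stand-in control_accepts() function, the sample passwords, and the review-date list are all assumed or constructed for illustration. In a real audit, control_accepts() would be replaced by an attempt to set each password on the actual system, and REVIEW_LOG by whatever evidence your administrators produce when they review logs.

```python
import re
from datetime import date, timedelta

# The policy as the security policy document states it. The threshold values
# are assumed for this example; substitute the ones your own policy defines.
POLICY = {"min_length": 12, "require_digit": True,
          "require_upper": True, "require_symbol": True}


def policy_accepts(pw: str) -> bool:
    """Does the written policy permit this password?"""
    if len(pw) < POLICY["min_length"]:
        return False
    if POLICY["require_digit"] and not re.search(r"\d", pw):
        return False
    if POLICY["require_upper"] and not re.search(r"[A-Z]", pw):
        return False
    if POLICY["require_symbol"] and not re.search(r"[^A-Za-z0-9]", pw):
        return False
    return True


def control_accepts(pw: str) -> bool:
    """Hypothetical stand-in for the deployed control. In a real audit this
    would try to set the password on the live system and report whether it
    was rejected. It is modelled here with drift from the policy: an
    8-character minimum and no symbol requirement."""
    return bool(len(pw) >= 8
                and re.search(r"\d", pw)
                and re.search(r"[A-Z]", pw))


# Constructed test set chosen to probe each policy rule, including passwords
# the policy must reject. Testing only "good" passwords would miss the drift.
SAMPLE_PASSWORDS = [
    "Tr0ub4dor&3xample",          # meets every policy rule
    "Passw0rd",                   # 8 characters: too short for the policy
    "LongPassword99",             # long enough but has no symbol
    "correcthorsebatterystaple",  # fails policy and control alike
]


def find_control_drift(passwords):
    """Return (password, policy_says, control_says) for every password on
    which the written policy and the deployed control disagree."""
    drift = []
    for pw in passwords:
        p, c = policy_accepts(pw), control_accepts(pw)
        if p != c:
            drift.append((pw, p, c))
    return drift


# Constructed evidence: dates on which an administrator signed off a log
# review. The policy in the text requires one every day.
REVIEW_LOG = [date(2024, 3, 1), date(2024, 3, 2),
              date(2024, 3, 4), date(2024, 3, 5)]
REVIEW_WINDOW = (date(2024, 3, 1), date(2024, 3, 5))


def missed_review_days(review_dates, start, end):
    """ISO dates in [start, end] for which no log review was recorded."""
    reviewed = set(review_dates)
    missed = []
    day = start
    while day <= end:
        if day not in reviewed:
            missed.append(day.isoformat())
        day += timedelta(days=1)
    return missed


if __name__ == "__main__":
    for pw, p, c in find_control_drift(SAMPLE_PASSWORDS):
        print(f"DRIFT: {pw!r} policy={'accept' if p else 'reject'} "
              f"control={'accept' if c else 'reject'}")
    for d in missed_review_days(REVIEW_LOG, *REVIEW_WINDOW):
        print(f"MISSED: no log review recorded on {d}")
```

Every line of DRIFT output is a case where the posture and the policy disagree, and, as the text says, one of the two must change: either the control is tightened to match the policy, or the policy is rewritten to describe what is really enforced. The MISSED lines are the administrator-behavior check; a gap there means the daily review is a policy statement, not a practice.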