Adam Groenhout

Collect and Conquer: Security Question Frameworks for Onboarding


Introduction

When joining a company or starting a consulting engagement, there's a lot to learn quickly to be effective. You need to get oriented, navigate organizational dynamics, make informed decisions, and prioritize well to drive positive change. Understanding the relevant history, current state, and target state is crucial, both for the organization and its security program. Contextualizing this information is key to making decisions that provide immediate and long-term value. However, this often involves absorbing potentially hundreds of documents and picking the brains of dozens of people. Time is a constraint, both yours and that of the people you engage with.

As security professionals, we aim to focus on the most critical risks and secure the most important assets first. We need to do this while navigating potential organizational landmines, whether political or cultural, and avoiding wasted time with unnecessary Q&A or rehashing settled issues.

So, how do we efficiently identify and gather this essential information? This post presents question sets designed to uncover the most critical insights. Getting them answered is another challenge, not addressed here.

The Hard Truth

Ideally, all critical questions would be answered perfectly and instantly. Wouldn't that be wonderful? The reality is that relevant information is often scattered, incomplete, and difficult to discern.

Every organization is unique; there's no one-size-fits-all approach to onboarding, orientation, and knowledge acquisition. Knowledge management standards, norms, and practices vary significantly. Some organizations have robust documentation practices, while others rely heavily on oral communication and internal knowledge.

It's unlikely that all your questions will be answered upfront, or even by the end of your first year. We always operate with imperfect information, but we must act regardless. As Harry Truman reportedly said, "Imperfect action is better than perfect inaction."

The Cash is in the Question

Asking the right questions is invaluable. It helps you get to the heart of the matter, save time, stimulate thought, and potentially spark new ideas. There's a natural progression from general, open-ended questions to more focused, action-oriented ones:

  1. What should I know?
  2. What should I read, and who should I talk to?
  3. What specific information is most helpful for me to perform my job effectively? To that end, which documents should I review, and whom should I engage with for specific insights?

Ideally, asking question #1 would be sufficient, unlocking a cascade of relevant knowledge. However, in reality, we often need to ask questions closer to #3, and sometimes even more granular ones. As a newcomer, being specific is crucial. Organizational complexity and the dynamic nature of information make it challenging for others to provide readily packaged answers.

This post provides two groups of questions, each adaptable to the information seeker's unique context:

The first group leverages existing frameworks: The Baldrige Cybersecurity Excellence Builder (BCEB) and the NIST Cybersecurity Framework (CSF). The BCEB offers pre-structured questions designed to extract pertinent information. This post won't repeat the full list but will provide a section as an example of their quality.

The second group consists of more ad-hoc questions organized into common security domains.

Questions from the Baldrige Cybersecurity Excellence Builder

The following is just one section of exemplary questions, among many. The full list of questions can be found here.

Strategy / 2.1 Strategy Development: How do you include cybersecurity considerations in your strategy development?

  1. How do you include cybersecurity planning in your overall organizational strategic planning process?
  2. How do you ensure alignment between your cybersecurity planning and your organization's overall strategic planning?
  3. How does your strategy development process stimulate and incorporate innovation in cybersecurity policies and operations?
  4. How do you collect and analyze relevant data and develop information on cybersecurity for your strategic planning process?
  5. How do you decide which key cybersecurity processes will be accomplished by your workforce and which by external suppliers and partners?
  6. What are your organization's key cybersecurity-related strategic objectives and timetable for achieving them?
  7. How do your organization's key cybersecurity-related strategic objectives align with your organization's overall strategic objectives?
  8. How do your strategic objectives achieve appropriate balance among varying and potentially competing cybersecurity needs, customer and stakeholder requirements, and business objectives?

Questions from the NIST Cybersecurity Framework 2.0

The following are questions derived directly from each of the subcategories in the NIST CSF 2.0.

GOVERN (GV)

Organizational Context (GV.OC)

  1. How does your organization's mission inform its cybersecurity risk management decisions?
  2. How do you identify and consider the needs and expectations of both internal and external stakeholders regarding cybersecurity risk management?
  3. What processes are in place to understand and manage legal, regulatory, and contractual requirements regarding cybersecurity, including privacy and civil liberties obligations?
  4. How do you identify and communicate critical objectives, capabilities, and services that external stakeholders depend on or expect from your organization?
  5. What methods do you use to understand and communicate the outcomes, capabilities, and services that your organization depends on?

Risk Management Strategy (GV.RM)

  1. How are risk management objectives established and agreed upon by organizational stakeholders?
  2. Can you describe your organization's risk appetite and risk tolerance statements? How are they established, communicated, and maintained?
  3. How are cybersecurity risk management activities and outcomes integrated into enterprise risk management processes?
  4. What strategic direction has been established for appropriate risk response options, and how is it communicated?
  5. How are lines of communication established across the organization for cybersecurity risks, including risks from suppliers and other third parties?
  6. What standardized method is used for calculating, documenting, categorizing, and prioritizing cybersecurity risks?
  7. How are strategic opportunities (positive risks) characterized and included in organizational cybersecurity risk discussions?

Roles, Responsibilities, and Authorities (GV.RR)

  1. How does organizational leadership demonstrate responsibility and accountability for cybersecurity risk? How is a risk-aware, ethical, and continually improving culture fostered?
  2. How are cybersecurity roles, responsibilities, and authorities established, communicated, understood, and enforced within the organization?
  3. How does the organization ensure that adequate resources are allocated commensurate with the cybersecurity risk strategy, roles, responsibilities, and policies?
  4. In what ways is cybersecurity integrated into human resources practices?

Policy (GV.PO)

  1. How is the organization's policy for managing cybersecurity risks established, communicated, and enforced?
  2. What processes are in place to review, update, communicate, and enforce the cybersecurity risk management policy to reflect changes in requirements, threats, technology, and organizational mission?

Oversight (GV.OV)

  1. How are the outcomes of the organization's cybersecurity risk management strategy reviewed to inform and adjust strategy and direction?
  2. What process is in place to review and adjust the cybersecurity risk management strategy to ensure coverage of organizational requirements and risks?
  3. How is organizational cybersecurity risk management performance evaluated and reviewed for needed adjustments?

Cybersecurity Supply Chain Risk Management (GV.SC)

  1. How is your cybersecurity supply chain risk management program, including strategy, objectives, policies, and processes, established and agreed upon by organizational stakeholders?
  2. How are cybersecurity roles and responsibilities for suppliers, customers, and partners established, communicated, and coordinated internally and externally?
  3. How is cybersecurity supply chain risk management integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes?
  4. What methods are used to identify and prioritize suppliers by criticality?
  5. How are requirements to address cybersecurity risks in supply chains established, prioritized, and integrated into contracts and other agreements with suppliers and relevant third parties?
  6. What planning and due diligence processes are in place to reduce risks before entering into formal supplier or other third-party relationships?
  7. How does your organization understand, record, prioritize, assess, respond to, and monitor the risks posed by suppliers, their products and services, and other third parties over the course of the relationship?
  8. How are relevant suppliers and other third parties included in incident planning, response, and recovery activities?
  9. How are supply chain security practices integrated into cybersecurity and enterprise risk management programs, and how is their performance monitored throughout the technology product and service life cycle?
  10. What provisions are included in cybersecurity supply chain risk management plans for activities that occur after the conclusion of a partnership or service agreement?

IDENTIFY (ID)

Asset Management (ID.AM)

  1. How does your organization maintain inventories of hardware it manages?
  2. What processes are in place to maintain inventories of software, services, and systems managed by the organization?
  3. How does your organization maintain representations of authorized network communication and internal and external network data flows?
  4. How are inventories of services provided by suppliers maintained?
  5. What method is used to prioritize assets based on classification, criticality, resources, and impact on the mission?
  6. How does your organization maintain inventories of data and corresponding metadata for designated data types?
  7. What processes are in place to manage systems, hardware, software, services, and data throughout their life cycles?

Risk Assessment (ID.RA)

  1. How are vulnerabilities in assets identified, validated, and recorded?
  2. What sources and forums does your organization use to receive cyber threat intelligence?
  3. How are internal and external threats to the organization identified and recorded?
  4. What methods are used to identify and record potential impacts and likelihoods of threats exploiting vulnerabilities?
  5. How are threats, vulnerabilities, likelihoods, and impacts used to understand inherent risk and inform risk response prioritization?
  6. How are risk responses chosen, prioritized, planned, tracked, and communicated?
  7. What processes are in place to manage, assess, record, and track changes and exceptions for risk impact?
  8. How has your organization established processes for receiving, analyzing, and responding to vulnerability disclosures?
  9. What methods are used to assess the authenticity and integrity of hardware and software prior to acquisition and use?
  10. How are critical suppliers assessed prior to acquisition?

Improvement (ID.IM)

  1. How are improvements identified from evaluations of cybersecurity risk management processes?
  2. What methods are used to identify improvements from security tests and exercises, including those done in coordination with suppliers and relevant third parties?
  3. How are improvements identified from the execution of operational processes, procedures, and activities?
  4. How are incident response plans and other cybersecurity plans that affect operations established, communicated, maintained, and improved?

PROTECT (PR)

Identity Management, Authentication, and Access Control (PR.AA)

  1. How does your organization manage identities and credentials for authorized users, services, and hardware?
  2. What processes are in place to proof identities and bind them to credentials based on the context of interactions?
  3. How are users, services, and hardware authenticated?
  4. What measures are in place to protect, convey, and verify identity assertions?
  5. How are access permissions, entitlements, and authorizations defined in policy, managed, enforced, and reviewed, incorporating the principles of least privilege and separation of duties?
  6. How is physical access to assets managed, monitored, and enforced commensurate with risk?

Awareness and Training (PR.AT)

  1. What cybersecurity awareness and training is provided to personnel to ensure they possess the knowledge and skills to perform general tasks with cybersecurity risks in mind?
  2. How is specialized awareness and training provided to individuals in specialized roles to ensure they possess the knowledge and skills to perform relevant tasks with cybersecurity risks in mind?

Data Security (PR.DS)

  1. How does your organization protect the confidentiality, integrity, and availability of data-at-rest?
  2. What measures are in place to protect the confidentiality, integrity, and availability of data-in-transit?
  3. How does your organization protect the confidentiality, integrity, and availability of data-in-use?
  4. What processes are in place to create, protect, maintain, and test backups of data?

Platform Security (PR.PS)

  1. How are configuration management practices established and applied in your organization?
  2. What processes are in place to maintain, replace, and remove software commensurate with risk?
  3. How is hardware maintained, replaced, and removed commensurate with risk?
  4. How are log records generated and made available for continuous monitoring?
  5. What measures are in place to prevent the installation and execution of unauthorized software?
  6. How are secure software development practices integrated and monitored throughout the software development life cycle?

Technology Infrastructure Resilience (PR.IR)

  1. How are networks and environments protected from unauthorized logical access and usage?
  2. What measures are in place to protect the organization's technology assets from environmental threats?
  3. How are mechanisms implemented to achieve resilience requirements in normal and adverse situations?
  4. How does your organization maintain adequate resource capacity to ensure availability?

DETECT (DE)

Continuous Monitoring (DE.CM)

  1. How are networks and network services monitored to find potentially adverse events?
  2. What methods are used to monitor the physical environment for potentially adverse events?
  3. How are personnel activity and technology usage monitored to find potentially adverse events?
  4. What processes are in place to monitor external service provider activities and services for potentially adverse events?
  5. How are computing hardware and software, runtime environments, and their data monitored to find potentially adverse events?

Adverse Event Analysis (DE.AE)

  1. How does your organization establish and manage a baseline of network operations and expected data flows for users and systems?
  2. How are potentially adverse events analyzed to better understand associated activities?
  3. What methods are used to correlate information from multiple sources during event analysis?
  4. How does your organization understand the estimated impact and scope of adverse events?
  5. How are incident alert thresholds established?
  6. How is information on adverse events provided to authorized staff and tools?
  7. How is cyber threat intelligence and other contextual information integrated into the analysis of adverse events?
  8. What criteria are used to declare incidents when adverse events meet defined incident criteria?

RESPOND (RS)

Incident Management (RS.MA)

  1. How is the incident response plan executed in coordination with relevant third parties once an incident is declared?
  2. What process is in place for triaging and validating incident reports?
  3. How are incidents categorized and prioritized?
  4. What criteria and processes are used for escalating or elevating incidents as needed?
  5. How are the criteria for initiating incident recovery applied?

Incident Analysis (RS.AN)

  1. How does your organization ensure notifications from detection systems are investigated?
  2. What processes are in place to understand the impact of incidents?
  3. How does your organization perform analysis to establish what has taken place during an incident and determine the root cause?
  4. How does your organization perform forensics on collected incident data?
  5. What processes are used to categorize incidents based on the impact and urgency of the situation?
  6. How are actions performed during an investigation recorded, and how is the integrity and provenance of these records preserved?
  7. What processes are in place to collect incident data and metadata, and how is their integrity and provenance preserved?
  8. How does your organization estimate and validate an incident's magnitude?

Incident Response Reporting and Communication (RS.CO)

  1. How does your organization ensure personnel know their roles and order of operations when a response is needed?
  2. How are internal and external stakeholders notified of incidents?
  3. What processes are in place for sharing information with designated internal and external stakeholders during an incident?
  4. What coordination mechanisms does your organization have with stakeholders consistent with response plans?
  5. How does your organization engage in voluntary information sharing with external stakeholders to achieve broader cybersecurity situational awareness?

Incident Mitigation (RS.MI)

  1. What methods does your organization use to contain incidents?
  2. How are incidents eradicated once contained?

RECOVER (RC)

Incident Recovery Plan Execution (RC.RP)

  1. How is the recovery portion of the incident response plan executed once initiated from the incident response process?
  2. How are recovery actions selected, scoped, prioritized, and performed?
  3. What processes are in place to verify the integrity of backups and other restoration assets before using them for restoration?
  4. How are critical mission functions and cybersecurity risk management considered when establishing post-incident operational norms?
  5. What steps are taken to verify the integrity of restored assets, restore systems and services, and confirm normal operating status?
  6. How does your organization declare the end of incident recovery, and what process is in place to complete incident-related documentation?

Incident Recovery Communication (RC.CO)

  1. How does your organization manage public relations during and after an incident?
  2. What processes are in place to repair the reputation of the organization after an incident?
  3. How are recovery activities and progress in restoring operational capabilities communicated to designated internal and external stakeholders?
  4. What approved methods and messaging are used to share public updates on incident recovery?

Questions per Security Domain

Identity and Access Management (IAM)

  1. What authentication methods are used across different systems and applications?
  2. How do you manage and enforce access controls based on the principle of least privilege?
  3. What is your process for provisioning, modifying, and revoking user access?
  4. How do you implement and manage identity federation and single sign-on (SSO) across your organization?
  5. What tools and processes are in place for privileged access management (PAM)?
  6. How are role-based and attribute-based access control implemented?
  7. How are identity lifecycles managed, and what identity governance and administration (IGA) solutions are used?

Data Security

  1. How do you classify and categorize sensitive data across the organization?
  2. What data loss prevention (DLP) measures are in place to protect sensitive information?
  3. How is data encrypted both at rest and in transit?
  4. What access controls are implemented to protect sensitive data?
  5. How do you ensure secure data disposal when it's no longer needed?
  6. What are the most sensitive information types that have the highest protection needs, and how are they secured?
  7. How do you identify, document, and manage data lifecycles and data flows for key applications and services?

Endpoint Security

  1. What anti-malware solutions are deployed on endpoints, and how are they kept up-to-date?
  2. How do you manage and enforce device compliance and encryption policies?
  3. What mobile device management (MDM) solution is used, and what policies are enforced?
  4. How do you handle endpoint patching and updates?
  5. What measures are in place to detect and respond to endpoint security incidents?

Infrastructure Security

  1. What processes are in place for server hardening and secure configuration?
  2. How do you secure virtualization platforms and manage virtual machine security?
  3. What container security measures are implemented for containerized applications?
  4. How do you manage and secure your organization's DNS infrastructure?
  5. What tools or processes are used to monitor infrastructure security?

Application Security

  1. What secure software development practices are followed in your organization?
  2. How do you conduct threat modeling for critical systems or applications?
  3. How are web applications protected against common vulnerabilities (e.g., OWASP Top 10)?
  4. What tools or processes are used for application security testing (e.g., SAST, DAST)?
  5. How do you manage and secure APIs used by your applications?
  6. What measures are in place to monitor and protect against application-layer attacks?

Cloud Security

  1. How do you ensure the secure configuration of cloud resources and services?
  2. What key cloud security solutions are used, and how are they implemented?
  3. How do you manage identity and access in cloud environments?
  4. What measures are in place to protect data stored in the cloud?
  5. How do you monitor and respond to security incidents in cloud environments?

Network Security

  1. How do you manage and configure firewalls to protect the network perimeter and internal segments?
  2. What intrusion detection and prevention systems (IDS/IPS) are in place, and how are they monitored?
  3. How do you implement and manage secure remote access?
  4. What network segmentation strategies are employed to isolate critical assets and limit lateral movement?
  5. How do you monitor and analyze network traffic for potential security threats?

Physical Security

  1. What access control systems are in place for physical entry to facilities?
  2. How is surveillance conducted and monitored across your facilities?
  3. What environmental controls are in place to protect critical infrastructure?
  4. How do you manage and control access to server rooms and data centers?
  5. What processes are in place for visitor management and contractor access?

Vulnerability Management

  1. How frequently are vulnerability scans conducted, and what tools are used?
  2. What is your process for prioritizing and addressing identified vulnerabilities?
  3. How do you manage and track the patching process across different systems?
  4. What is your approach to conducting penetration testing, and how often is it performed?
  5. How do you manage zero-day vulnerabilities?
  6. Do you have a bug bounty program or vulnerability disclosure program (VDP)?

Security Operations

  1. What Security Information and Event Management (SIEM) or similar solution(s) are used, and what is the architecture?
  2. How do you handle log collection, analysis, and retention?
  3. What Security Orchestration, Automation, and Response (SOAR) capabilities are in place?
  4. How do you monitor for and detect potential security incidents?
  5. What is your process for triaging and escalating security alerts?

Incident Response and Management

  1. Can you describe your incident response plan and how it's maintained?
  2. What tools and processes are used for incident detection and analysis?
  3. How do you contain and mitigate active security incidents?
  4. What is your process for post-incident review and lessons learned?
  5. How do you coordinate incident response activities with other teams or external parties?

Threat Intelligence

  1. What sources of threat intelligence do you use, and how are they integrated?
  2. How is threat intelligence used to inform security operations and decision-making?
  3. What processes are in place for threat hunting within your environment?
  4. How do you incorporate threat intelligence into threat modeling?
  5. How is threat intelligence shared within the organization and with relevant external parties?

Resilience, Business Continuity, and Disaster Recovery

  1. What is your backup strategy, and how often are backups tested?
  2. Can you describe your disaster recovery plan and how it's maintained?
  3. How do you ensure critical systems and data can be recovered within required timeframes?
  4. What measures are in place to ensure business continuity during a cyber incident?
  5. How often are business continuity and disaster recovery plans tested and updated?
  6. How are resiliency requirements included in system development processes?

Governance, Risk, and Compliance (GRC)

  1. How are information security policies developed, communicated, and enforced?
  2. What process is used for conducting risk assessments across the organization?
  3. How do you ensure compliance with relevant regulations and standards?
  4. What metrics are used to measure and report on the effectiveness of security controls?
  5. How is security governance integrated into overall business governance?

Security Awareness, Training, and Culture

  1. What security awareness training programs are in place for employees?
  2. How often is security training conducted, and how do you ensure all employees participate?
  3. What methods are used to measure the effectiveness of security awareness programs?
  4. How do you conduct and manage phishing simulations?
  5. What strategies are employed to foster a strong security culture across the organization, and how is security culture assessed and measured?
  6. How are security objectives included as part of goals and performance reviews?

Third-Party Risk Management

  1. What is your process for assessing the security posture of potential vendors or partners?
  2. How do you manage and monitor the ongoing security compliance of third parties?
  3. What security requirements are included in contracts with third parties?
  4. How do you manage access provided to third parties to your systems or data?
  5. What process is in place for responding to security incidents involving third parties?

Privacy

  1. How do you ensure compliance with relevant privacy regulations (e.g., GDPR, CCPA)?
  2. What processes are in place for conducting privacy impact assessments?
  3. How do you manage and fulfill data subject rights requests?
  4. What privacy-enhancing technologies are employed to protect personal data?
  5. How is privacy integrated into the design and development of new products or services?

Conclusion

Getting quality information is hard. Making good sense of it and turning it into action can be harder. By leveraging these kinds of question frameworks, at least getting the right information should be a little easier. Whether you're the new kid or a seasoned vet, these questions can help you understand an organization and its security program, cut through the noise, and zero in on what matters. They'll help you identify gaps, prioritize what needs attention, and make smart decisions to improve security posture. So dive in, start asking, and use the answers to guide your work.

#cybersecurity #security frameworks #security management