Seeking Advice on Balancing Security Controls and Testing Efficacy

Hello all,

Over the past 15 years, I have transitioned from working at smaller consultancies to larger corporations and seen a shift from using self-managed, non-corporate machines to managed corporate systems with advanced features.

I'm currently defining operational requirements for my team. Fortunately, I have a supportive CISO who understands that sometimes it makese sense to relax specific corporate controls (like EDR, Proxy, AV) to conduct adequate testing. For our work, we use corporate-managed MacBooks and run self-managed VMs.

However, the introduction of tools, e.g., ZScaler, which interferes with testing by introducing tunneled traffic and TLS inspection, has started interfering with our testing processes. While these can be circumvented or temporarily removed, my CISO is concerned about maintaining assurance around our actions during these periods.

Our work is pre-approved, so any deviation or investigation into unauthorized areas would be a red flag. I'd like to learn more about how other organizations handle this balance.

Do you:

* Reduce controls only during specific assessment windows, which seems to be a potential overhead, and may not make sense if our team is nearly always testing.
* Implement increased logging or other measures to monitor activity without hindering testing?
* Something else?




Any insights or suggestions on maintaining security without compromising our work's effectiveness would be great.

Thanks in advance. submitted by /u/imadamjh
[link] [comments]


http://dlvr.it/T7cPvl