Part 3 – The 10 Steps to Cyber Security
explains why an information risk management regime is central to an organisation’s overall cyber security strategy as organisations continue to rely on technology, systems and Information. Information security risks need to be assessed just as any other risks would be when they can have a material impact on a business.
explains why an approach to identify baseline technologies ensures that management can improve the security of a company’s systems. Strategies need to be developed to remove or disable unnecessary functionalities from systems, and repair known vulnerabilities. Failing to do this can likely result in increased risk and compromise of a company’s systems and information.
addresses the connections from a company’s networks to the Internet, and other networks which expose systems and technologies to attack. The process of creating and implementing basic policies and the appropriate architectural and technical responses, a company can reduce the chances of such attacks being successful, or causing harm, to the organisation.
suggests that when users are provided with unnecessary system privileges or access to important data, that the impact of misuse or compromise will be more severe. At the minimum, users need to be provided with a reasonable level of system rights and privileges needed for them to accomplish their role. Also, it is important that highly elevated system privileges should be controlled and managed carefully.
explains that users play a critical role in their organisation’s security and therefore it is important that security rules and the technology they are provided enables everyone to do their job properly and to help keep the organisation secure. This can be accomplished by a systematic delivery of awareness programmes and specific training to deliver security expertise and help establish a security-conscious culture.
requires that even though all organisations will occasionally experience security incidents, investment in establishing effective incident management policies and processes. This will help improve resilience, support business continuity, improve customer and stakeholder confidence.
defines malicious software, or malware as an umbrella term that covers any code or content that might have a malicious, undesirable impact on a company’s systems. As every exchange of information will carry with it some degree of risk that malware could be exchanged, the risk can be reduced by implementing the appropriate security controls. This should be part of an overall ‘defence in depth’ approach which should keep systems and services from being seriously impacted.
involves system monitoring which provides the capability to detect actual or attempted attacks. It states that good monitoring is essential to effectively respond to these attacks. Also, system monitoring allows a business to ensure that systems are being used appropriately and in accordance with organisational policies. Monitoring can often also be a key capability to indicate compliance with legal or regulatory requirements.
addresses removable media which can provide a common route for introducing malware and the potential for accidental or deliberate export of sensitive company data. Appropriate security controls should be applied regarding all removable media.
involves the use of mobile working and remote system access. Even though these offer great business benefits, they can expose new risks which need to be managed. Companies need to establish risk-based policies and procedures which support mobile working or remote access to company systems.