Benefits:
Training employees and keeping them up-to-date on security awareness reduces the
risk of potential errors and damages from occurring through human error, including
falling prey to phishing emails or other spam content that seeks to place malware or
malicious software on the company's network.
An agency should:
Periodically assess the risk and magnitude of the harm that could result from
the unauthorized access, use, disclosure, disruption, modification, or
destruction of its information and information systems.
Develop risk-based policies and procedures that cost-effectively reduce
information security risks throughout the life cycle of each information system
in its information security programs.
Develop subordinate system security plans for providing adequate security for
networks, facilities, and systems or groups of information systems (as
appropriate).
Provide appropriate security awareness training to personnel, including
contractors and other users of information systems that support its operations
and assets.
Test and evaluate the effectiveness of information security policies, procedures,
and practices as frequently as the risk level requires but no less than annually.
Create a process for planning, implementing, evaluating, and documenting
remedial action to address any deficiencies in information security policies,
procedures, and practices.
Establish procedures for detecting, reporting, and responding to security
incidents, which may include using automated tools; mitigating risks associated
with such incidents before substantial damage is done; and notifying and
consulting with the information security incident center and other entities, as
appropriate, including law enforcement agencies and other relevant officials.
Establish plans and procedures to ensure continuity of operations for
information systems that support its operations and assets. Test plans to
ensure they work.
Develop, maintain, and annually update an inventory of major information
systems.
6. Keep your culture in mind, too. When it comes to choosing your equipment
and software packages, consider how they will uphold your company’s
culture. Does your team have a flexible work environment, which you can
support by providing laptops or tablets to your staff? Does your core
communication tool need to support silly off-topic banter, or does it need
to be more restrictive?
7. If you don’t want to deal with it, outsource it. If there’s a portion of your IT
support you don’t want your internal team to have to worry about, if you
don’t want to deal with managing an internal IT team at all, or if you want
to outsource your entire technology environment to another provider in the
form of virtual desktops or otherwise, look into outsourcing.
A user is a weak link in a company’s security if he or she hasn’t been educated about
security issues or adequately trained in best practices. And overall IT system
security is only as strong as its weakest link! Every user must know which data is
considered sensitive and be familiar with the company’s security policy and related
guidelines. For example, basic rules could include: never re-using a personal
password at work; not connecting personal equipment to the company network;
locking the session on one’s work station before stepping away from it; knowing the
procedure to follow when suspecting a potential breach; etc. Companies can organize
spot-training on specific issues — for example, an information session on phishing,
on ransomware, on the risks associated with USB keys, etc.
Companies must develop a policy on which software can and can’t be installed on
workstations. This could take the form of a list of approved applications and browser
extensions, or a requirement that application installations be authorized by the IT department.
You may want to host authorized applications on your own server as a way to
guarantee their authenticity. Furthermore, workstations must always be up-to-date
and equipped with at least antivirus and antispam software, and a local firewall that
is correctly set up. Volumes and partitions where user data are stored must be
encrypted and regularly backed up to systems that are not connected to the network. Encrypting laptops,
especially those that leave the premises, is vital because of the heightened risk of
theft or loss.
All companies must manage their sensitive information, i.e. any data whose loss or
theft could be damaging or even disastrous. Companies must know at all times
where the data resides and on which physical equipment it is located, in order to
define specific security measures. Data that resides on external systems (for
example, in the cloud, on an IaaS, or on a PaaS) must be accorded special treatment
because of the specific risks involved, and some thought must be given to whether
externalizing this data is worthwhile in light of those security issues. Identifying sensitive data also
allows you to better control the associated access rights.
Users must receive detailed guidelines on how to create robust passwords. The
guidelines must strictly forbid the writing down of passwords on physical media
(notepads, whiteboards, etc.) or non-encrypted digital media (“passwords.txt”, email,
etc.). Users who must juggle several complex identifiers should use a password
management system (KeePass, EnPass, 1Password, etc.).
To boost the security of strategic accounts, use a two-step verification process. This
involves authenticating a user with a password, plus another identifier such as a
physical item in the user’s possession (a FIDO U2F USB key, an OpenPGP card, an
RFID chip, a token, a single-use code sent via SMS, etc.), biometric data
(fingerprints, voice recognition, iris scanning, etc.), or even a geographic location (the
connecting device must be within a certain physical location).
Devices that can connect to the internal network must be under the company’s
jurisdiction. Devices belonging to visitors or to employees are a vulnerability over
which the company has no control. To accommodate these needs, you’re better off
creating a specific Wi-Fi network entirely separate from the rest of the company
infrastructure, while offering a decent level of security (WPA2, soon to be WPA3, AES
CCMP, regular password changes). At the same time, you should control the use of
external USB keys on company systems.
8. Encrypt all data transmitted over the Internet.
You should isolate machines that offer services visible on the Internet (for example,
Web hosting) from the rest of your company network (by creating “demilitarized
zones”). Also, your network architecture should be partitioned to stop an attack on
one machine from spreading to all other machines. For example, you can create
separate zones for different systems with similar security needs, and implement
traffic filtering between zones using a firewall.
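As an added illustration of the zone-based filtering described above (this is example configuration written for this page, not taken from the original text), here is an nftables ruleset for a Linux gateway that separates an Internet-facing DMZ from the internal workstation network. The interface names and the 10.0.x.0/24 address ranges are constructed assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example: one Linux gateway with three interfaces.
#   wan0 -> Internet
#   dmz0 -> 10.0.1.0/24  (public-facing web hosts, the "demilitarized zone")
#   lan0 -> 10.0.2.0/24  (internal workstations)
flush ruleset

table inet zones {
    chain forward {
        # Default deny: traffic crossing zones is dropped unless a rule below allows it.
        type filter hook forward priority filter; policy drop;

        # Let replies to already-permitted connections through; drop broken state early.
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published web service ports.
        iifname "wan0" oifname "dmz0" ip daddr 10.0.1.0/24 tcp dport { 80, 443 } accept

        # DMZ -> Internet: outbound HTTP/HTTPS for updates (tighten to known mirrors where possible).
        iifname "dmz0" oifname "wan0" tcp dport { 80, 443 } accept

        # LAN -> DMZ: administrators reach DMZ hosts over SSH from the internal network only.
        iifname "lan0" oifname "dmz0" ip saddr 10.0.2.0/24 tcp dport 22 accept

        # LAN -> Internet: general outbound access for workstations.
        iifname "lan0" oifname "wan0" accept

        # DMZ -> LAN: nothing is allowed. A compromised web host must not reach workstations.
        # Log the attempt so it is visible to monitoring, then drop it explicitly.
        iifname "dmz0" oifname "lan0" log prefix "dmz-to-lan blocked: " drop
    }
}
```

Load it with `nft -f` and confirm the result with `nft list ruleset`; the logged DMZ-to-LAN drops give the monitoring team a concrete signal that a machine in the exposed zone is trying to move further into the network.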
No matter how strong your security posture is now, if you don’t document it, it won’t
last. You must assume that people instrumental in building your security environment
will eventually move on. In that respect, training the replacement is a lot less painful
and much more effective with a written guide. Without a policy manual, the new
employee would eventually learn what to do but would you really want to risk a
security incident while they are trying to figure it out?
It’s important to understand that there is no procedure, policy, or technology that will
ever be 100% secure. It just doesn’t exist. You can, however, endeavor to get as close
to perfect as possible.
Lack of a documented security policy is a huge red flag when determining liability in
the event of an incident. You do not know when the next attack will happen and if
someone is aggressively targeting you, they will cause pain. When it comes time to
defend yourself, no matter the strength of your security environment, the lack of a
documented information security program is a message that management has not
taken data security seriously. This perception becomes increasingly dangerous when
we’re talking about a court of law and an untold number of potential customers in the
court of public opinion.
Whether you are currently without a policy or want to ascertain where yours fits along
the continuum, here are key components that should be in a best practices ISP.
Besides the time element, the organization must clearly define the expectations of the
Information Security Officer and determine whether an individual is capable of filling the role.
In a later post I will describe the attributes that ascertain “capability”, but the
complete lack of someone in this role means that information security is not a priority
in your organization.
Random checks to confirm you are following your own rules are the best way to monitor
the activity.
Vendor Management
You’re only as strong as your weakest link, and when you work with third-party
providers their information security downfall can become your issue. Make sure you
document which vendors receive confidential information and how this information is
treated when in the custody of the vendor. The lack of strict vendor guidelines could
increase the risk of releasing your customers’ private information.
Physical Security
Documents don’t walk out of the office on their own. Having strict rules about who can
physically access your offices and how they gain entry can decrease the likelihood that
an unauthorized individual is present to steal information. The next step is to ensure
that your policy documents how physical information is stored and destroyed.
Wireless Networking
There is no doubt that the implementation of wireless networks has saved many
organizations both time and money in comparison with traditional cabling. As you
decide what type of network connectivity to adopt, understand that with increased
flexibility allowed by wireless, a stronger encryption standard is required to ensure
there is no abuse.
Incident Response
Hands down, the worst time to create an incident response program is when you are
actually having an incident. You can’t undo what has happened and you’re in crisis
mode dealing with the after effects of the breach.
Not the time to be putting policy to paper.
Your reputation is severely at risk, and if you respond inadequately you risk making it
worse with law enforcement as well as your customers. Act as if a breach is inevitable
and take the time to develop the language and procedures you will use in the event of
an incident to ensure you’re prepared when the time comes.
Feel free to use this list in either building your program or as a checklist to determine
your current status. Additionally, other good resources include the National Institute
of Standards and Technology and the SANS Institute. The most successful policy will
be one that blends in with the culture of your organization rather than just existing to
fill a regulatory requirement. In doing so, you increase the security posture of your
organization with as little effort as possible and help ensure you don’t become another
statistic in the evening news.
10 Essential Cybersecurity Best Practices
It is important to take a layered approach with your organization’s security. These ten
cybersecurity best practices are items you may not have considered, but definitely
should.
1. Implement a Formal IS Governance Approach
4. Back Up Data
Backing up your files may seem like common sense, but any organization that has
been hit with ransomware – such as Petya or WannaCry – will tell you how important it
is to follow this best practice. It is crucial for an organization to have a full working
backup of all of its data, not only from a basic security hygiene perspective, but also to combat
emerging attacks.
In these sessions, it may feel like you are putting your people to sleep or it might be
going in one ear and out the other, but training your people on proper cyber security
hygiene is critically important. Finding creative techniques to make the training stick
will go a long way.
7. Outline Clear Use Policies for New Employees and 3rd Parties
To strengthen and clarify the cybersecurity best-practice education you give your
users, you should clearly outline the requirements and expectations your company
has in regard to IT security when you first hire them. Make sure employment
contracts and SLAs have sections that clearly define these security requirements.
No matter how well you follow these best practices, you still may get breached. In fact,
nearly half of organizations suffered a security incident in the past year. If you do,
having a response plan laid out ahead of time will allow you to close any
vulnerabilities, limit the damage of a breach, and allow you to remediate effectively.
Final Thoughts
There are countless cybersecurity best practices and strategies that should be
considered, and these are just a few of the ones that we think are most important. Are
there any essential best practices that we missed? Feel free to reach out to us directly
on Twitter @ObserveIT to share your thoughts and exchange insights.
Biometric access