Organizations of all sizes should understand by now that they face threats to their data, whether it is stored or accessed on a private network, internet cloud service, or mobile device. Whether the organization is one person or one million people, we are all targets of malicious cyber activity. Hopefully this list will challenge you to enquire, research and question your way through these steps. There are five key things that you can do to begin or improve your Information Security Program:
FIRST, know your organization. Identify the organization's systems, assets, data, and capabilities. Document the business functions and the resources that support them. For each function, list the policies and procedures; the purpose or output; the mechanisms, devices, and human resources; and the sources of information that support the business function. Identify and document threats that would adversely affect that function, such as inclement weather, employee accidents, cyber attacks, or system failures. If you depend on cloud services or third party vendors, know their security policies and procedures.
SECOND, implement protective measures for the organization. Ensure that the organization has access controls on the network and critical systems. Those controls could be simple password management systems, processes for granting account access, or router settings that enforce safeguards, such as MAC address registration and password protection. Depending on the maturity level of the organization or the complexity of the infrastructure, deeper measures could be taken to protect the network and organization data, such as threat awareness campaigns, mandatory security training, or technology that implements hardware or software security controls.
THIRD, be aware of attacks on the organization. Even if the organization is one person with a laptop, anti-virus software or the operating system's built-in firewall should be implemented to detect and notify you of a possible security issue. The bigger or more complex the organization or its business functions, the greater the need for comparable detection and alerting capabilities. All devices should have some form of continuous monitoring software.
FOURTH, be prepared to respond, not panic, at the first sign of trouble. Have a plan to react. Appoint staff to be responsible for executing the response to detected attacks, or have a plan in place for third party vendors to provide professional services. The planned response must include the steps to mitigate and stop the attack, and a process to determine what was attacked and what the impact was on the business function or critical system.
FIFTH, have a plan to recover. This entails thinking ahead to safeguard critical data, preparing alternative ways or systems for keeping the business function moving, and defining which affected systems and data take priority for recovery. If you use cloud services or third party vendors, how do they recover data lost in an attack? What steps do you need to take to reconnect and begin the business functions again?
Get these steps documented in the simplest way possible, then improve upon them with regularity. This will put you well on your way to developing a comprehensive Information Security Plan that is tailored to your organization!
Please contact us for more information!