- Assets: personnel, computers, servers, software, databases, cloud services, etc.
- Business environment: your business’s role within your industry; your mission; and what your critical services are.
- Governance: legal and regulatory requirements for cyber security in your industry; processes, policies, and procedures to meet the requirements.
- Risk assessment: identify possible threats, both internal and external; determine the impact of those threats on the business; define and prioritize how to respond to those risks.
- Risk management strategy: establish processes to manage risks; sign off with stakeholders; express the business’s risk tolerance clearly and transparently.
Develop and implement safeguards. You need to ensure delivery of your critical business services by setting up the following:
- Access control: manage authorized devices and users; protect physical access to assets; provide encrypted remote access; use the principle of least privilege to grant access; segregate the network where appropriate to preserve network integrity.
- Awareness and training: regularly train and inform users on risks; set high expectations for privileged users; clearly communicate expectations to third-party vendors.
- Data security: protect data at rest; protect data in transit; set policies for disposing of old assets; ensure uptime by providing adequate capacity; implement data leak protection; keep development and testing environments separate from production.
- Information protection processes and procedures: define your system development life cycle to manage implementations; put a configuration change control process in place; set up regular backups and test them frequently; set a policy for destroying data; define response and recovery plans.
- Maintenance: log maintenance and repair; ensure that all remote maintenance is approved, logged, and performed as specified.
- Protective technology: record audits and logs; create a careful policy for the use of removable media.
Unfortunately, it is all but guaranteed that your business will have to deal with a cyber security event. You want to be the one identifying when it happens, not finding out from a third party. Get the following taken care of:
- Security continuous monitoring: monitor the network for cyber security events; set up physical security monitoring; track personnel; detect malicious code; set up regular vulnerability scans.
- Detection processes: define the roles and responsibilities for detection and accountability; test detection processes.
Do you know how you will act if a cyber security event is detected? Define your game plan ahead of time by using the following:
- Analysis: investigate all notifications from detection systems; understand the impact of any incident; research causes; categorize incidents with corresponding response plans.
- Mitigation: contain incidents; mitigate incidents; document any newly identified vulnerabilities and determine risk.
- Improvements: include lessons learned with response plans; update response strategies.
Be resilient. To do this, you should prepare ahead of time the activities and plans for restoring business services and repairing your brand following an event. Do the following:
- Recovery planning: execute a plan during or after an event.
- Improvements: include lessons learned with recovery plans; update recovery strategies.
- Communications: manage public relations; work to repair reputation following an event; communicate recovery activities to stakeholders and management.
- Private access to information on the internet through encryption and masking of your IP address.
- A powerful system for filtering out all kinds of cybercrime, including DDoS.
- Virtual presence in the U.S., Europe or another country that is known to provide some level of unrestricted access to information in the cloud.