In a previous article, Conosco Information Security Manager Hylton Stewart explained the types of controls that can be implemented to mitigate the risks posed by threats – management controls, technical controls, and operational controls.
In Part 2, he lists some best-practice measures that organisations should implement to mitigate the likelihood and impact of potential information security threats:
Management
- Information security policy – company-wide policy documenting the organisation’s approach to information security, acknowledged by all employees.
- Acceptable use policy – company-wide policy documenting the acceptable use of assets and information by employees (use of internet and email for non-work related actions, not allowing other employees to use login details etc.).
- Password policies – the organisation should ensure that, where possible, there is technical enforcement of user password changes and complexity, as defined in the acceptable use policy.
- HR policies – such as employee screening before employment, disabling of access accounts on termination, segregation of duties (employees responsible for critical functions should not be able to both authorise/monitor and perform the function).
- Mobile device policy – company-wide policy documenting the rules for using mobile devices (laptops, phones, external hard drives) and the responsibilities of employees with regards to their protection.
- Access control policy – company-wide policy documenting both physical access to assets as well as access to information assets and user access rights.
- Classification of information – the organisation should implement a classification scheme for the information it holds, together with rules for handling each classification. This makes employees aware of how to deal with information, and thus how to protect confidential information.
Technical
- Anti-virus protection – ensure that all workstations and servers are protected by an anti-virus/malware product that is centrally managed and automatically updated.
- Patch management – ensure that all workstations and servers are monitored for missing updates and automatically receive operating system updates from the vendor when available.
- Removable media – implement technical enforcement to restrict the use of removable media (such as USB sticks). This helps both to prevent infections from unknown devices and to prevent the exfiltration of organisation data.
- Logging and monitoring – ensure that logs from perimeter firewalls and routers are centrally stored and monitored. This allows for the identification of incidents, and also the investigation of incidents after the fact.
- Information backups – ensure that all critical information is backed up and that all critical information storage/processing assets are also backed up to allow for recovery in case of an incident or breach.
Operational
- Change management – implement a process for managing changes to critical infrastructure and assets, as unplanned changes can result in loss of availability of those assets.
- Supplier management – the organisation should document a policy setting out how it ensures that suppliers handle its information appropriately. Rules should be implemented to ensure that suppliers who have access to the organisation’s assets and information adhere to agreed-upon security standards.
- Staff awareness training – one of the most important steps an organisation can take to improve its information security is to define and implement a staff awareness training programme. More than half of security incidents are caused by human error, most of which can be prevented if users are made aware of the potential risks.
- Incident response plans – a policy and plan defining what the organisation considers an incident and how it will respond, including responsibilities and communication plans.
- Business continuity plans – a policy documenting how the organisation will ensure information security is maintained during a business continuity incident, as well as plans for how the organisation will continue to operate during the incident.
- Asset inventory – the organisation should maintain an inventory of all its critical assets, both physical and information. Knowing what assets an organisation has assists with identifying potential threats to those assets, and thus how to protect them.
For advice on implementing these suggestions and how to ensure your organisation is protected, contact the Conosco Security Division today: securitydivision@conosco.com.