Security Insider October/ November 2017

Page 21

SECURITY FEATURE

might, in the client’s view, also be expected to provide information security incident response, a very different service altogether.

4) Designing the appropriate InfoSec controls that will protect the client’s environment, including technical controls (devices such as firewalls and endpoint security solutions, for example), administrative controls (such as user awareness training, password policies and patch management policies) and, of course, the physical controls that protect assets from physical threats.

5) Ensuring that the Business Continuity Plan (BCP) and any disaster recovery plans are updated to accommodate InfoSec-related disruption events.

6) Scheduling compliance checking and auditing of InfoSec systems to ensure that the systems are operating at the desired levels.

7) Accepting that it is not a question of if a breach will happen but when, and ensuring that contingencies for such an event are planned for and the responses tested so that organisational disruption is kept to a minimum.

8) Accepting that information security is neither one-size-fits-all nor set-and-forget. InfoSec requires constant monitoring, management and tuning to ensure that your organisation is protected from new and emerging threats.

9) Documenting the plan and making it easily accessible to the relevant personnel.

Implementing the Strategy

Once an Information Security Strategy has been devised, it needs to be implemented. This will require the organisation to work together to ensure that the strategy is executed successfully. Broadly speaking, a number of key areas will need to be addressed in order to meet the goals of a well-defined strategy:

• Deploying technical controls to secure your network, devices and electronic infrastructure. This involves the implementation, configuration and maintenance of firewalls, endpoint security software, domain management services, email security solutions such as spam and malware filters, secure configuration of wired and wireless networks and the security hardening of IoT devices and networks. Complementing this, ensure that privileged access (such as admin access) is restricted to authorised personnel only.

• Ensuring that software, firmware and applications are kept up to date. Ensure that patch management for all devices is addressed (including cameras, network switches, routers and other IP-based devices) and that application and operating system updates are deployed as soon as practically possible.

• Securing any cloud-based services that the organisation may be using. Many misconceptions exist about cloud and security. Cloud services can be secured, but the organisation must accept full responsibility for the security posture of those services, even when they are delivered by a third party: the provider secures the underlying platform, while the organisation remains accountable for how the service is configured and used.

• Having a complete and verified backup of your data. In addition, ensure that disaster recovery testing takes place regularly to confirm that backed-up data is complete and accessible, that any restoration of services from backup systems completes within the organisation’s downtime limit (known as the Recovery Time Objective or RTO), and that the age of the most recent usable backup stays within the amount of data loss the organisation can tolerate (known as the Recovery Point Objective or RPO). A backup that fails its integrity check does not count towards either objective, however recent it is.

• Ensuring that your strategy addresses user education and awareness. More than 30% of all breaches occur because a trusted user either accidentally makes a mistake or deliberately compromises a system. Accidental data loss can come from a user choosing a weak or easily guessed password, inadvertently sending an email to the wrong recipient, leaving a laptop on public transport or dropping a USB key with sensitive data on it. Addressing user awareness both with your staff and with stakeholders, including suppliers and customers, is a beneficial way to minimise potential breaches.

• Committing to regular InfoSec assessments, audits and reviews, provided either by a dedicated team of information security professionals or by a specialised external provider.

• Given the ever-changing threat landscape, leveraging the services of a suitably qualified managed information security provider who can assist or augment your organisation’s skillset with the experience needed to provide the best possible InfoSec protection.

• Involving legal counsel in your strategy, whether internal counsel or an external firm that specialises in information security law. This will be invaluable in ensuring that your organisation meets its regulatory commitments as well as in exercising legal privilege should a breach occur.

• Transferring any residual risk to an appropriate cyber breach insurance policy that will cover the costs associated with incident response should a breach occur.

Deploying good information security controls takes effort and requires constant vigilance; however, when properly planned, executed and maintained, these controls are both indispensable and vital to the long-term success of any organisation in the connected world we all live in today.
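The backup point above is the one place where the strategy can be checked mechanically rather than by policy review. The following script is an added example written for this page, not code from the article or from Sententia; it assumes a simple catalogue record (name, completion time, on-disk payload, the SHA-256 digest recorded when the backup was taken, and the duration of the last restore drill), and the payroll backups in it are constructed sample data. It shows why "verified" matters for the RPO: a corrupted newest backup silently pushes the recovery point back to the previous one.

```python
"""Evaluate a backup catalogue against an organisation's RPO and RTO.

RPO: how much data (measured as time since the last usable backup) may be lost.
RTO: how long a restore from that backup may take.
A backup that fails its integrity check is not usable, so it cannot satisfy
either objective no matter how recent it is.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupRecord:
    # Hypothetical catalogue record; field names are this example's own.
    name: str
    taken_at: datetime       # completion time of the backup, UTC
    payload: bytes           # the backup data as it now sits on disk
    recorded_sha256: str     # digest written to the catalogue when the backup was taken
    restore_seconds: float   # measured duration of the most recent restore drill


def is_verified(rec: BackupRecord) -> bool:
    """A backup is usable only if the data on disk still matches its catalogue digest."""
    return hashlib.sha256(rec.payload).hexdigest() == rec.recorded_sha256


def evaluate(records: list[BackupRecord], rpo: timedelta, rto: timedelta,
             now: datetime) -> dict:
    """Return whether the newest verified backup meets the RPO and RTO at `now`."""
    usable = [r for r in records if is_verified(r)]
    if not usable:
        return {"restorable": False, "reason": "no backup passes its integrity check"}
    latest = max(usable, key=lambda r: r.taken_at)
    loss_window = now - latest.taken_at          # data written since this backup is gone
    restore_time = timedelta(seconds=latest.restore_seconds)
    return {
        "restorable": True,
        "latest_backup": latest.name,
        "loss_window": loss_window,
        "rpo_met": loss_window <= rpo,
        "restore_time": restore_time,
        "rto_met": restore_time <= rto,
    }


def sample_report(corrupt_latest: bool = True) -> dict:
    """Constructed scenario (not real data): nightly payroll backups, 24 h RPO, 4 h RTO.

    With corrupt_latest=True the most recent backup has been damaged on disk after
    its digest was recorded, so the older backup becomes the recovery point.
    """
    utc = timezone.utc
    good_14 = b"payroll-2017-10-14"
    good_15 = b"payroll-2017-10-15"
    # Simulated on-disk corruption: an extra block after the digest was recorded.
    on_disk_15 = good_15 + b"\x00" if corrupt_latest else good_15
    records = [
        BackupRecord("payroll-2017-10-14", datetime(2017, 10, 14, 2, 0, tzinfo=utc),
                     good_14, hashlib.sha256(good_14).hexdigest(), restore_seconds=3.5 * 3600),
        BackupRecord("payroll-2017-10-15", datetime(2017, 10, 15, 2, 0, tzinfo=utc),
                     on_disk_15, hashlib.sha256(good_15).hexdigest(), restore_seconds=3.5 * 3600),
    ]
    now = datetime(2017, 10, 15, 9, 0, tzinfo=utc)
    return evaluate(records, rpo=timedelta(hours=24), rto=timedelta(hours=4), now=now)


if __name__ == "__main__":
    for corrupt in (True, False):
        print("latest corrupt:" if corrupt else "all intact:   ", sample_report(corrupt))
```

With the newest backup corrupted, the recovery point falls back to the previous night, the data-loss window grows to 31 hours and the 24-hour RPO is breached even though the restore drill still finishes inside the 4-hour RTO. With both backups intact the window is 7 hours and both objectives are met. In practice the digest should be recorded on a system the backup host cannot write to, otherwise an attacker who can alter the backup can alter its catalogue entry too.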

About the author: Tony Vizza is the cyber security practice director for Sententia, a boutique provider of advanced information security and information management services for enterprise and government. Tony completed his B. Science in Computing Science at the University of Technology, Sydney, and recently completed his Global Executive MBA at the University of Sydney, which included study at Stanford University, the London School of Economics and the Indian Institute of Management. Tony’s information security credentials include CISSP (Certified Information Systems Security Professional) and CRISC (Certified in Risk and Information Systems Controls), and he is a certified ISO 27001 Lead Auditor. Tony is a member of the Australian Information Security Association (AISA) and is also associated with the Australian Cyber Security Centre (ACSC). Tony has been involved in the information technology and information security fields for over 25 years.


